Edition #7 ai-bfsi

Account Takeover (ATO): The Silent Crisis in Digital Banking

In FY23, over 55% of all fraud sessions in Indian banks were attributed to Account Takeover. These are not brute-force hacks — they are social-engineered, device-persistent, and behaviourally stealthy. This edition maps how ATO unfolds, the tactics on the rise, and the defence stack that modern institutions need to build.

atoaccount-takeoverfrauddigital-bankingupiidentitycybersecurityindiaauthentication

The Shift: From Password Theft to Full-Scale Identity Hijack

India’s fintech boom is a double-edged sword. While digital credit, embedded UPI, and mobile-first banking scale trust, they also expand the attack surface.

In FY23, over 55% of all fraud sessions in Indian banks were attributed to Account Takeover (ATO). These are not brute-force hacks — they are social-engineered, device-persistent, and behaviourally stealthy.

What Is Account Takeover?

An ATO attack happens when a fraudster gains unauthorised access to a user’s bank account — typically via phishing, malware, SIM swaps, or app cloning.

Once inside, the attacker behaves like a real user:

  • Logs in from a known location
  • Uses stored credentials or OTP
  • Initiates small, frequent transfers
  • Avoids triggering traditional risk engines

How ATO Typically Unfolds

Phishing/Smishing — a fake KYC or cashback link harvests credentials.

Session Hijack — screen-sharing malware grants the attacker real-time control of the device.

UPI Draining — microtransactions under ₹10,000 are routed via mule accounts to avoid scrutiny thresholds.

Disguise — alert suppression, change of contact information, and rapid laundering before the customer notices.

Tactics on the Rise

Fake Regulator Scams — impersonating RBI, police, or tax departments. The psychological authority of a “regulator” bypasses the scepticism that users might apply to ordinary phishing.

Job Offers for Data — victims are tricked into “test transactions” or app installs as part of fake employment processes.

UPI Laundering — high-volume, low-value transactions to evade scrutiny. The volume conceals the pattern.

Reimagining the Defence Stack

Traditional controls — OTPs, device tokens — are no longer sufficient against socially-engineered ATO. Modern defences must include:

Risk-Adaptive Authentication — analyse behaviour: time of login, typing cadence, location switches. A legitimate user’s behavioural fingerprint is consistent; an attacker’s is not.

Session Monitoring — go beyond events to track entire session flows and keystroke behaviour. ATO attackers who survive initial authentication often reveal themselves in the session.

Contextual Consent Layers — detect when intent does not match location, behaviour, or device history. A UPI transfer initiated seconds after an unusual login from a new device warrants friction.

Cross-App Threat Intelligence — build federated alerts across UPI apps, wallets, and core banking. ATO networks operate across channels by design; detection must too.

The Strategic Question for Leadership

ATO is not just a fraud vector — it is a trust and identity problem. And trust is the new currency in fintech.

The question for Boards, CISOs, and Product Heads is not “are we detecting ATO?” but “is our fraud stack proactive or reactive?” Proactive means catching the behavioural anomaly before the transaction executes. Reactive means filing the incident report after.

Sources: RBI KYC Master Direction 2023; CERT-In Annual Cybersecurity Report 2024; Digital Banking Fraud Trends in India 2024.