By NHI Mgmt Group Editorial TeamPublished 2025-12-04Domain: Governance & RiskSource: Seamfix

TL;DR: Account takeover fraud drove nearly $13 billion in losses in 2023 and is rising 354% year over year, with credential stuffing, phishing and weak manual verification helping attackers bypass customer controls, according to Seamfix. The identity problem is not just stronger authentication, but reducing trust in reused credentials, social engineering and brittle recovery flows.


At a glance

What this is: This is a vendor analysis of account takeover fraud that argues password reuse, credential stuffing, phishing and manual verification gaps are making customer identity controls easier to bypass.

Why it matters: It matters because IAM, IGA and fraud teams need controls that reduce account recovery abuse, password reuse risk and transaction authorisation weaknesses across human identity programmes.

By the numbers:

👉 Read Seamfix's analysis of account takeover fraud and identity verification controls


Context

Account takeover fraud is a human identity problem with financial consequences. Attackers do not need to break encryption when they can use stolen credentials, phishing and automated credential stuffing to get past weak customer verification and recovery flows.

The governance gap is that many organisations still rely on manual checks and knowledge-based verification that can be manipulated. Once identity proofing, login and transaction approval are separated, fraudsters look for the easiest weak point and reuse it across channels.


Key questions

Q: How should security teams reduce account takeover risk in customer identity flows?

A: Focus on the full identity journey, not just login. Reduce password reuse risk, add bot-resistant controls to credential stuffing prone surfaces, harden recovery and support desk verification, and apply stronger step-up checks for high-risk actions. The goal is to make stolen credentials, social engineering and manual exceptions less useful at the same time.

Q: Why do reused passwords make account takeover fraud so effective?

A: Reused passwords turn one leaked credential set into access across many services. Attackers can automate testing at scale, and success rates improve when organisations rely on weak recovery questions or inconsistent step-up controls. Password reuse is dangerous because it converts a single compromise into repeated account access opportunities.

Q: What do organisations get wrong about biometric verification for fraud prevention?

A: They often treat biometrics as a blanket replacement for other controls. In practice, biometrics work best as a high-assurance step for specific transactions or onboarding events, and they still need liveness detection, device context and fraud analytics. Without that context, biometrics can become a costly extra layer rather than a meaningful control.

Q: Who is accountable when account takeover fraud succeeds despite identity checks?

A: Accountability usually spans IAM, fraud operations, support and customer experience teams because the failure often sits in a chain of weak controls. If login, recovery, support verification and transaction approval are owned separately, no single team sees the full attack path. Governance needs one owner for customer identity risk across the lifecycle.


Technical breakdown

Credential stuffing turns password reuse into scale

Credential stuffing is an automated attack pattern that tests large volumes of stolen username and password pairs against live services. It succeeds because password reuse collapses the value of a single breach across multiple accounts, especially when rate limits, bot detection and anomaly scoring are weak. The attacker does not need to know the victim, only to find a reused credential that still works. That makes customer identity a volume problem as much as an authentication problem.

Practical implication: prioritise bot-resistant authentication and breach-password checks on customer-facing logins and recovery paths.

Phishing and social engineering bypass the human trust layer

Phishing works because attackers do not always attack the system directly. They target the person, using urgency, trust cues and context to extract passwords, one-time codes or recovery details. In account takeover, that means a stolen factor can be enough if the downstream process still trusts the compromised user session or contact channel. Human identity controls fail when recovery steps are easier to exploit than the original login.

Practical implication: harden recovery flows, step-up checks and support desk verification against social engineering.

Biometric verification changes the transaction boundary

Biometric verification and liveness detection try to answer a different question from passwords: is the person present right now, and is the presentation real rather than replayed? That matters most for high-risk transactions and onboarding, where fraudsters often exploit weak manual review. Biometrics are not a cure-all, but they raise the cost of impersonation when they are paired with strong anti-spoofing and transaction-scoped controls.

Practical implication: use biometrics only where the transaction risk justifies it, and pair them with liveness and device signals.



NHI Mgmt Group analysis

Account takeover fraud is a human identity control failure before it is a fraud event. The attack works when password reuse, weak recovery and manual verification create a path of least resistance for the attacker. That is why IAM and fraud teams need to treat customer identity proofing and authentication as one joined control surface, not separate problems. Practitioners should align login, recovery and transaction authorisation under one risk model.

Manual verification becomes a liability once attackers learn the approval rules. Fraudsters do not need to defeat every control if they can predict which customer support steps still rely on knowledge-based checks or visual review. This is a governance issue as much as a detection issue, because the control assumption is that a human reviewer can reliably spot deceit at scale. Practitioners should re-evaluate every human-mediated exception path.

Biometric consent only helps when it is tied to the right transaction boundary. If biometric approval is used as a general access substitute, it becomes another checkbox. If it is scoped to high-risk actions, it can reduce account takeover impact by forcing a fresh identity event at the moment of value transfer. The practitioner implication is to map biometric use to transaction risk, not to blanket convenience goals.

Identity-proofing and AML/KYC workflows are converging under the same attack pressure. Account takeover fraud increasingly exploits the gap between onboarding trust and post-onboarding access. That means customer identity governance cannot stop at initial verification. Practitioners should design continuous risk signals across onboarding, session use and payout authorisation.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Our research also shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility.
  • For a broader control baseline, see The 52 NHI breaches Report for recurring access patterns and failure modes that help teams prioritise remediation.

What this signals

Customer identity programmes are drifting toward continuous verification, but fraud teams still lose time when recovery and exception paths stay manual. The practical risk is not just login compromise. It is the entire chain from password reset to payout authorisation, where attackers look for the easiest human-approved bypass.

Identity trust debt: this is the accumulated exposure created when reused credentials, support desk overrides and weak step-up checks remain in place after a fraud programme scales. The debt shows up as repeated exceptions, inconsistent controls and higher investigation cost, which means teams should inventory where trust is still implied rather than re-verified.


For practitioners

  • Harden customer recovery flows Remove weak knowledge-based recovery questions, add device and channel risk checks, and require stronger step-up verification before any password reset or account detail change.
  • Deploy bot-resistant login controls Use breach-password screening, rate limiting, behavioural signals and CAPTCHA alternatives where credential stuffing is most likely to hit high-value customer accounts.
  • Tie biometric checks to high-risk transactions Apply liveness detection and biometric consent only when the action creates financial exposure, such as payments, profile changes or beneficiary updates.
  • Audit manual review exceptions Map every human approval path that can override automated fraud checks and test it against social engineering, fake documents and support desk pretexting.

Key takeaways

  • Account takeover fraud succeeds when human identity controls trust the wrong signals, not when attackers are especially sophisticated.
  • The scale is material, with nearly $13 billion in losses in 2023 and attack growth reported at 354% year over year.
  • Teams should focus on recovery, support verification and high-risk transaction controls, because those are the places where account takeover usually becomes monetisable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BPasswords, recovery and step-up authentication are central to ATO risk.
NIST CSF 2.0PR.AC-1Identity proofing and access control are the core governance issues in ATO.
NIST SP 800-53 Rev 5IA-5Authenticator management is relevant to password reuse and credential abuse.
GDPRArt.32Identity verification and customer data handling raise security obligations.

Apply SP 800-63B guidance to strengthen authentication and recovery paths against takeover abuse.


Key terms

  • Account Takeover Fraud: Account takeover fraud is the unauthorized control of a customer account for financial gain, data access or downstream abuse. It typically combines stolen credentials, social engineering and weak recovery processes, then uses legitimate-looking access to avoid detection and monetise the account.
  • Credential Stuffing: Credential stuffing is an automated attack that tests stolen username and password pairs against many accounts. It works because people reuse passwords and because some services still lack robust rate limiting, bot detection and breach-password screening, turning one exposed credential set into broad access risk.
  • Liveness Detection: Liveness detection checks whether a biometric sample comes from a real, present person rather than a replayed image, video or synthetic spoof. In identity programmes, it raises assurance for onboarding and sensitive transactions, but it must be paired with device, session and fraud signals to remain effective.
  • Biometric Consent: Biometric consent is the use of a biometric signal to approve a specific high-risk action, such as a payment or profile change. It is strongest when the control is transaction-scoped, time-bound and supported by anti-spoofing and fraud analytics rather than used as a general access shortcut.

What's in the full article

Seamfix's full article covers the implementation detail this post intentionally leaves for the source:

  • Face Match and liveness detection workflow details for onboarding and authentication
  • Biometric consent patterns for high-value transactions in mobile and web applications
  • Automated KYC verification flow with AML, PEP and CFT compliance considerations
  • AWS deployment components used to scale identity verification services

👉 The full Seamfix article covers biometric verification, KYC automation and real-time analytics in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org