TL;DR: Bot-driven account takeover attempts against consumer financial accounts rose 202% in Q2 2023, while 29% of Americans have experienced account takeover, according to Arkose Labs. The pattern shows that MFA, phishing awareness, and transaction monitoring reduce risk but do not stop coordinated MITM and credential abuse at scale.
At a glance
What this is: This is an analysis of how account takeover attacks against financial services are being scaled by bots, phishing-as-a-service, and credential abuse.
Why it matters: It matters because banks and similar institutions need controls that address human identity, customer fraud, and the automated abuse patterns that can overwhelm conventional authentication and monitoring.
By the numbers:
- A single campaign hit 340 companies, including banks, across 48 languages last year.
- Bot attempts to take over consumer financial accounts increased 202% in Q2 2023.
- 29% of Americans have experienced account takeover, up from 22% in 2021.
👉 Read Arkose Labs' analysis of bank account takeover attacks and bot-driven fraud
Context
Account takeover is a human identity and fraud problem, but it is increasingly shaped by automation, phishing infrastructure, and scaled credential abuse. In banking, the issue is not only whether a user can log in, but whether the login request itself is legitimate, whether the session has been hijacked, and whether the surrounding controls can distinguish normal customer behavior from coordinated attack traffic.
The article shows why legacy controls fail when attackers can combine phishing-as-a-service, reverse-proxy interception, credential stuffing, and bot orchestration. For IAM and fraud teams, that means account protection has to be treated as a layered identity programme spanning authentication, anomaly detection, transaction monitoring, and response.
Key questions
A: Use layered controls that combine phishing-resistant authentication, risk-based step-up checks, bot mitigation, and behavioral analytics. The goal is to challenge suspicious activity, not every user. Institutions also need post-login monitoring, because many ATO attacks succeed after the session is already authenticated.
Q: Why do MFA and passwords fail to stop many account takeover attacks?
A: MFA and passwords protect the front door, but reverse-proxy phishing, credential stuffing, and session relay can still produce valid access. Attackers increasingly target the session and the customer relationship, not just the login form. That is why banks need detection signals beyond static credentials.
Q: What signals show that account takeover may be in progress?
A: Watch for repeated failed logins, unfamiliar devices, unusual geography, rapid credential retries, locked-out users, changes to contact details, and transactions that do not match historical behavior. ATO rarely presents as one clean indicator. It usually appears as a cluster of weak signals that become meaningful when correlated.
Q: Who is accountable when a customer account is taken over despite controls?
A: Accountability usually spans identity, fraud, security operations, and application owners, because ATO crosses multiple control boundaries. Governance teams should define which group owns authentication risk, which owns transaction risk, and which owns customer remediation. Without clear ownership, response becomes fragmented and slow.
Technical breakdown
How phishing-as-a-service enables bank account takeover
Phishing-as-a-service kits lower the barrier to entry by packaging credential harvesting, reverse-proxy interception, and session relay into repeatable attack infrastructure. EvilProxy is a good example of this pattern because it helps attackers capture valid credentials and sometimes defeat MFA by relaying the live session in real time. The result is not simply stolen passwords, but authenticated access that looks legitimate from the bank's point of view. The technical problem is that the control boundary often sits at login, while the attack continues after authentication through a live session.
Practical implication: teams need controls that inspect session risk after login, not just password and MFA events.
Why bots change the economics of account takeover
Bots make ATO industrial by turning manual probing into high-volume, adaptive attack traffic. They can test stolen credentials, probe login forms, rotate IPs, and accelerate account enumeration far faster than human operators. That changes defender workload from isolated fraud cases to continuous adversarial pressure across the authentication stack. Behavioral analytics, device fingerprinting, and rate controls matter because they create friction at the moment attackers try to scale. Without those signals, security teams see only symptoms such as failed logins, account lockouts, or sudden geographic anomalies after the compromise is already underway.
Practical implication: anti-bot controls should be part of identity architecture, not treated as a separate fraud add-on.
Why transaction monitoring is an identity control
In banking, identity assurance does not end at sign-in. Once an attacker controls an account, the next stage is usually monetisation through transfers, beneficiary changes, address updates, or money mule activity. That is why transaction monitoring belongs in the identity control stack: it checks whether post-authentication behaviour still matches the verified user profile. This is especially important in consumer finance because many ATOs succeed without breaching the core banking system at all. The compromise sits in the account relationship, not in the application code.
Practical implication: banks should connect authentication signals to transaction rules and beneficiary-change alerts.
Threat narrative
Attacker objective: The attacker wants durable control of customer accounts that can be monetised through fraudulent transfers, account manipulation, and downstream laundering activity.
- Entry begins with phishing-as-a-service, reverse-proxy interception, or credential stuffing that captures valid consumer credentials or relays a live session.
- Escalation occurs when the attacker uses bots and automation to test access, bypass weak friction points, and move from login success to account control.
- Impact follows when the attacker changes account details, initiates unauthorized transfers, or uses the compromised account for laundering, mule activity, or other financial crime.
Breaches seen in the wild
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Account takeover is now an identity governance problem, not just a fraud problem. The article shows that attackers are abusing credentials, sessions, and customer trust at scale, which places ATO squarely in the intersection of IAM, fraud operations, and account lifecycle controls. When login integrity and transaction integrity are disconnected, defenders lose the ability to see the full attack path. Practitioners should treat ATO as a governance issue spanning authentication, session control, and post-authentication monitoring.
Session trust is the named concept that now matters most. The real failure mode is not only credential theft, but the assumption that successful authentication still means a trustworthy session. Reverse-proxy phishing and bot-assisted replay break that assumption by preserving enough of the original flow to appear legitimate. The implication is that banks need to understand where session trust ends and transaction trust begins, because that boundary is now attackable.
Behavioural signals are becoming more valuable than static credentials. Passwords and MFA still matter, but the article makes clear that they are insufficient against infrastructure designed to mimic normal usage and scale attack attempts. Device patterns, login cadence, geography, and transaction anomalies are now part of the identity decision model. Security teams should view those signals as core identity evidence, not auxiliary fraud telemetry.
Customer account protection must be integrated across IAM and fraud response. The article's checklist points to a layered model that includes MFA, phishing protection, bot detection, monitoring, incident response, and secure development practices. Those controls only become effective when they are correlated. Practitioners should re-evaluate whether their IAM and fraud teams share the same risk picture, because attackers already operate across both domains.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a broader governance lens, see Ultimate Guide to NHIs for lifecycle controls that reduce blind spots across identity types.
What this signals
The governance lesson for banks is that account protection has to become identity decisioning, not just authentication hardening. When attackers can scale with bots and phishing infrastructure, the most useful control signals are those that connect login behaviour, device trust, and downstream account changes in one operating model.
Session trust debt: when a bank treats authentication as the end of the security decision, it accumulates invisible exposure in the session layer. That is where attack traffic increasingly lives, and where identity teams need better telemetry, correlation, and response paths.
For teams aligning to zero trust, the practical shift is to treat customer accounts as continuously evaluated relationships. That means combining fraud analytics, IAM telemetry, and transaction monitoring so that a trusted session can still be challenged when behaviour changes.
For practitioners
- Harden login flows against reverse-proxy phishing: Add phishing-resistant authentication where possible, and pair it with session validation that can detect relay-style attacks after the initial login succeeds.
- Deploy bot controls at the authentication edge: Use rate limiting, challenge orchestration, device fingerprinting, and anomaly scoring to interrupt credential stuffing and mass probing before accounts are reached.
- Correlate account events with transaction risk: Trigger step-up review for unusual beneficiary changes, large transfers, or address and phone edits when those events follow suspicious login activity.
- Test incident response for customer ATO scenarios: Run tabletop exercises that cover account lockout, credential reset, fraud containment, and customer notification across IAM and fraud operations.
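The correlation described in "What signals show that account takeover may be in progress?" and in the practitioner item on linking account events to transaction risk, as an added worked example that is not code from the Arkose Labs article or from NHIMG: it scores the weak signals around a successful login (unfamiliar device, unusual geography, rapid credential retries) and requests step-up review for beneficiary or contact-detail changes only when those signals cluster and the change follows the risky login closely. The customer profile, thresholds, time windows and event stream are all assumed and constructed for illustration.

```python
from datetime import datetime, timedelta

PROFILE = {"devices": {"dev-home"}, "countries": {"US"}}  # constructed known-good profile
SENSITIVE = {"contact_change", "beneficiary_change", "transfer"}
RETRY_WINDOW = timedelta(minutes=2)    # rapid credential retries before a success
FOLLOW_WINDOW = timedelta(minutes=30)  # sensitive change soon after a risky login
RISK_THRESHOLD = 2                     # one weak signal alone is not enough

def ev(ts, kind, device, country):
    return {"ts": datetime.fromisoformat(ts), "type": kind, "device": device, "country": country}

ATTACK = [  # constructed sample: retries from a new device abroad, then account changes
    ev("2023-06-01T09:00:00", "login_failed", "dev-new-1", "BR"),
    ev("2023-06-01T09:00:05", "login_failed", "dev-new-1", "BR"),
    ev("2023-06-01T09:00:09", "login_failed", "dev-new-1", "BR"),
    ev("2023-06-01T09:00:12", "login_ok", "dev-new-1", "BR"),
    ev("2023-06-01T09:03:00", "contact_change", "dev-new-1", "BR"),
    ev("2023-06-01T09:10:00", "beneficiary_change", "dev-new-1", "BR"),
]
BENIGN = [  # constructed sample: known device and country, no retries, no step-up
    ev("2023-06-01T12:00:00", "login_ok", "dev-home", "US"),
    ev("2023-06-01T12:05:00", "beneficiary_change", "dev-home", "US"),
]

def login_signals(events, idx, profile):
    """Weak signals around the successful login at events[idx]."""
    login, signals = events[idx], []
    if login["device"] not in profile["devices"]:
        signals.append("unknown_device")
    if login["country"] not in profile["countries"]:
        signals.append("unusual_geo")
    retries = [e for e in events[:idx]
               if e["type"] == "login_failed" and login["ts"] - e["ts"] <= RETRY_WINDOW]
    if len(retries) >= 3:
        signals.append("rapid_retries")
    return signals

def evaluate(events, profile=PROFILE):
    """Return (event_type, decision, signals) for each sensitive post-login event."""
    events = sorted(events, key=lambda e: e["ts"])
    risky_login, decisions = None, []  # risky_login = (time, signals) or None
    for i, e in enumerate(events):
        if e["type"] == "login_ok":
            signals = login_signals(events, i, profile)
            risky_login = (e["ts"], signals) if len(signals) >= RISK_THRESHOLD else None
        elif e["type"] in SENSITIVE:
            recent = bool(risky_login) and e["ts"] - risky_login[0] <= FOLLOW_WINDOW
            decisions.append((e["type"], "step_up" if recent else "allow",
                              risky_login[1] if recent else []))
    return decisions
```

A single signal (for example an unfamiliar device alone) stays below the threshold, so the legitimate customer on a new phone is not challenged, while the clustered pattern is.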
Key takeaways
- Account takeover is increasingly industrialised, with bots and phishing infrastructure making traditional login defenses insufficient on their own.
- The strongest warning signs come from correlated behaviour, including session anomalies, account-detail changes, and suspicious transaction patterns.
- Banks need identity and fraud teams to share one control model so that authentication, session risk, and payment risk are governed together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63 | Phishing-resistant authentication is central to reducing consumer account takeover risk. |
| NIST CSF 2.0 | PR.AA-05 | Identity proofing and authentication controls help limit account abuse. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification fits the need to reassess sessions after login succeeds. |
Align ATO controls to PR.AA-05 and validate that authentication decisions reflect current risk.
Key terms
- Account Takeover: Account takeover is the unauthorised control of a user account by an attacker who can then act as if they were the legitimate holder. In financial services, the compromise often turns into fraudulent transfers, profile changes, or monetisation through laundering and mule activity.
- Reverse-Proxy Phishing: Reverse-proxy phishing is a technique that places an attacker-controlled proxy between the user and the real service so credentials and session tokens can be captured in real time. It can preserve the appearance of a normal login while allowing the attacker to reuse the authenticated session.
- Behavioral Analytics: Behavioral analytics uses patterns such as device, location, login cadence, and transaction habits to identify activity that does not match a normal user profile. In identity security, it helps distinguish legitimate access from account abuse when credentials alone are no longer reliable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: bank account takeover attacks, bot-driven fraud, and prevention tactics. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org