TL;DR: Account takeover fraud drove nearly $13 billion in losses in 2023 and is rising 354% year over year, with credential stuffing, phishing and weak manual verification helping attackers bypass customer controls, according to Seamfix. The identity problem is not just stronger authentication, but reducing trust in reused credentials, social engineering and brittle recovery flows.
NHIMG editorial — based on content published by Seamfix: Account takeover fraud prevention and identity verification controls
By the numbers:
- Account takeover fraud caused nearly $13 billion in losses in 2023.
- Attacks rose by 354% year over year.
- 78% of customers reuse the same password across, cross different services.
Questions worth separating out
Q: How should security teams reduce account takeover risk in customer identity flows?
A: Focus on the full identity journey, not just login.
Q: Why do reused passwords make account takeover fraud so effective?
A: Reused passwords turn one leaked credential set into access across many services.
Q: What do organisations get wrong about biometric verification for fraud prevention?
A: They often treat biometrics as a blanket replacement for other controls.
Practitioner guidance
- Harden customer recovery flows Remove weak knowledge-based recovery questions, add device and channel risk checks, and require stronger step-up verification before any password reset or account detail change.
- Deploy bot-resistant login controls Use breach-password screening, rate limiting, behavioural signals and CAPTCHA alternatives where credential stuffing is most likely to hit high-value customer accounts.
- Tie biometric checks to high-risk transactions Apply liveness detection and biometric consent only when the action creates financial exposure, such as payments, profile changes or beneficiary updates.
What's in the full article
Seamfix's full article covers the implementation detail this post intentionally leaves for the source:
- Face Match and liveness detection workflow details for onboarding and authentication
- Biometric consent patterns for high-value transactions in mobile and web applications
- Automated KYC verification flow with AML, PEP and CFT compliance considerations
- AWS deployment components used to scale identity verification services
👉 Read Seamfix's analysis of account takeover fraud and identity verification controls →
Account takeover fraud: what IAM teams are missing now?
Explore further
Account takeover fraud is a human identity control failure before it is a fraud event. The attack works when password reuse, weak recovery and manual verification create a path of least resistance for the attacker. That is why IAM and fraud teams need to treat customer identity proofing and authentication as one joined control surface, not separate problems. Practitioners should align login, recovery and transaction authorisation under one risk model.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Our research also shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility.
A question worth separating out:
Q: Who is accountable when account takeover fraud succeeds despite identity checks?
A: Accountability usually spans IAM, fraud operations, support and customer experience teams because the failure often sits in a chain of weak controls. If login, recovery, support verification and transaction approval are owned separately, no single team sees the full attack path. Governance needs one owner for customer identity risk across the lifecycle.
👉 Read our full editorial: Account takeover fraud is exposing identity control gaps at scale