TL;DR: Account takeover attacks now hide inside normal-looking behaviour, with fraudsters changing device, IP, address, and transaction patterns after phishing or social engineering to defeat verification controls, according to Sumsub’s podcast discussion with Monavate. Traditional controls increasingly fail because the account itself remains trusted even when the user is not.
NHIMG editorial — based on content published by Sumsub: Account Takeover: When Trust Gets Hijacked | "What The Fraud?" Podcast
Questions worth separating out
Q: What breaks when account takeover controls focus only on login security?
A: Controls break after authentication, when a fraudster inherits an already trusted account and starts changing device, IP, contact details, and transaction patterns.
Q: Why do dormant accounts create extra account takeover risk?
A: Dormant accounts often regain trust when they wake up, even though the context around them may have changed.
Q: What do security and fraud teams get wrong about behavioural change?
A: They often treat small changes as isolated events instead of a chain that signals takeover.
Practitioner guidance
- Correlate identity drift with transaction risk: Link changes in device ID, IP address, email, delivery address, and merchant behaviour to a shared investigation queue so analysts can see takeover patterns as one event, not separate low-signal alerts.
- Re-verify dormant and reactivated accounts: Treat accounts that have been inactive for months and then suddenly become active as higher-risk sessions, especially before balance transfers, payout changes, or new payee setup.
- Join fraud and identity telemetry: Feed social engineering indicators, suspicious email domains, phone changes, and unusual login context into the same monitoring model so account recovery, step-up checks, and behavioural scoring inform each other.
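One way to turn the first two guidance points into detection logic, as an added example that is not code from Sumsub, Monavate, or this editorial: it groups per-account attribute changes and dormancy into a single step-up case when a high-risk action follows. The event schema, the `correlate` and `ev` names, and the 90-day, 24-hour, and two-attribute thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

DRIFT_FIELDS = ("device_id", "ip", "email", "delivery_address")
HIGH_RISK = {"balance_transfer", "payout_change", "new_payee"}
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
DRIFT_WINDOW = timedelta(hours=24)  # assumed correlation window
MIN_DRIFT = 2                       # assumed: changed attributes needed to escalate

def correlate(events):
    """Return one case per high-risk action that follows identity drift or reactivation."""
    state, cases = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        acct = state.setdefault(e["account"], {"seen": None, "attrs": {}, "drift": [], "woke": None})
        ts = e["ts"]
        if acct["seen"] and ts - acct["seen"] > DORMANT_AFTER:
            acct["woke"] = ts  # account became active again after a long gap
        acct["seen"] = ts
        for field in DRIFT_FIELDS:
            if field in e:
                old = acct["attrs"].get(field)
                if old is not None and old != e[field]:
                    acct["drift"].append((ts, field))  # record each change, do not alert yet
                acct["attrs"][field] = e[field]
        if e["action"] in HIGH_RISK:
            recent = sorted({f for t, f in acct["drift"] if ts - t <= DRIFT_WINDOW})
            woke = acct["woke"] is not None and ts - acct["woke"] <= DRIFT_WINDOW
            if len(recent) >= MIN_DRIFT or woke:
                cases.append({"account": e["account"], "action": e["action"],
                              "drift": recent, "reactivated": woke, "decision": "step_up"})
    return cases

def ev(account, ts, action, **attrs):
    """Build one event dict (hypothetical schema)."""
    return {"account": account, "ts": datetime.fromisoformat(ts), "action": action, **attrs}

# Constructed sample events (not real data): A is dormant, then drifts; B changes IP only.
SAMPLE = [
    ev("A", "2024-01-10T08:00", "login", device_id="d1", ip="198.51.100.7", email="a@example.com"),
    ev("A", "2024-06-01T09:00", "login", device_id="d2", ip="203.0.113.9"),
    ev("A", "2024-06-01T09:05", "profile_update", email="a@example.net"),
    ev("A", "2024-06-01T09:20", "new_payee"),
    ev("B", "2024-05-30T12:00", "login", device_id="d9", ip="192.0.2.4"),
    ev("B", "2024-06-01T10:00", "login", device_id="d9", ip="192.0.2.80"),
    ev("B", "2024-06-01T10:05", "balance_transfer"),
]

if __name__ == "__main__":
    for case in correlate(SAMPLE):
        print(case)
```

Account B's single IP change stays below the escalation threshold, so only account A reaches the investigation queue, as one case carrying all three changed attributes.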
What's in the full article
Sumsub's full podcast discussion covers the operational detail this post intentionally leaves for the source:
- Direct discussion of how Monavate’s second-line financial crime controls are applied in practice across onboarding and monitoring
- Examples of the behaviour changes that prompted suspicion, including device, IP, address, email, and spending pattern drift
- The panel’s detailed view on how fraud teams analyse common factors across cases to prevent repeat abuse
- The closing discussion on customer education, phishing resistance, and why people still give away trust under pressure
Explore further
Account takeover is no longer just credential abuse. It is trust hijacking after authentication. The critical control failure is not the login screen, but the assumption that a verified account remains trustworthy throughout the session, relationship, and transaction lifecycle. Once fraudsters can change device, IP, contact details, and spending patterns without triggering escalation, the identity programme has lost sight of the real trust boundary. Practitioners need to recognise that post-authentication trust now sits at the centre of fraud governance.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when account takeover succeeds despite verification controls?
A: Accountability sits across identity, fraud, and operations, because takeover usually exploits a gap between onboarding, monitoring, and transaction decisioning. If a business relies on one team to verify the customer and another to catch abuse later, the attacker can move through the handoff. Governance should assign ownership across the full account lifecycle.