TL;DR: ATO attacks are shifting from password stuffing toward intercepting recovery links, step-up checks, and verification flows, while Veriff reports a 300-fold increase in fully AI-generated or altered media and 26 billion exposed credentials. The governance problem is no longer just login hardening, but controlling the account moments attackers can weaponise after entry.
NHIMG editorial — based on content published by Veriff: Chapter 2, Account Takeover Prevention in the Customer Identity Verification guide
By the numbers:
- In Veriff's 2026 Fraud Identity Report, the company documented a 300-fold increase in media that was fully AI-generated or otherwise altered.
- The FBI's IC3 received approximately 4,700 consumer ATO complaints in 2025, with losses reaching US$359.7 million.
Questions worth separating out
Q: What breaks when account recovery is easier to abuse than login itself?
A: When recovery is weaker than login, attackers bypass the strongest controls by targeting the account lifecycle instead of the password.
Q: Why do AI-assisted phishing and synthetic media make ATO harder to stop?
A: AI-assisted phishing improves the quality and scale of deception, which makes it easier to intercept credentials, tokens, and verification steps in real time.
Q: How do security teams know whether ATO controls are actually working?
A: Effective ATO controls reduce successful abuse across recovery, step-up, and session channels, not only failed logins.
Practitioner guidance
- Treat recovery flows as privileged access paths: map password reset, magic-link, and step-up verification journeys as high-risk access paths with the same scrutiny used for admin workflows.
- Correlate device, network, and behaviour signals: use cross-signal detection to identify campaigns, not just single events.
- Bind verification to the active context: require context continuity for sensitive actions by checking device reputation, recent session history, and step-up origin before approving recovery or transaction authorisation.
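One way to implement the third point, as an added example that is not code from Veriff's guide or this editorial: a recovery link is issued against a keyed digest of the requesting device identifier, network prefix and user agent, stored hashed and single-use, and a redemption from a different context is routed to step-up verification instead of being approved. The field names, TTL and binding key are assumptions.

```python
"""Context-bound recovery links (added example, not Veriff's or NHIMG's code).
A reset / magic-link token may be redeemed once, before expiry, from a
context matching the one it was issued to; a mismatch triggers step-up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed key and TTL; in production the key comes from a managed secret.
CONTEXT_KEY = b"constructed-context-binding-key"
TTL_SECONDS = 15 * 60


@dataclass(frozen=True)
class Context:
    device_id: str   # cookie-bound device identifier (assumed field name)
    net_prefix: str  # client network prefix, e.g. "203.0.113.0/24"
    user_agent: str


def context_tag(ctx: Context) -> str:
    """Keyed digest of the context, so raw device data is not stored with the token."""
    material = "|".join([ctx.device_id, ctx.net_prefix, ctx.user_agent]).encode()
    return hmac.new(CONTEXT_KEY, material, hashlib.sha256).hexdigest()


@dataclass
class RecoveryLinks:
    _issued: dict = field(default_factory=dict)  # sha256(token) -> record

    def issue(self, account: str, ctx: Context, now: float) -> str:
        token = secrets.token_urlsafe(32)
        # Only the token's hash is stored: a leaked table does not yield usable links.
        self._issued[hashlib.sha256(token.encode()).hexdigest()] = {
            "account": account, "tag": context_tag(ctx),
            "expires": now + TTL_SECONDS, "used": False}
        return token

    def redeem(self, token: str, ctx: Context, now: float) -> str:
        """Return 'allow', 'step_up' or 'deny' for a redemption attempt."""
        rec = self._issued.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["used"] or now > rec["expires"]:
            return "deny"            # unknown, replayed or expired link
        rec["used"] = True           # single use; consumed even on context mismatch
        if not hmac.compare_digest(rec["tag"], context_tag(ctx)):
            return "step_up"         # opened from a different device or network
        return "allow"
```

A "step_up" result should feed the same risk signals as a failed login, since a link redeemed from an unexpected context is a candidate interception event rather than a UX hiccup.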
What's in the full article
Veriff's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step detection patterns for credential stuffing, session hijacking, SIM swap, and magic-link interception
- Operational examples of device, network, and behavioural signals used to identify campaign-level abuse
- Practical guidance on verification design, including liveness, risk-based authentication, and anti-spoofing checks
- Response workflow detail for containment, account closure, and post-incident review after ATO events
👉 Read Veriff's chapter on detecting and stopping account takeover attacks →
ATO verification-step abuse: what IAM and fraud teams need now
Explore further
Verification-step abuse is the new account takeover failure mode. The article shows that stronger login controls do not eliminate ATO when attackers can seize the moment after authentication. That shifts the problem from password compromise to the governance of recovery, magic links, and step-up checks. Practitioners should treat verification-stage controls as first-class identity controls, not secondary UX flows.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why hidden identity paths keep undermining controls.
A question worth separating out:
Q: Who is accountable when a compromised verification flow leads to fraud?
A: Accountability usually spans IAM, fraud, customer operations, and application owners because verification flows cut across multiple control domains. The key governance question is who owns the risk when the platform trusts a recovered or stepped-up session that was later abused. That ownership must be explicit before incidents occur.
👉 Read our full editorial: ATO account takeover is shifting to verification-step abuse