Account Takeover Attacks Are Evolving Faster Than Most Banks Realize


The account takeover playbook that most fraud detection programs were built to counter is roughly five years old. Credential stuffing against login endpoints, high-velocity attempts from recognizable IP ranges, failed authentication spikes, account modifications followed immediately by fund transfers. That playbook still works against some targets. But the operators running sophisticated ATO campaigns in 2025 have largely moved past it.

The detection gap isn't theoretical. Across our customer base, we're seeing ATO attack patterns that clear legacy detection controls at rates that suggest the controls were designed for a different era — which, in most cases, they were.

How credential stuffing died — and what replaced it

Classic credential stuffing is noisy. Automated login attempts at scale generate authentication failure spikes that are visible to any monitoring system with basic anomaly detection. IP blocking, rate limiting, and CAPTCHA deployment have made large-scale stuffing operations significantly less efficient against institutions with competent security operations.

What replaced it isn't better stuffing — it's a different approach to initial access entirely.

Pre-validated credential markets. Criminal markets now sell access to pre-validated accounts rather than raw credential lists. The stuffing happens elsewhere, before the credentials reach the buyer. By the time an account credential enters an ATO campaign targeting a specific bank, it's already been validated against a test authentication that may have occurred weeks or months earlier. The buyer knows the credential works; they just need to use it.

SIM swapping and SS7 attacks. Mobile carrier compromise allows attackers to intercept SMS-based authentication codes, defeating one-time password controls that many institutions rely on as a primary MFA layer. A SIM swap combined with a compromised credential is sufficient to take over most accounts protected by SMS OTP, regardless of how strong the original password was.

Adversary-in-the-middle phishing kits. Modern phishing kits proxy real-time traffic to the legitimate institution, capturing session tokens rather than just credentials. The victim authenticates normally — including completing legitimate MFA — while the kit captures the authenticated session and relays it to the attacker. This bypasses password and MFA controls entirely because the authentication is real; the session is just being stolen at the token level.

Insider-facilitated access. Lower-profile but significant: social engineering targeting bank employees and contractors, particularly those with administrative or customer service system access. These attacks don't touch authentication systems at all.

The low-and-slow account modification pattern

The second major shift in ATO methodology is timeline. The old pattern was fast: gain access, initiate transfer, exit. This is detectable because the behavioral deviation is acute — an account that has been static for months suddenly shows a large outbound transfer immediately after a login event.

Sophisticated operators in 2025 are running longer timelines. After initial access, they observe account behavior for days or weeks without making changes. They identify the customer's normal transaction pattern, payment method set, typical transfer destinations, and device footprint. Then they make changes gradually — a new device added to the profile, a small payment to a new payee, a modest transfer amount — all falling within the customer's apparent behavioral envelope. The fund extraction event, when it comes, is spread across multiple transactions over multiple sessions, none of which individually triggers velocity or amount thresholds.

Detecting this requires behavioral baseline analysis over time, not just transaction-by-transaction scoring. A model that scores each event in isolation misses the pattern because no individual event is anomalous — only the cumulative sequence is.

The authentication bypass gap

Most banking security architectures assume that a successfully authenticated session is a legitimate one. Authentication controls are designed to verify identity; fraud controls are designed to detect anomalous transactions. The gap between these two assumptions is exactly where advanced ATO operates.

When authentication is compromised through session hijacking or SIM swap, the fraud system sees what looks like a legitimate session. The authentication logs show successful MFA completion. The session token is valid. The IP address may even match a typical geography for the customer, if the attacker is using proxy infrastructure. The only signals that something is wrong are behavioral — and those signals are only visible to a system that has been building behavioral baselines across sessions over time.

We've seen cases where account modification activity consistent with pre-fraud staging went undetected for 11 days before the fraud event occurred. The staging period included two login sessions with no suspicious actions, a minor profile update (email address change), and a small test transfer to a new payee. None of those individual events triggered controls. The test transfer was actually reviewed by a human analyst and cleared — it was within the customer's normal transfer range and the new payee had a legitimate profile. The subsequent large extraction, executed six days later, was the first event that registered as anomalous at the transaction level. By then, the account modification that enabled it had been in place for over a week.
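The following is an added example, not code from the article or from any vendor's product, showing the difference between scoring each event in isolation and scoring the ordered sequence of staging steps over a rolling window. The event stream is constructed to resemble the case above (contact-detail change, new payee, small test transfer, larger extraction days later); the account ids, amounts, dates, step weights and the threshold of 7 are all assumptions chosen for illustration.

```python
"""Cumulative staging-sequence scoring for low-and-slow account takeover.

Added example, not the article's or any vendor's code. The event stream is
constructed to resemble the staging case described (contact-detail change,
new payee, small test transfer, larger extraction days later); account ids,
amounts, dates and weights are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Staging steps in the order an attacker typically performs them. Subsequence
# matching below tolerates skipped steps but not reordered ones.
STAGING_STEPS = ["password_reset", "email_change", "device_added", "payee_added", "transfer"]
STEP_WEIGHT = {"password_reset": 2, "email_change": 2, "device_added": 2, "payee_added": 3, "transfer": 1}
STAGING_THRESHOLD = 7  # assumption: profile change(s) + new payee + transfer to it


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str             # login | password_reset | email_change | device_added | payee_added | transfer
    amount: float = 0.0   # transfers only
    payee: str = ""       # payee_added and transfer only


def per_event_score(ev: Event, max_normal_amount: float) -> float:
    """Transaction-by-transaction scoring: flags only an amount above the account's norm."""
    return 1.0 if ev.kind == "transfer" and ev.amount > max_normal_amount else 0.0


def staging_score(events: List[Event], window: timedelta = timedelta(days=21)) -> Tuple[int, List[str]]:
    """Score the ordered subsequence of staging steps inside a rolling window."""
    events = sorted(events, key=lambda e: e.ts)
    if not events:
        return 0, []
    recent = [e for e in events if e.ts >= events[-1].ts - window]
    new_payees = set()
    matched: List[str] = []
    next_idx = 0
    score = 0
    for ev in recent:
        if ev.kind == "payee_added":
            new_payees.add(ev.payee)
        # A transfer is a staging step only if it goes to a payee added in-window.
        if ev.kind == "transfer" and ev.payee not in new_payees:
            continue
        for j in range(next_idx, len(STAGING_STEPS)):
            if STAGING_STEPS[j] == ev.kind:
                matched.append(ev.kind)
                score += STEP_WEIGHT[ev.kind]
                next_idx = j  # the same step may repeat; earlier steps no longer count
                break
    return score, matched


def assess(events: List[Event], max_normal_amount: float) -> dict:
    """Compare isolated per-event scoring with cumulative sequence scoring."""
    isolated = max((per_event_score(e, max_normal_amount) for e in events), default=0.0)
    score, matched = staging_score(events)
    return {"isolated_max": isolated, "staging_score": score, "matched": matched,
            "flagged": score >= STAGING_THRESHOLD}


D0 = datetime(2025, 3, 1, 9, 0)


def day(n: int, hour: int = 9) -> datetime:
    return D0 + timedelta(days=n, hours=hour - 9)


# Constructed: an account whose transfer history tops out at 2,000 per transfer.
STAGED = [
    Event("acct-1", day(0), "login"),
    Event("acct-1", day(3), "login"),
    Event("acct-1", day(4), "email_change"),
    Event("acct-1", day(6), "device_added"),
    Event("acct-1", day(8), "payee_added", payee="P-NEW"),
    Event("acct-1", day(8, 10), "transfer", amount=50.0, payee="P-NEW"),   # small test transfer
    Event("acct-1", day(14), "transfer", amount=1900.0, payee="P-NEW"),    # extraction, still under 2,000
]

# Constructed: a customer adding a payee and paying them, with no profile changes.
BENIGN = [
    Event("acct-2", day(1), "login"),
    Event("acct-2", day(1, 10), "transfer", amount=300.0, payee="P-OLD"),
    Event("acct-2", day(5), "payee_added", payee="P-NEW2"),
    Event("acct-2", day(5, 10), "transfer", amount=200.0, payee="P-NEW2"),
]

if __name__ == "__main__":
    print(assess(STAGED, 2000.0))
    print(assess(BENIGN, 2000.0))
```

Isolated scoring returns 0 for every event in the staged stream because the extraction stays under the account's historical maximum; the sequence scorer reaches 9 and flags it, while the benign stream (new payee plus a payment, nothing else) scores 4. In production the steps, weights and window would be tuned per institution, and the output would feed a review queue rather than block on its own.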

What effective ATO detection requires

Defending against contemporary ATO requires several capabilities that many institutions don't have in their current architecture:

Cross-session behavioral baselines. A model that understands what normal looks like for each account across dozens of sessions — not just the current one. Device patterns, time-of-day login distribution, geographic range, typical transaction recipients, authentication method used, session duration, and action sequencing within sessions.

Account modification sequencing analysis. Detection logic that flags sequences of account changes even when individual changes are within normal parameters. A password reset followed by email update followed by new device registration followed by new payee addition is a staging pattern, regardless of whether each step individually looks reasonable.

Session integrity scoring. Beyond authentication, assessment of whether the session behavior matches the expected behavioral profile for the authenticated account. Legitimate users have consistent navigation and interaction patterns; attackers using compromised accounts don't know those patterns and produce distinctive behavioral signatures.

Cross-account correlation. ATO operations targeting a single institution often use similar staging patterns and similar destination account sets across multiple victim accounts. Detecting the pattern in aggregate, across accounts, surfaces the campaign before individual account-level detection triggers.
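As an added example that is not the article's or any vendor's code, the block below sketches two of the capabilities above: a per-account baseline built from many past sessions (device set, country set, hour-of-day distribution, transfer amounts) against which a new session is scored, and a cross-account correlation that surfaces a destination payee appearing on several otherwise unrelated accounts within a short window. The account ids, device fingerprints, countries, payee names, score weights and the three-account threshold are constructed assumptions.

```python
"""Cross-session baselines and cross-account correlation for ATO detection.

Added example, not the article's or any vendor's code. Account ids, device
fingerprints, countries, payee names and weights are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Session:
    account: str
    start: datetime
    device: str
    country: str
    payees_added: List[str] = field(default_factory=list)
    max_transfer: float = 0.0


@dataclass
class Baseline:
    """What 'normal' looks like for one account across many sessions."""
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    transfers: List[float] = field(default_factory=list)
    n: int = 0


def build_baselines(history: List[Session]) -> Dict[str, Baseline]:
    bases: Dict[str, Baseline] = defaultdict(Baseline)
    for s in history:
        b = bases[s.account]
        b.devices[s.device] += 1
        b.countries[s.country] += 1
        b.hours[s.start.hour] += 1
        if s.max_transfer:
            b.transfers.append(s.max_transfer)
        b.n += 1
    return bases


def session_deviation(s: Session, b: Baseline) -> Tuple[int, List[str]]:
    """Score one session against its account's baseline rather than in isolation."""
    if b.n == 0:
        return 0, ["no baseline"]
    score, reasons = 0, []
    if s.device not in b.devices:
        score += 2
        reasons.append("new device")
    if s.country not in b.countries:
        score += 2
        reasons.append("new country")
    # Hour-of-day: share of past sessions within two hours (wrapping at midnight).
    hour = s.start.hour
    near = sum(c for h, c in b.hours.items() if min(abs(h - hour), 24 - abs(h - hour)) <= 2)
    if near / b.n < 0.1:
        score += 1
        reasons.append("unusual hour")
    if s.payees_added:
        score += 1
        reasons.append("new payee")
    if b.transfers and s.max_transfer > 2 * max(b.transfers):
        score += 2
        reasons.append("amount above history")
    return score, reasons


def correlate_payees(sessions: List[Session], window: timedelta = timedelta(days=14),
                     min_accounts: int = 3) -> Dict[str, Set[str]]:
    """Payees added by at least min_accounts distinct accounts inside one window."""
    adds: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for s in sessions:
        for p in s.payees_added:
            adds[p].append((s.start, s.account))
    flagged: Dict[str, Set[str]] = {}
    for payee, pairs in adds.items():
        pairs.sort()
        lo = 0
        for hi in range(len(pairs)):
            while pairs[hi][0] - pairs[lo][0] > window:
                lo += 1
            accounts = {a for _, a in pairs[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                flagged[payee] = accounts
    return flagged


D0 = datetime(2025, 3, 1)


def at(day: int, hour: int) -> datetime:
    return D0 + timedelta(days=day, hours=hour)


# Constructed history: three customers, each on their own device, UK, morning logins.
HISTORY = [Session(a, at(d, 9), f"dev-{a}", "GB", max_transfer=250.0)
           for a in ("A", "B", "C") for d in range(10)]

# Constructed recent sessions: the same payee appears on three accounts within a week.
RECENT = [
    Session("A", at(12, 3), "dev-X", "GB", ["MULE-1"], 400.0),
    Session("B", at(13, 10), "dev-B", "GB", ["MULE-1", "UTILITY-CO"], 260.0),
    Session("C", at(15, 2), "dev-Y", "DE", ["MULE-1"], 300.0),
    Session("A", at(20, 9), "dev-A", "GB", ["UTILITY-CO"], 220.0),
]

if __name__ == "__main__":
    bases = build_baselines(HISTORY)
    for s in RECENT:
        print(s.account, s.start, session_deviation(s, bases[s.account]))
    print(correlate_payees(RECENT))
```

Account B's session scores only 1 (a new payee from its usual device at its usual hour) and would pass an account-level review, yet the correlation step ties its new payee to the same destination on accounts A and C and surfaces the campaign as a whole. The per-account baseline is deliberately simple; a real deployment would add navigation and action-sequence features for session integrity scoring and tune the window and thresholds per institution.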

Banks that have upgraded their ATO detection in the past 18 months are seeing meaningfully better outcomes. The institutions still operating on pre-2022 authentication-focused models are carrying exposure that their controls aren't currently designed to detect.

See cross-session ATO detection in action

Detectiv's behavioral analysis builds account baselines that detect staging behavior days before fraud events occur.
