Why Account Takeovers Are So Hard To Stop
3/27/2025

Criminals don’t need your customers’ full credentials to start taking over their accounts. All it takes is one well-crafted phishing email or smishing text—and a momentary lapse in judgment. According to David Maimon, director of the Evidence-Based Cybersecurity Research Group at Georgia State University, “At this point, the banks can do nothing to prevent the fraudulent event from progressing. It’s all about the target’s awareness and vigilance.”
In a recent Risk Readiness webcast, Maimon explained how the account takeover ecosystem has exploded in sophistication. The barriers to entry are low, and the tools are disturbingly easy to access. On Telegram and other messaging platforms, cybercriminals can buy everything from spoofed login pages to malware bundles that include remote desktop access to a victim’s device. Some listings even come packaged with full bank account access and device fingerprints.
How They Get In
Fraudsters start by casting a wide net—sending fake texts and emails to millions of users, hoping a few will click. Once a victim enters credentials on a spoofed site, attackers can use that data to impersonate them convincingly. Remote desktop tools let them log in from the victim’s actual device, bypassing location-based security. Bots can even trick users into handing over one-time passcodes.
How They Exploit the Access
Once inside, attackers typically study transaction histories and balances before moving money. They will start sending “$20 here, $30 there,” Maimon noted—small transfers that are likely to go unnoticed. In higher-balance accounts, they may buy gift cards, pay utility bills, or even extract check images to create fake ones. And if they don’t drain the account themselves, they may just sell it—complete with device access.
What Banks Can Do
- Focus on customer awareness. The first step is educating users not to click links or give out information—especially via phone or text.
- Embrace behavioral biometrics. Some fraud prevention tools now track how users type, move their cursor, or interact with specific account features.
- Monitor for anomalies. Look for deviations in login behavior, transfer patterns, and communication preferences to catch takeovers early.
- Explore solutions beyond passwords. Voice ID, device fingerprinting, and biometric verification can help—but Maimon warns no solution is foolproof.
“Being aware of the fact that there are bad actors out there ... is the most important thing,” Maimon said. For banks, that means reinforcing security controls and customer education at every opportunity.
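
The "monitor for anomalies" advice, applied to the small-transfer pattern Maimon describes, can be sketched as a detection rule. This is an added example, not code from the webcast or from any bank's tooling; the thresholds, field names and sample transfers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for illustration, not figures from the article.
SMALL_AMOUNT = 50.00          # "small" transfer ceiling, in dollars
WINDOW = timedelta(hours=24)  # how close together the transfers must be
MIN_RUN = 3                   # small transfers to new payees before alerting

def flag_small_transfer_runs(history, recent):
    """Return {account: [transfers]} for runs of small transfers, inside
    WINDOW, to payees absent from the account's history. Device and location
    are deliberately ignored: a remote-desktop session on the victim's own
    machine matches both."""
    known = defaultdict(set)
    for t in history:
        known[t["account"]].add(t["payee"])

    candidates = defaultdict(list)
    for t in sorted(recent, key=lambda t: t["ts"]):
        if t["amount"] <= SMALL_AMOUNT and t["payee"] not in known[t["account"]]:
            candidates[t["account"]].append(t)

    alerts = {}
    for account, txs in candidates.items():
        start = 0
        for end in range(len(txs)):
            # Advance the left edge until the span fits inside WINDOW.
            while txs[end]["ts"] - txs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= MIN_RUN:
                alerts[account] = txs[start:end + 1]
                break
    return alerts

def _tx(account, day, hour, amount, payee):
    return {"account": account, "ts": datetime(2025, 3, day, hour),
            "amount": amount, "payee": payee}

# Constructed sample data: A-100 shows a takeover-style run, A-200 does not.
HISTORY = [_tx("A-100", 1, 9, 1200.0, "landlord"), _tx("A-100", 3, 9, 85.0, "utility"),
           _tx("A-200", 2, 9, 40.0, "gym")]
RECENT = [_tx("A-100", 20, 10, 20.0, "p2p-7731"), _tx("A-100", 20, 14, 30.0, "p2p-7731"),
          _tx("A-100", 21, 8, 25.0, "p2p-9042"), _tx("A-100", 21, 9, 85.0, "utility"),
          _tx("A-200", 20, 9, 40.0, "gym"), _tx("A-200", 21, 9, 15.0, "coffee-new"),
          _tx("A-200", 25, 9, 12.0, "coffee-new")]

if __name__ == "__main__":
    for account, run in flag_small_transfer_runs(HISTORY, RECENT).items():
        print(account, [(t["payee"], t["amount"]) for t in run])
```

An alert from a rule like this is a prompt to contact the customer or hold further transfers, since a legitimate user can also pay several new payees in one day.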