It’s 11:45 PM on Thursday night. You’re sleeping, and your phone is charging on the nightstand.
But right now, someone is logging into your payroll system and changing direct deposit instructions. In 15 minutes, Friday’s payroll will re-route to accounts in three different countries.
This isn’t the work of lone midnight hackers, but of threat actors exploiting identity gaps to scale payroll theft.
You wake up Friday to chaos. Productivity is stalled because people are worried. The office is tense as HR freezes further payroll processing and Finance frantically tries to initiate a wire reversal.
The bottom line? AI-powered phishing scams combined with the use of leaked credentials led to $262 million in losses this year.
If you reused passwords or clicked a phishing link in 2025, you were a target.
The good news is: You can secure your future, but time is of the essence.
What is ATO in cybersecurity and why should you care?
An ATO (account takeover) attack occurs when attackers gain unauthorized access to your accounts – emails, payroll, banking, and SaaS apps – and use that access to steal your money, identity, and data.
As mentioned, these attacks have resulted in $262 million in losses this year, with more than 5,100 complaints received.
But here’s what should make you sit up:
- About 1.4 million phishing sites are created every month.
- Over 3.4 billion phishing emails are sent daily.
- Phishing scams cost the average business $187,000 per incident.
AI has been the force multiplier here. It has transformed account takeover techniques, making fraud more scalable and harder to detect, so even low-skilled attackers can now run sophisticated campaigns.
And the data feeding these attacks? It's infostealers, which harvested a whopping 2.1 billion credentials in 2024 alone.
All of which means your credentials – and accounts – are almost certainly at risk.
Can one simple message empty your bank account?
According to veteran hacker and analyst Davey Winder, the answer is yes. It only takes one simple message to empty your bank account. Here’s how:
- Attackers gain your trust by impersonating a bank, popular retailer, or technical support employee to obtain your credentials. Both the FBI and Amazon have warned that impersonators are behind the current surge in ATO attacks. In December 2025, Amazon-themed scams have already led consumers to call fake support hotlines, where they’re pressured to hand over Amazon login details and bank account numbers.
- Attackers mimic trusted name brands and trick you into clicking links that redirect to fake e-commerce stores, where they steal your banking info to authorize payments for non-existent goods.
Since 2008, LastPass has made logins more secure for consumers and businesses across the world.
Our dedicated threat intelligence team works closely with PhishLabs to identify malicious sites that mimic LastPass, often taking them down within 48 hours or less.
This partnership means LastPass is actively monitoring threats, reacting fast to phishing scams, and working tirelessly to disrupt infostealer networks.
With AI-powered credential stuffing campaigns, attackers can now test millions of password combinations across hundreds of platforms in one sitting.
But in the next few minutes, I’m going to show you exactly how these attacks work, the red flags you don’t want to miss, and the four (4) easy habits that prevent you from becoming a statistic.
Credential stuffing versus account takeover: What’s the difference?
Here’s where most people get confused, and why that confusion costs them dearly.
Credential stuffing is the method used in account takeover (ATO) attacks. Here, attackers use stolen password and username combinations from one breach and test them across thousands of other sites. They’re betting that you – or most people – reuse passwords.
Account takeover, by contrast, is the outcome of a successful credential stuffing attack. Once the credentials work, the attackers can control not just one account, but every account linked to it.
Here’s the terrifying part: According to Verizon’s 2025 Data Breach report, 88% of web application breaches involve stolen credentials, and the top motive is espionage.
This means attackers are actively ramping up credential stealing to advance espionage campaigns.
And that’s not all. While traditional credential stuffing could be blocked with basic security measures like rate limiting or CAPTCHA challenges, adaptive account takeovers are another ballgame. Attackers are:
- Using Adversarial Machine Learning to train on CAPTCHA datasets and create an AI that can predict correct answers
- Outsourcing CAPTCHA solving to human labor farms
- Using AI agents to mimic human-like activity – like typing rhythms and mouse movements – to outsmart the CAPTCHA
- Using IP rotation and low-velocity campaigns across thousands of IP addresses to bypass rate limiting
- Leveraging machine learning-based OCR (Optical Character Recognition) to beat conventional CAPTCHAs, which rely on distorted text that OCR can now easily decipher
The result? AI now solves CAPTCHA with 96% accuracy, surpassing humans by 50-86%.
Before we get to prevention, let’s talk about how you can detect an account takeover attack.
What are the red flags of an account takeover?
Most people don’t realize they’re compromised until it’s too late. The Microsoft Entra ID ATO attack that affected 80,000 corporate accounts took up to 47 days to discover. So, what can you do? To protect yourself, keep an eye out for these four (4) red flags of an account takeover:
- Unusual login activities
- Unauthorized account changes
- Suspicious post-login actions
- Communication anomalies
#1 Unusual login activities
- Logins from unfamiliar locations, such as an employee in Chicago logging in from Romania
- Access at odd hours, such as logins at 3AM
- Hundreds of failed login attempts followed by a successful login
- One user logging in from multiple locations simultaneously
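The four login red flags above, written as detection logic run over constructed sample sign-in events. This is an added example, not code from the article or from LastPass; the event format, the thresholds (10 failures in 15 minutes, a 1-hour travel window, 00:00–05:59 UTC as odd hours) and the per-user baseline of known countries are all assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs): (user, UTC timestamp, country, outcome).
SAMPLE_EVENTS = [
    ("alice", "2025-12-04T14:02:00", "US", "success"),
    *[("bob", f"2025-12-05T03:{m:02d}:00", "RO", "failure") for m in range(12)],
    ("bob", "2025-12-05T03:13:00", "RO", "success"),
    ("carol", "2025-12-05T09:00:00", "US", "success"),
    ("carol", "2025-12-05T09:20:00", "CN", "success"),
]

# Countries each user normally signs in from (constructed baseline).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def flag_logins(events, known_countries, fail_threshold=10,
                fail_window=timedelta(minutes=15),
                travel_window=timedelta(hours=1), odd_hours=range(0, 6)):
    """Return (user, reason) pairs for the four 'unusual login activity' red flags."""
    by_user = defaultdict(list)
    for user, ts, country, outcome in events:
        by_user[user].append((datetime.fromisoformat(ts), country, outcome))
    flags = []
    for user, recs in by_user.items():
        recs.sort()
        fails, last_ok = [], None  # failure timestamps; (ts, country) of last success
        for ts, country, outcome in recs:
            if outcome != "success":
                fails.append(ts)
                continue
            # Burst of failed attempts shortly before a successful login
            if sum(1 for f in fails if ts - f <= fail_window) >= fail_threshold:
                flags.append((user, "failed-burst-then-success"))
            fails = []
            # Login from a country outside the user's baseline
            if country not in known_countries.get(user, set()):
                flags.append((user, f"unfamiliar-location:{country}"))
            # Access at odd hours (00:00-05:59 UTC by default)
            if ts.hour in odd_hours:
                flags.append((user, "odd-hours"))
            # Two successes from different countries too close together to be travel
            if last_ok and last_ok[1] != country and ts - last_ok[0] <= travel_window:
                flags.append((user, f"concurrent-locations:{last_ok[1]}/{country}"))
            last_ok = (ts, country)
    return flags
```

Calling `flag_logins(SAMPLE_EVENTS, KNOWN_COUNTRIES)` flags bob for all three of the burst, unfamiliar-location and odd-hours rules, and carol for signing in from two countries twenty minutes apart, while alice's ordinary daytime login produces nothing.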
#2 Unauthorized account changes
- Password reset requests you didn’t initiate
- MFA settings changed or disabled
- Recovery email addresses or phone numbers modified
- Loyalty points redeemed without your permission
- Changes to subscription services
- Admin privileges granted to unknown accounts
#3 Suspicious post-login actions
- Bulk downloads of customer data or financial records
- Mass deletion of files
- Unauthorized bulk data transfers
- Unauthorized wire transfers or changes to direct deposit information
#4 Communication anomalies
- Employees reporting suspicious emails from colleagues
- Customers receiving phishing emails from your domain
- Unexpected email invoices for services you never ordered
- Internal requests for information via unusual channels like text or messaging apps
Now that you know what the red flags are, let’s talk defense.
Account takeover attack prevention: How do I prevent an account takeover?
If you’re still relying on just passwords or SMS-based MFA, you’re at high risk of an account takeover. In a previous article on SIM swapping, we showed how SIM swaps can bypass SMS-based MFA.
But preventing an account takeover is possible. It means upgrading credential security with:
- The LastPass generator
- SaaS Monitoring + SaaS Protect
- Adaptive MFA
- Dark Web Monitoring
#1 Using the LastPass generator to stop password reuse in its tracks
Perhaps you already know that your organization’s single greatest weakness is password reuse.
But who can remember 50+ unique passwords? This is where a Secure by Design password manager like LastPass comes in.
With the LastPass generator, every employee gets a strong, unique password for each account. This means your IT team stops spending 10+ hours a week on password resets, and you get to sleep through the night knowing stolen credentials can’t unravel your entire business overnight.
#2 Installing SaaS Monitoring + SaaS Protect to identify and disrupt SaaS sprawl
Here’s a question that should terrify you: Do you know every single SaaS app your team is using right now?
Not just the ones you’ve approved. All of them. Each one is a potential entry point, and each one also stores credentials and intellectual property that can be stolen.
With LastPass SaaS Monitoring + SaaS Protect, you can see logins for every app your organization uses. This means you can identify weak security habits and risky apps before they’re exploited, saving you from sleepless nights and 2AM panic attacks.
#3 Implementing adaptive MFA to overcome the limitations of basic MFA
Let’s face it: We’re creatures of habit and text-based MFA is what we use.
But with MITM (man-in-the-middle) and SIM swap attacks bypassing exactly this type of MFA, you need adaptive MFA that considers context, such as location, biometrics, or working hours.
With LastPass adaptive MFA, you can block attackers from hijacking your account, even if they’ve stolen your credentials. Our FIDO2 MFA options – like passkeys and hardware security keys – are phishing resistant and compliant with certifications like SOC 2, SOC 3, and ISO 27001.
#4 Deploying Dark Web Monitoring to uncover leaked credentials
Remember those 2.1 billion leaked credentials? You need active monitoring that alerts you immediately when your organization’s email credentials appear in Dark Web forums and infostealer logs.
Here’s why: According to the 2025 SpyCloud Identity Exposure report:
- The average exposed individual has 141 credential pairs across 229 records tied to highly sensitive PII like physical addresses, SSNs, and passport numbers
- 97% of phishing logs include an email address, a critical foothold in identity fraud
- SpyCloud uncovered 3.1 billion exposed passwords in 2024, and 70% of exposed individuals reused old, compromised passwords across multiple accounts
With LastPass, you get immediate alerts when you or your team’s email credentials are compromised. This means you can:
- Quickly update your passwords before credential stuffing bots escalate to data exfiltration, identity theft, or financial fraud
- Drastically slash breach dwell times – the length of time an attacker remains undetected in your system – to protect both your revenues and reputation
Here’s the cold, hard truth: If you’re reading this article, you know you need better defenses.
Maybe it’s because you’ve already had a close call. Or maybe it’s that nagging feeling of not knowing what SaaS apps your team members are using.
Whatever brought you here, the question isn’t whether you need protection. The question is how you’re going to get it.
If you’re running a business today, you need a solution that:
- Eliminates password reuse across your organization
- Gives you complete visibility into every SaaS app without adding hours to your day
- Protects against credential stuffing and ATO attacks
- Works without requiring a full-time security team to manage it
This is where Business Max comes in. It combines enterprise credential management with SaaS Monitoring + Protect, the two critical defenses that actually help prevent account takeovers.
Want to see how LastPass SaaS Monitoring + Protect works?
Watch our free training now to see how LastPass gives you the visibility and control you need to sleep through the night.
In the training, you’ll discover:
- The three (3) critical items your SaaS monitoring dashboard tracks that let you put credential security on autopilot
- How easily you can track SaaS logins to spot suspicious activity and revoke access at a moment’s notice
- What your most used apps and sensitive tools are so you can monitor them more closely
- How to configure usage rules for apps (Allow, Warn, Block) in minutes
- How to send customized warnings about sharing sensitive info, so attackers can’t exploit it to carry out ATO attacks
Still not sure if this applies to your business? Here’s a test: Do your employees use cloud or SaaS apps? And do these apps contain customer data, financial info, or business-critical operations?
If you answered yes to one or both questions, watch the free training now and see how the Axxor Group, a leading global manufacturer, is embracing credential & account security with LastPass.
Then, unlock it for yourself with a free trial of Business Max (no credit card required). You’ll have access to the same benefits within minutes.
Sources
Forbes: FBI warns Gmail and Outlook users— ‘Do Not Click’
Experian: Here's what your data sells for on the Dark Web
Forbes: Urgent new FBI warning: 1 simple message can empty your bank account
AAG: The latest 2025 phishing statistics
SQ Magazine: Phishing email statistics 2025: The growing threat and how to protect your organization
The Hacker News: How new AI agents will transform credential stuffing attacks
GraVoc: Are CAPTCHAs enough to stop bots from spamming web forms?
CyberPeace: Who is winning the war with AI: Bots vs. CAPTCHA?
Security.org: Account takeover fraud: A consumer’s guide to protecting yourself
2025 SpyCloud Identity Exposure Report
CNET: Best identity theft protection services (Nov 2025)