Wholesale Banking

Understanding Account Take-Over (ATO): A simple, clear narrative

24 March 2026

In today’s digital world, most fraud attempts no longer rely on breaking into systems. Instead, criminals try to trick people into giving away access without realising it. One of the most common and harmful examples of this is Account Take‑Over, often called ATO.

What is Account Take-Over?

Account Take-Over happens when someone who is not you gains access to your online banking environment and uses it as if they were you. Once they are inside, they may try to create or approve payments, change authorisation settings, or gather sensitive information. Criminals do not “hack” into your bank account by breaking through security walls or penetrating the bank’s IT systems. Instead, they rely on one thing: getting you to click a link or use a device they have compromised, so that you unknowingly give them access.

How does Account Take-Over happen?

Most account take‑over attempts originate from phishing and malware installed on a customer device.

  1. Phishing

This is when criminals send messages (email, SMS, WhatsApp, etc.) pretending to be a trusted organisation such as ING, a partner bank, or a supplier. Their goal is to lure you to a fake website that looks real and convince you to enter your banking credentials or approve something.

The message may convey things like:

  • “Your account is blocked—log in immediately”
  • “An urgent payment needs approval”
  • “You must verify your identity now”

Criminals know that if they create pressure, people act quickly before checking whether the message is real.

  2. Malware on your device

Sometimes criminals get access by infecting a computer with a harmful program. Malware can:

  • Capture what you type
  • Change what you see on the screen
  • Redirect you to a fake banking page
  • Interfere with payment authorisation

Malware often arrives through fake invoices, unsafe downloads, links in fraudulent emails, or compromised websites.

How does ING protect you?

ING has designed its security model to make phishing and ATO extremely difficult.

  1. No username–password login: ING does not use simple login credentials, because passwords can be easily stolen, guessed, or copied.
  2. Strong Customer Authentication (SCA): Instead of passwords, ING uses multifactor authentication that combines:
  • Something you have (a registered device)
  • Something you are (behavioural patterns)
  • Something you approve (authorisation steps)

This provides much stronger protection.

  3. Device-bound security: Your authorisation device or app is cryptographically linked (“bound”) to your identity. Even if a criminal obtains your login details, they cannot log in without your trusted device.
  4. Real-time session protection: During an active banking session, ING monitors interactions related to that session and the transaction being sent to the bank. This helps us identify indicators of potential fraud, such as:
  • An unusual location or device used during login
  • Unexpected navigation behaviour within the banking portal
  • Automated or scripted activity
  • Signs that malware may be affecting the session
  • Payments that show a higher risk profile

If anything appears unusual during a session, ING may temporarily interrupt it or contact you to verify the activity.

What can you do to keep yourself safe?

Even with strong banking security, your device and actions remain the first line of defence. Here is what you can do:

  1. Be cautious with messages:
  • ING never sends login links in emails or SMS.
  • If a message pressures you to act “immediately”, it is likely fake.
  • Do not click links you weren’t expecting.
  2. Go to ING directly:
  • Always type the web address yourself instead of clicking a link.
  • Fraudsters often buy fake advertising slots so their fake website appears first in search results.
  3. Keep your devices clean:
  • Install updates
  • Use antivirus software
  • Avoid downloading unknown attachments
  • Do not allow scripts or macros from untrusted sources

Only install company-approved software on your company device. Never download unknown, untested software.

  4. Check if the website is secure:
  • Look for https:// and the lock icon
  • Check that the security certificate is issued to ING Bank N.V. or ING Groep N.V.
  5. Think before approving:
  • If you see an approval request you didn’t expect, stop immediately, close your browser, and call ING through a known phone number.
  6. Follow the SLAM method for emails:
  • Sender: Verify the real address.
  • Link: Hover before clicking.
  • Attachment: Avoid if you are unsure.
  • Message: Is it logical, urgent, suspicious?
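
The four SLAM checks can also be run automatically over an incoming message, for example in a mail-filtering script. The Python code below is an added example, not ING code; the domain bank.example, the list of risky attachment extensions and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "bank.example"   # assumption: placeholder for the bank's real domain
RISKY_EXT = (".exe", ".js", ".iso", ".docm", ".xlsm")   # assumed list, incl. macro formats
PRESSURE = ("immediately", "urgent", "verify your identity")  # wording quoted in the article

def in_domain(host, domain):
    # Exact or dot-suffix match; a substring test would accept look-alike hosts.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def slam_check(msg):
    """Return SLAM findings (Sender, Link, Attachment, Message) for an EmailMessage."""
    findings, body, attachments = [], "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_maintype() == "text":
            body += part.get_content()
    _, addr = parseaddr(str(msg.get("From", "")))
    if not in_domain(addr.rpartition("@")[2], TRUSTED_DOMAIN):
        findings.append(f"Sender: {addr} is not in {TRUSTED_DOMAIN}")
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname
        if not in_domain(host, TRUSTED_DOMAIN):
            findings.append(f"Link: shown as '{text.strip()}' but opens {host}")
    for name in attachments:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"Attachment: {name} can carry scripts or macros")
    hits = [p for p in PRESSURE if p in body.lower()]
    if hits:
        findings.append("Message: pressure wording: " + ", ".join(hits))
    return findings

def build_sample():
    # Constructed phishing-style message; every address and host is made up.
    m = EmailMessage()
    m["From"] = '"Bank Security" <alerts@bank.example.login-check.example>'
    m["Subject"] = "Your account is blocked"
    m.set_content('<p>Log in immediately: <a href="https://bank.example.login-check.example/sso">'
                  'https://bank.example/login</a></p>', subtype="html")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename="invoice.docm")
    return m

if __name__ == "__main__":
    print("\n".join(slam_check(build_sample())))
```

The sender and link hosts in the sample begin with the trusted name but belong to a different domain, which is why the check compares the end of the host name and not just whether the trusted name appears in it.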

Where can you find more guidance?

Check our other articles on the Banking safely page to learn about:

Account Take-Over is preventable

With ING’s strong authentication, device-bound security and real-time monitoring, combined with your awareness and cautious behaviour, you can dramatically reduce the risk of falling victim to phishing or malware.