Account takeover prevention

Use Sumsub rules to protect your users' accounts from unauthorized access.

Account Takeover (ATO) is when an unauthorized individual gains access to someone else's account and takes control of it.

This can happen through various methods, such as phishing, hacking, or using stolen credentials.

Once the attacker has control, they can make unauthorized transactions, change account settings, or perform other malicious activities.

Our account takeover prevention solution is based on device intelligence and KYC checks. It lets you minimize or eliminate double payouts or chargeback disputes.

We offer you the checks to identify the following behavior:

  • Suspicious log-in. The fraudster uses an unknown device to log in to the account.
  • Changes to account information. Attackers may modify payment methods and details to prevent the legitimate owner from regaining access to the funds.
  • Unfamiliar transactions, such as withdrawals, deposits, or transfers.

How it works

Account takeover prevention is a security measure that combines automated detection mechanisms with user verification processes designed to detect and prevent unauthorized access to user accounts.

Here's how it typically works:

  1. Monitoring user activity. The system monitors user activity for unusual patterns or behaviors that may indicate a potential account takeover. This could include login attempts from unfamiliar locations, multiple failed login attempts, or sudden changes in account settings.

  2. Anomaly detection. Advanced algorithms are used to analyze user behavior and detect anomalies. For example, if a user suddenly logs in from a different country or device, the system may flag this as suspicious activity.

  3. IP address tracking. Sumsub monitoring systems track the IP addresses used to access an account. If an account is accessed from an IP address that has not been used before or is associated with suspicious activity, it may trigger an alert.

  4. Device recognition. Sumsub can identify when a new or unrecognized device attempts to log in by tracking the devices used to access an account.

  5. Payment method check. Sumsub checks the payment method on withdrawal to ensure it was used before within the specified period.

  6. Applicant action request (if applicable). Users may be required to verify their identity through additional steps.

  7. Transaction status assignment. Depending on the results of the checks, each transaction receives a status:

    • Normal — transaction is approved.
    • Suspicious or Gambling Addiction — transaction matched one of the selected rules and requires attention.
  8. You handle monitoring results.


The following table explains the checks performed when monitoring transactions to detect account takeover:

Device IPThe IP address of the applicant’s device used to log in.
CoordinatesThe geographic location of the applicant’s device used to log in.
Device FingerprintInformation about the software and hardware used on the applicant’s device.
Payment method informationThe information about the selected payment method. It depends on the method specifics and may include a unique hash string, IBAN, SWIFT, Card Number, Crypto wallet, etc.

Enable account takeover prevention

To enable account takeover prevention:

  1. If you have never used Sumsub, visit our website and click Get started to begin your journey or contact our sales department. If you are already a Sumsub customer, contact our customer support.
  2. In the Dashboard, open the Rules Library and install the rules below.
  3. Open the Rules page and enable the installed rules.

Once you enable the rules, all transactions are going to be monitored by these rules. Each transaction that matches the rule conditions will be taken care of in accordance with the rule configuration.

Create transactions

You can create transactions in the Dashboard using a convenient constructor or with the help of the API methods.

Use Dashboard

To produce a transaction in the Dashboard:

  1. Go to the Transactions page.
  2. Click Create transaction manually.
  3. From the drop-down list, select an applicant on behalf of whom you want to produce the transaction.
  4. Switch between the simplistic (visual representation) form and JSON payload (digital data).
  5. When using a simplistic form, from the Use Case drop-down list, select the type of transaction you plan to check.
  6. Provide required transaction information.
  7. Set the custom transaction date by selecting the associated checkbox if necessary.
  8. Click Create transaction.


To produce a transaction via API, use this API method and set the type field to your transaction type, as the following example demonstrates:

  "txnId": "631f268442d8290001e1eee9_newTxn",
  "applicant": {
    "externalUserId": "uniqueRemitterId",
    "address": {
      "country": "DEU",
      "street": "Chauseestr. 60",
      "postCode": "101115",
      "town": "Berlin"
    "device": {
      "ipInfo": {
        "ip": ""
    "institutionInfo": {
      "code": "DEUTDEDB101",
      "name": "Deutsche Bank"
    "paymentMethod": {
      "type": "card",
      "accountId": "eg_hash_of_credit_card_number",
      "issuingCountry": "DEU"
    "counterparty": {
      "externalUserId": "uniqueBeneficiaryId",
      "fullName": "John Smith",
      "type": "individual",
      "institutionInfo": {
        "code": "CRESCHZZXXX",
        "name": "Credit Swiss (Schweiz)"
    "info": {
      "direction": "out",
      "amount": 101.42,
      "currencyCode": "GBP",
      "paymentDetails": "Birthday Present"
    "props": {
      "customProperty": "Custom value that can be used in rules"

Handle monitoring results

Once a transaction is checked, it can be found on the Transactions page.

All suspicious transactions which get the Requires action status appear in Queues. Such transactions must be carefully evaluated by your experts and an appropriate action must be taken.

You also receive any of the following webhooks, depending on the transaction status: