Sift’s Q3 2025 Digital Trust Index reveals that account takeover attacks targeting the fintech and finance industry have surged 122% year-over-year. Travel and ticketing platforms also faced significant increases with a 56% year-over-year rise in account takeover attacks, as fraudsters target accounts rich with loyalty points, stored payment methods, and personal data.

Despite a measurable increase in attack rates, consumer awareness of account takeover remains low. While 14% of consumers report experiencing an account takeover attack in the past year, the actual impact is likely much higher, as many victims fail to recognize when their accounts have been compromised. In fact, account takeover attack fraud losses are projected to climb to $17 billion in 2025, up from $13 billion in 2024.

Consumer behavior also reveals a disconnect between awareness and action when it comes to account security. While 77% of consumers are most worried about their banking and credit card accounts being hacked, nearly one in four admitted to reusing a password they knew had been compromised. This gap between concern and security practices leaves consumers vulnerable to account takeover attacks across all account types.

AI commerce agents will intensify this challenge, as fraudsters leverage these tools to automate and scale account takeover attacks at unprecedented speed. Gartner predicts that within two years, AI agents will halve the time attackers need to hijack exposed accounts by automating key steps of attacks.

Sift’s report also highlights the growing threat of agentic AI in fraud, raising questions about consumer trust in AI-managed purchases and financial information; 74% of people express concern that AI-powered shopping agents could lead to ATOs. Further, only 14% would let an AI make purchases. But trust varies by generation: 50% of Millennials and 48% of Gen Z are comfortable with AI managing purchases and finances, compared to just 31% of Gen X and 15% of Baby Boomers.

While 60% of consumers believe account takeover attack prevention is a shared responsibility between users and businesses, companies are ultimately held accountable when protections fall short. The business implications of these trends are serious; 75% of consumers say they would stop using a site after experiencing an account takeover. Meanwhile, 87% would share their negative experience with others, amplifying reputational damage for affected businesses.