What is Account Takeover Fraud and How Can You Protect Yourself?

Man sitting in front of their laptop and an open notebook with red warning symbols

Fraudsters will stop at nothing to gain personal information, and when they succeed, the end result can be disastrous. One type of fraud that is gaining traction is account takeover fraud, or ATO. Account takeover fraud, also known as account compromise, occurs when a cyber-attacker gains control of a legitimate account.

Once they have control of an account, attackers can launch a variety of attacks, such as:

Internal phishing: Emails sent from employee to employee within the same organization using a compromised corporate account.
Supply-chain phishing: Most organizations do business over email. An attacker who gains control over a legitimate account can assume your employee’s identity to defraud customers and business partners.
BEC-style attacks: Think of account takeovers as the ultimate impersonation tactic. In ATO, attackers hijack an email account to essentially become the person it belongs to. ATO attacks bypass many email authentication controls.
Data exfiltration: Gaining access to someone’s mailbox, attackers can access not just email, but also calendar events, contacts and sensitive data in file shares.
Financial fraud: If attackers gain control of someone’s bank or account or other financial services, they can steal funds directly with fraudulent wire transfers and purchases.

Account takeover techniques are usually automated using scripts that contain potentially thousands of credentials and user accounts. Revenue generated from a successful attack can reach millions on darknet markets for an advanced attack.

Account Takeover Fraud Protection and Prevention

Users and website owners should take basic precautions to prevent ATO fraud. Financial and healthcare sites are common targets for attackers. These sites usually have fraud detection systems in place, but most send emails to the registered account holder when data changes.

Users should always read emails sent from financial institutions and call customer service as soon as they receive suspicious alerts. For instance, if new credit cards were sent and the account holder didn’t request them, call customer service to verify that the account was not hacked.

Using the same password across several accounts makes it easy for attackers. Always use unique, strong passwords across several accounts online. To keep track of numerous passwords, use cryptographically secure storage services such as LastPass, 1Password or Bitwarden. Be aware of phishing attacks to avoid being the victim of stolen credentials.

Website administrators must also take precautions. Account takeover detection infrastructure should be deployed to detect suspicious activity.

Should systems detect suspicious activity, the IP address should be blocked. Suspicious activity can later be reviewed by analysts. For instance, an unusually high number of authentication attempts on different accounts from the same IP address and operating system should trigger fraud detection. Analysts can later review the logged activity to determine if the site is a target for attackers.

Instead of locking out an IP address, fraud detection systems can display a CAPTCHA after a specific number of authentication attempts. The CAPTCHA could be required for a specified duration after too many authentication requests from the same IP address.

Deploying multifactor authentication (MFA) helps protect users as well. Attackers with legitimate site credentials would be unable to authenticate without the secondary PIN sent to a user's smartphone. Automatically sending the PIN to the user’s smartphone can also alert the user to a potential account takeover attack. The targeted user can then change their site password.

With better fraud detection, website owners can protect their customer data. But customers can also ensure their data privacy by: