What is Account Takeover Fraud?
Account takeover (ATO) is a form of identity theft and fraud. The goal of an ATO attack is for a malicious third party to capture a user’s account credentials in order to facilitate other cybercrimes like sending out phishing emails, launching business email compromise (BEC) schemes, stealing sensitive data, planting malware or accessing other accounts within the organization.
Is account takeover fraud a cyberattack?
Yes. ATO not only breaches a company’s security in and of itself, but it can also pave the way for another cyberattack.
How Does Account Takeover Happen?
Account takeover fraud can be accomplished in a number of ways, but the goal is always the same: to gain control of the victim’s user account. Here are the most common ways that may occur.
In an email phishing scenario, cybercriminals entice a user to provide their password through a phishing email, then render the login unusable by the original user and use that user’s account to perpetrate BEC or access a company’s systems for nefarious purposes.
ATO as a phone scam or vishing scam is done substantially the same way as email phishing, but in this case, the cybercriminals obtain the victim’s credentials through a phone call. This is how Twitter was breached in 2020.
Business email compromise scams
ATO is a step in most BEC scams. By obtaining credentials to log into a user account, cybercriminals gain a legitimate address for correspondence, adding believability to their scam messages.
What Are Some Common Indicators of an Account Takeover?
A few common red flags can indicate ATO has taken place or is in progress. If you notice any of these things happening in one of your user accounts, the matter warrants further immediate investigation.
A large number of login attempts in a short period of time
Too many login attempts could be a sign of credential stuffing, a type of cyberattack that can precede ATO.
Unusual password reset requests
Resetting the victim’s password is a classic ATO tactic to prevent victims from recovering a stolen account or removing that account’s access privileges.
Abnormal user behavior
If an employee account is sending out an unusually large number of messages, attempting to access information or parts of the network that it shouldn’t, or generally behaving in a markedly unusual way, ATO may be to blame.
A customer’s account may have suffered ATO if it is exhibiting unusual communication patterns, showing an abnormal number of login attempts or requesting too many password resets.
A large number of account information changes simultaneously
For any account, rapid major changes, such as resetting the credentials while also changing the account holder’s profile or other identifying information, should raise red flags for possible ATO.
Unusual financial activity
ATO on accounts that have access to financial decision-making tools or the ability to make wire transfers or online payments is especially dangerous, and any out-of-pattern behaviors for that type of account should raise alarm.
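Two of the indicators above, a burst of login attempts and a cluster of account changes in a short time, can be checked mechanically over authentication logs. The following is an added example, not part of the original article; the event names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and event names; tune them to your own baseline and log schema.
RULES = {
    "login_burst": ({"login_failed"}, 5, timedelta(minutes=2)),
    "rapid_account_changes": (
        {"password_reset", "email_changed", "phone_changed"}, 3, timedelta(minutes=10)),
}

# Constructed sample events (ISO timestamp, account, event type); not real log data.
SAMPLE_EVENTS = [
    # alice: five failed logins in 40 seconds
    *[(f"2024-05-01T09:00:{s:02d}", "alice", "login_failed") for s in (0, 10, 20, 30, 40)],
    # bob: password reset followed by profile changes within four minutes
    ("2024-05-01T10:00:00", "bob", "password_reset"),
    ("2024-05-01T10:02:00", "bob", "email_changed"),
    ("2024-05-01T10:04:00", "bob", "phone_changed"),
    # carol: one ordinary reset and a successful login
    ("2024-05-01T11:00:00", "carol", "password_reset"),
    ("2024-05-01T11:01:00", "carol", "login_ok"),
    # dave: five failed logins spread over 40 minutes, below the burst rate
    *[(f"2024-05-01T12:{m:02d}:00", "dave", "login_failed") for m in (0, 10, 20, 30, 40)],
]

def detect_ato_indicators(events):
    """Return sorted (account, indicator) pairs that warrant investigation."""
    windows = defaultdict(deque)  # (account, indicator) -> recent timestamps
    alerts = set()
    for ts_text, account, kind in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        for indicator, (kinds, limit, span) in RULES.items():
            if kind not in kinds:
                continue
            window = windows[(account, indicator)]
            window.append(ts)
            while ts - window[0] > span:  # drop events older than the window
                window.popleft()
            if len(window) >= limit:
                alerts.add((account, indicator))
    return sorted(alerts)

if __name__ == "__main__":
    for account, indicator in detect_ato_indicators(SAMPLE_EVENTS):
        print(f"{account}: {indicator}")
```

The sliding window is what separates alice's burst from dave's slow trickle of the same number of failures, so a fixed per-day count would miss the distinction.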
How Can Account Takeover Fraud Impact My Business?
ATO can have a wide array of catastrophic results for your business. That’s why it is vital to be on the lookout for signs that a user account has been compromised.
Cybercriminals use ATO to obtain access to a company user account that they can leverage to steal money through wire transfers and BEC scams.
With the credentials to a legitimate user account, bad actors can quickly gain access to sensitive data, especially if they’ve snatched credentials for a privileged account.
Obtaining access to a company’s environment through ATO is not only a credential compromise in itself but also a tool that cybercriminals can leverage to gain access to other company accounts like a privileged user account.
Bad actors can do irreparable harm to a company’s reputation and brand by using an account gained through ATO to conduct BEC attacks and other types of fraud.
How Can I Protect My Business from Account Takeover Fraud?
Protecting businesses from ATO starts with protecting businesses from credential compromise. Implement multifactor authentication for every account and take steps to prevent phishing from causing credential compromise in your organization using an automated phishing defense solution like Graphus.