Account Takeover

What account takeover is, how to recognize it, and how to stop bad actors from taking over your accounts.

Online cybercrime activity has seen a significant increase in the past two years. According to Javelin Strategy & Research’s annual identity fraud study, identity fraud losses reached up to $24 billion in 2021 – a 79% increase from 2020. A large component of this uptick is the use of account takeover by cyber criminals.

What is Account Takeover

Account takeover (ATO) is a form of online identity theft in which a criminal gains unauthorized access to an online account belonging to someone else, such as a social media profile, an ecommerce account or a financial account, and then uses it as if they were the owner.

Account access is gained through a variety of methods, including:

  • Social engineering, such as phishing (email), smishing (phishing via text message) and vishing (phishing via voice call), which tricks the victim into handing over a password or a one-time code
  • Brute force break-ins: bad actors use automated tools to fire many password guesses at a single account, which works best when the login page does not limit or slow down failed attempts
  • Credential stuffing: bad actors use bots to replay username and password pairs leaked in earlier breaches against many other sites, and every account whose owner reused that password falls
  • Weak or reused passwords: using one password for multiple accounts, or a common, easy-to-guess password like “password” or “123456”, makes both of the attacks above cheap and fast
  • Malware and data breaches: credential-stealing malware on an individual’s device captures logins directly, while a breach of a service exposes many users’ credentials at once
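The two automated attacks in the list above leave different footprints in a site’s login log: brute force is many failures against one account, credential stuffing is one or two failures each against many accounts from the same source. The following is an added example, not code from the original article, that parses a constructed authentication log, labels each source address by that footprint, and enforces the per-account attempt limit whose absence the brute-force bullet calls out. The log format, addresses, user names and thresholds are all assumptions for illustration.

```python
"""Added example (not part of the original article): classify automated
login attacks in an authentication log and enforce an attempt limit.
Log format, IPs, user names and thresholds are assumed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic: "<ISO timestamp> <user> <ip> <result>".
# 203.0.113.5 hammers one account (brute force); 198.51.100.7 tries one leaked
# password per account across many accounts (credential stuffing) and gets into
# erin's account; 192.0.2.10 is a real user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z alice 203.0.113.5 FAIL
2024-03-01T10:00:02Z alice 203.0.113.5 FAIL
2024-03-01T10:00:03Z alice 203.0.113.5 FAIL
2024-03-01T10:00:04Z alice 203.0.113.5 FAIL
2024-03-01T10:00:05Z alice 203.0.113.5 FAIL
2024-03-01T10:00:06Z alice 203.0.113.5 FAIL
2024-03-01T10:00:07Z alice 203.0.113.5 FAIL
2024-03-01T10:00:08Z alice 203.0.113.5 SUCCESS
2024-03-01T10:01:00Z bob 198.51.100.7 FAIL
2024-03-01T10:01:01Z carol 198.51.100.7 FAIL
2024-03-01T10:01:02Z dave 198.51.100.7 FAIL
2024-03-01T10:01:03Z erin 198.51.100.7 SUCCESS
2024-03-01T10:01:04Z frank 198.51.100.7 FAIL
2024-03-01T10:01:05Z grace 198.51.100.7 FAIL
2024-03-01T10:02:00Z ivan 192.0.2.10 FAIL
2024-03-01T10:02:30Z ivan 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, result) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def enforce_attempt_limit(events, max_failures=5, window=timedelta(minutes=15)):
    """Sliding-window lockout per account: once an account has max_failures
    failed attempts inside `window`, further attempts are refused (LOCKED),
    even with the right password, until old failures age out of the window."""
    recent = defaultdict(list)  # user -> timestamps of recent failures
    decisions = []
    for ts, user, ip, result in events:
        recent[user] = [t for t in recent[user] if ts - t < window]
        if len(recent[user]) >= max_failures:
            decisions.append((user, ip, "LOCKED"))
        elif result == "FAIL":
            recent[user].append(ts)
            decisions.append((user, ip, "FAIL"))
        else:
            recent[user].clear()  # a successful login resets the counter
            decisions.append((user, ip, "ALLOW"))
    return decisions


def classify_sources(events, brute_threshold=5, spray_threshold=5):
    """Label each source IP by the shape of its failures:
    many failures against one account      -> brute_force
    <=2 failures each across many accounts -> credential_stuffing
    anything else                          -> benign"""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for _ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip][user] += 1
    labels = {}
    for ip, per_user in failures.items():
        worst = max(per_user.values())
        if worst >= brute_threshold:
            labels[ip] = "brute_force"
        elif len(per_user) >= spray_threshold and worst <= 2:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "benign"
    return labels


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, label in sorted(classify_sources(ev).items()):
        print(f"{ip:15} {label}")
    for user, ip, decision in enforce_attempt_limit(ev):
        print(f"{user:6} {ip:15} {decision}")
```

Two things the run makes visible. First, the per-account limit stops the brute-force source: alice’s eighth attempt is refused as LOCKED even though the password was right. Second, the limit does nothing against credential stuffing, because the attacker never fails more than once per account; the stuffing source is only caught by looking across accounts per source, and erin’s reused password still lets the attacker in. That is why a login service needs per-source rate limiting and MFA on top of per-account lockout, and why lockout alone also gives an attacker a cheap way to lock real users out of their own accounts.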

Who is Impacted

Anyone and any account can be a target of ATO. The Twitter cyberattack in 2020, in which several high-profile verified accounts were taken over after attackers socially engineered Twitter employees to reach internal support tools, was an example of ATO with the goal of defrauding the hijacked accounts’ followers through a cryptocurrency scam.

Taking Action

While some people may not think to take action for their accounts until news of a data breach strikes, you can practice cyber awareness before the worst happens.

  • Avoid doing financial activity or commerce on public Wi-Fi. While public Wi-Fi is convenient for taking care of things on the go, an attacker on the same network, or running a look-alike hotspot, can intercept your traffic or redirect you to a fake login page to capture your credentials.
  • Enable multi-factor authentication for your accounts. Multi-factor authentication requires a second proof of identity at login, such as a one-time passcode from an authenticator app or a hardware security key, so a stolen password alone is not enough to get in. Codes from an authenticator app or a security key are stronger than codes sent by text message, which can be phished or intercepted. Many services also prompt for the second factor, or notify you, when sensitive changes such as a password reset are requested, which gives you a chance to spot a takeover in progress.
  • Avoid revealing personal information. Social media quizzes often ask for the same details used in account security questions, such as birth dates, pet names and childhood homes. NEVER respond to these: even though they seem harmless, attackers can use the answers to pass a password reset and take over the account.
  • It’s okay not to trust that email, text or call. Go directly to the website instead of clicking a provided link, or hang up and call a confirmed number you have on file (for example, the contact number on the back of your credit card, or the number on the company’s own website). Don’t reply to the sender directly; reach out to the company through a channel you already trust.