How to Prevent Account Takeover Fraud

Want more content?

By subscribing to our mailing list, you will be enrolled to receive our latest blogs, product updates, industry news, and more!

Quick Hits:

  • Account takeover fraud is the most popular kind of cyberattack for hackers looking to make a large sum of money quickly.
  • Businesses affected by account takeover attacks (ATOs) often lose large numbers of customers due to loss of customer trust. ATOs are logistical nightmares that create high volumes of chargebacks, security issues, and customer questions and requests. 
  • Account takeover fraud can be prevented using tools like multifactor authentication, 3-D Secure, and tokenization.
What is Account Takeover Fraud? 

An account takeover attack happens when a cybercriminal gains unauthorized access to an online account. Online accounts targeted most often by cybercriminals are bank accounts, shopping accounts, social media accounts, and email accounts.

Many account takeovers are automated and done at scale, with hundreds or thousands of accounts captured in a single attack. Most hackers will then sell these credentials on the darknet for other criminals to buy and exploit.

How Do Hackers Takeover Accounts? 

In order to prevent account takeover attacks, we must first understand how they occur. Here are a few common ways hackers take over accounts: 

  • Phishing – Phishing emails can lead to a wealth of compromised account details. Mass phishing email campaigns can generate a considerable amount of stolen account details, which will often be sold for profit on the dark web. 
  • Brute-Force Attacks – Hackers with considerable computer power will use a program to try multiple username/password combinations, often using common passwords or phrases. This can lead to a consistent stream of compromised accounts for a hacker to exploit or sell.
  • Credential Stuffing Attacks – This account takeover attack uses a single username/password pair bought from a data breach to search for additional accounts across the web. Because many people will use the same email address and password for multiple accounts, hackers can often gain access to multiple accounts belonging to the same individual.  
  • Targeted Attacks –  Some account takeover attacks try to gain access to certain high value accounts. This could be the social media account of a famous celebrity or world leader, or it could be the email account of a company CEO or executive. Targeted attacks will often use spear-phishing (highly sophisticated social engineering attacks) or brute force attacks to infiltrate specific accounts.  
  • Malware – Certain types of malware, like keyloggers, can capture user credentials and compromise the infected user’s accounts.  

Hackers have numerous ways to gain access to login credentials. These login credentials, for accounts that don’t use multifactor authentication, are often all a hacker needs to access customer accounts and cause serious damage.  

Why Do Hackers Take Over Accounts? 

While the underlying motivation of account takeover attacks is almost always financial, there are many different targets attackers will go after. Here are a few common ways ATO attackers can profit from stolen accounts. 

Exploiting Data 

Attackers who enter an account will often have a wealth of information at their disposal. Many different forms of personally identifiable information (PII) live in online accounts. This data can either be collected and sold or used to steal the account owner’s identity. Phone numbers, addresses, credit card information, and more can be stolen in an ATO and used for malicious purposes.

Using Legitimate Accounts for Scams 

Legitimate accounts are a great asset for scammers. Legitimate email accounts often have a long list of trusting contacts that can be baited with phishing scams. Legitimate social media accounts can also be used for similar schemes. Other accounts, like Ebay or Facebook marketplace accounts, can be used to sell items that don’t exist or create fake reviews for sketchy companies.  

Ransoming Stolen Accounts 

Particularly important accounts, like high profile social media accounts, bank accounts, or email accounts, can be stolen and then held for ransom by malicious hackers.  

Stealing Valuable Assets 

Hacking into accounts can allow criminals to steal assets with financial value. This could be anything from a digital currency (like Fortnight V-bucks) to actual items (like mobile phones bought from the legitimate customer’s phone carrier). Even certain promotional or referral bonuses are targeted by cybercriminals looking to make easy money.  

Stealing Money 

While there are many creative ways to profit from an account takeover, many attacks target accounts that will yield monetary rewards right away. Credit card accounts, cryptocurrency accounts, and shopping accounts with linked payment methods can all be used to funnel money straight into an attacker’s pocket.  

Selling Stolen Accounts 

Many hackers will automate the process of stealing accounts and then sell them to the highest bidder. This allows the initial hacker to focus on acquiring accounts and avoid the trickier nuances of squeezing value out of compromised accounts with the above methods. 

The Importance of Account Takeover Prevention 

Preventing account takeovers is important for consumers and merchants alike.

Consumers whose accounts are compromised can lose money, data, assets, and even their identity. Given these serious consequences, merchants responsible for the compromised accounts will often face a huge blow to their brand’s reputation. After large-scale account takeover attacks, loss of customer trust alone can be enough to sink an affected company.  

Additionally, merchants must carefully guard employee accounts connected to their internal operations. Even a single employee account takeover can compromise internal networks and lead to more internal account takeovers.  

How can you prevent account takeovers for your company and customers? In the next section we’ll outline the best tools for account takeover protection and prevention. 

Tools for Account Takeover Protection and Prevention 

In many cases, account takeovers can be prevented with the addition of multifactor authentication. For merchants that offer online payments, additional authentication in the form of 3D Secure should also be implemented to minimize the damage of a customer account takeover. Finally, utilizing a Zero Trust Security model will minimize the impact of an internal account takeover. 

Multifactor Authentication 

Many hackers are easily able to enter accounts protected by only a username and password. Multifactor authentication methods prevent brute force and credential stuffing attacks by requiring another method of authentication, like a code sent to the user’s email or phone. Multifactor authentication should always be used for high-risk accounts.  

3D Secure 

3D Secure 2.0 analyzes transaction information to request additional layers of authentication if an account takeover is suspected. If you’re interested in protecting your customers from account takeover attacks, read more about 3-D Secure or sign up for a free 3DS demo here:

Zero Trust Security Model 

At the end of the day, there’s no way to guarantee that account takeover attacks will fail. It’s important to set up internal security systems so that sensitive data and systems will be protected even if an employee account is compromised. The best way to protect sensitive data, even in the case of a data breach, is tokenization. Tokenization swaps sensitive data, like customer payment information, for placeholder tokens designed for internal use. The actual sensitive data is stored outside of the company altogether, reducing the burden of compliance and protecting the data in the event of an account takeover.

If you want to shield your company from the consequences of an account takeover attack, tokenization is the only security tool guaranteed to secure your customer’s sensitive data. If you’re interested in finding a tokenization solution, learn the critical questions you should be asking every tokenization service provider here: