Account takeover fraud (also known as ATO fraud) is a type of identity theft that occurs when a cybercriminal uses stolen credentials to gain unauthorized access to a victim’s account (think email account, online shopping account, or bank account). According to our recent data security survey, 37% of U.S. workers have experienced account takeover fraud.
In this piece, we’ll explain how fraudsters conduct these schemes, hear from an anti-fraud expert, and share steps you can take to protect yourself and your customers from account takeover fraud.
By now, we’re all accustomed to data breaches that make headlines one day and are forgotten the next. But those breaches continue impacting businesses and consumers for months and even years after they occur, often in the form of an account takeover attack.
“Fraudsters commonly obtain victims’ credentials through data breaches, whether they carry out the data breaches themselves or purchase the stolen data on the dark web,” says Mason Wilder, a senior research specialist at the Association of Certified Fraud Examiners (ACFE). “They also trick victims into volunteering information through social engineering schemes like phishing.”
Indeed, phishing remains a highly effective weapon for conducting account takeover fraud. Account holders are often duped into clicking a malicious email link that takes them to a bogus page where they enter login credentials. Man-in-the-middle attacks and malware such as keyloggers also capture login credentials as they are typed into a legitimate site.
Once a fraudster takes control of your account, they’re able to make changes and perform unauthorized transactions. If it’s a business account, the criminal may gain access to sensitive company information, potentially leading to a data breach.
And this is a very real scenario. Our research found that a data breach was reported by 72% of companies where a worker also reported an account takeover, compared to only 12% of companies where employees did not experience an account takeover.
Account takeover fraud and new account fraud are commonly confused terms, but actually two very different schemes.
“Account takeovers involve fraudsters assuming control over an existing account, whereas new account fraud involves fraudsters using stolen personally identifiable information (PII) to create a new account, often with some line of credit associated.”
—Mason Wilder, ACFE Senior Research Specialist
New account fraud is often enabled by synthetic identity fraud, which uses both real and fabricated information to create a new identity. The real information is typically stolen or purchased on the dark web. Many synthetic identity fraud victims are children who won’t find out their information has been stolen until they apply for their first line of credit as an adult.
Account takeovers are primarily carried out via credential stuffing and brute-force attacks.
Credential stuffing is a cyberattack in which hackers use credentials stolen from one breached account to break into other online accounts. In other words: if your email address and password are leaked during a data breach at one company, hackers can use those same credentials to access your other accounts across the internet. More than likely, you're among the significant portion of the population that reuses the same passwords for multiple accounts.
Our research found that more than half (53%) of consumers commit this basic blunder, opening themselves up to account takeover and a host of other online schemes.
A brute-force attack involves a hacker trying character combinations until the correct password for an account is found. Brute-forcing is generally performed with an automated program, often using so-called dictionary attacks that try lists of commonly used words, numbers, and symbols (e.g. mybirthyear1983!).
This technique is a big reason why it’s so important to use strong passwords and enable two-factor authentication on business applications whenever possible. To help ensure you’re up-to-date, we’ve created a guide to password policy best practices.
We're all spending more time online during the pandemic, and it’s fueling a rise in account takeover fraud.
The National Credit Union Administration recently issued an alert for COVID-19-related schemes targeting online banking applications. Meanwhile, the Federal Trade Commission (FTC) has recorded hundreds of thousands of COVID-19-related fraud reports, the majority of which are related to online shopping scams such as account takeover identity theft.
Making matters worse, the data deluge is upsetting the algorithms used to identify fraudulent activity. “More eCommerce volume from new customers and different shopping patterns makes account takeover attacks harder to detect with built-in preventive controls that eCommerce companies or payment processors employ,” says Wilder.
Fraud detection techniques require dependable data, but few of us have the same patterns we did only one year ago. Years and years of data are being flipped sideways as online shopping overwhelms predictive models used to detect irregular behavior and suspicious activity.
Clearly, consumers and businesses can’t rely on automated fraud detection alone and must take additional steps to ensure accounts are protected. But how?
“The most important things for consumers to do to avoid account takeover fraud are not reusing passwords and setting up multi-factor authentication on accounts,” says Wilder.
Enabling multi-factor authentication for online accounts (e.g., a code sent to your mobile device) is crucial to preventing account takeover identity theft. It adds a second layer of protection and ensures you’ll be alerted to an account takeover attempt as it’s unfolding, rather than after the fact.
You must also:
Guard against social engineering techniques
Utilize biometric authentication when available
Use a password manager to simplify online account security
Use VPN software when connecting to unfamiliar Wi-Fi networks
Make it more difficult for cybercriminals to obtain your personal information. This means reducing your digital footprint by limiting both the amount and type of information you share online. To help, we’ve created a comprehensive guide to removing personal information from the internet.
“Mandating multi-factor authentication can help prevent customer accounts from being compromised,” says Wilder.
“That’s probably the most effective measure from a consumer or service provider standpoint. Some businesses also correlate IP addresses to user accounts and can block access or freeze an account if a login attempt comes from a new or unfamiliar IP address, and block IP addresses associated with fraud.”
In addition to blocking IP addresses of suspicious users, businesses can throttle login attempts and implement CAPTCHA systems to slow credential stuffing and brute-force attacks. And because cybercriminals often use automated bots to carry out these schemes, using network monitoring software that includes bot detection can go a long way toward mitigating account takeover fraud.
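As an added illustration of the controls just described (example code, not from the article or from GetApp), the following Python detector runs over constructed login-log lines and flags the three patterns the text names: one IP failing against many accounts (credential stuffing), one account hit with many failures (brute force), and a successful login from an IP never before associated with that user. The log format, thresholds and the known-IP baseline are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<time> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
09:00:01 FAIL user=alice ip=203.0.113.7
09:00:02 FAIL user=bob ip=203.0.113.7
09:00:03 FAIL user=carol ip=203.0.113.7
09:00:04 FAIL user=dave ip=203.0.113.7
09:00:05 FAIL user=erin ip=203.0.113.7
09:00:06 OK user=erin ip=203.0.113.7
09:01:00 FAIL user=frank ip=198.51.100.9
09:01:01 FAIL user=frank ip=198.51.100.9
09:01:02 FAIL user=frank ip=198.51.100.9
09:01:03 FAIL user=frank ip=198.51.100.9
09:02:00 OK user=grace ip=192.0.2.44
"""

# Constructed baseline of IPs previously seen per user (in practice, built from history).
KNOWN_IPS = {"erin": {"192.0.2.10"}, "grace": {"192.0.2.44"}}

def parse(line):
    """Split one log line into (success, user, ip)."""
    _time, result, user, ip = line.split()
    return result == "OK", user.split("=", 1)[1], ip.split("=", 1)[1]

def detect(log_text, known_ips, stuffing_users=5, brute_failures=4):
    """Return a sorted list of (signal, subject) alerts for the given log."""
    users_per_ip = defaultdict(set)    # distinct accounts failing from each IP
    fails_per_user = defaultdict(int)  # failed attempts per account
    alerts = set()
    for line in log_text.splitlines():
        ok, user, ip = parse(line)
        if ok:
            # A success from an IP never tied to this user is the
            # "new or unfamiliar IP address" case the article describes.
            if ip not in known_ips.get(user, set()):
                alerts.add(("new_ip_login", f"{user}@{ip}"))
            continue
        users_per_ip[ip].add(user)
        fails_per_user[user] += 1
    for ip, users in users_per_ip.items():
        if len(users) >= stuffing_users:      # many accounts, one source
            alerts.add(("credential_stuffing", ip))
    for user, n in fails_per_user.items():
        if n >= brute_failures:               # one account, many guesses
            alerts.add(("brute_force", user))
    return sorted(alerts)

if __name__ == "__main__":
    for signal, subject in detect(SAMPLE_LOG, KNOWN_IPS):
        print(f"{signal:20} {subject}")
```

In production the counts would be kept per time window (so that throttling can kick in) rather than over the whole log, and the alerts would feed the blocking or account-freeze actions Wilder mentions.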
To contend with today's increasingly chaotic security environment, businesses must take steps to improve online account authentication protocols:
Adopt a multilayered security approach to account authentication that leverages behavioral analytics, location/IP address, and device-centric authentication.
Develop strategies to move toward passwordless account security options such as biometric authentication and phone-as-token.
Educate customer-facing employees on the social engineering tactics used to gain access to customer account data.
Promote security awareness among customers with a focus on enabling multi-factor authentication and account activity notifications.
Alert customers to targeted phishing schemes and clearly explain what legitimate communication from your business looks like (e.g., "we will never ask for personal information via email").
*GetApp’s 2020 Data Security Survey was conducted from September 10 to September 11 among 868 respondents who reported full-time employment. Of the 868 respondents, 267 identified as IT professionals and 83 identified as their organization’s IT security manager.
**GetApp’s Password Survey was conducted in January 2020 among 487 respondents to learn more about consumer password behaviors.