Explore in-depth account takeover from how it happens to its potential impact. Understand how methods and technology can help you prevent it.
Most of us have received emails from friends that, well, sound a little off. The message might ask us to reply to a request that that person would never make. Or he or she might ask you to click on a link included in the message. It’s a modest but potentially dangerous example of a form of digital identity fraud called an account takeover (ATO). Fake emails (or fake Facebook friend requests, to cite another common example) are usually easy to spot and disregard.
Jump to ↓
| What is account takeover? |
| How does account takeover happen? |
| Potential impacts of account takeover |
| How to prevent account takeover |
| Choosing the right technology |
But they’re still potentially dangerous. Clicking on that link can release malware into your computer or your organization’s IT system that can cause a loss of data and functionality. Other forms of ATO, which include bank accounts, brokerage accounts, and credit cards, can be even more damaging. Whatever form they take, ATOs pose significant risks, including financial losses, data breaches (which can also put customers, clients, and executives at serious risk), and reputational damage. While financial institutions and firms engaged in e-commerce have to be particularly vigilant, nearly every type of business or organization is vulnerable to this type of fraud.
All forms of identity theft can put an organization at risk. According to the U.S. Federal Trade Commission, fraud accounted for $10 billion in losses in 2023—much of it due to online activity. Those losses are likely to increase in the future as hackers and other cybercriminals make use of increasingly sophisticated fraud techniques, such as AI-driven deepfakes.
However, there are strategies that businesses can engage in that can proactively prevent account takeover (and digital identity fraud). For those strategies to be effective, organizations need to understand what they’re up against.
What is account takeover?
Account takeover (ATO) is a type of identity fraud where fraudsters leverage a person’s existing credentials to take control of their financial, credit, email, or social media accounts. This unauthorized access to user accounts can lead to various account takeover attacks. A variation on the theme is synthetic identity fraud, which involves combining the stolen information of a real person with completely made-up identification data. The impacts of a successful ATO can range from a one-time purchase to using the stolen account for other fraudulent activity, usually involving some type of illicit direct or indirect financial gain.
Industries at risk
Again, just about every type of industry that holds sensitive data is at risk of ATO-based fraud. These three industries can demonstrate how organizations in general can be vulnerable:
Financial services
To paraphrase 1950s bank robber Willie Sutton, banks and other financial services organizations need to fight financial crime because they are susceptible to ATOs. After all, that’s where the money is, or at least most of it. Fraudsters aren’t necessarily looking just for cash. Client data, including personal identifiable information (PII) and financial account details, is extremely valuable. They also may use ATOs as a way to launder ill-gotten gains. That’s why adverse media screening to is important within this industry.
Healthcare
Healthcare data is extremely valuable on the dark web. Health account takeovers can result in prescription fraud and false insurance claims, among other risks. And as the UnitedHealth Group breach last spring demonstrates, a successful cyberattack can damage the entire healthcare provider network. Even more so, fraudsters continue to impact Medicare and Medicaid, stealing taxpayer money.
E-Commerce
Rising in impact, retailers are frequently victimized by cyber-thieves seeking to obtain goods by paying for them via an account stolen from another customer. This is called organized retail crime (ORC). Online retail customers are particularly vulnerable to having their accounts stolen because they typically save their payment information in retailer databases. Wholesalers and companies that sell online to other businesses (B2B) also can be susceptible to ATO fraud.
How does account takeover happen?
Fraudsters make use of a variety of techniques to initiate account takeover fraud. The following methods are the most common—and no less dangerously effective for being so widely used:
Phishing
Think back to the original example of the fake email. The hacker intended the receiver of the email to click on the link. Once clicked, the link will take the person to an apparently legitimate website where it will ask for personal information in order that the person can win some kind of prize or other benefit. Sometimes the goal is simply to find another email address to hack. More often than not, its purposes are more nefarious—typically stealing the receiver’s digital identity to take over that person’s bank or credit card account.
This is a textbook example of phishing, one of the oldest and most durable techniques for digital fraud. Despite how familiar it has become, it’s remarkable how successful phishing attacks continue to be. People continue to click on those links and provide information. Often the link will come in an email that appears to have been sent by, say, a bank or a government agency. The link will make what appears to be a seemingly legitimate request for a bank account, credit card, or Social Security number.
While many phishing emails are almost comically obvious, others are much more sophisticated. They might appear to have come from one’s manager or the company’s CEO—and not everyone thinks of verifying its legitimacy. By the time the victim realizes what has happened, it’s often too late. These sophisticated phishing attempts are often part of larger social engineering schemes designed to manipulate users into divulging sensitive information.
Malware
In many cases, the link in a phishing email may secretly release malware into the person’s digital device—and from there, into an organization’s IT network. Malware is software specially designed to “infect” IT systems, usually to steal an organization’s internal or customer data (or both). Ransomware, a form of malware, will lock out an organization’s data until it pays a “ransom” to release it. Even then, the ransomware may continue to hide within the network until the hacker chooses to reactivate it.
Credential stuffing
This technique involves using login credentials stolen from one data breach and using it to attempt to access other organizations’ sites. It succeeds simply because a great many of us reuse the same password across multiple sites. This can allow fraudsters to take over accounts with a single set of credentials (that is, a person’s name or email address and a password). Cybercriminals often use bots to automate this process, making thousands of login attempts across various platforms in a short time.
Application flaws
To gain access to data to steal or accounts to take over, fraudsters may exploit vulnerabilities in one of the software applications an organization uses. Why these vulnerabilities exist can get quite technical. Simply put, a flaw in a company’s database management software, e-commerce platform, or email system can provide an open door through which a hacker can walk in and wreak havoc. These vulnerabilities can be exploited through various means, including API attacks and brute force attacks.
Potential impacts of account takeover
ATOs can hurt a business in several ways—all the more reason to prevent fraud before they happen:
Financial losses
These are the clearest negative impacts of an ATO. A stolen account can allow fraudsters to steal goods from retailers or vendors. Banks and financial services companies—and their customers—can see accounts drained. Fraudulent transactions can result in significant financial losses for both businesses and individuals.
Reputation damage
Organizations can be victimized twice via an ATO. Not only might they suffer significant financial losses—but their reputations can be severely damaged. Customers and vendors may come to believe that the organization can’t be trusted with their information. This loss of trust can have long-lasting effects on a company’s brand and customer relationships.
Legal ramifications
The legal fallout from ATO victimizations is interwoven with the impacts of financial and reputational loss. Organizations that have been breached by fraudsters could find themselves taken to court by irate customers or clients. These organizations may also discover that they’re out of compliance with regulations regarding data security and the protection of personal data.
How to prevent account takeover
With instances of digital identity theft and data breaches exploding, organizations of all kinds need to pursue innovative risk strategies to reduce their risk. Here are several approaches that businesses can put in place to prevent ATOs and other forms of identity fraud:
Digital authentication
Successful fraud prevention starts with thorough identity verification. For example, two-factor authentication has been a boon to protecting accounts. However, with fraudsters constantly devising new methods of digital attacks, organizations often need to add new lines of defense to verify customer identities.
More and more businesses are using these solutions:
- Fingerprint matching and retinal scans, which are already being used by many banking entities.
- Live facial verification, a newer-generation technology that can match a person making a transaction with an on-file photograph.
- Behavioral biometrics and analytics, which can allow a financial organization to verify a customer’s identity through his or her online behavioral patterns.
- Multi-factor authentication (MFA), which requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.
Taking a risk-based approach
Organizations should keep continuously current on new fraud risks so that they can establish proactive protocols and strategies—including technological innovations—to mitigate the impact of those risks. This includes implementing a zero-trust security model, adaptive cybersecurity measures, and a risk management framework that adjusts based on the level of risk associated with each login attempt or transaction.
Using AI-powered technology
Digital tools using artificial intelligence can help organizations detect and prevent a variety of risks, including ATOs. With AI to manage risks, businesses can fight fire with fire since fraudsters are increasingly using AI-generated emails, images, and even phone messages to initiate ATOs. Machine learning algorithms can analyze patterns of user behavior in real-time to identify suspicious activity and potential account takeover attempts.
Training and educating customers, clients, and vendors
Organizations can educate customers about the dangers of digital identity theft techniques, including phishing emails, malware, and fraudulent phone scammers pretending to be representatives of the business. This education should include best practices for creating strong passwords, recognizing phishing attempts, and the importance of not reusing passwords across multiple accounts.
Implementing robust security solutions
Businesses should invest in comprehensive security solutions that can detect and prevent various types of cyberattacks, including ATOs.
These solutions should include:
- Real-time fraud detection systems
- Continuous monitoring for suspicious behavior
- Advanced encryption for sensitive data
- Regular security audits and vulnerability assessments
Secure handling of user credentials and personal information
Organizations must implement strict protocols for handling and storing user credentials and personal information.
This includes:
- Encrypting sensitive data both in transit and at rest
- Implementing least-privilege access controls
- Regularly updating and patching systems to address known vulnerabilities
- Conducting regular security awareness training for employees
Choosing the right technology
Account takeovers are just one of the fraud pain points that businesses and other organizations are having to battle. Happily, ongoing digital innovation can help establish successful identity theft and fraud prevention strategies. Properly crafted digital tools can provide businesses in all industries greater confidence in onboarding new accounts, identifying digital identity fraud, and stopping attacks in real-time.
 |
Thomson Reuters® Risk & Fraud Solutions and Feedzai have partnered to help financial institutions, online retailers, and payment processors seamlessly onboard legitimate clients and silently detect bad actors before they can commit fraud or account takeover.
- Onboard legitimate customers: Utilize a risk-based approach to streamline the account opening process and identify fraudulent accounts.
- Stop online attacks in real-time: Proactively stop malware, phishing, and remote-access trojans before they steal identities and cause harm.
- Prevent account takeover: Establish a robust understanding of each user’s unique behavior to accurately identify suspicious anomalies.
With comprehensive customer verification such as BionicIDs, active defense, hybrid AI, and frictionless customer experience, you can protect your business and customers today and tomorrow.
 |
 |
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.
