Account takeover fraud occurs when a hacker gains unauthorised access to a user's account. These attacks happen because companies and individuals do not know how to protect their personal information from fraudsters.
The threat is growing every day. Fraudsters know how lucrative this type of attack can be, so companies increasingly need to ask themselves what account takeover is doing to their business, and what they can do to protect themselves against it.
The good news is there are many known best practices to prevent account takeover fraud. For example, companies should use an eCommerce fraud prevention solution that analyses a user's on-site behavior to identify known fraudulent patterns. Companies should also secure their login experience by requiring two-factor authentication (2FA) and requiring frequent password changes. Customers must also help by choosing strong passwords and remaining vigilant for phishing attacks.
In this article, we talk about what account takeover fraud is and how to prevent it.
What is account takeover fraud?
Account takeover fraud is the use of an online account by someone without the account owner’s permission in order to commit some kind of fraud or crime. Common account takeover targets are corporate accounts and personal bank accounts.
For example, a fraudster can trick a company employee into sending cash to a known vendor at an account the fraudster controls. Or, an employee can enter the login information for the corporate account into a site that looks like it belongs to the legitimate financial institution but in reality is controlled by the fraudster to collect the user’s keystrokes.
Personal bank account takeover is when a fraudster gains unauthorised access to an account and makes purchases or transfers money to accounts they control. For purchases, the fraud is most common at eCommerce stores where fraudsters can purchase things quickly and easily before the breach is discovered. Online gift card fraud is another common scam because fraudsters can use gift card balances interchangeably with cash to purchase things on the dark web.
Account takeover protection is so important because the consequences of attacks are high. For businesses, chargeback prevention is very difficult when a purchase is made from an account that made legitimate purchases in the past. For account holders, there is a huge loss of time trying to get their money back and also a lot of inconvenience in having to repair their reputation with online merchants.
How do hackers steal your information?
The most common ways hackers steal information are either by compromising the software on your computer, or by tricking you into thinking you are providing account information to a legitimate vendor when you are in fact providing it to the fraudster.
Here are the most common ways hackers steal your information:
Phishing attack account takeovers are when a fraudster tries to trick you into clicking on a link in an email that downloads malicious software to your computer. Once you download the phishing attack software, the fraudster can steal account information in order to perform account takeovers without being detected.
There are two types of phishing attacks: phishing and spear phishing. The difference between them is that phishing does not personalize the attack emails sent to potential victims and there is no specific target—the fraudster sends a huge number of generic emails with the expectation that some people will click on them.
In contrast, spear phishing attacks target a specific merchant and will personalize the email with details that increase the likelihood the victim will believe it is legitimate. Spear phishing attacks require more work, but fraudsters can pick high-value targets to make the potential payoff worth the effort.
Rogue mobile apps
Account takeovers on mobile apps have exploded in the last few years. One common type of attack is when a fraudster purchases stolen account credentials and then tries them on other applications. The goal is to find an application with the same credentials and then use the account to make unauthorized purchases.
Another type of mobile app account takeover is when hackers create unauthorized clones, which are basically fake mobile applications that appear to be legitimate but are actually designed to steal your data. In this scam, fraudsters will log the keystrokes from your application and then use them to commit fraud either on the legitimate version of the application, or by finding other applications with the same login credentials.
Bank account takeovers are usually accomplished by the use of banking trojans. A banking trojan is a piece of software code known as malware that infects a user’s computer and allows hackers to steal login credentials to their accounts.
Banking trojan account takeovers are difficult to spot because the malware is hidden by hackers in a way that makes it look like a piece of code that provides benefits. Common examples of banking trojans are anything people find fun or useful like games, apps to increase mobile phone performance, or even entire programs like messaging or location services. All of these programs will provide the service as described, and run the malicious hacking software in the background.
Once a device is infected, the banking trojan will steal login credentials, use the device to build botnets, and sometimes even steal money directly.
Brand abuse account takeovers are when fraudsters impersonate the online properties of a brand such as its website, mobile application, or social media accounts in order to trick users into providing sensitive personal information.
Brand abuse protection involves constantly scanning the internet to find any websites or accounts that mimic your brand. This includes your company name, logo, promotional material, or anything else that might cause a user to believe they are interacting with your brand. In addition, fraudsters will falsely claim your brand has a partnership with them—anything to gain the trust of the user so they will let their guard down.
Brand abuse social media fraud is when fraudsters set up a fake social media account that deceives users into believing it is controlled by the brand itself. From this account, the fraudsters can vouch for websites and mobile apps that are fraudulent, trick users into providing account information to fake brand representatives, and sell counterfeit goods. Sometimes, they can even trick employees into providing information about sensitive internal systems.
Credential stuffing account takeover fraud is when hackers use software to automate the entry of username/password combinations in order to find ones that match an existing account. These attacks are closely tied to data breaches because they use known login combinations obtained from the dark web in order to increase the rate of success.
Credential stuffing defense for companies requires monitoring their systems to detect variations in the volume of attempted logins and failed logins. Spikes in both can indicate automated login attempts. Companies should also require customers to frequently change their password, which decreases the amount of time stolen login credentials remain valid to access an account.
How to Prevent Account Takeover Fraud
Individuals and companies need to know how to fight account takeover fraud. However, there are different strategies and tactics for each one. In this section, we'll explain the best practices to prevent account takeover fraud.
Individuals need to take the security of their accounts into their own hands. They cannot rely on businesses to prevent account takeover fraud for them. Companies have consistently shown themselves unable to rise to the challenge, and so you should follow these best practices to keep your personal information safe online:
- Practice good password hygiene. This means having unique, strong passwords for every account you create. If you can’t keep track, get a password manager to keep track for you—they’re free and many have browser extensions that will auto-fill credentials when you land on a site.
- Check to see if your login credentials have been compromised in a data breach. The Have I Been Pwned password check will tell you if your email has shown up for sale on the dark web.
- Enable two-factor authentication (2FA). Two-factor authentication requires you to provide an additional method of identity verification beyond your password/username combination to enter your account. There are numerous options such as devices and biometrics.
- Never click on links in emails if you don’t know the sender. Fraudsters capitalise on you mindlessly clicking through links. Google and other email services will alert you when a sender isn’t in your contacts; if you see this warning, be extra-vigilant before clicking on anything.
- Ignore ‘urgent’ email requests. Fraudsters often sow fear or urgency in order to provoke thoughtless action. If you receive an email threatening you, or professing ‘urgent action’, take a deep breath and assess the situation before clicking any links or going to any sites.
- Don’t use public wifi. Hackers will get access to your machine through unsecured wifi. If you are away from home, use a personal mobile hotspot.
Account takeover costs to business are high.
On the consumer facing side, the damage to a brand’s reputation from a successful attack is huge. Today’s shoppers know the risks, and increasingly expect businesses to keep them protected and know how to keep customer accounts safe. In addition, there is chargeback prevention. Although eCommerce fraud prevention companies know how to prevent account takeover chargebacks, nothing is foolproof. The best strategy is still to prevent account takeovers to begin with.
Corporate account takeover is another major concern. Thieves are increasingly adept at tricking employees into handing over sensitive account information. Common examples include tricking an employee into thinking a bill is from a vendor and sending money to a fake account, or even changing the default account for a vendor that receives a monthly payment.
Here are some best practices to consider to stop these frauds:
- Increase authentication protocols. Any mechanism that will move a lot of money quickly should be secured. Things like wires and ACH files must have multiple layers of authorization to be executed.
- Strict employee access controls. Employees are routinely given access to sensitive information and authorization chains, and are often the weakest link in the security chain. Make it a priority to know who has access to what, and that all employees are given only the minimum amount of access required to accomplish their job.
- Use anti-virus software. Commercial security software will help detect phishing attacks as well as other potential security breaches and vulnerabilities.
- Monitor your login systems. Account takeover attacks leave many traces that you can detect. Increased login attempts, sudden spikes in password reset requests, and high chargeback volumes can all be algorithmically flagged to provide real-time warnings that your systems are under attack.
- Flag suspicious customer behavior. The login screen is not the only place you can detect account takeover fraud. You should get notifications for any abnormal customer behavior. This includes unusual purchase volumes for specific accounts or geographic regions, increased order values, massive reward point transfers, and changes to multiple data points like delivery address, IP address, and passwords.
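One way to implement the login monitoring described in this list and in the credential stuffing section above, as an added example that is not part of the original article: it buckets constructed login and password-reset log lines into one-minute windows and flags a failed-login spike, a single source cycling through many usernames, or a surge of reset requests. The log format, the sample lines and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample log lines (not from any real system).
# Format: "<ISO timestamp> <event> <username> <source ip> <outcome>"
BASELINE_LINES = [
    "2024-03-01T10:00:05 login alice 203.0.113.5 ok",
    "2024-03-01T10:00:40 login bob 203.0.113.9 fail",
    "2024-03-01T10:01:10 login bob 203.0.113.9 ok",
    "2024-03-01T10:01:30 reset carol 203.0.113.7 ok",
]
# Constructed credential-stuffing burst: one source replays many leaked
# username/password pairs within a single minute; almost all of them fail.
STUFFING_LINES = [
    f"2024-03-01T10:05:{i:02d} login leaked_user{i} 198.51.100.20 "
    + ("ok" if i == 37 else "fail") for i in range(40)
]
SAMPLE_LOG = "\n".join(BASELINE_LINES + STUFFING_LINES)

def parse(log_text):
    """Turn raw lines into event dicts keyed to a one-minute window; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event, user, ip, outcome = parts
        events.append({"minute": ts[:16], "event": event, "user": user, "ip": ip, "ok": outcome == "ok"})
    return events

def detect(events, min_attempts=10, max_fail_rate=0.8, max_users_per_ip=10, max_resets=10):
    """Flag one-minute windows with a failed-login spike, one source cycling through
    many usernames, or a surge of password resets. Thresholds are illustrative."""
    windows = defaultdict(lambda: {"attempts": 0, "fails": 0, "resets": 0, "users_by_ip": defaultdict(set)})
    for e in events:
        w = windows[e["minute"]]
        if e["event"] == "login":
            w["attempts"] += 1
            w["fails"] += 0 if e["ok"] else 1
            w["users_by_ip"][e["ip"]].add(e["user"])
        elif e["event"] == "reset":
            w["resets"] += 1
    alerts = []
    for minute, w in sorted(windows.items()):
        if w["attempts"] >= max(min_attempts, 1) and w["fails"] / w["attempts"] > max_fail_rate:
            alerts.append((minute, "failed_login_spike", f"{w['fails']}/{w['attempts']} failed"))
        for ip, users in w["users_by_ip"].items():
            if len(users) >= max_users_per_ip:
                alerts.append((minute, "many_users_one_ip", f"{ip} tried {len(users)} usernames"))
        if w["resets"] >= max_resets:
            alerts.append((minute, "reset_spike", f"{w['resets']} password resets"))
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` flags only the 10:05 window, once for the failure rate and once for the single IP trying 40 usernames; the quiet baseline minutes produce no alerts.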
If you need additional information and want to read more, you can also check out our in-depth look at how to detect account takeover fraud.