Account takeover attacks can devastate individuals and organizations alike. By gaining access to a business or consumer account, a cybercriminal can impersonate the victim to steal money or obtain sensitive information. In a report released Thursday, fraud management company SEON looks at the rise in account takeovers and offers advice to businesses and consumers on how to protect their accounts.
How pervasive are account takeover attacks?
A 2021 study by Security.org cited by SEON found that 22% of adults in the U.S. have been victims of account takeovers, comprising around 24 million households. The average value of financial losses triggered by these account takeovers was $12,000.
Among the incidents analyzed in the study, 51% of the compromised accounts were for social media sites, while 32% were for bank accounts. Further, 60% of the victims had used the same password for multiple accounts, showing the value in adopting different passwords for each account.
How cybercriminals take over accounts
In seeking accounts to compromise, savvy cybercriminals know when to pounce. Over the 2021 holiday season, one out of every 140 login attempts was an effort at taking over an account. Criminals also watch consumer markets for spikes in activity, using the surge of legitimate logins as cover so their own attempts go unnoticed.
To take over an account, attackers will often buy stolen credentials on the dark web. Otherwise, they’ll use brute force attacks and social engineering tricks to hack into an account. After taking over an account, the criminal will typically change the account information, including the password and notification settings, thereby cutting off the actual user.
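The post-takeover behaviour described above (a login from an unfamiliar device followed quickly by a password change and a change to notification settings) is a pattern a defender can look for in account activity logs. The following is an added example, not code from SEON or TechRepublic; the event records, device lists and 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample account events (not from SEON's report). "bob" shows the
# takeover pattern: a login from a device never seen on the account, followed
# within minutes by a password change and a change to notification settings.
EVENTS = [
    {"ts": "2022-06-01T09:00:00", "account": "alice", "type": "login", "device": "dev-A"},
    {"ts": "2022-06-01T09:05:00", "account": "alice", "type": "password_change", "device": "dev-A"},
    {"ts": "2022-06-01T09:06:00", "account": "alice", "type": "notification_change", "device": "dev-A"},
    {"ts": "2022-06-02T03:10:00", "account": "bob", "type": "login", "device": "dev-B"},
    {"ts": "2022-06-02T03:14:00", "account": "bob", "type": "password_change", "device": "dev-B"},
    {"ts": "2022-06-02T03:16:00", "account": "bob", "type": "notification_change", "device": "dev-B"},
    {"ts": "2022-06-03T12:00:00", "account": "carol", "type": "login", "device": "dev-X"},
    {"ts": "2022-06-03T12:02:00", "account": "carol", "type": "password_change", "device": "dev-X"},
]

# Devices previously enrolled on each account (constructed).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-C"}, "carol": set()}

# The combination of changes that, taken together, cuts the real user off.
TAKEOVER_CHANGES = {"password_change", "notification_change"}


def flag_takeovers(events, known_devices, window=timedelta(minutes=30)):
    """Return the set of accounts where a login from a previously unseen device
    is followed, within `window`, by every change type in TAKEOVER_CHANGES."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(e["account"], []).append(e)

    flagged = set()
    for account, evs in by_account.items():
        seen = set(known_devices.get(account, ()))  # copy: do not mutate the input
        for i, e in enumerate(evs):
            if e["type"] != "login":
                continue
            is_new = e["device"] not in seen
            seen.add(e["device"])  # later logins from this device are no longer "new"
            if not is_new:
                continue
            start = datetime.fromisoformat(e["ts"])
            changes = set()
            for f in evs[i + 1:]:
                if datetime.fromisoformat(f["ts"]) - start > window:
                    break  # events are time-sorted, so nothing later can qualify
                if f["type"] in TAKEOVER_CHANGES:
                    changes.add(f["type"])
            if changes >= TAKEOVER_CHANGES:
                flagged.add(account)
    return flagged


if __name__ == "__main__":
    print(sorted(flag_takeovers(EVENTS, KNOWN_DEVICES)))
```

Alice changes both settings from an enrolled device and Carol changes only her password, so neither is flagged; the rule deliberately requires the full combination after a new-device login to keep false positives low. In production the "known device" set would come from the device fingerprinting the report recommends rather than a hard-coded dictionary.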
How to protect your company against account takeovers
Protecting accounts from takeover is a task for companies as much as for their users. Toward that end, SEON offers the following advice.
Increase employee awareness
Make sure your employees are trained to know the signs of a phishing email or malware that tries to obtain their account credentials. At the very least, direct employees to a Help Desk or IT contact to whom they can report a suspicious email or other type of content.
Be aware of phishing and spear-phishing methods
CEO fraud is one particular tactic in which the attacker pretends to be the CEO of the company in an attempt to obtain account information or gain access to network resources.
Use a password manager
Trying to create and maintain a different password for each account is virtually impossible without the right tool. A password manager will handle the difficult task of devising, storing and applying unique and complex passwords for each account. Make sure that the password manager is secured by a unique and complex master password. Many password managers offer business editions for organizations through which IT staff can manage and monitor their use for employees.
Block suspicious IP addresses and devices
Make sure your security defenses immediately block any suspicious IP addresses and devices trying to access your network. Criminals often try to hide their real identities by spoofing their device and location. To thwart such attempts, turn to strong fraud prevention and enrichment tools backed by in-depth device fingerprinting.
Set up CAPTCHA security to prevent bot attacks
Criminals sometimes use bots to automatically try to sign into a website or account using different credentials. To stop these bots, consider implementing CAPTCHA security that kicks in after several failed authentication attempts. You may also want to limit the number of attempts granted per user to perform a specific action, such as how many times someone can enter an incorrect password before being locked out.
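The two controls in this section, a CAPTCHA that kicks in after several failed authentication attempts and a cap on incorrect passwords before lockout, can be combined in one per-account throttle. The following is an added example, not code from SEON or TechRepublic; the thresholds (3 failures for CAPTCHA, 10 for a 15-minute lock) are assumptions chosen for illustration, and the actual password check is assumed to happen elsewhere.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-login counter. After `captcha_after` failures the next
    attempt must solve a CAPTCHA; after `lock_after` failures the account is
    locked for `lock_seconds`. Thresholds are assumptions, not report figures."""

    def __init__(self, captcha_after=3, lock_after=10, lock_seconds=15 * 60, clock=time.time):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.clock = clock  # injectable so tests can advance time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def check(self, account):
        """Return 'locked', 'captcha' or 'ok' for the next attempt on `account`."""
        now = self.clock()
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"
            # Lock expired: start the counter over rather than re-locking at once.
            del self.locked_until[account]
            self.failures[account] = 0
        if self.failures[account] >= self.captcha_after:
            return "captcha"
        return "ok"

    def record_failure(self, account):
        self.failures[account] += 1
        if self.failures[account] >= self.lock_after:
            self.locked_until[account] = self.clock() + self.lock_seconds

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, password_ok, captcha_solved=False):
    """Gate a credential check with the throttle. `password_ok` is the outcome of
    the real credential verification, which is assumed to happen elsewhere."""
    state = throttle.check(account)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_solved:
        return "captcha_required"  # no password check, so no failure is recorded
    if password_ok:
        throttle.record_success(account)
        return "success"
    throttle.record_failure(account)
    return "failed"


if __name__ == "__main__":
    th = LoginThrottle()
    for _ in range(4):
        print(attempt_login(th, "demo", password_ok=False))
```

The CAPTCHA step comes first and the lock is short on purpose: a hard, permanent lock after N failures lets anyone who knows a username lock its real owner out, so a temporary lock preceded by a bot challenge is the usual compromise. Per-account limits should also be paired with per-IP or per-device limits so that an attacker spreading guesses across many accounts is still slowed down.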
Protecting consumers from account takeover attacks
SEON also offered the following advice for how a consumer can protect themselves from these attacks.
Use a password manager for strong and unique passwords
A password manager is still your best bet for adopting a complex and unique password for each account. Just make sure that your password manager is itself protected by a strong master password.
Use multi-factor authentication
MFA is another security measure that you should set up for all supported accounts and websites. Even if your password is compromised, the attacker won’t be able to log into your account without that second form of authentication. Many accounts and websites support the use of an authentication app, such as Microsoft Authenticator or Google Authenticator. Others allow you to use a physical security key. If so, use either of those methods, as they’re the most secure types of MFA.
Verify any request for your account information
Never respond directly to an email or text asking for account information. Instead, look up the phone number or email address of the individual or company trying to contact you to confirm whether the attempt is legitimate.