January 13, 2023

How to Identify, Prevent, and Remediate Account Takeovers

Have you ever received an email alert on a login attempt you didn’t request? A notification on your phone for a login verification code you definitely didn’t ask for? These are evidence that someone on the other end of that request is trying to gain access to your account. Without the right safeguards in place and the right knowledge of what to do when this happens, your account may be left vulnerable. Fraud detection is critical to ensure that account takeovers are detected and prevented before they can cause damage.


If it happens on one personal site, an account takeover might just be an inconvenience. But on a larger scale, account takeovers are serious business—and can lead to serious damage. What do you need to know to safeguard yourself and your organization against account takeovers, and what can you do if one has already happened? It’s critical to know how account takeovers work in order to protect yourself, and your company, most effectively. Fraud detection is a key component of any account takeover prevention strategy.

What is an Account Takeover?

An account takeover is when a third party gains access to an account they are not authorized to use. It could be any kind of account—personal or professional—and any kind of third party, but the greatest risk comes from cybercriminals targeting high-value accounts, such as ones containing financial data, in order to exploit a weakness, gather sensitive data, or run identity theft schemes. Fraud detection systems can help identify unusual activity on accounts and alert the account owner or the appropriate security personnel.

What Happens During the Attack?

During an attack, these cybercriminals might do a variety of things, from stealing important personal information, such as social security numbers, credit card numbers, addresses, and other key data, to changing information to benefit themselves. They might change the security questions, password, and account recovery information to effectively lock you out of your account. Using your information, they might open a new account, transfer funds, make payments, or place orders for high-value items like TVs, smartphones, and other electronics, shipped to them so they can resell them.

Whatever they’re doing in your account, they shouldn’t be in there in the first place, but how could all of these actions go unnoticed? Cybercriminals are often prepared for that, too: They turn off notifications before they cause havoc, and before you know what’s going on, it’s already happened. 

How Does an ATO Happen?

There are various ways for an attacker to gain access to an account. The example above—sending out password reset requests over and over, or just plain old brute forcing passwords until one of them cracks an account wide open—is one method.

Another technique, called credential stuffing, is when attackers use an automated program to test massive lists of stolen credentials against a variety of sites. The theory is that because so many people reuse their usernames and passwords across multiple sites, the attackers are likely to get a hit.

Cybercriminals might also use phishing methods to obtain account credentials. Phishing involves sending out cleverly deceptive emails to targets in the hopes that they’ll click on a link, install a virus or keylogger, or otherwise compromise their own account security. 

Whatever the method, the end result is the same: They’re in, poking around where they shouldn’t be. As soon as they get what they need, they can use your stolen credentials to do whatever they like with your account. And you might not even know it’s happening before it’s too late, and damage has been done. 

Who is at Risk of an Account Takeover Attack?

There are certain risk factors that make you more vulnerable to an account takeover attack, but even if you believe it could never happen to you, you still need to be vigilant. If your username and password are the same on every single site, you’re basically leaving the door wide open for a credential-stuffing attack. But even if your password usage is unique on every single site, human error can still cause tremendous issues. As phishing attacks become both more common and more sophisticated, it’s important to have the knowledge and discernment to avoid being drawn in and exposing your own account to an attack. 

The truth is, all companies that have a login portal are vulnerable to an account takeover attack. While there’s a lot you can do on the personal level to protect yourself, when it comes to the corporate level the answer becomes more complex, and the risk is amplified. Stolen personal data can definitely ruin your day, and your credit, but stolen data on an organizational level could mean that financial data, private health information, or any number of critical systems become damaged beyond repair.

Account Takeover Prevention

Whether at the personal level, or at the corporate level, the first step to fighting account takeovers is prevention. A user base that is more aware of cybersecurity protocols can help protect the entire organization, and it starts with the right kind of training and engagement. Some of the best practices for preventing account takeovers include:

Password Hygiene

Don’t share passwords. Even if it would be more convenient, or a second person has a very valid reason to use your login information, don’t do it. On the personal level, it may be tempting to give a password out to a relative or friend for some innocuous reason—a relative who wants to order school photos through a photo-printing site, or someone who wants to use your HBO account—but it happens in companies, too. Bottom line: Don’t do it. Every individual user needs their own account. This reduces the risk of a password getting out somewhere and being misused.

Also under the umbrella of good password hygiene is not reusing passwords across multiple accounts. Yes, it may be simpler to remember, but that doesn’t make it a good idea. Your work, Facebook, Netflix, and bank account passwords shouldn’t be the same. 

Multi-factor Authentication

Combining a password with a second layer of protection can stop a potential account takeover in its tracks. This might look like adding security questions that only the user knows, or a code that is sent only to your device. So long as you alone have access to the device and the code, you’re safe. In fact, multi-factor authentication has been shown to be a tremendously effective safeguard against account takeovers.

Security Monitoring + Response

Adding safeguards that monitor and respond to certain threats can also prevent account takeovers. Implementing limits on login attempts, for example, or blocking suspicious traffic or specific patterns of behavior that look like they could be automated can help prevent account takeovers. But here, as with individual user behavior, adaptation and upkeep are key. It’s just not enough to use one firewall or one type of strategy and leave it at that. Cyberattackers keep changing, and the methods of attack change, too. It’s important for security leaders to continue to monitor and respond to these threats as they change and adapt.
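The two automated patterns described earlier, brute forcing one account and credential stuffing across many accounts, show up differently in login logs, and the limits this section recommends need to key on the right thing for each. The following added example (not code from the original post or from Living Security) runs a sliding-window check over a few constructed login events: it flags an account for lockout after too many failures in five minutes, flags a source address that cycles through too many different usernames in five minutes, and records any successful login that arrives on an already-flagged account or from an already-flagged source, which is the moment a takeover has actually happened. The log line format, the thresholds, and the addresses (from the documentation ranges) are all assumptions of the example.

```python
"""Spot login activity that looks automated: password brute force against one
account and credential stuffing (one source trying many accounts).

Added example; the log format, thresholds and sample events are constructed
for illustration and are not Living Security's or any real system's output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Assumed line format:
#   <ISO timestamp> ip=<source address> user=<account> result=OK|FAIL
SAMPLE_LOG = """\
2023-01-13T10:00:01 ip=198.51.100.7 user=alice result=OK
2023-01-13T10:00:05 ip=203.0.113.9 user=bob result=FAIL
2023-01-13T10:00:06 ip=203.0.113.9 user=bob result=FAIL
2023-01-13T10:00:07 ip=203.0.113.9 user=bob result=FAIL
2023-01-13T10:00:08 ip=203.0.113.9 user=bob result=FAIL
2023-01-13T10:00:09 ip=203.0.113.9 user=bob result=FAIL
2023-01-13T10:00:10 ip=203.0.113.9 user=bob result=OK
2023-01-13T10:01:00 ip=203.0.113.44 user=carol result=FAIL
2023-01-13T10:01:01 ip=203.0.113.44 user=dave result=FAIL
2023-01-13T10:01:02 ip=203.0.113.44 user=erin result=FAIL
2023-01-13T10:01:03 ip=203.0.113.44 user=frank result=FAIL
2023-01-13T10:01:04 ip=203.0.113.44 user=grace result=FAIL
2023-01-13T10:01:05 ip=203.0.113.44 user=heidi result=OK
2023-01-13T10:30:00 ip=198.51.100.7 user=alice result=FAIL
2023-01-13T10:45:00 ip=198.51.100.7 user=alice result=OK
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def analyze(log_text: str, window: timedelta = timedelta(minutes=5),
            fail_limit: int = 5, distinct_user_limit: int = 5) -> dict:
    """Return accounts to lock, source IPs to block, and successful logins that
    happened on a flagged account or from a flagged source (the takeover signal)."""
    per_user_fails = defaultdict(deque)   # user -> timestamps of recent failures
    per_ip_attempts = defaultdict(deque)  # ip -> (timestamp, user) of recent attempts
    lock_accounts, block_ips, suspect_logins = set(), set(), []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        ts, ip, user, ok = e["ts"], e["ip"], e["user"], e["result"] == "OK"

        # A success on an account already under attack, or from a source already
        # flagged, is "they're in": record it for the response step.
        if ok and (user in lock_accounts or ip in block_ips):
            suspect_logins.append((ts.isoformat(), ip, user))

        # Brute force: too many failures against one account inside the window.
        if not ok:
            fails = per_user_fails[user]
            fails.append(ts)
            while fails and ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= fail_limit:
                lock_accounts.add(user)

        # Credential stuffing: one source trying many different accounts inside the
        # window. Successes count too; stolen credentials often work first time.
        attempts = per_ip_attempts[ip]
        attempts.append((ts, user))
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        if len({u for _, u in attempts}) >= distinct_user_limit:
            block_ips.add(ip)

    return {"lock_accounts": lock_accounts, "block_ips": block_ips,
            "suspect_logins": suspect_logins}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample events, `bob` is locked after five failures and his following success is recorded as suspect, `203.0.113.44` is blocked once it has tried five different usernames and the `heidi` login from it is recorded as suspect, while `alice`, with one stray failure in 45 minutes, triggers nothing. Because the window slides per account and per source, a single threshold on total failures would not have caught the stuffing source, which failed only once per account.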

How to Recognize and Remediate an ATO?

Sometimes, an account takeover attack might be unavoidable. All of the best password hygiene in the world can’t prevent a data breach or the purchase of credentials on the dark web. If it happens, though, there’s a lot that you can do. 

First, identify the attack. This might mean continued vigilance over your personal accounts, or a security team that monitors and searches for things like multiple accounts sharing details, device spoofing, or suspicious login attempts.

Next, lock down the account. Change the login details, remove account permissions, or otherwise sequester or safeguard that specific user’s account so that anyone who has gained access to it can’t get into the main system itself.

Then, remediate the attack. Scan for malware, review what just happened, and incorporate that analysis back into your overall security protocol. What can be learned from this? What needs to change? What vulnerabilities might have been exposed, and what sensitive information was accessed? What needs to happen differently to prevent this from happening again?

Better Cybersecurity for Your Company

At the end of the day, account takeovers are big business, and preventing them is an ever-evolving challenge. The actions you need to take to identify, prevent, and remediate them for your specific organization are likely going to depend on your organization’s needs. However, there are some things that are true across the board: 

  • It’s better to know than to not know;
  • It’s better to train and educate than to remain ignorant;
  • And it’s better to be vigilant than to wait for clean-up. 

How do you gather the information you need, inform your user base, and remain vigilant? You do it with a cybersecurity framework that is built to understand human behaviors. That’s what Living Security Unify does: it gives you the essential analysis of the human risk in your organization, so that you can know what actions people are taking (or not taking) and what impact that could have on their risk level for things like account takeovers. It allows you to see who needs to change their behavior and to accurately monitor what impact that training has on real-time behavior change. 

Sometimes, account takeovers happen. But for a lot of them, they don’t have to. Know what’s happening before it becomes an incident, and empower your team, and your user base, with a vigilance that puts every single user on the front line of defense against account takeovers.

To learn more about how Living Security can help keep your employees cyber-aware and vigilant, request a demo.
