Account takeover fraud is also known as account hijacking or account compromise. It is where an unauthorised individual gains access to an online account and then changes its details to lock out the original owner and take full control. The account is then used to carry out illegal and unauthorised activities such as making withdrawals and transfers, purchasing items or services, or conducting other crimes such as money laundering.
A typical example would be: A criminal buys your Facebook username and password on the dark web for a couple of dollars. They use it to log into your Facebook account. They then change the mobile number and email address associated with it and the password. This means that they have full access to your account, and it is linked to a number and email that they now control. Your previous password no longer works, and you are unable to regain control. The criminal could then contact people on your friends list and ask them to send money to a certain PayPal account, claiming they need it for an emergency. Or they could just cause havoc by spam posting under your name. With this simple action they have gained access to your online presence.
There are, of course, other ways they can gain access to your account, including via a device that has been lost or stolen or through brute force. They can also seek to exploit security vulnerabilities and gain unauthorised access through cross-site scripting or server-side request forgery, but this is mainly the domain of more technically advanced hackers. SEON’s guide to account takeovers does a great job of explaining the different scenarios, so you can better understand how you and your password can be at risk.
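The takeover sequence described above (log in, then change the phone number, email and password in quick succession) is also a detectable pattern. The following is an added example, not code from the original article or from SEON: it runs a simple rule over constructed login and profile-change events and flags accounts where a login from a device the account has not used before is followed within a short window by two or more recovery-detail changes. The event format, the device identifier and the 15-minute window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event, device_id).
# "alice" shows the takeover pattern from the article; "bob" is a normal
# password change from a device the account already knows.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "login", "dev-A"),
    ("2024-03-01T09:02:00", "alice", "change_phone", "dev-A"),
    ("2024-03-01T09:03:00", "alice", "change_email", "dev-A"),
    ("2024-03-01T09:04:00", "alice", "change_password", "dev-A"),
    ("2024-03-01T10:00:00", "bob", "login", "dev-B"),
    ("2024-03-01T10:30:00", "bob", "change_password", "dev-B"),
]
# Constructed: devices each account has previously logged in from.
KNOWN_DEVICES = {"alice": {"dev-home"}, "bob": {"dev-B"}}

WINDOW = timedelta(minutes=15)  # assumed: how soon after login the changes must occur
RECOVERY_CHANGES = {"change_phone", "change_email", "change_password"}


def find_takeover_sequences(events, known_devices, window=WINDOW, min_changes=2):
    """Return {account: [changed fields]} for accounts where a login from an
    unknown device is followed within `window` by at least `min_changes`
    distinct recovery-detail changes (phone, email, password)."""
    flagged = {}
    last_login = {}               # account -> (login time, device)
    changes = defaultdict(set)    # account -> change events since last login
    for ts, account, event, device in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "login":
            last_login[account] = (t, device)
            changes[account] = set()
        elif event in RECOVERY_CHANGES and account in last_login:
            login_t, login_device = last_login[account]
            new_device = login_device not in known_devices.get(account, set())
            if new_device and t - login_t <= window:
                changes[account].add(event)
                if len(changes[account]) >= min_changes:
                    flagged[account] = sorted(changes[account])
    return flagged


if __name__ == "__main__":
    for account, fields in find_takeover_sequences(EVENTS, KNOWN_DEVICES).items():
        print(f"possible takeover of {account}: {', '.join(fields)}")
```

A flagged account is a candidate for the freeze and notification steps described later in the article, not proof of compromise on its own.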
What is the situation?
Like every other form of online security threat, the situation is getting worse. In 2020, the incidence of account takeovers increased by 20%, rising by a similar amount in 2021 as well. This number is likely to increase as more people come online and more criminals seek to exploit weaknesses for their own gain. Not only are attacks getting more likely, but they are getting faster: the time it takes a criminal to gain access and take over an account is shrinking. In 2021, it took criminals less than 24 hours to gain access and take over an account from its real owner. Another concerning statistic is that people can often be victims multiple times. If, for example, they use the same password for multiple accounts, they can find more than one account hijacked. In 2019, over half of victims experienced account takeover up to five times, and 80% of them lost money. Social media came out on top, followed by payment providers, gambling sites, and exchanges, in terms of the kinds of accounts most at risk from takeovers.
But how does it impact merchants? In 2021, 43% of US merchants said that this fraud contributed significantly to chargebacks. This is where payments are disputed with the card issuer or bank, and refunds are forcibly taken from the merchant. This can cause the merchant significant losses and problems with their bank and payment provider. The same data from Javelin Strategy & Research noted that almost a quarter of adults in the US had been victims of account takeover. Safe to say, it is quite an issue.
How can you prevent it?
There are several ways you can protect yourself from account takeover fraud. Foremost, you must stop reusing passwords, or even slight variations of the same password. Reuse could result in you losing access to all those accounts simultaneously. You should also update passwords regularly so that if your data is leaked, it will soon be out of date. It is also important to recognise which accounts are at risk. In particular, social media platforms like Facebook, Twitter and Instagram, as well as email accounts, are targets. Additionally, payment accounts and apps for making payments are prime targets, in particular BNPL platforms, according to Fortune.
Another great way to protect yourself is by using a password manager. These help you create long and strong passwords that are stored securely on your device and auto-filled when needed. It’s also worth activating 2FA on all your accounts to add an extra layer of security.
You should also be very careful when opening links, particularly from senders you don’t recognise or communications you did not solicit. If in doubt, try searching for the site via your browser rather than opening it directly. Always check the spelling and composition of any URLs to look for apparent mistakes which could signify a fraudulent site.
What to do if your account is taken over?
If you suspect your account has been compromised and you still have access to it, the best thing to do is to freeze it if the account gives you this option. Then change the password immediately to something unique and very secure. Next, look at details such as name, phone number, email, and recovery questions and make sure they apply to you and have not been altered. Some accounts will also let you see which devices are logged into your account and from where. If they do, check this information and remove any device you don’t recognise. It is best practice to log out of all devices and then log in again with your new credentials.
Once you are sure your account is back in your control, it is worth contacting the company. Let them know what happened and approximately when. That way, if any actions were carried out without your consent, they are aware and can address them. They may also be able to take steps to identify the criminal or help you secure your account further.
But don’t forget, you also need to check your other accounts. If you suspect one account has been compromised, it is good practice to check all your other online accounts. Even if they have different login credentials and passwords, it is good to change all of them after a breach. You never know who has gained access to your information or what information they have their hands on. It is better to be safe than sorry.
The reality is that in the age of the internet, fraud is everywhere. We need to understand the risks and take as many informed steps as possible to protect ourselves. Otherwise, the consequences can be dire.