
How to prevent account takeovers: ATO prevention in 2024

Prevent account takeovers before they happen by implementing these best practices from Sift.


Social engineering, phishing, and account takeover (ATO) attacks are among the most common methods cybercriminals use to commit fraud. The data shows these tactics are becoming more sophisticated and more widespread: ATOs in Q1 2023 alone were a staggering 427% higher than in all of 2022.

To combat this rising fraud, businesses can apply several prevention strategies to protect themselves and their customers. Best practices for preventing ATO include requiring strong passwords, enforcing multi-factor authentication (MFA), monitoring accounts for logins from unknown devices or IP addresses and for unexpected account changes, and rate-limiting login attempts.

In this blog, we will explore the common methods employed by attackers to execute ATO, delve into emerging trends in ATO vectors, and provide actionable best practices to effectively shield against these threats.

How do account takeovers happen?

Account takeovers can be carried out in several ways, each exploiting a different weakness. Here are the most common approaches fraudsters use to launch ATO attacks:

  • Phishing attacks and social engineering techniques: Phishing attacks involve the use of deceptive emails, messages, or websites to trick users into revealing their login credentials or other sensitive information. Cybercriminals often employ social engineering tactics to create messages that appear legitimate, leading unsuspecting users to unwittingly share their account details. Increasingly, phishing campaigns are incorporating AI to create more convincing automated attacks.
  • Data breaches, credential stuffing, and password reuse: Data breaches expose large volumes of usernames and passwords that can be used to enable ATO. Adding fuel to the fire, many users reuse the same username and password across multiple online platforms. Attackers exploit this by replaying breached username-password pairs from one site against other sites (credential stuffing), gaining access wherever the user reused the same credentials. Brute-force attacks need no breach data at all; they simply automate guessing of weak, common passwords such as “password.”
  • Malware and keylogging: Malware, such as keyloggers, can secretly infect a user’s device, recording every keystroke made on the keyboard or stealing stored login credentials. Through keyloggers, attackers can harvest login credentials and sensitive data entered by the user, granting them full access to the victim’s account.

Fraudsters are continuing to use these tried-and-true tactics, but they’re also constantly innovating and coming up with new ways to commit fraud faster and more effectively. AI-enabled fraud and one-time password (OTP) bots, for example, are among the biggest trends in account takeover attacks.

Malicious actors are using AI to generate targeted, convincing messages and to scale fraud campaigns quickly through automation. In the six months after ChatGPT launched in November 2022, nearly half of consumers admitted that they found it harder to identify scams.

Fraudsters have also been turning to MFA bypass techniques such as SIM-swapping and MFA prompt bombing to gain access to accounts. More recently, there has been a surge in automated MFA attacks, including one-time password (OTP) bots. These bots are an automated fraud service used to bypass MFA by targeting victims with fake phone calls and SMS messages. The bot spoofs a company's or financial institution's caller ID to trick victims into reading back their OTPs for anything from bank logins to payment service apps; because it relies on the victim handing over the code rather than on any weakness in MFA itself, it works against any OTP delivered by SMS or voice. Fraudsters can rent the bot on a daily, weekly, monthly, or yearly basis.

Account takeover prevention best practices

Blocking account takeover attempts is key to preventing downstream payment fraud, which can leave your business liable and lead to brand abandonment. To proactively prevent account takeovers, start with the practices outlined above (strong passwords, MFA, monitoring for unknown devices and IP addresses or unexpected account changes, and rate limits on login attempts) and consider the approach described below.
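As an added illustration (example code written for this page, not Sift's product code or code from the original post), the login gate below combines the controls named in the introduction: sliding-window limits on failed attempts per account and per source IP, a credential-stuffing signature (one source cycling through many different usernames), and dynamic friction that steps up to MFA when a correct password arrives from a device or IP address the account has never used. The thresholds, the `device_id` field, and the sample traffic in `demo()` are assumptions constructed for the example.

```python
"""Risk-based login gate: rate limits, stuffing detection and step-up MFA.

Example code added for illustration; thresholds below are assumed values,
not recommendations from any vendor. The gate runs after the password has
already been checked and decides what to do with that result.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILS_PER_ACCOUNT = 5    # assumed: failed attempts per account within WINDOW
MAX_FAILS_PER_IP = 20        # assumed: failed attempts per source IP within WINDOW
MAX_ACCOUNTS_PER_IP = 10     # assumed: distinct usernames one IP may try within WINDOW
WINDOW = 600                 # seconds


@dataclass
class LoginAttempt:
    ts: int            # Unix time of the attempt
    user: str
    ip: str
    device_id: str     # hypothetical device fingerprint / long-lived cookie id
    password_ok: bool  # result of the credential check, already performed


@dataclass
class LoginGate:
    fails_by_account: dict = field(default_factory=lambda: defaultdict(deque))
    fails_by_ip: dict = field(default_factory=lambda: defaultdict(deque))
    users_by_ip: dict = field(default_factory=lambda: defaultdict(dict))   # ip -> {user: last ts}
    known_devices: dict = field(default_factory=lambda: defaultdict(set))  # user -> device ids
    known_ips: dict = field(default_factory=lambda: defaultdict(set))      # user -> ips

    @staticmethod
    def _prune(q: deque, now: int) -> None:
        """Drop timestamps older than WINDOW so every limit is a sliding window."""
        while q and now - q[0] > WINDOW:
            q.popleft()

    def decide(self, a: LoginAttempt) -> str:
        """Return 'block' (rate-limited or stuffing), 'reject' (wrong password),
        'mfa' (correct password from an unfamiliar device/IP) or 'allow'."""
        acct_fails = self.fails_by_account[a.user]
        ip_fails = self.fails_by_ip[a.ip]
        self._prune(acct_fails, a.ts)
        self._prune(ip_fails, a.ts)
        seen = self.users_by_ip[a.ip]
        seen[a.user] = a.ts
        for stale in [u for u, t in seen.items() if a.ts - t > WINDOW]:
            del seen[stale]

        # Rate limits are checked before the password result is considered, so a
        # correct guess on the sixth try is still refused.
        if len(acct_fails) >= MAX_FAILS_PER_ACCOUNT or len(ip_fails) >= MAX_FAILS_PER_IP:
            return "block"
        # Credential stuffing signature: one source trying many different accounts.
        if len(seen) > MAX_ACCOUNTS_PER_IP:
            return "block"
        if not a.password_ok:
            acct_fails.append(a.ts)
            ip_fails.append(a.ts)
            return "reject"

        # Correct password: the first login binds the device; later logins from an
        # unknown device or IP get step-up MFA instead of being waved through.
        if not self.known_devices[a.user]:
            self.mfa_completed(a.user, a.ip, a.device_id)
            return "allow"
        if a.device_id not in self.known_devices[a.user] or a.ip not in self.known_ips[a.user]:
            return "mfa"
        return "allow"

    def mfa_completed(self, user: str, ip: str, device_id: str) -> None:
        """Call only after the second factor has been verified; trusts the device and IP."""
        self.known_devices[user].add(device_id)
        self.known_ips[user].add(ip)


def demo() -> list:
    """Run constructed sample traffic through the gate and return the decisions."""
    g = LoginGate()
    out = []
    out.append(g.decide(LoginAttempt(1000, "alice", "203.0.113.5", "dev-1", True)))   # allow: first login binds dev-1
    out.append(g.decide(LoginAttempt(1020, "alice", "198.51.100.7", "dev-1", True)))  # mfa: new IP for alice
    g.mfa_completed("alice", "198.51.100.7", "dev-1")
    out.append(g.decide(LoginAttempt(1030, "alice", "198.51.100.7", "dev-1", True)))  # allow: IP now trusted
    for i in range(5):                                                                 # five wrong guesses at bob
        out.append(g.decide(LoginAttempt(2000 + i, "bob", "203.0.113.50", "dev-2", False)))
    out.append(g.decide(LoginAttempt(2005, "bob", "203.0.113.50", "dev-2", True)))    # block: locked out despite correct password
    for i in range(12):                                                                # one IP cycling through 12 accounts
        out.append(g.decide(LoginAttempt(3000 + i, f"user{i}", "192.0.2.9", "dev-3", False)))
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The ordering of checks is the point: limits and the stuffing signature are evaluated before the password result, so an attacker who finally lands the right credential inside a locked window still gets nothing, and a correct password from an unseen device or IP earns a second factor rather than a session. A production gate would feed richer signals into the same decision (ASN and geolocation changes, impossible travel, account changes made right after login), which is the "dynamic friction" idea applied at scale.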

Preventing ATO with Sift Account Defense

To effectively prevent ATOs and get the full picture of your fraud problem, it’s important to manage all aspects of account security with a single solution. Sift Account Defense simplifies account security and accelerates growth by proactively detecting and blocking ATOs, cultivating customer trust, and building flexible fraud operations within one holistic platform.

The Sift Platform enables businesses to pinpoint risky account activity with intelligent automation powered by Sift's real-time machine learning models. Dynamic friction is also crucial: it keeps the experience smooth for trusted users while automatically applying controls to suspicious activity, such as sending it to review, enforcing MFA, or removing the actor from your site completely. With Sift Workflows, fraud prevention teams can customize and automate risk decisions to manage fraud at scale.

One Sift customer, Rently, a property management service, reduced ATOs by 65% and eliminated hours of manual review. According to Sahil Farooqi, Head of Customer Care and Security at Rently, “I have great confidence in Sift. It’s learning from manual reviews, making decisions, and pinpointing the bad actors from trusted customers. The automation saves us a lot of time, even when we’re not working.”

Farooqi continued, “Sift is a game changer that’s keeping us ahead of ATO and scammers. Its flexibility makes it easy for us to change our rules as needed, and it’s constantly updating with new signals, which is critical for staying ahead of scammers who are always changing tactics.”

Another Sift customer, Traveloka, was able to double its number of orders while maintaining a low ATO rate. According to Wayan Tresna Perdana, Sr. Product Manager at Traveloka, “Sift helps us to identify more trusted customers and reduce the number of transactions that have to be authenticated, thus reducing payment friction and increasing overall conversion. It also detects more ATO than our rules-based system could, and the console makes it easy for our team to investigate suspicious cases and take action quickly.”

Learn more about how Sift Account Defense can help you prevent account takeovers.
