Social engineering, phishing, and account takeover (ATO) attacks are some of the most common methods cybercriminals use to commit fraud. And data shows these tactics are getting more sophisticated and widespread, with ATOs increasing a staggering 427% in Q1 2023 when compared to the entirety of 2022.
To combat this rising fraud, businesses can apply several prevention strategies to protect themselves and their customers. Best practices for preventing ATOs include strong, unique passwords, multi-factor authentication (MFA), monitoring accounts for unknown devices, unfamiliar IP addresses and suspicious account changes, and rate-limiting login attempts.
In this blog, we will explore the common methods employed by attackers to execute ATO, delve into emerging trends in ATO vectors, and provide actionable best practices to effectively shield against these threats.
How do account takeovers happen?
Account takeovers can be executed through several methods, each designed to exploit specific vulnerabilities. Here are some common approaches used by fraudsters to launch ATO attacks:
- Phishing attacks and social engineering techniques: Phishing attacks involve the use of deceptive emails, messages, or websites to trick users into revealing their login credentials or other sensitive information. Cybercriminals often employ social engineering tactics to create messages that appear legitimate, leading unsuspecting users to unwittingly share their account details. Increasingly, phishing campaigns are incorporating AI to create more convincing automated attacks.
- Data breaches, credential stuffing, and password reuse: Data breaches expose large volumes of usernames and passwords that can be used directly for ATO. Adding fuel to the fire, many users reuse the same username and password across multiple online platforms. Attackers exploit this by replaying breached username-password pairs from one site against other sites, a technique known as credential stuffing, and gain access wherever the user has reused the credentials. Brute-force attacks automate guessing of weak, common passwords such as “password” and need no breach data at all.
- Malware and keylogging: Malware, such as keyloggers, can secretly infect a user’s device, recording every keystroke made on the keyboard or stealing stored login credentials. Through keyloggers, attackers can harvest login credentials and sensitive data entered by the user, granting them full access to the victim’s account.
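To make the credential-stuffing and password-reuse point concrete, here is an added Python example (not Sift's code or anything from the original post). It replays a constructed breach dump from one site against a second site's hashed credential store, the way a stuffing tool would, and then shows the breached-password screening check recommended in the prevention section below, implemented as a k-anonymity range lookup in the style of the Have I Been Pwned Pwned Passwords API: only the first five hex characters of the SHA-1 hash are sent to the lookup service. The breach dump, the user records, the breach corpus and the local `range_lookup` stand-in for the remote service are all constructed for the example; the 12-character minimum in `registration_allowed` is an illustrative policy.

```python
"""Why credential reuse enables account takeover, and the check that catches it.

Added example (not Sift code). Part 1 replays username/password pairs from a
constructed breach dump against a second site's hashed user table, as a
credential-stuffing tool does. Part 2 screens a password with a k-anonymity
range lookup: only the first 5 hex chars of SHA-1(password) leave the client;
the lookup service is simulated locally here.
"""
import hashlib
import os
from collections import defaultdict

ITERATIONS = 100_000


# --- Site B's credential store (constructed). A real site would use bcrypt or
# argon2; PBKDF2 from the standard library keeps this runnable offline.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, record):
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest


SITE_B_USERS = {
    "alice": hash_password("Summer2023!"),    # reused from the site A dump
    "bob": hash_password("q7$Lm2!pXv9#Rt"),   # unique to site B
}

# --- Dump from an unrelated breached site A (constructed).
SITE_A_DUMP = [("alice", "Summer2023!"), ("bob", "hunter2"), ("mallory", "password")]


def credential_stuffing(dump, users):
    """Replay each leaked pair; return the accounts that open because of reuse."""
    return [u for u, pw in dump if u in users and verify_password(pw, users[u])]


# --- Breached-password screening via k-anonymity range query.
# Constructed stand-in for a breach corpus (password -> times seen in breaches).
BREACH_CORPUS = {"password": 9_000_000, "Summer2023!": 1_200, "hunter2": 120_000}


def sha1_upper(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(corpus):
    """Service side: bucket SHA-1 hashes by their 5-char hex prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def range_lookup(prefix):
    """Hypothetical local stand-in for GET /range/{prefix}: returns every
    (suffix -> count) in the bucket, so the service never learns which one
    the client cared about."""
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password):
    """Client side: the password and its full hash never leave this function."""
    h = sha1_upper(password)
    return range_lookup(h[:5]).get(h[5:], 0)


def registration_allowed(password, min_len=12):
    """Illustrative policy in the spirit of NIST SP 800-63B: a length floor plus
    breach screening, and no character-class composition rules."""
    return len(password) >= min_len and breach_count(password) == 0


if __name__ == "__main__":
    print("accounts opened by stuffing:", credential_stuffing(SITE_A_DUMP, SITE_B_USERS))
    for pw in ("Summer2023!", "correct horse battery staple"):
        print(pw, "seen in breaches:", breach_count(pw), "allowed:", registration_allowed(pw))
```

Run it and alice's account on site B falls to the replay because she reused the site A password, while the screening step rejects that same password at registration or password change before it can be reused. Because the bucket contains every suffix sharing the prefix, the lookup service cannot tell which password the client checked.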
Trends in account takeover vectors
Fraudsters are continuing to use these tried-and-true tactics, but they’re also constantly innovating and coming up with new ways to commit fraud faster and more effectively. AI-enabled fraud and one-time password (OTP) bots, for example, are among the biggest trends in account takeover attacks.
Malicious actors are using AI to generate targeted, convincing messages and to scale fraud campaigns quickly through automation. In the six months after ChatGPT launched in November 2022, nearly half of consumers admitted to finding it more difficult to identify scams.
Fraudsters have also been turning to MFA bypass techniques such as SIM swapping and MFA prompt bombing to gain access to accounts. More recently, there has been a surge in automated MFA attacks, including one-time password (OTP) bots. These bots are a fraud-as-a-service offering that bypasses MFA by targeting victims with automated phone calls and SMS messages. The bot spoofs a company's or financial institution's caller ID to trick victims into reading back their OTPs for anything from bank logins to payment service apps; the code is relayed to the attacker within its validity window, so the OTP is never cracked, only phished. Fraudsters can rent the bot on a daily, weekly, monthly, or yearly basis.
Account takeover prevention best practices
Blocking account takeover attempts is key to preventing downstream payment fraud, which can leave your business liable and lead to brand abandonment. In order to proactively prevent account takeovers, consider implementing some of the best practices below.
- Require strong passwords: Enforcing strong, unique passwords for each online account significantly reduces the risk of successful brute-force attacks and credential stuffing. Current guidance (NIST SP 800-63B) favors length and screening against breached-password lists over mandatory character-class rules and scheduled rotation: forced complexity and periodic changes tend to produce predictable patterns such as “Summer2023!” and “Password1!”, which attackers' wordlists already contain. The property that matters most is uniqueness, which a password manager makes practical for users.
- Check credentials against a breached-credentials database: Breached-credentials databases contain data exposed in previous breaches. By checking user passwords against such a database at registration, at password change and periodically at login, organizations can identify compromised or reused credentials proactively and prompt users to change passwords or enable multi-factor authentication. Use a k-anonymity lookup, which sends only a short hash prefix, so that neither the password nor its full hash leaves your system.
- Set rate limits for login attempts: Limiting the number of login attempts is an effective measure against brute-force attacks, which rely on automated tools making thousands of guesses. Apply limits per account and per source IP, and watch the global failure rate as well: credential stuffing is typically spread across proxy networks so that each IP and each account sees only a few attempts. Prefer progressive delays, CAPTCHAs or step-up authentication over hard lockouts, since an attacker can otherwise lock legitimate users out of their own accounts by deliberately failing their logins.
- Enable notifications for account changes: Real-time notifications are crucial for early detection and mitigation of account takeovers. Immediately sending users email or SMS notifications about changes to their accounts, such as password changes or logins from new devices, lets users act promptly if the changes were unauthorized. Send the notice to the contact details on file before the change, not only to the new address or number, since an attacker will change those first. Additionally, giving users a way to verify or dispute account changes adds an extra layer of security.
- Monitor login attempts from unknown IP addresses: IP geolocation can indicate the source of login attempts, allowing organizations to assess their legitimacy. For example, if a user who has established a pattern of logging in from the United States suddenly connects from Europe, or from two countries within an interval too short to travel between them, it could be a sign of account takeover. Treat this as one signal among several rather than a hard block: VPNs, mobile carriers and travel produce false positives, and attackers can buy residential proxies in the victim's own region.
- Look out for changing account details: Account takeovers can sometimes be part of coordinated attacks targeting various accounts. By monitoring for multiple accounts updating their information to the same details (e.g., email address or phone number), organizations can detect suspicious activities and take immediate action. Promptly investigating and taking action on such account changes, such as locking affected accounts or notifying the account owners, can prevent further damage.
- Check for unknown devices: Implementing device recognition and monitoring tools enables organizations to track devices used to access user accounts. Flagging and verifying new or unrecognized devices accessing accounts can help identify potential unauthorized access. Offering users the option to review and approve new devices provides an additional layer of security and control over their accounts.
- Implement 2FA or MFA: Two-factor authentication (2FA) and multi-factor authentication (MFA) significantly enhance the security of user accounts. 2FA requires users to provide two forms of identification before gaining access, typically something they know (a password) and something they have (such as a one-time code from their phone). Not all second factors are equal: SMS and voice OTPs are exactly what the SIM-swapping and OTP-bot attacks described above defeat, and app-based OTPs can still be phished in real time. Phishing-resistant methods such as FIDO2 security keys and passkeys bind the credential to the legitimate site's origin, so a spoofed site or an OTP bot has nothing to relay. Encouraging users to enable any MFA helps; steering them toward phishing-resistant factors offers the most robust defense against account takeovers.
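The monitoring controls in the list above (login rate limits, unknown IP addresses, unknown devices, and clustered account changes) can be combined into one risk decision per login, which is the shape of the dynamic-friction model described later on this page. The following added Python example, not code from Sift or from the original post, does this over a constructed stream of login events: it rate-limits failed attempts per account, flags a source IP that cycles through many accounts, steps up to MFA on an unknown device or country, and reports contact details that several accounts changed to the same value. The thresholds, the first-login enrollment policy, and the RFC 5737 documentation IP addresses are all assumptions made for the example.

```python
"""Account takeover signals over a login stream.

Added example (not Sift code). Runs the controls from the prevention list
against constructed events: per-account failed-login rate limit, distinct-
account fan-out per source IP (credential stuffing), unknown device / unknown
country step-up, and many accounts rewriting contact details to one value.
Thresholds are illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int           # unix seconds
    user: str
    ip: str
    country: str
    device_id: str    # opaque fingerprint or device cookie id
    password_ok: bool


class LoginRiskMonitor:
    def __init__(self, max_failures=5, window_s=300, ip_max_accounts=10):
        self.max_failures = max_failures
        self.window_s = window_s
        self.ip_max_accounts = ip_max_accounts
        self.failures = defaultdict(deque)      # user -> failed-attempt timestamps
        self.ip_accounts = defaultdict(dict)    # ip -> {user: last_seen_ts}
        self.known_devices = defaultdict(set)   # user -> device ids from trusted logins
        self.known_countries = defaultdict(set)

    def _recent_failures(self, user, now):
        dq = self.failures[user]
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return len(dq)

    def _accounts_from_ip(self, ip, user, now):
        seen = self.ip_accounts[ip]
        for u, t in list(seen.items()):
            if now - t > self.window_s:
                del seen[u]
        seen[user] = now
        return len(seen)

    def evaluate(self, ev):
        """Return (decision, reasons); decision is allow | step_up | deny | block."""
        reasons = []
        if self._recent_failures(ev.user, ev.ts) >= self.max_failures:
            reasons.append("account_rate_limited")
        if self._accounts_from_ip(ev.ip, ev.user, ev.ts) > self.ip_max_accounts:
            reasons.append("ip_fanout")   # one IP cycling through many accounts
        if reasons:
            # Block even if the password is right: a correct guess after a burst
            # of failures is exactly what brute force and stuffing look like.
            if not ev.password_ok:
                self.failures[ev.user].append(ev.ts)
            return "block", reasons
        if not ev.password_ok:
            self.failures[ev.user].append(ev.ts)
            return "deny", ["bad_password"]
        devices, countries = self.known_devices[ev.user], self.known_countries[ev.user]
        if not devices:
            # First successful login: nothing to compare against, so enroll
            # (assumed policy; a real system would verify out of band first).
            devices.add(ev.device_id)
            countries.add(ev.country)
            return "allow", ["first_login_enrolled"]
        if ev.device_id not in devices:
            reasons.append("new_device")
        if ev.country not in countries:
            reasons.append("new_country")
        if reasons:
            # Step up to MFA; the device becomes trusted only after MFA succeeds
            # (not modelled here), so known_devices is left untouched.
            return "step_up", reasons
        return "allow", []


def shared_contact_changes(changes, min_accounts=3):
    """changes: iterable of (user, field, new_value). Returns the values that
    min_accounts or more distinct users set, a sign of one operator pointing
    many hijacked accounts at their own email address or phone number."""
    by_value = defaultdict(set)
    for user, fld, value in changes:
        by_value[(fld, value)].add(user)
    return {k: sorted(v) for k, v in by_value.items() if len(v) >= min_accounts}


def run_demo():
    """Constructed events; IPs come from the RFC 5737 documentation ranges."""
    m = LoginRiskMonitor()
    out = {}
    # 1. bob logs in from his usual laptop in the US, then from a new device in Romania.
    out["bob_first"] = m.evaluate(LoginEvent(1000, "bob", "198.51.100.20", "US", "dev-bob-1", True))
    out["bob_new_device"] = m.evaluate(LoginEvent(1500, "bob", "203.0.113.44", "RO", "dev-x9", True))
    # 2. brute force on alice: five wrong guesses, then the right one inside the window.
    for i in range(5):
        m.evaluate(LoginEvent(2000 + i, "alice", "203.0.113.9", "DE", "dev-z", False))
    out["alice_after_burst"] = m.evaluate(LoginEvent(2010, "alice", "203.0.113.9", "DE", "dev-z", True))
    # 3. credential stuffing: one IP tries eleven different accounts in a few seconds.
    last = None
    for i in range(11):
        last = m.evaluate(LoginEvent(3000 + i, f"user{i}", "192.0.2.77", "US", "dev-bot", False))
    out["stuffing_ip"] = last
    # 4. five hijacked accounts all switch their recovery email to the same address.
    out["shared_email"] = shared_contact_changes(
        [(f"user{i}", "email", "payout@example.net") for i in range(5)]
        + [("carol", "email", "carol@example.org")])
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

The per-IP fan-out check only catches the naive stuffing run in scenario 3; a distributed campaign spreads its attempts over many proxies, which is why the failure deque is kept per account as well and why the global failure rate (not modelled here) is worth graphing separately. The `step_up` outcome is the hook where a real deployment would enforce MFA rather than deny outright, keeping friction off trusted users.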
Preventing ATO with Sift Account Defense
To effectively prevent ATOs and get the full picture of your fraud problem, it’s important to manage all aspects of account security with a single solution. Sift Account Defense simplifies account security and accelerates growth by proactively detecting and blocking ATOs, cultivating customer trust, and building flexible fraud operations within one holistic platform.
The Sift Platform enables businesses to pinpoint risky account activity with intelligent automation powered by Sift’s real-time machine learning models. Leveraging dynamic friction is also crucial for ensuring a smooth experience to trusted users and can automatically apply controls to suspicious activity, including review, enforcing MFA, or removing them from your site completely. With Sift Workflows, fraud prevention teams can customize and automate risk decisions to manage fraud at scale.
One Sift customer, Rently, a property management service, was able to reduce ATOs by 65% and eliminated hours of manual reviews. According to Sahil Farooqi, Head of Customer Care and Security at Rently, “I have great confidence in Sift. It’s learning from manual reviews, making decisions, and pinpointing the bad actors from trusted customers. The automation saves us a lot of time, even when we’re not working.”
Farooqi continued, “Sift is a game changer that’s keeping us ahead of ATO and scammers. Its flexibility makes it easy for us to change our rules as needed, and it’s constantly updating with new signals, which is critical for staying ahead of scammers who are always changing tactics.”
Another Sift customer, Traveloka, was able to double its number of orders while maintaining a low ATO rate. According to Wayan Tresna Perdana, Sr. Product Manager at Traveloka, “Sift helps us to identify more trusted customers and reduce the number of transactions that have to be authenticated, thus reducing payment friction and increasing overall conversion. It also detects more ATO than our rules-based system could, and the console makes it easy for our team to investigate suspicious cases and take action quickly.”
Learn more about how Sift Account Defense can help you prevent account takeovers.