Account Takeover Fraud: What You Need to Know

Photograph of a chained and pad-locked computer keyboard.
Lock-up your computer, fraudsters are on the prowl!

Account takeover fraud (ATO) is becoming an increasingly common risk. Cybercriminals are often purchasing user credentials from the dark web and using this information to spy on and control your account. The worst part? Credentials bought off the dark web can’t be traced back to the perpetrator, at least not easily! 

ATO enables cybercriminals to spy on you and cyber-stalk you. Cybercriminals can also commit fraud once they gain access to your account. They can even compromise your company’s private information! As a result, you need to know how cybercriminals commit account takeover fraud. This way, you can protect yourself from it.

First, though, let’s take a look at what an account takeover attack is!

What Is an Account Takeover Attack?

Account takeover attacks allow bad actors to gain control over your accounts. To do that, cybercriminals steal your login details for websites or web applications. Cybercriminals carry out account takeover attacks in a variety of ways. The purpose of an ATO also varies from one case to another. Some use it for financial fraud or theft of intellectual property. Others use it to gain knowledge of a business and its clients. Then, cybercriminals can sell this information to competitors, or even use it to get your company ransomed. Likewise, personal account details can also help with fraud activities and cyberstalking.

But how do you know if your organization is a target for account takeover attacks? Let’s find out!

What Organizations Are ATO Targets?

Often, cybercriminals look for companies that may be large enough to be of interest but small enough not to be protected adequately. Attackers often look at targets that may be weaker than others irrespective of sector. Every business in every field is a potential target. In fact, it helps if companies think they’re too small to be attacked. That’s because their cybersecurity measures will often be weaker due to this outlook. 

Most attackers will avoid companies like Google, Microsoft, and other giants. That’s because their administrators are the best and brightest, so their security is the strongest possible. These large companies will also conduct regular penetration testing. They may even offer rewards to hackers so they can plug any weaknesses that arise. 

Conversely, some SMEs and large to mid-sized companies don’t keep security as a key business objective. That’s because they may not have enough resources to support their cybersecurity specialists. As the business grows, new gaps in security will also pop up. This is a problem rarely found in well-established companies.

Stealing Information to Help Competitors 

Cybercriminals understand that gaining access to an SME won’t yield much financial reward. That is unless they can steal intellectual property that would be useful for a larger company. Even then, getting payment and doing everything under the radar is a problem. In many cases, fraud through stealing payment details is the easiest way to gain money. That said, trade secrets can also be of interest to competitors. 

For example, a fast food chain may want to know its competitor’s secret sauce recipe. This recipe will likely not be written down on a computer. Instead, it’ll be kept as a trade secret. However, the competitor chain will likely keep other relevant information about this recipe. Cybercriminals can conduct an account takeover attack to get the invoices for raw ingredients and other materials used. Then, they’ll piece together this information and sell it to an interested party

Stealing Information to Help Other Cybercriminals

Additionally, cybercriminals can steal account details and sell them on the dark web. This also helps hide the final attacker’s identity and cover their tracks. That’s because the cybercriminal accessing the account will be different from the one who gained the information, to begin with. This is also useful if the data was obtained from an insider at the company.

Many cybercriminals also specialize in a particular activity. For example, one person or group could be great at gaining account information. Yet, they may not know how to ransom a target successfully. To this end, they can mobilize specialists to help them get away with the crime. Remember, the key to successful fraud is not to get caught. 

Now, you know what companies are the main targets for account takeover fraud. You also know how cybercriminals use your stolen info. Next, let’s see how they get access to your accounts in the first place.

What Are the Attack Vectors for ATO?

First things first, cybercriminals need to get your account’s username and password. To do this, they often use the following attack vectors:

  • Social engineering: cybercriminals use ruses to make you give them your username and password. 
  • Brute force: cybercriminals create dictionaries of different usernames and passwords and parse them into login forms.
  • Data leaks: poor security and data management put your username and passwords on the internet.
  • Phishing: emails get you to click a link that downloads a keylogger and relays your information to the bad actor.
  • Spear phishing: email phishing attacks  targeted towards key personnel like administrators or CEOs.
  • Man in the Middle (MIM) Attacks: Wi-Fi intercepted by a router posing as your own. All unencrypted traffic is visible to the attacker, including your login details.
  • Web-scraping: exposed website meta-data helps create an attack vector.

You likely noticed that most of these attack vectors rely on human errors in judgment. Train your users to be aware of these types of attacks. This will reduce the risk of account takeover and other cybercrimes. 

Account Takeover Process

First, the cybercriminal gets a list of account details. Then, they use bots to conduct a credential stuffing process. Basically, credential stuffing includes a list of usernames and passwords that get parsed one at a time into a login screen. When something works, the details are saved and used later to commit fraud. 

You’ll know you’re targeted by credit stuffing through irregular logon events. Most modern firewalls check for this and alert you. 

Now, you know all the ways that malicious actors can use to access your credentials. So how can you protect your company from account takeover fraud?

How to Prevent ATO

Preventing ATO is almost impossible, especially if you store your details online. To this end, many companies are going back to onsite networks for sensitive data. That helps them prevent data leaks for cloud-based solutions from high-profile targets. This also stops businesses from having to trust other parties and their security measures. Instead, on-site storage means the company can trust its own security measures. 

This may not be possible with the cloud. For instance, many companies moved to Amazon cloud to reduce their operational costs. Yet, this made Amazon face multiple data breaches. However, a complete move away from the cloud isn’t possible. In reality, businesses often have to work with some cloud-based solution. This means they’ll still be relying on high-profile companies to stop cybercriminals.

But you can still implement some measures to prevent account takeover attacks. To this end, I’ll highlight 3 preventive measures.

1. Implement Firewalls

Consider using a Web Application Firewall (WAF). These work server-side, and they’re a useful component in a cloud or cloud-hybrid environment. WAF also adds protection for unsecured devices, like guest machines or customer sites. 

That said, most modern firewalls will also have this feature, and they’ll discover any ATO attacks in your network. If you’re working with cloud solutions, you can also use a firewall as a service (FWaaS). It’ll secure and encrypt all transactions in these dynamic environments. FWaaS also protects your cloud-based environment from unsecured devices. 

Illustration of a WAF placed between the networks firewall and the webserver.
WAFs sit between the end-user and web application server.

Use a firewall with an account tracking system that secures payment and bank windows. Ensure your firewall also has IP blocking and address filtering. This will reduce your users’ exposure to nefarious emails.

2. Use Multi-Factor Authentication

Ensure you’re using MFA to help prove the account user is indeed you. Ideally, use dedicated devices to create a security code. Don’t use a mobile device to get the one-time code. That’s because mobiles can get hacked and cloned. Conversely, a security key fob has no wireless components. This simplicity increases your protection. Multi-factor authentication (MFA) also stops credit stuffing completely. Even if it isn’t perfect, MFA is still a robust security measure against account takeover attacks.

3. Customize Application Settings

Often, brute force attacks require the login screen to be active immediately, even after a failed attempt. However, you can change this by customizing your applications. Make sure your login screen doesn’t become active after failed attempts. Even a two-second pause can prevent a brute force attack if you use a strong password with 8 or more digits. Additionally, you can limit the number of login attempts. Lock the users’ accounts and ask them to reset their passwords after failed attempts.

Pro Tips

Besides implementing the 3 measures above, I’ll also give you some more useful pro tips to boost your protection:

  • Implement device tracking. This checks that the computer used for the MFA is where it’s supposed to be. Banks are also using this technology with secure SMS and report it back to the application using end-point encryption.
  • Use a sandbox environment for applications. This makes it difficult for criminals to get your login details because most of their attacks only work in traditional operating environments.
  • Try to make your users change their passwords periodically. This will reduce the validity of stolen details.  
  • Train your users on password best practices. This means your users won’t choose easy-to-guess passwords or write them down. Additionally, consider if a centralized password storage utility is a good idea for your business or not.  

If you suspect your passwords have been compromised, tell the system administrator immediately. Then, they’ll change the relevant passwords. However, they may not need to change all passwords. Ideally, create documentation to help you proceed in these cases. You should also proactively send relevant instructions to users before you’re hit with an account takeover. If you haven’t done that already, now is the time.  

Final Thoughts

Account takeover fraud is a real and growing threat. Cybercriminals may purchase your credentials off the dark web, and hide their identity in the process. This means you may not know who’s attacking your account. 

In this article, we’ve discussed the many ways bad actors  capture your data. You also learned a few ways to protect yourself. Ensure you’re using strong passwords, MFA, and FWaaS when working with cloud-based solutions. Invest in WAFs to help protect your accounts from attack!   

Do you have more questions about account takeover attacks? Check out our FAQ and Resources sections below!


What is account takeover fraud (ATO)?

In an account takeover attack, a cybercriminal gets usernames and passwords  to commit fraud. The attack vectors are numerous, and cybercriminals buy credentials off the dark web to cover their tracks. If you’re using cloud-based solutions, ensure you use a firewall as a service (FWaaS) solution.  

What firewall is useful to protect against account takeover fraud (ATO)?

If you’re using cloud-based solutions or operate a cloud-hybrid network, use a firewall as a service (FWaaS). These are cost-effective solutions that enable users to work flexibly across devices. Additionally, use a Web Application Firewall (WAF) or FWaaS that has a WAF feature. This will stop malware used to gain account details for ATO attacks. 

How can I protect my users from account takeover fraud (ATO)?

You can protect yourself from account takeover fraud with multi-factor authentication (MFA). It helps validate the account user is who they say they are, and reduces the chance for ATO to occur. Additionally, make your users use secure SMS to relay their location. This will boost the MFA security and prevent ATO fraud.

Why do cybercriminals purchase account details to commit account takeover fraud (ATO)?

A cybercriminal can take a company’s account credentials. However, if this cybercriminal commits an ATO with these credentials, they’ll likely get caught. To avoid being identified and prosecuted, cybercriminals sell a company’s usernames and passwords on the dark web. This reduces an investigator’s ability to identify the cybercriminal.

How does MFA protect users from Account Takeover Fraud (ATO)?

Multifactor authentication (MFA) helps accounts verify that you’re the one logging in. It prevents cybercriminals from accessing your accounts, even with your username and password. Take MFA further by only using security key fobs. These devices can’t be hacked like mobile equivalents. You can also implement a security SMS solution to relay a user’s location for MFA. This will help you prevent account takeover fraud.


TechGenix: Article on Firewalls as a service (FWaaS)

Discover how cloud and hybrid networks can benefit from FWaaS.

TechGenix: Article on MFA for Microsoft 365

Learn how to add MFA correctly to Microsoft 365.

TechGenix: Article on Web Application Firewall (WAF)

Understand how to use WAF to protect web application users.

TechGenix: Article on Password Alternatives

Find out how to eliminate passwords.

TechGenix: Article on Credential Stuffing

Discover how cybercriminals implement credential stuffing.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top