Advanced phishing

Account takeover: Everything you need to know

Account takeover (ATO) is a form of identity theft that enables cybercriminals to send emails from a legitimate account within an organization. Hackers who gain control of an executive's account can request sensitive data and payments from employees in the knowledge that they're more likely to succeed than if they had simply created a spoofed email account.

Our recently published Email Security Risk Report revealed that 58% of the 500 companies we surveyed had experienced instances of account takeover. In 79% of those attacks, credentials were harvested via phishing emails. In total, 47% of Cybersecurity leaders were concerned about account takeover attacks within their own business infrastructure.

With ATO presenting such a significant threat to organizations, it's vital to learn how to detect account takeover and prevent further damage.

How do account takeover attacks happen?

Account takeover is more complicated than some other cybercrimes (such as a singular phishing email) because it involves multiple steps:

Phishing emails: The first step towards ATO

The first step towards ATO is farming login credentials, which hackers achieve through a sophisticated form of phishing known as 'spear phishing'.

Spear phishing is a highly targeted attack, meaning that the scammer will have researched the company upfront to appear more authentic. Impersonating a known contact is more likely to trick victims into handing over sensitive information or financial details because they believe that the email has come from a legitimate sender.

Here are three ways fraudsters may use spear phishing emails to steal login credentials:

Malware: Hackers download malware onto devices if a victim opens a suspicious attachment. The malware steals passwords and other sensitive data.

Social engineering: Cybercriminals manipulate victims into responding to 'urgent' requests. Usually, the hacker impersonates someone in the victim's contact list, so the email appears to have come from a legitimate sender.

Fraudulent links: Phishing emails sometimes contain links to spoofed websites. Believing the website to be legitimate, the victim enters their login details and unknowingly shares them with the scammer.

Defrauding the organization

Once the fraudster has the login details - usually for a senior business leader - they can scam employees, customers, suppliers, and vendors.

Business email compromise

Masquerading as the compromised account's owner, the impostor sends emails out to people around the business. The scammer will ask victims to fulfill a time-sensitive task, which usually involves them supplying private company information or wiring over large sums of money.

Employees who believe the email has come directly from the CEO are more likely to fulfill the request as they want to be seen to do a good job.

An attack of this nature, which targets over 6,000 UK businesses each month, is also referred to as business email compromise (BEC).

Supply chain compromise

A single compromised vendor can result in a high proportion of their customers also becoming compromised, simply because the attacker was able to leverage their trusted relationship as an entry point and socially engineer their victims. This type of attack is called supply chain compromise.

Email threats from compromised accounts have traditionally been hard to detect, but none more so than those from trusted suppliers and business partners. The native security in Microsoft 365 and secure email gateways (SEGs) struggle to detect phishing emails sent from trusted domains, leaving organizations exposed to account takeover, data exfiltration, and financial losses from fraudulent payments.

Why do cybercriminals try to hack accounts?

Account takeover has the potential to be extremely lucrative. By sending an email from a legitimate email account - such as a CEO - hackers know that traditional security software can't flag their fraudulent activity and that employees are therefore more likely to do as they ask.

Posing as a senior business leader, scammers can:

  • Request bank or wire transfers under the guise of a legitimate vendor
  • Trick other executives or finance teams into authorizing large payments
  • Gain access to sensitive information, which they can sell on the dark web or use for future attacks

How to detect account takeover

Here are some signs that will enable you to detect account takeover before it's too late:

Changed password

If your usual email password is being rejected and you didn't change it, there's a good chance that a hacker has altered it to prevent you from getting back into the account. In these instances, try to regain access to your account by changing the password and logging in again.

Unusual activity

Check your 'sent' folder to see if there are any messages you didn't send. If there is, then there is an issue, and you need to speak to someone on your cybersecurity team as soon as possible. It’s highly likely that your account has been compromised.

People tell you

Although ATO is notoriously hard to detect, some people may notice that the fraudulent emails are spam and mention it to you. If you didn't send them, take steps to secure your account immediately. Change your password and, if your email provider allows, check any recent login logs to ensure nobody has accessed your email account from a location that you do not recognize.

How to prevent account takeover

Here are some ways you can defend your login details from fraudsters and prevent account takeover:

Multi-factor authentication

Enabling multi-factor authentication makes it harder for cybercriminals to hack your account because you need to provide two or more pieces of information to log in.

Strong passwords

Choose a unique password that's difficult to guess. A good method is to turn a sentence into a mixture of numbers and uppercase and lowercase letters. For example: "I like walking my two dogs" would turn into "ilk2WALKmy2dgs".

Ensure you don't use identical login details across all your accounts for maximum protection.

Good cybersecurity habits

Never click on a link or open an attachment within a suspicious email, even if it looks like it's from someone you know. To verify that an email has come from the sender it's claiming to contact the individual directly using another contact method.

Intelligent anti-phishing solutions

Traditional anti-phishing filters aren't sophisticated enough to keep up with cybercriminals' ever-evolving tactics, so fraudulent emails can enter your business undetected.

Stay protected against ATO

Intelligent anti-phishing solutions, such as Egress Defend, have a unique advantage. Using machine learning, Defend analyses not only the content of emails but the context too. Consequently, it alerts employees of complex and context-driven phishing attacks, such as BEC, as they happen.

Cybercriminals' techniques are becoming increasingly sophisticated and presenting extensive risks to businesses. You must stay one step ahead.