What is account takeover (ATO)?

by Egress
Published on 29th Jan 2024

Account takeover (ATO) is a form of identity theft in which cybercriminals can send emails from a legitimate business account. Threat actors who have control of a business leader's inbox can request payments and confidential information from employees, knowing that they're likely to be more successful than if they had simply made a spoof email account.

Unfortunately, ATO is on the rise. Statistics show that ATO cases have skyrocketed since 2019. According to our latest research, 58% of the cybersecurity leaders we interviewed confirmed that their organizations had suffered instances of ATO, and 79% of those attacks started with a phishing email. Organizations and their employees must therefore understand how ATO works so they can prevent an attack.

How does account takeover happen?

Account takeover is a complex cybercrime that involves prior investigation into an organization and multiple steps:

Stealing credentials: The first step towards ATO

Hackers first need to harvest login credentials, typically using a targeted form of phishing known as 'spear phishing'.

Spear phishing is a highly targeted email attack, meaning the fraudster will have done some upfront research on the organization to appear genuine. Masquerading as a legitimate contact is more likely to fool people into revealing financial details or sensitive information because they believe the sender is someone they know.

There are three ways fraudsters may use spear phishing emails to steal login credentials:

  • Social engineering: Social engineering manipulates victims into fulfilling 'urgent' requests. Usually, the cybercriminal will impersonate one of the victim's contacts, so the email appears to have come from a credible sender.
  • Fraudulent links: Some phishing emails include links to spoofed websites. If the victim enters their login details on the website, they unknowingly share them with the hacker.
  • Malware: Malware can steal passwords and other private information. If a victim opens a suspicious attachment, the hacker can download malware onto their device.

Defrauding the business

Once the cybercriminal has harvested their victim's login details, which usually belong to a senior business leader, they can target other employees.

By pretending to be the owner of the compromised account, the cybercriminal can target employees with fraudulent emails. Often, they will ask victims to complete a time-sensitive task, which usually involves wiring over a large sum of money or supplying confidential information about the organization.

Employees want to be seen to do a good job, so if they believe the email has come directly from the CEO, they'll be more likely to fulfill the request.

An attack of this nature, which cost US businesses $1.8bn in 2020, is also referred to as business email compromise (BEC).

Why do cybercriminals try to hack accounts?

Account takeover has the potential to be immensely profitable. By sending an email from a legitimate email account, such as a CEO's, impostors know that traditional anti-phishing software can't flag their activity as suspicious, because the message genuinely originates from the expected sender. Therefore, employees are more likely to do as the sender asks.

Posing as a senior member of an organization, cybercriminals can:

  • Trick the finance team or other executives into authorizing large payments
  • Request bank or wire transfers, disguised as a legitimate vendor
  • Access private company information, which they can use for future attacks or sell on the dark web for profit

Account takeover examples

Account takeover affects businesses countrywide. Here are some real-life account takeover examples:

Patco Construction

Patco Construction sued Ocean Bank back in 2011 following an account takeover attack. Patco's computers had become infected with malware, which allowed hackers to make six wire transfers amounting to $588,000.

The court ruled that Ocean Bank increased the Maine construction company's fraud risk by relying on a 'one-size-fits-all' approach to authenticating large financial transactions. Ocean Bank didn't use multi-factor authentication for transaction verification, allowing fraudsters to compromise the account and drain it.

Account takeover prevention

Here are some ways you can prevent yourself from becoming the victim of account takeover:

1. Unique passwords

Make sure your password is hard to guess. It can help to turn a sentence into a combination of numbers and uppercase and lowercase letters. For example: "I have two dogs and one cat" would become "Ih2DOGSa1c".

Remember to use different login details across all your accounts for maximum protection.

2. Good cybersecurity habits

Don't open an attachment or click on a link within a suspicious email, even if it looks like it's from someone familiar. Verify that the email has come from the sender it's claiming to by contacting the person directly using another contact method.

3. Multi-factor authentication

Multi-factor authentication makes it more difficult for fraudsters to hack your account because you need to provide two or more pieces of evidence to log in, so a stolen password alone is not enough.

4. Intelligent anti-phishing solutions

Traditional anti-phishing filters can't keep up with cybercriminals' increasingly sophisticated methods, so fraudulent emails can enter your organization undetected.

Intelligent anti-phishing solutions, such as Egress Defend, have a unique advantage. By using machine learning, Defend will analyze not just the content of emails, but the context too. Therefore, it will alert employees to complex and context-driven phishing attacks, such as BEC, as they happen.