What is account takeover (ATO)?

Account takeover (ATO) is a form of identity theft in which cybercriminals can send emails from a legitimate business account. Scammers who have control of a business leader's emails can request payments and confidential information from employees, knowing that they're likely to be more successful than if they had simply made a spoof email account.

Unfortunately, ATO is on the rise. Statistics show that ATO cases have skyrocketed by almost 300% since 2019. Therefore, organizations and their employees must be aware of ATO so they can prevent an attack.

How does account takeover happen?

Account takeover is a complex cybercrime that involves prior investigation into an organization and multiple steps:

Stealing credentials: The first step towards ATO

Hackers first need to farm login credentials using a sophisticated form of phishing known as 'spear phishing'. 

Spear phishing is a highly targeted email scam, meaning the fraudster will have done some upfront research on the organization to appear genuine. Masquerading as a legitimate contact is more likely to fool people into revealing financial details or sensitive information because they believe the sender is someone they know.

There are three ways fraudsters may use spear phishing emails to steal login credentials:

Social engineering: Social engineering manipulates victims into fulfilling 'urgent' requests. Usually, the cybercriminal will impersonate one of the victim's contacts so the email appears to have come from a credible sender.

Fraudulent links: Some phishing emails include links to spoofed websites. If the victim enters their login details on the website, they unknowingly share them with the hacker.

Malware: If a victim opens a suspicious attachment, the hacker can install malware on their device. That malware can then steal passwords and other private information.

Defrauding the business

Once the cybercriminal has farmed their victim's login details, which usually belong to a senior business leader, they can scam other employees.

By pretending to be the owner of the compromised account, the scammer can target employees with fraudulent emails. Often, they will ask victims to complete a time-sensitive task, which usually involves wiring over a large sum of money or supplying confidential information about the organization.

Employees want to be seen to do a good job so, if they believe the email has come directly from the CEO, they'll be more likely to fulfill the request.

An attack of this nature, which cost US businesses $1.8bn in 2020, is also referred to as business email compromise (BEC).

Why do cybercriminals try to hack accounts?

Account takeover has the potential to be immensely profitable. When an email is sent from a legitimate account - such as a CEO's - impostors know that traditional anti-phishing software can't flag their activity as suspicious. Employees are therefore more likely to do as the sender asks.

Posing as a senior member of an organization, scammers can:

  • Trick the finance team or other executives into authorizing large payments
  • Request bank or wire transfers, disguised as a legitimate vendor
  • Access private company information, which they can use for future scams or sell on the dark web for profit

Account takeover examples

Account takeover affects businesses countrywide. In fact, identity scams such as ATO were the most commonly reported scam in the US throughout 2020. 

Here are some real-life account takeover examples:

Patco Construction

Patco Construction sued Ocean Bank back in 2011 following an account takeover attack. Patco's computers had become infected with malware, which allowed hackers to make six wire transfers amounting to $588,000. 

The court ruled that Ocean Bank increased the Maine construction company's fraud risk by relying on a 'one-size-fits-all' approach to authenticating large financial transactions. Ocean Bank didn't use multi-factor authentication for transaction verification, allowing fraudsters to compromise the account and drain it.

Account takeover prevention

Here are some ways you can prevent yourself from becoming the victim of account takeover:

1. Unique passwords

Make sure your password is hard to guess. It can help to turn a sentence into a combination of numbers and uppercase and lowercase letters. For example: "I have two dogs and one cat" would become "Ih2DOGSa1c".

Remember to use different login details across all of your accounts for maximum protection.

2. Good cybersecurity habits

Don't open an attachment or click on a link within a suspicious email, even if it looks like it's from someone familiar. Verify that the email really has come from the sender it claims to be from by contacting that person directly using another contact method.

3. Multi-factor authentication

Multi-factor authentication makes it more difficult for fraudsters to hack your account because you need to provide two or more pieces of information to log in.

4. Intelligent anti-phishing solutions

Traditional anti-phishing filters can't keep up with cybercriminals' increasingly sophisticated methods, so fraudulent emails can enter your organization undetected.

Intelligent anti-phishing solutions, such as Egress Defend, have a unique advantage. By using machine learning, Defend will analyze not just the content of emails, but the context too. Therefore, it will alert employees to complex and context-driven phishing attacks, such as BEC, as they happen.
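The content-plus-context idea above, as an added example (not Egress Defend's logic and not code from this page): because mail sent from a taken-over account comes from the real mailbox, the check pairs the wording of the request with two assumed context signals, an external Reply-To and a sender/recipient pair with no payment history. The regexes, the `assess` function, the history set and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Content signals from the article: time-sensitive requests to move money.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|end of (the )?day)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank transfer|payment|invoice|bank details)\b", re.I)

def addr(msg, header):
    return parseaddr(str(msg.get(header, "")))[1].lower()

def assess(raw, org_domain, known_payment_pairs):
    """Return (alert, reasons). known_payment_pairs is an assumed history set of
    (sender, recipient) pairs that have exchanged payment requests before."""
    msg = message_from_string(raw, policy=policy.default)
    sender, rcpt, reply_to = addr(msg, "From"), addr(msg, "To"), addr(msg, "Reply-To")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    content, context = [], []
    if PAYMENT.search(text):
        content.append("payment-request")
    if URGENCY.search(text):
        content.append("urgency")
    # Context 1: replies to an internal sender are steered outside the organisation.
    if sender.endswith("@" + org_domain) and reply_to and not reply_to.endswith("@" + org_domain):
        context.append("reply-to-external")
    # Context 2: this sender has never asked this recipient for money before.
    if "payment-request" in content and (sender, rcpt) not in known_payment_pairs:
        context.append("new-payment-relationship")
    # Alert only when content and context agree; either alone is too noisy.
    alert = "payment-request" in content and bool(context)
    return alert, content + context

# Constructed sample messages (not real mail); example.com stands for the organisation.
SUSPICIOUS = """From: CEO <ceo@example.com>
To: finance@example.com
Reply-To: ceo.office@example.net
Subject: Urgent wire needed

Please wire 48,000 USD to the new vendor immediately. Reply by email only.
"""
ROUTINE = """From: Accounts <ap@example.com>
To: finance@example.com
Subject: March invoice

Attached is the March invoice for the usual payment run.
"""
HISTORY = {("ap@example.com", "finance@example.com")}
```

A legitimate first-time payment request also trips the second context signal, so an alert here is a prompt to verify the request through another contact method, not a verdict.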

Learn more about account takeover

Cybercriminals' techniques are becoming increasingly sophisticated, so you need to stay one step ahead.

Keep up-to-date on the latest hacking tactics and protect your organization by visiting our phishing hub.
