Account takeover: Everything you need to know

Email security

Account takeover (ATO) is a form of identity theft that enables cybercriminals to send emails from a legitimate account within an organisation. Hackers who gain control of an executive's account can request sensitive data and payments from employees in the knowledge that they're more likely to succeed than if they had simply created a spoofed email account.

With ATO presenting such a significant threat to organisations, it's vital to learn how to detect account takeover and prevent further damage.

How does account takeover happen?

Account takeover is more complicated than some other cybercrimes (such as a singular phishing email) because it involves multiple steps:

Phishing emails: The first step towards ATO

The first step towards ATO is farming login credentials, which hackers achieve through a sophisticated form of phishing known as 'spear phishing'. 

Spear phishing is a highly targeted attack, meaning that the scammer will have researched the company upfront to appear more authentic. Impersonating a known contact is more likely to trick victims into handing over sensitive information or financial details because they believe that the email has come from a legitimate sender.

Here are three ways fraudsters may use spear phishing emails to steal login credentials:

Malware: Hackers download malware onto devices if a victim opens a suspicious attachment. The malware steals passwords and other sensitive data.

Social engineering: Cybercriminals manipulate victims into responding to 'urgent' requests. Usually, the hacker impersonates someone in the victim's contact list so the email appears to have come from a legitimate sender.

Fraudulent links: Phishing emails sometimes contain links to spoofed websites. Believing the website to be legitimate, the victim enters their login details and unknowingly shares them with the scammer.

Defrauding the organisation

Once the fraudster has the login details - usually for a senior business leader - they can scam employees.

Masquerading as the compromised account's owner, the impostor sends emails out to people around the business. The scammer will ask victims to fulfil a time-sensitive task, which usually involves them supplying private company information or wiring over large sums of money.

Employees who believe the email has come directly from the CEO are more likely to fulfil the request as they want to be seen to do a good job.

An attack of this nature, which targets over 6,000 UK businesses each month, is also referred to as business email compromise (BEC).

Why do cybercriminals try to hack accounts?

Account takeover has the potential to be extremely lucrative. By sending an email from a legitimate email account - such as a CEO - hackers know that traditional security software can't flag their fraudulent activity and that employees are therefore more likely to do as they ask. 

Posing as a senior business leader, scammers can:

  • Request bank or wire transfers under the guise of a legitimate vendor
  • Trick other executives or finance teams into authorising large payments
  • Gain access to sensitive information, which they can sell on the dark web or use for future attacks

How to detect account takeover

Here are some signs that will enable you to detect account takeover before it's too late:

1. Changed password

If your usual email password is being rejected and you didn't change it, there's a good chance that a hacker has altered it to prevent you from getting back into the account.

2. Unusual activity

Check your 'sent' folder to see if there are any messages you didn't send. If there are, then you know that your account is compromised. 

3. People tell you

Although ATO is notoriously hard to detect, some people may notice that the fraudulent emails are spam and mention it to you. If you didn't send them, take steps to secure your account immediately.

How to prevent account takeover

Here are some ways you can defend your login details from fraudsters:

1. Multi-factor authentication

Enabling multi-factor authentication makes it harder for cybercriminals to hack your account because you need to provide two or more pieces of information to log in.

2. Strong passwords

Choose a unique password that's difficult to guess. A good method is to turn a sentence into a mixture of numbers and uppercase and lowercase letters. For example: "I go to the shops every weekend" would turn into "ig2tSHOPSew".

Ensure that you don't use identical login details across all of your accounts for maximum protection.

3. Good cybersecurity habits

Never click on a link or open an attachment within a suspicious email, even if it looks like it's from someone you know. To verify that an email has come from the sender it's claiming to, contact the individual directly using another contact method.

4. Intelligent anti-phishing solutions

Traditional anti-phishing filters aren't sophisticated enough to keep up with cybercriminals' ever-evolving tactics, so fraudulent emails can enter your business undetected.

Intelligent anti-phishing solutions, such as Egress Defend, have a unique advantage. Using machine learning, Defend analyses not only the content of emails, but the context too. Consequently, it alerts employees of complex and context-driven phishing attacks, such as BEC, as they happen.

Learn more about account takeover

Cybercriminals' techniques are becoming increasingly sophisticated and presenting extensive risks to businesses.

You must stay one step ahead. 

Get clued up on the latest hacking tactics and defend your organisation by visiting our phishing hub.