No business wants to suffer an account takeover (ATO) attack, but few realize the true extent of the damage it can cause. It is estimated that businesses lose up to 9% of their annual revenue due to account takeover. Once a cybercriminal gains unauthorized access to a legitimate user account, the possibilities for fraud abound.
Here are 7 ways that fraudsters can abuse compromised accounts, as well as tips to prevent bad actors from taking over accounts on your site.
1. Make Fraudulent Purchases
Consumers often store credit card numbers, gift card balances, loyalty points and airline miles in their accounts for easier checkout. Attackers who gain access to user accounts are free to go on a shopping spree with the stored payment data, courtesy of the account takeover victim.
2. Commit Warranty Fraud
Fraudsters can look back in the account purchase history and then call customer support to complain that an ordered item was never delivered or arrived damaged and demand a replacement, shipped to their address. This can cost businesses inventory that they’ll never get back.
3. Submit Fake Credit Applications
Attackers can use the information stored in financial accounts, including names and social security numbers, to take out fake loans and lines of credit. They often quickly convert stolen assets into untraceable cryptocurrencies or move cash to jurisdictions where enforcement is light before fraud is suspected.
4. Create Fake Accounts
Cybercriminals can use the personally identifiable information (PII) stored in a compromised account to open fake accounts using that name across other sites. Fake accounts can be used to distribute malware, post fake reviews and conduct other types of fraud.
5. Funnel Digital Currency on Marketplaces
Fraudsters may create fake accounts on the marketplace offering fake products or services. Next, they take over legitimate accounts and use stored funds to purchase their own fake services. This allows them to secure the digital currency immediately and then cash it out little by little so the fraud goes unnoticed.
6. Post Fake Reviews
Fraudsters can post fake reviews using compromised accounts, artificially disparaging or praising a product or service. This is a way for cybercriminals to damage a competitor’s reputation or promote their own product or service.
7. Distribute Malware
Fraudsters commonly distribute malware through infected links in phishing emails or spam messages on social media. When a bad actor takes over a legitimate account, they can send a malicious link to that person’s address book and trick recipients into believing it was sent from a trusted friend.
Because it is used to steal login credentials, payment data and other PII, malware paves the way for additional account takeover attacks and begins the attack lifecycle all over again.
Don't Let Cybercriminals Take Over Your Users' Accounts
Account takeover can have long-lasting repercussions for online businesses, including significant financial losses, damage to brand reputation and consumer trust, and operational inefficiencies.
So, how can brands protect themselves and their customers? The following tips are a strong start:
- Encrypt or hash stored credentials on your website.
- Require good password practices and multi-factor authentication (MFA).
- Proactively monitor compromised credentials to flag and prevent logins with stolen usernames and passwords.
- Adopt a behavior-based bot management solution to stop ATO attacks against your web and mobile apps and APIs.
- Continuously evaluate users’ post-login behavior to determine if their activities within an account are legitimate.
HUMAN's suite of solutions — HUMAN Bot Defender, Credential Intelligence, and Account Defender — provide a layered defense model to stop account takeover attacks at every turn. Our solutions work together to stop bot attacks in real time, reduce your potential attack surface area, and remediate breached accounts.