When a major US airline realized that over 25% of its web traffic was coming from bots, the team knew that something suspicious was going on. But by that time, it was too late to save the thousands of customer accounts that had been hijacked, as criminals made off with stored credit card details for their own financial gain. This type of fraud, account takeover fraud (ATO), is a real threat to companies today. It’s hard to know exactly how to deal with the risks without impacting business operations. Learn how to prevent account takeover fraud, and how to block the effects of the fraud with Trustpair.
How does account takeover work?
Account takeover (ATO) fraud happens when cybercriminals gain access to a victim’s account. Once inside, the fraudsters either harvest information or attempt to transfer money out of the account and into their own. The most important aspect of account takeover fraud is that the perpetrators are not discovered until they are finished. Otherwise, the real user could easily contact the IT team and shut down the fraudulent activity.
Account takeover can target a bank account directly, or another account such as the victim’s email, work portal, or even an online shop login. In a B2B setting, account takeover has been linked to serious harm to reputation and client relationships.
Account takeover techniques
Phishing
The most common way that criminals access an account is through phishing. Typically, the victim receives a spam email that looks legitimate. It contains links to a virus (disguised as a valuable web page or download) which, when clicked, grants the perpetrator access to your system or device.
Alongside phishing, vishing (voice phishing) and smishing (SMS phishing) are also used. Phishing is social engineering at its worst, especially when the fraudsters impersonate trusted partners like vendors – this is referred to as vendor fraud. From there, it’s all about capturing your login details, either with a screen reader or keystroke analysis.
Brute force
Another way that cybercriminals attempt ATO fraud is through brute force attacks. Those with generic or weak passwords are most at risk from this type of attack, which typically uses AI to guess as many password combinations as possible.
Stolen credentials
Finally, an account takeover could also occur through a data breach or leak that exposes card details and personal credentials. Millions of credentials are listed and sold on the dark web every day, often as a result of an older hack. Users who don’t follow cybersecurity best practice and change their passwords after being notified of a leak are most at risk from this technique.
What are the consequences of ATO fraud on businesses?
In early 2024, the cloud-based platform Snowflake was breached in an account takeover attack. What followed was pretty dire. First, the hacking group ShinyHunters claimed to be behind the attack and listed 560 million data records (addresses, credit card info and more) for sale from one of Snowflake’s biggest clients, Ticketmaster. They also listed over 30 million customer records from global bank Santander, which was also a client of Snowflake.
Clearly, this affected the reputation of Snowflake and is likely to present a significant barrier to signing new clients, especially because trust in the company is in question. As a secondary consequence, Live Nation, the owner of Ticketmaster, was required to notify regulatory authorities and perform an expensive forensic investigation into the breach. The team also stated that they were monitoring and adjusting their risk assessment to mitigate risk to customers.
This event has likely cost Snowflake recurring revenue too, since existing customers are forced to look elsewhere for a security provider who can keep their information safe.
How to detect account takeover fraud?
Detecting ATO fraud is about preparing for attacks. The best detection measures include:
- Account monitoring: how is your team expected to spot suspicious behavior if they can’t recognize it? Use tools to automatically track online activity and flag when the user isn’t performing their ‘normal’ behavior.
- IP address: if users are expected to log in from the office, check whether the IP address matches the office network. If you have a remote working culture, check the reputation of the IP address attempting to log in.
- Device changes: apply a device detection method to let employees select their usual device to ‘trust’. Then, set up automatic notifications when usernames and passwords are used on an unrecognized device.
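The three detection measures above (account monitoring, IP checks and device changes) can be combined into one baseline check per login. The following is an added example, not Trustpair’s code or tooling: it assumes a per-user baseline of trusted devices, office networks and usual working hours, a hypothetical low-reputation IP list, and a handful of constructed login events. A login is flagged only for the specific reasons it deviates from that baseline, so a known device logging in from home during working hours is left alone.

```python
"""Added example: baseline-driven login monitoring over constructed sample events."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical IP reputation feed, constructed for this example (prefixes seen in abuse).
LOW_REPUTATION_PREFIXES = [ip_network("198.51.100.0/24")]

# Per-user baseline a monitoring tool would learn or be configured with (constructed).
BASELINES = {
    "alice": {
        "trusted_devices": {"laptop-01"},
        "office_networks": [ip_network("203.0.113.0/24")],
        "usual_hours": range(7, 20),  # hours of the day considered normal for this user
    },
}

# Constructed login events; 'ts' is ISO 8601 in the user's local time zone.
EVENTS = [
    {"id": "ev1", "user": "alice", "device_id": "laptop-01", "ip": "203.0.113.10", "ts": "2024-05-02T09:15:00"},
    {"id": "ev2", "user": "alice", "device_id": "laptop-01", "ip": "198.51.100.7", "ts": "2024-05-02T10:00:00"},
    {"id": "ev3", "user": "alice", "device_id": "tablet-99", "ip": "198.51.100.7", "ts": "2024-05-02T03:12:00"},
    {"id": "ev4", "user": "alice", "device_id": "laptop-01", "ip": "192.0.2.55", "ts": "2024-05-02T12:00:00"},
]


def ip_has_low_reputation(ip: str) -> bool:
    """True when the address falls inside a prefix on the (hypothetical) reputation list."""
    addr = ip_address(ip)
    return any(addr in prefix for prefix in LOW_REPUTATION_PREFIXES)


def assess_login(event: dict, baseline: dict) -> list:
    """Return the reasons a login deviates from the baseline (empty list = looks normal)."""
    reasons = []
    # Device change: credentials used on hardware the user never marked as trusted.
    if event["device_id"] not in baseline["trusted_devices"]:
        reasons.append("unrecognized device")
    # IP check: on the office network the address is expected; off it, consult reputation.
    addr = ip_address(event["ip"])
    on_office = any(addr in net for net in baseline["office_networks"])
    if not on_office and ip_has_low_reputation(event["ip"]):
        reasons.append("low-reputation IP")
    # Behaviour: a login at an hour this user never works is worth a second look.
    hour = datetime.fromisoformat(event["ts"]).hour
    if hour not in baseline["usual_hours"]:
        reasons.append("outside usual hours")
    return reasons


def scan(events, baselines) -> dict:
    """Map event id -> reasons, for every event that raised at least one flag."""
    flagged = {}
    for ev in events:
        reasons = assess_login(ev, baselines[ev["user"]])
        if reasons:
            flagged[ev["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in scan(EVENTS, BASELINES).items():
        print(event_id, "->", ", ".join(reasons))
```

Running it flags ev2 (known device, but from a low-reputation address) and ev3 (new device, low-reputation address, 3 a.m.), while ev1 and ev4 pass. The reasons list is what an analyst needs to triage: a single "unrecognized device" on its own might just be a new laptop, whereas all three together is the pattern an ATO attempt typically shows.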
As mentioned, it’s hard for victims and users to recognize account takeover attempts, because of the social engineering used in phishing tactics. Moreover, they often won’t realize that their data has been breached until financial transactions occur or password data is leaked. Therefore, it’s worthwhile to set up machine learning technology in order to detect account takeover attempts more consistently.
How can businesses prevent ATO fraud?
Alongside detection, preventing ATO fraud requires a dedicated plan. Real-time prevention is the most important factor to any measures you put in place, as it’ll help you block attackers before they can get away with your information or money.
Implement multi-factor authentication
Multi-factor authentication (MFA) requires the user to provide extra information at login, beyond the standard username and password credentials. Typically, MFA follows the rule of Strong Customer Authentication, which requires two of the following three factors:
- Knowledge: “What is your mother’s maiden name?”
- Biometrics: facial recognition scan or fingerprint match
- Possession: a code sent to another account like email, or texted to a phone
Multi-factor authentication has been proven to reduce the compromise of accounts by 99.22%.
Even when credentials like passwords have been leaked, it still decreases the chance of fraudster success by 98.56%.
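To show what the two-of-three rule looks like in a login flow, here is an added example (not Trustpair’s code): a knowledge factor (password, stored as a PBKDF2 hash) combined with a possession factor (a time-based one-time code per RFC 6238, as generated by an authenticator app). The factor-to-category mapping, the user record, the fixed salt and the sample password are assumptions constructed for the example; the secret and expected codes are the public RFC 4226/6238 test vectors.

```python
"""Added example: Strong Customer Authentication as 'two distinct factor categories'."""
import hashlib
import hmac
import struct
import time

# Assumed mapping of individual factors to SCA categories (constructed).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "fingerprint": "biometric",
}

# Public RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since epoch."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` neighbours (clock drift); compare in constant time."""
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )


def satisfies_sca(verified_factors) -> bool:
    """True only when the verified factors span at least two distinct SCA categories."""
    categories = {FACTOR_CATEGORY[f] for f in verified_factors}
    return len(categories) >= 2


def make_user_record(password: str, totp_secret: bytes, salt: bytes = b"constructed-salt") -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"pw_hash": pw_hash, "salt": salt, "totp_secret": totp_secret}


def login(record: dict, password: str, totp_code: str, now: int) -> bool:
    """Collect the factors that verify, then apply the two-category rule; one bool out."""
    verified = set()
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if hmac.compare_digest(candidate, record["pw_hash"]):
        verified.add("password")
    if totp_code is not None and verify_totp(record["totp_secret"], totp_code, now):
        verified.add("totp")
    return satisfies_sca(verified)


if __name__ == "__main__":
    record = make_user_record("correct horse battery staple", RFC_TEST_SECRET)
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("login ok:", login(record, "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
```

Two design points matter here. `login` returns a single yes/no rather than telling the caller which factor failed, so a leaked password cannot be confirmed from the response; and a password plus a security question does not pass `satisfies_sca`, because both are knowledge factors, which is exactly the case a credential leak defeats.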
Upgrade the firewall
One of the strongest barriers your organization can put in place is spam filtering and firewalls. These technologies help your IT team automatically spot suspicious activity and block access to the internal network.
If you’ve decided to upgrade, look out for features like:
- Automatic blocking after a number of failed login attempts
- Suspicious activity tracking, such as through cookies or IP address tracking
- Remote-friendliness to ensure it’ll work even if your employees aren’t onsite
- High visibility over threats, but an easy-to-manage dashboard
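The first feature on that list, automatic blocking after a number of failed login attempts, is the control that blunts the brute force attacks described earlier. The following is an added example (not Trustpair’s code or any particular firewall product) of a sliding-window throttle: the thresholds, the lockout duration and the sample attempt sequence are constructed assumptions. Note that a correct password submitted during the lockout is still refused; otherwise the lockout would only delay a guessing attack rather than stop it.

```python
"""Added example: lock an account after N failed logins inside a sliding time window."""
from collections import defaultdict, deque


class LoginThrottle:
    """Per-user failure counter with a sliding window and a fixed lockout period."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
        self.locked_until = {}              # user -> timestamp when the lockout expires

    def attempt(self, user: str, ts: int, credentials_ok: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Refuse everything during lockout, even a correct password.
            return "locked"
        if credentials_ok:
            # A genuine login clears the failure history and any expired lockout.
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        recent = self.failures[user]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout_seconds
            recent.clear()
            return "locked"
        return "failed"


def replay(throttle: LoginThrottle, attempts) -> list:
    """Feed a constructed sequence of (user, ts, credentials_ok) and collect the outcomes."""
    return [throttle.attempt(user, ts, ok) for user, ts, ok in attempts]


# Constructed sequence: five wrong guesses in 40 seconds, then a correct password
# at 100 s (still locked) and at 1000 s (lockout over).
SAMPLE_ATTEMPTS = [
    ("bob", 0, False), ("bob", 10, False), ("bob", 20, False), ("bob", 30, False),
    ("bob", 40, False), ("bob", 100, True), ("bob", 1000, True),
]

if __name__ == "__main__":
    for (user, ts, ok), outcome in zip(SAMPLE_ATTEMPTS, replay(LoginThrottle(), SAMPLE_ATTEMPTS)):
        print(f"t={ts:4d}s user={user} credentials_ok={ok} -> {outcome}")
```

In production this counter is usually kept per source address as well as per user, so that a distributed guessing campaign spread across many accounts is also visible, and every "locked" outcome should be written to the log that your suspicious-activity tracking reads.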
Web Application Firewalls (WAFs) are browser add-ons that can increase the layers of protection. They work by filtering out malicious traffic before it can access your systems. For robust protection, it’s worth looking into both WAFs and software.
Use a fraud prevention platform like Trustpair
Individual methods are useful in decreasing the chances of success, but dedicated fraud prevention software encompasses all of the market-leading practices in one platform. For example, Trustpair works to block the financial effects of any successful account takeover attempts.
We validate account ownership both locally and internationally before any payment is made (even if it’s a vendor or account you’ve paid before). When suspicious activity is discovered, we automatically block the payment from leaving your account and alert your team to the errors or anomalies. You’ll eliminate the need for manual callbacks and controls, because Trustpair handles it all for you. Get your demo to confidently issue payments with 100% traceability.
Fraud can have disastrous consequences for companies and employees alike. Lee-Ann Perkins, a treasurer with decades of experience, shares her story in our latest video series.
Block account takeover fraud from your business
ATO fraud usually happens through social engineering like phishing, or through brute force attacks. It can significantly impact a business’s reputation, customer experience, income and operability. Detect and prevent ATO attempts by monitoring for suspicious activity, using MFA and adopting a dedicated platform like Trustpair.