One Treasure Island, a San Francisco-based non-profit, lost $650,000 to account takeover fraud. Scammers took over their accountant’s email account and altered the suppliers’ credentials on invoices, so the organization paid the criminals instead of its suppliers. With proper account takeover protection, this wouldn’t have happened. Read on to learn how to protect your business against this rising risk of fraud.
Trustpair blocks the financial effects of account takeover. Thanks to ongoing account validation, any unknown or suspicious transaction is blocked before the money is sent. Request a demo to learn more!
What is account takeover and how does it work?
Account takeover definition
Account takeover (ATO) is when a cybercriminal manages to take control of a user’s account.
ATO happens when scammers get unauthorized access to the user’s login credentials by using:
- Cyberfraud, exploiting any weaknesses to take control of the account.
- Social engineering techniques, leveraging human vulnerabilities for their gain.
The goal? Impersonating the original user and taking action in their name. Once scammers have gotten access to the account, they use it to:
- Carry out unauthorized activities (such as wire transfer fraud),
- Commit loyalty fraud,
- Establish new fake accounts,
- Leverage the information to access other accounts.
This can happen to different kinds of accounts, even with the best security:
- Bank and financial assets,
- Email accounts,
- Retail,
- Travel,
- Social media accounts,
- Mobile apps,
- Any account with personal information.
Account takeover is also called account compromise. It’s a form of identity theft that damages both individuals and businesses. We’ll see below examples of security measures to set up to protect your business from ATO.
How does ATO work?
Before we dive into account takeover protection, we need to understand how an account takeover attack works. Account takeover (ATO) can happen through:
- Credential cracking: criminals who know a user’s username or email address use bots to make many login attempts, trying combinations of the most-used passwords on multiple websites and social media platforms. As most people use the same email address across several websites, this is fairly easy to do.
- Credential stuffing: scammers who already have login data (stolen in an earlier breach) try those credentials on various websites to see which one(s) work. Once more, this is made easier because people often reuse the same password for multiple accounts.
- Malware: users unknowingly download software onto their laptop or phone that captures their usernames and passwords, either by snooping on their network traffic or, in a pharming attack, by changing DNS or hosts-file entries so that traffic is redirected to a fake site.
- Phishing: users click a link to a fraudulent website, download an attachment, or take another dangerous action that leads to stolen funds and/or personal data.
- SIM swap attack: using social engineering, a malevolent person manages to have a user’s mobile number moved to a SIM card they control. When authentication codes are sent, the criminal receives them and can authorize many transactions. A SIM swap victim lost millions of cryptocurrency tokens to hackers and sued AT&T for $224M.
These are just examples — ATO can happen through a number of account takeover techniques. It’s not only damaging to individuals: your company will suffer too.
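The first two techniques above leave a recognisable footprint in authentication logs: credential stuffing shows up as one source failing against many different accounts in a short window, while credential cracking shows up as one source hammering a single account. The following detector is an added example, not code from the original post or from Trustpair; the log format, thresholds and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not a real system's output).
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04 OK   user=dave src=203.0.113.5
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.5
2024-03-01T09:00:06 FAIL user=frank src=203.0.113.5
2024-03-01T09:10:00 FAIL user=alice src=198.51.100.9
2024-03-01T09:10:01 FAIL user=alice src=198.51.100.9
2024-03-01T09:10:02 FAIL user=alice src=198.51.100.9
2024-03-01T09:10:03 FAIL user=alice src=198.51.100.9
2024-03-01T09:10:04 FAIL user=alice src=198.51.100.9
2024-03-01T09:10:05 FAIL user=alice src=198.51.100.9
2024-03-01T09:30:00 FAIL user=grace src=192.0.2.77
2024-03-01T09:30:10 OK   user=grace src=192.0.2.77
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, result, user, source) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect(events, window=timedelta(minutes=5), min_failures=5, min_distinct_users=4):
    """Flag sources whose failures in any sliding window look like stuffing or cracking.

    credential_stuffing: >= min_failures failures against >= min_distinct_users accounts
    credential_cracking: >= min_failures failures against a single account
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = []
    flagged_sources = set()
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_fails = fails[start:end + 1]
            if len(window_fails) < min_failures:
                continue
            users = {u for _, u in window_fails}
            if len(users) >= min_distinct_users:
                alerts.append(("credential_stuffing", src))
            elif len(users) == 1:
                alerts.append(("credential_cracking", src, users.pop()))
            else:
                continue
            flagged_sources.add(src)
            break  # one alert per source is enough

    # A successful login from a flagged source is the "hit" the attacker was after:
    # those accounts should be reviewed (forced password reset, session revocation).
    review = sorted({user for _, result, user, src in events
                     if result == "OK" and src in flagged_sources})
    return {"alerts": alerts, "review_accounts": review}


if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per application, and the source key would usually combine IP address with a device fingerprint, since stuffing tools rotate through proxy pools.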
Why is it important to protect your business from ATO?
According to Juniper Research, account takeover fraud (ATO) cost US businesses $25.6 billion in 2020.
ATO attacks can lead to CEO fraud, vendor fraud, credit card fraud, invoice fraud… all schemes in which criminals use spoofing to impersonate someone else and get your employees to wire them money and/or confidential information.
This sensitive data will then be used to:
- Commit a more lucrative fraud scheme.
- Sell to the highest bidder on the Dark web.
The worst thing? It can be months before you realize it has happened.
96% of US companies were targeted by at least one fraud attempt in 2023. If you want to save your cash (and reputation), you need adequate protection against account takeover.
The best account takeover protection strategies
Let’s have a look at some measures you can take to prevent account takeover and common examples of business fraud.
Strong password policy
The simplest measures are often the most efficient — and yet can be the hardest to enforce. But it’s key that your employees know how to set up a strong password.
Often, account takeover happens because users use the same login information over multiple accounts. Ensuring it doesn’t happen in your organization grants you a first layer of protection.
Encourage your employees to use a unique, strong password for each of their accounts.
Multi-factor authentication
Next: use multi-factor authentication (MFA) across your organization. We recommend a minimum of two-factor authentication to ensure the person sending a request is the right account owner.
This means users have to log in using their username and password but also need to confirm their identity by inputting a code or using biometric data (like their face or a fingerprint).
This way, every login and transaction has to pass two independent checks. It’s a common method of user verification that is due to be adopted more widely with the new PSD3 regulation.
Ongoing cybersecurity training
One of the most important, and yet often overlooked, cybersecurity measures every organization should deploy is employee education.
Ongoing and regular training is important to ensure that everyone takes security seriously. By understanding the underlying risks, employees are more likely to follow procedures and detect fraud risks in your company. They’ll recognize the signs of phishing attacks and compromised accounts, making them more responsive.
This will lower your overall risk of fraud in business, from internal fraud to money laundering.
Showing employees the importance of changing their password, maybe even using simulated attacks, is paramount to your overall protection.
Training should be regular to stay top of mind and relevant with the latest fraud schemes — fraudsters take their own training very seriously and constantly upgrade their skills.
Anti-fraud software
Last but not least: using anti-fraud software. Even with the best account takeover protection measures, the risk of fraud still looms over every organization: Mark Zuckerberg’s own Facebook profile has been hacked several times.
So, what’s the solution? Using fraud detection and prevention software. Using Trustpair means even successful account takeover attacks won’t lead to third-party fraud.
Our software does automatic and ongoing account validation in real-time. We check that:
- The account numbers are correct,
- The name on the account is correct,
- Both sets of information match
Three-way matching means that even if a cybercriminal manages to change your suppliers’ credentials manually (like in our previous example from the SF-based non-profit), the money won’t be sent.
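To make the three checks concrete, here is an added example of the same idea in code; it is not Trustpair’s software or data, and the vendor registry, vendor IDs and company names are constructed. It validates the account number’s structure (the ISO 13616 mod-97 IBAN check), compares the payee name on the invoice with the verified record, and compares the account itself with the verified record, so an invoice carrying a perfectly valid but different IBAN (the Treasure Island scenario) is held rather than paid. The IBANs used are the well-known public example values, not real accounts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    legal_name: str
    iban: str


# Constructed registry of vendors whose bank details were verified out-of-band
# (for example by calling the supplier back on a known number) before being stored.
REGISTRY = {
    "V-1001": VendorRecord("V-1001", "Acme Supplies Ltd", "GB82WEST12345698765432"),
}


def normalize_iban(iban):
    """Strip spaces/punctuation and upper-case, so formatting differences do not hide a change."""
    return re.sub(r"[^A-Z0-9]", "", iban.upper())


def normalize_name(name):
    """Collapse case, punctuation and whitespace before comparing payee names."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())


def iban_checksum_ok(iban):
    """ISO 13616 check: move the first four characters to the end, map A=10..Z=35,
    and the resulting integer must leave remainder 1 modulo 97."""
    iban = normalize_iban(iban)
    if not (15 <= len(iban) <= 34) or not iban[:2].isalpha() or not iban[2:4].isdigit():
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def validate_invoice(vendor_id, invoice_name, invoice_iban, registry=REGISTRY):
    """Three-way check: account well-formed, name matches record, account matches record.

    Returns {"approved": bool, "findings": [...]}; any finding blocks the payment.
    """
    findings = []
    if not iban_checksum_ok(invoice_iban):
        findings.append("iban_invalid")
    record = registry.get(vendor_id)
    if record is None:
        findings.append("unknown_vendor")
        return {"approved": False, "findings": findings}
    if normalize_name(invoice_name) != normalize_name(record.legal_name):
        findings.append("name_mismatch")
    if normalize_iban(invoice_iban) != normalize_iban(record.iban):
        # Valid-looking but different account: exactly what an invoice-tampering ATO produces.
        findings.append("account_changed")
    return {"approved": not findings, "findings": findings}


if __name__ == "__main__":
    print(validate_invoice("V-1001", "Acme Supplies Ltd", "GB82 WEST 1234 5698 7654 32"))
    print(validate_invoice("V-1001", "Acme Supplies Ltd", "DE89370400440532013000"))
```

The important design point is that `account_changed` is a hard stop, not a warning: a changed account is only ever accepted after the new details have been verified out-of-band and the registry record updated, never because the invoice itself says so.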
We use AI and predictive modeling to accurately conduct fraud detection. If we detect any suspicious activity on a bank account, we block the transaction before it is sent. This means you are 100% protected against third-party fraud risks.
Trustpair integrates with the main software (CRM, ERP, accounting software) to make your experience seamless and secure.
We work with many large international companies, so we can check your vendors’ credentials across the world. We make international account validation easier, having access to otherwise hard-to-reach data.
Key Takeaways:
Account takeover protection should be taken seriously to avoid fraud in your business. Setting up a few measures (strong password, multi-factor authentication, employee training) can protect you against those risks. But the ultimate protection comes from using Trustpair, which effectively blocks any unauthorized transaction even in case of account takeover.