Genome Blog / articles / What is an account takeover: how to protect your personal data
Feb. 29, 2024
The internet is too much sometimes: you answer emails, browse the web, scroll social media, reply to messages, and so on. All of this can make you let your guard down, which is exactly what scammers are counting on, especially when it comes to account takeover fraud.
However, there are ways to prevent it, and Genome’s team is ready to share our insights.
What is an account takeover?
An account takeover (ATO) occurs when a malicious actor gains unauthorized access to someone’s personal account, anything from a social media profile to a banking app. The attacker then uses that access to steal the individual’s money or personal information, or to reach other accounts linked to it.
How serious is the problem? Take a look at some statistics.
According to research conducted by Sift, in Q2 of 2023, the account takeover attacks across the company’s network jumped a staggering 354% year-over-year. The situation was especially grim for the fintech industry, which faced an 808% year-over-year increase in ATO attacks.
You can read more about corporate account takeover problems specifically to learn how to protect your business.
But what about personal accounts?
According to a US survey, 73% of respondents had faced at least one case of identity theft, which usually follows a leak of sensitive data. Most of those surveyed said they discovered the identity theft through unauthorized credit card charges made by fraudsters.
Typical losses from identity theft fell between $100 and $500; about 15% reported financial losses greater than $1,000.
According to the US government, online fraud — of which identity theft is a major component — cost Americans $8.8 billion in 2022.
As for account takeover incidents, a report from Security.org suggests that the share of people in the US affected by it increased from 22% in 2021 to 29% in 2023, which is roughly 20 million people. Notably, most of the accounts affected were personal ones (75%), compared to 21% for business accounts.
How account takeovers occur: examples
Account takeovers can occur in various ways, with scammers using different methods to get access to user accounts. Here are some examples of the most common account takeover scenarios:
Phishing attacks
Fraudulent emails, text or messenger messages, or websites that imitate legitimate platforms in order to trick users into handing over their credentials.
Example: A user receives an email that appears to be from their bank, asking them to log in to resolve an issue. The link leads to a fake website that captures their login information.
Data leak aftermath
Criminals take username and password combinations leaked in earlier data breaches and try them against other services (so-called credential stuffing), including your bank account.
Example: after a data breach at a streaming service, attackers take the list of usernames and passwords they obtained and systematically attempt to log in with them on many other websites, exploiting users who reuse the same password everywhere.
Focused brute force attacks
Attackers try to get in by systematically guessing passwords for a known username: common passwords, dictionary words and their variations, often at high speed with automated tools, until one works.
Example: after a data breach, attackers obtain your login but not your password, so they use automated tools to try password after password against your account until they hit the right one.
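The two scenarios above leave different traces in a service’s login log: credential stuffing from a leaked list shows one source trying many different usernames once each, while a focused brute force shows one source hammering a single username. The following is an added example (not code from the original article) that classifies both patterns in a small set of constructed log lines and lists the accounts that still need a forced password reset because a flagged source eventually logged in; the log format, thresholds and IP addresses are assumptions made up for the illustration.

```python
"""Spot credential stuffing vs. targeted brute force in an auth log.

Added example. The log lines below are constructed for illustration
(format: "<timestamp> <source ip> <username> <FAIL|SUCCESS>"); the
thresholds are assumptions, not values from the article.
"""
import re
from collections import defaultdict

# Constructed sample data: one source cycles through many usernames
# (leaked-list replay), another repeatedly attacks a single account.
SAMPLE_LOG = """\
2024-02-29T10:00:01 203.0.113.7 alice FAIL
2024-02-29T10:00:01 203.0.113.7 bob FAIL
2024-02-29T10:00:02 203.0.113.7 carol FAIL
2024-02-29T10:00:02 203.0.113.7 dave SUCCESS
2024-02-29T10:00:03 203.0.113.7 erin FAIL
2024-02-29T10:00:03 203.0.113.7 frank FAIL
2024-02-29T10:05:00 198.51.100.9 alice FAIL
2024-02-29T10:05:01 198.51.100.9 alice FAIL
2024-02-29T10:05:02 198.51.100.9 alice FAIL
2024-02-29T10:05:03 198.51.100.9 alice FAIL
2024-02-29T10:05:04 198.51.100.9 alice FAIL
2024-02-29T10:05:05 198.51.100.9 alice FAIL
2024-02-29T10:05:06 198.51.100.9 alice SUCCESS
2024-02-29T10:07:00 192.0.2.44 grace SUCCESS
2024-02-29T10:08:00 192.0.2.45 heidi FAIL
2024-02-29T10:08:20 192.0.2.45 heidi SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Return a list of (timestamp, ip, username, outcome) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def classify_sources(events, stuffing_min_users=5, bruteforce_min_fails=5):
    """Label every source IP as credential_stuffing, brute_force or benign.

    credential_stuffing: many failures spread over many distinct usernames
    brute_force:         many failures concentrated on a single username
    """
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "fails_per_user": defaultdict(int)})
    for _ts, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        if outcome == "FAIL":
            stats["fails"] += 1
            stats["fails_per_user"][user] += 1

    verdicts = {}
    for ip, stats in per_ip.items():
        if stats["fails"] >= stuffing_min_users and len(stats["users"]) >= stuffing_min_users:
            verdicts[ip] = "credential_stuffing"
        elif any(n >= bruteforce_min_fails for n in stats["fails_per_user"].values()):
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


def accounts_to_reset(events, verdicts=None):
    """Usernames that logged in successfully from a flagged source.

    A success inside an attack burst means the attacker found a working
    password; those accounts need a forced reset and session revocation.
    """
    if verdicts is None:
        verdicts = classify_sources(events)
    return {user for _ts, ip, user, outcome in events
            if outcome == "SUCCESS" and verdicts.get(ip) != "benign"}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip, label in classify_sources(evts).items():
        print(f"{ip:<14} {label}")
    print("force reset:", sorted(accounts_to_reset(evts)))
```

The classifier keys on the shape of the failures, not their count alone: the stuffing source above fails only five times yet touches six accounts, while the brute-force source fails six times against one account. In production the same logic would run per time window and also weigh in signals the toy log lacks (user agent, geolocation, impossible travel), but the distinction between "many users, one try each" and "one user, many tries" is what drives the response in both cases.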
Social engineering
Attackers manipulate individuals into divulging sensitive information by exploiting trust or creating a sense of urgency.
Example: a scammer poses as a support technician from the bank and tries to convince the user to hand over their account credentials under the pretext of fixing a non-existent issue.
Malware problem
Malicious software installed on a user’s device can capture login credentials and send them to criminals.
Example: a user unknowingly downloads a malware-infected file; once running, the malicious program (a keylogger or infostealer) captures every username and password entered on the device and forwards them to the attacker.
How to prevent personal account takeovers
With the rise of artificial intelligence technologies, the issue extends beyond the usual ‘create a strong password’ advice. The traditional methods of fraud are still here, but AI has opened up some dramatic new avenues of attack.
The data breaches mentioned earlier offer a “gold mine” of usernames and passwords. With them, bots can run credential stuffing and brute force attacks against users’ accounts, and AI lets attackers scale these campaigns up significantly and make phishing messages far more convincing.
Here are the primary tips on how to secure your personal accounts:
Use unique credentials and passwords for every website and app. Sooner or later, one of the services you use will suffer a breach. If the password you used there is unique, the damage stops at that one account instead of spreading to your email or bank. A password manager is the practical way to keep dozens of unique passwords.
Enable multi-factor authentication. Enable MFA whenever possible. Multi-factor authentication requires the account holder to provide an additional proof of identity beyond just the password: for instance, a one-time code from an authenticator app or sent by SMS, a push confirmation in the provider’s own app, or biometric authentication (fingerprint, facial recognition). A stolen password alone is then not enough to get in. Where the choice exists, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping or phished along with the password.
Beware of phishing. Be cautious when clicking on links in emails, messages, or social media, especially from unfamiliar senders. Verify the legitimacy of the sender before doing so. If you have doubts, open the website directly by typing its address rather than following the provided link.
Stay informed. Keep track of the news regarding data breaches. When a service you use reports a breach, change your password there as soon as possible, and also on any other account where you reused that password. This limits the damage if your credentials were among the leaked data.
Regularly monitor your accounts’ activity. Keep an eye on your personal accounts’ activities and financial statements for any unauthorized or suspicious transactions.
Avoid public Wi-Fi for sensitive logins. Public Wi-Fi networks can be eavesdropped on or set up by an attacker in the first place, so do not log in to banking or other important accounts over them. If you must, use a VPN to encrypt your internet connection, and make sure the site itself is served over HTTPS.