
The How and Why of Account Takeover Attacks

August 30, 2018, by Susan Morrow

What Is an Account Takeover?

Exactly what it says on the label: an account takeover (ATO) is when an account used to access company or personal resources is hijacked and brought under the control of an attacker. Because the attacker authenticates with the legitimate user's own credentials, the login itself looks normal, and it is hard to tell who is real and who is malicious at the point of login. With so many breaches exposing login credentials, and with phishing emails reliably harvesting more of them, it doesn't take a Ph.D. in cybersecurity to work out that account takeover is the natural next step.

The statistics bear this out. Account takeover is a serious issue and one that is increasing. According to Javelin Strategy, account takeover tripled in 2017, with losses of $5.1 billion.


What Happens When an Account is Subject to an Account Takeover?

The journey to an account takeover usually begins with a phishing email and/or login credentials that were exposed accidentally or maliciously. In an organizational account takeover, the cybercriminal often works through employees, turning them into inadvertent insider threats who expose account credentials as they go.

When an ATO uses exposed credentials obtained from sources such as the dark web, a network of automated bots "tries out" the username and password pairs against ecommerce and other sites to find ones that still work (credential stuffing, which succeeds because people reuse the same password across sites). This was the case in the FitBit account takeover attacks of 2015. The fraudsters ran a two-pronged attack: exposed credentials were used to log in to a customer's FitBit account and change the email address on it, then customer support was called with a complaint to obtain a replacement device under warranty. Scams like this often have a further twist in the tale, where the item obtained is resold or put to further money-laundering use.

Because of the very nature of an account, which usually holds personal data and is linked to a service, account takeovers have many malicious outcomes. Fraud is the biggest, and often involves:

  •   Credit/debit cards and company chargebacks
  •   Product warranty
  •   New, fraudulent account creation
  •   Loyalty rewards
  •   Social account takeover

Companies that experience ATO face a number of adverse outcomes. This is not just about the $5.1 billion loss; it's also about company brand, reputation and customer loyalty, where the losses can be incalculable.

In What Way Is Account Takeover Different From Identity Theft?

Identity fraud, like its cousin account takeover, is at record levels. In the UK, CIFAS recorded its highest-ever number of identity fraud cases in 2017. In the U.S., 16.7 million consumers were victims of identity theft in 2017. This pattern is being repeated across the globe.

The difference between the two types of scam is pretty straightforward:

Identity theft is taking someone’s personal information, like their name and address, and creating an account using that data.

Account takeover is where a hacker has stolen a person's login credentials, which allows them to access an existing account and use it for nefarious ends.

The two can be intrinsically linked and ATO may lead to identity theft.

What Data Is Most Susceptible Once Account Takeover Has Occurred?

An account takeover requires the login credentials, typically a username and password. If a second factor is enrolled on the account, such as a code sent by SMS to a mobile device, stolen credentials alone are not enough: the attacker must also defeat or remove that factor, for example by intercepting the SMS, taking over the phone number (a SIM swap) or persuading customer support to reset it. SMS as a second factor is known to have weaknesses; NIST's Digital Identity Guidelines (SP 800-63B) now class SMS-based out-of-band codes as a "restricted" authenticator, i.e. a less secure option for a second factor.
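The app-generated alternative to SMS codes that the prevention section of this article recommends is the time-based one-time password of RFC 6238. The following is an added example, not code from the original article, showing how a server generates and checks such codes, why a code captured during one 30-second window is useless afterwards, and how a replay of a still-valid code is refused. The shared secret is the RFC 4226/6238 test seed, and the replay store is an in-memory dict standing in for a per-user database (both are assumptions made for illustration).

```python
"""RFC 6238 time-based one-time passwords: generate, verify, and block replay.

Added example, not from the original article.  The shared secret is the
RFC 4226/6238 test seed, and the replay store is an in-memory dict
(assumption: a real server keeps it per user in persistent storage).
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed, shared between the user's app and the server.
TEST_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every 30 s."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


# Highest time-step counter already accepted for each user.  Any code whose
# counter is not newer than this is a replay, even if still inside the window.
_last_counter = {}


def verify_totp(user, secret, code, at=None, window=1, step=STEP):
    """Accept `code` if it matches the current step or any step within
    +/- `window` steps (to tolerate clock skew) and has not been used yet."""
    at = time.time() if at is None else at
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        # constant-time comparison so a wrong digit does not leak via timing
        if hmac.compare_digest(hotp(secret, counter), code):
            if counter <= _last_counter.get(user, -1):
                return False          # replay of an already-used step
            _last_counter[user] = counter
            return True
    return False


if __name__ == "__main__":
    t = 59                                   # RFC 6238 test time, step 1
    code = totp(TEST_SECRET, at=t)
    print("code at t=59:", code)             # 287082 (RFC test vector)
    print("first use:   ", verify_totp("alice", TEST_SECRET, code, at=t))
    print("replay 30s on:", verify_totp("alice", TEST_SECRET, code, at=t + 30))
    print("stale 2 min: ", verify_totp("alice", TEST_SECRET, code, at=t + 120))
```

A password phished today together with a code phished today is still only good for that one window; the attacker has to relay the code in real time, which is why real-time phishing proxies, not breach dumps, are the threat to TOTP. Note that the replay check rejects an older step once a newer one has been accepted, which is the behaviour RFC 6238 recommends.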

Once the hacker has your login credentials, he can pick and choose what he takes. Certain types of data make for especially juicy targets:

Financial data: Credit card details are often held in online accounts and used to fund transactions. ATO results in financial losses when cybercriminals use the financial data stored in an account to process online transactions.

Loyalty points and rewards: Many online accounts store points and rewards and allow them to be spent from the account. Cybercriminals cash these in and use them for monetary gain. This is becoming an especially prevalent type of account takeover fraud because users are less likely to keep track of their online vouchers.

Bank account takeover: This is a very specific and dangerous type of account takeover. Hackers gain access to a bank account, often removing all funds from the account.

Personal data exposure: Account takeover can lead to identity theft, as your personal data can be used to create an entirely new online account.

How to Prevent Becoming a Victim of an Account Takeover

Account takeover is often a crime by stealth. Cybercriminals may not do anything with a hacked account for a long time, or they carry out small, less observable transactions, building up to a final “clear out.”

Certain mechanisms can be enabled to help spot when an account takeover attempt has been made. These include:

  •   Rules on account access. For example, a geolocation rule notifies the account holder when the account is accessed from a location they do not normally use. The user receives a text message or email about the access and can then take steps to stop it or lock the account down.
  •   History: Accounts that provide a history of logins and transactions are very useful in catching account takeovers. Because an ATO is often carried out by stealth over time, reviewing the account history can be a good indicator that there is an interloper.
  •   Robust authentication. An SMS text message as a second factor is much easier to circumvent than other methods. Better options include mobile authenticator apps that generate time-based codes, and behavioral authentication, which uses a person's patterns of use (how they handle their mobile device, typing rhythm and so forth). Rules applied to access based on IP address or a known device provide risk-based authentication that can block, or demand extra proof for, a suspicious login.
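The bot-driven credential stuffing described in the FitBit case above and the geolocation and known-device rules in the list just above can both be expressed as checks over a login audit log. The block below is an added example, not code from the original article or from any product it mentions; the log format, the sample addresses and device IDs, the per-user baseline and the thresholds are all constructed assumptions.

```python
"""Two ATO detection checks over constructed login-audit lines.

Added example, not code from the original article or any product it names.
The log format, field names, sample addresses and thresholds are
assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample audit log, one login attempt per line:
#   <timestamp> <source ip> <geo country> <device id> <username> <OK|FAIL>
SAMPLE_LOG = """\
2018-08-30T10:00:01Z 203.0.113.7  US dev-a1 alice OK
2018-08-30T10:00:02Z 198.51.100.9 RU dev-x9 alice FAIL
2018-08-30T10:00:02Z 198.51.100.9 RU dev-x9 bob   FAIL
2018-08-30T10:00:03Z 198.51.100.9 RU dev-x9 carol FAIL
2018-08-30T10:00:03Z 198.51.100.9 RU dev-x9 dave  OK
2018-08-30T10:00:04Z 198.51.100.9 RU dev-x9 erin  FAIL
2018-08-30T10:00:04Z 198.51.100.9 RU dev-x9 frank FAIL
2018-08-30T10:00:05Z 203.0.113.7  US dev-a1 alice OK
2018-08-30T10:00:06Z 192.0.2.44   US dev-a1 alice FAIL
2018-08-30T10:00:07Z 192.0.2.44   US dev-a1 alice OK
"""

# Assumed per-user history of where legitimate logins have come from.
KNOWN_BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "dave":  {"countries": {"US"}, "devices": {"dev-d2"}},
}


def parse_log(text):
    """Parse the whitespace-separated audit format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, device, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "country": country,
                       "device": device, "user": user, "ok": result == "OK"})
    return events


def credential_stuffing_sources(events, min_users=5, max_success_rate=0.3):
    """Flag source IPs that spray many *different* usernames with a low hit rate.

    A legitimate user mistyping a password retries one username; a bot
    replaying a breach dump cycles through many usernames and fails most of
    the time.  Its few successes are the accounts to force-reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "ok": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok"] += 1
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "success_rate": round(rate, 2),
                           "compromised": sorted(s["hits"])}
    return flagged


def new_location_logins(events, baseline):
    """Alert on successful logins from a country or device the user has not used.

    Only successes matter here: a failed attempt from a strange place is
    stuffing noise, a *successful* one is a possible takeover and the trigger
    for the "new login from X" email or SMS.  The baseline is deliberately
    not updated here; a real system adds the new country or device only
    after the user confirms the alert, otherwise the attacker's first login
    would teach the system that the attacker's location is normal.
    """
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        hist = baseline.get(e["user"], {"countries": set(), "devices": set()})
        reasons = []
        if e["country"] not in hist["countries"]:
            reasons.append("new country " + e["country"])
        if e["device"] not in hist["devices"]:
            reasons.append("new device " + e["device"])
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in credential_stuffing_sources(evs).items():
        print("stuffing source", ip, info)
    for a in new_location_logins(evs, KNOWN_BASELINE):
        print("ALERT", a)
```

On the sample log the first check flags 198.51.100.9 (six usernames, one success) and names dave as the account it got into; the second check raises an alert for that same login because dave has never signed in from RU or from dev-x9, while alice's move between two US addresses on her usual device stays quiet. Note that the second rule keys on country and device rather than raw IP, which is why a home-to-office address change does not page anyone.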


Account takeover is a sinister and impactful scam that affects not only the owner of the account, but the company providing the account too. The losses for the consumer can be catastrophic on a personal level. For companies, they can result in fines, reputation damage, and financial costs. Understanding how the cybercriminal attacks online accounts provides the intelligence to know how to place barriers in their way.


2018 Identity Fraud: Fraud Enters a New Era of Complexity, Javelin Strategy

Account Takeovers Fueling ‘Warranty Fraud,’ KrebsOnSecurity

Fraudscape 2018, CIFAS


NIST is No Longer Recommending Two-Factor Authentication Using SMS, Schneier on Security

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.