Hackers using stolen credentials to break into online accounts — also known as account takeovers — can lead to fraudulent transactions and loss of access to your legitimate accounts. But, simple actions like enabling multi-factor authentication and using a password manager, can help you stay safe.
"My account has been hacked!”
If you’ve ever said those words, then you know how frustrating an account takeover can be.
When a criminal gains unauthorized access to one or more of your online accounts, they’re usually looking for your personal information or financial details, like your credit card number.
With many everyday actions requiring online accounts, how can you stay safe from account takeover fraud?
Our identity specialists have helped hundreds of our members fight back against account takeover fraud. Read on for their expert advice on what it is, how to spot it, and what to do next if it happens to you.
What is account takeover fraud?
Kelli Starks, Senior Restoration Specialist at Allstate Identity Protection, has firsthand experience helping members battle this fraud type. "Bank accounts and social media accounts are particularly vulnerable," says Starks.
But cybercriminals are known to target any and all digital accounts, including subscription services and retail accounts.
Once a hacker gets unauthorized access to a retail account, they can effortlessly make purchases using the stored payment information. This unauthorized spending can have a serious effect on a victim's finances.
"Cybercriminals are constantly looking for any accounts that hold potential value for them,” says Starks.
Other ways thieves may use personally identifiable information (PII) or financial details found in a hacked account are:
Directly stealing assets like cryptocurrency
Phishing for other’s personal data
Opening new accounts in a victim’s name, including bank and credit accounts
In recent years, account takeover fraud has become more common. As technology advances, more companies are relying on online accounts to access their services — providing more opportunities for hackers and thieves.
Also, many online accounts are not well protected, making them even more vulnerable to account takeovers.
Here at Allstate Identity Protection, account takeovers were the fourth most common fraud type reported by our members in 2022.
A new study from Javelin also illustrates the wide scope of the problem: More than 4.5 million U.S. adults experienced account takeover in 2022, with an average fraud loss of $2,008 per victim.
Altogether, losses from this fraud type reached $11 billion last year and that number has been holding steady since 2021.
How an account takeover happens
An account takeover can occur anytime a fraudster has an up-to-date username and password combination for an online account that isn’t theirs.
A few ways hackers may steal login credentials are:
Data breaches: When login credentials from one organization are leaked in a data breach, scammers often use those usernames and passwords to try and break into other accounts. This type of cyberattack is known as credential stuffing. It’s typically bot-assisted and done on a massive scale — and people who use the same passwords for various accounts are at higher risk.
Malware attacks: A victim’s login credentials can be stolen through browser-hijacking malware, which can infect their computer or phone if they click a malicious link included in a phishing email or text.
Phishing scams: Fraudsters may also use social engineering tactics, such as romance or grandparent scams, to trick a victim into sharing login credentials for a certain account.
SIM swaps: In the case of SIM swap attacks, a fraudster reassigns a person’s SIM card to a phone in their possession, allowing them to control the victim's phone from afar. From there, the hacker may be able to bypass multi-factor authentication safeguards and take over their accounts.
If you’re unable to access an account using your legitimate login credentials, that’s a red flag. When a scammer hacks into an account, they often change the password, locking out the rightful owner.
That’s one reason why account takeover fraud can be particularly tricky to untangle. According to the same Javelin report, account takeover fraud requires a full working day — 10.6 hours — to resolve. Additional warning signs that may signal an account takeover are:
You receive unexpected alerts about unsuccessful login attempts. If it’s not you or someone who you know has access to (and permission to use) your account trying to log in, it’s likely a scammer.
You see that the PII in your account has been altered. For example, you’re online shopping with a retailer and notice that your shipping address has been changed.
Your bank or credit card company alerts you that you’ve changed your account information. Again, this is a warning sign that a hacker has access to your account and is making changes.
You see an unauthorized transaction on your account. A charge you didn’t make is a sure sign of fraud.
Prevent an account takeover
Using a different password for each online account and changing your passwords regularly can be exhausting.
Try a password manager which makes it easy to manage all your logins with one password and create unique passwords for new accounts.
“Setting strong, unique passwords on all of your accounts — and turning on multi-factor authentication — are the best ways to prevent account takeover fraud,” says Starks.
Practicing good password hygiene helps keep hackers and bots from guessing your password, while employing two-factor authentication safeguards your account in the event that your credentials are exposed through a data breach or phishing attack.
Best practices for password hygiene
Use a different password for each of your online accounts
Change your passwords regularly (every three months is a good rule of thumb)
Choose long passwords that include symbols, a mix of upper- and lower-case letters, and numbers
Even with inactive accounts, you should periodically log in and check on the account activity. Look for any unauthorized transactions or changes in account settings.
If you no longer use a retail account or any other account, consider closing it to minimize any risks.
“Another thing that can help is to delete your unused accounts, and to manage your digital footprint in general,” notes Starks.
What to do if you spot a hacked account
If you suspect that an account has been taken over by a thief, fast action is key. We recommend changing your password right away and reaching out to the organization or provider to report the issue.
If you’re a member, give us a call right away. In some cases, we can help you recover loss of funds if there are any.
For example, Tessa Iwan, Restoration Manager at Allstate Identity Protection, recently assisted a member with an account takeover.
“After using a SIM swap scam to take over this member’s bank account, a scammer made several withdrawals totaling more than $110,000,” Iwan says.
But the thief didn’t stop there. “Then, the fraudster opened up several new accounts in the victim’s name,” added Iwan.
With the help of Iwan and our restoration team, the fraudulent accounts were closed, and the stolen money was recovered.
“If you’re a member and account fraud happens to you, we’ll be with you every step of the way,” says Iwan.
