An account takeover usually begins when a fraudster gains access to login credentials that don’t belong to them. From there, they may be able to fraudulently make purchases or transfer funds, and then change the account password to keep out the rightful owner. To protect yourself from account takeover fraud, consider using a password manager and enabling multi-factor verification when possible.
These days, many digital actions — like banking online or sharing photos on social media — require you to set up an online account.
While digital accounts can be convenient, there are privacy risks to consider. Most online accounts store some degree of personal information.
Depending on the type of account, your bank or credit card information may even be stored there.
So, it’s important to protect against account takeover (ATO), a fraud type we see often here at Allstate Identity Protection.
What is account takeover fraud?
As the name implies, account takeover happens when a cybercriminal gains access to a victim’s online account without their knowledge or consent.
These cybercriminals are known to target any and all digital accounts, from credit card and banking accounts, to subscription service and retail accounts, to email and social media accounts, and more.
However, according to Kelli Starks, Senior Restoration Specialist at Allstate Identity Protection, "bank accounts and social media accounts are particularly vulnerable."
Once logged in, the fraudster may change the account password to lock the victim out.
From there, using the personally identifiable information (PII) and/or financial information stored on the hacked account, an attacker may do the following:
Purchase goods and services using stored credit card or bank account numbers
Directly steal assets like cryptocurrency
Phish for other people’s personal data (this is particularly common with social media takeovers)
Open new accounts in a victim’s name
Is account takeover a form of identity theft?
Account takeover fraud is an increasingly common form of identity theft. Here at Allstate Identity Protection, account takeovers were the fourth most reported type of identity fraud in 2022.
Other research shows a similar trend. In 2022, Javelin Strategy & Research reported that account takeover fraud has increased every year since 2016.
Far more than just a headache, account takeover fraud can also be quite costly for victims. That same Javelin report revealed that consumers lost $11.4 billion to account takeovers (ATO) in 2021, a whopping 90% increase from the previous year.
How does an account takeover happen?
Account takeovers can occur anytime a fraudster has an up-to-date username-and-password combination (also known as credentials) for an online account that isn’t theirs.
But how they get those credentials can vary. Here are some of the most common ways ATO thieves gain access to victims’ sensitive information:
Data breaches: Fraudsters can use stolen or leaked login credentials for credential stuffing, an attack that involves entering username-and-password combinations into login pages on dozens of websites, such as banking and credit sites, social media sites, and government sites. The goal is to generate as many login attempts as possible to eventually find a perfect match. Credential stuffing is typically bot-assisted and done on a massive scale — and people who use the same credentials for various accounts are typically at higher risk.
Malware attacks: A victim’s login credentials can be stolen through browser-hijacking malware, which can infect their computer or phone if they click a malicious link included in a phishing email or text.
Phishing scams: Fraudsters may also use social engineering tactics, such as romance or grandparent scams, to trick a victim into sharing their login credentials for a certain account.
SIM swaps: In the case of SIM swap attacks, a fraudster reassigns a person’s SIM card to a phone in their possession, allowing them to control the victim's phone from afar. From there, the hacker may be able to bypass multi-factor authentication safeguards and take over their accounts.
Common signs of account takeovers
So how do you know if you’re a victim of an account takeover?
If you’re unable to access an account using your legitimate login credentials, a hacker may be to blame. In many ATO cases, the imposter changes the password upon logging in.
In other instances, however, they don’t change the password so as not to tip the victim off. In that case, here are additional warning signs to watch out for:
You receive unexpected alerts about unsuccessful login attempts. If it’s not you or someone who you know has access to (and permission to use) your account trying to log in, it’s likely a scammer.
You see that PII in your account has been altered. For example, you’re online shopping with a retailer and notice that your shipping address has been changed.
Your bank or credit card company alerts you that you’ve changed your account information when you haven’t. Again, this is a warning sign that a hacker has access to your account and is making changes.
You see an unauthorized transaction on your account. A charge you didn’t make is a sure sign of fraud.
How to protect yourself from account takeover fraud
“Setting a strong, unique password on all of your accounts — as well as turning on multi-factor or two-factor authentication — is the best way to prevent account takeover fraud,” says Starks.
Practicing good password hygiene helps keep hackers and bots from guessing your password, while employing two-factor authentication safeguards your account in the event that your credentials are exposed through a data breach or phishing attack.
Best practices for password hygiene
Use a different password for each of your online accounts
Change your passwords regularly (every three months is a good rule of thumb)
Choose long passwords that include symbols, a mix of upper and lower case letters, and numbers
“Another thing that can help is to delete your unused accounts, and to manage your digital footprint in general,” notes Starks.
To minimize the odds of your data being exposed in a breach, choose “guest checkout” when online shopping to avoid having your PII and credit card information stored to begin with.
Finally, it’s helpful to have a safety net in place should an ATO happen. Monitoring features like those we offer can help detect fraudulent behavior that could indicate a criminal taking over an account.
What to do if you have (or may have) been hacked
If you suspect that an account of yours has been taken over by a thief, give us a call right away. In some cases, we can help you recover loss of funds if there are any.
Earlier this year, Tessa Iwan, Restoration Manager at Allstate Identity Protection, helped a member who was facing a SIM swap scam that resulted in an account takeover.
“A scammer made several withdrawals from this member’s bank account, totaling more than $110,000, and opened fraudulent accounts in her name,” Iwan says.
With the help of Iwan and our restoration team, the fraudulent accounts were closed, and the stolen money was recovered. “If you’re a member and account fraud happens to you, we’ll be with you every step of the way,” says Iwan.
