No business wants to suffer an account takeover (ATO) attack, but few realize the true extent of the damage it can cause. It is estimated that businesses lose up to 9% of their annual revenue due to account takeover. Once a cybercriminal gains unauthorized access to a legitimate user account, the possibilities for fraud abound.
Here are 7 ways that fraudsters can abuse compromised accounts, as well as tips to prevent bad actors from taking over accounts on your site.
Consumers often store credit card numbers, gift card balances, loyalty points and airline miles in their accounts for easier checkout. Attackers who gain access to user accounts are free to go on a shopping spree with the stored payment data, courtesy of the account takeover victim.
Fraudsters can look through the account's purchase history and then call customer support to complain that an ordered item was never delivered or arrived damaged, demanding a replacement shipped to their own address. This costs businesses inventory that they'll never get back.
Attackers can use the information stored in financial accounts, including names and Social Security numbers, to take out fraudulent loans and lines of credit. They often quickly convert stolen assets into hard-to-trace cryptocurrencies or move cash to jurisdictions where enforcement is light before the fraud is suspected.
Cybercriminals can use the personally identifiable information (PII) stored in a compromised account to open fake accounts using that name across other sites. Fake accounts can be used to distribute malware, post fake reviews and conduct other types of fraud.
Fraudsters may create fake accounts on a marketplace offering fake products or services. Next, they take over legitimate accounts and use the stored funds to purchase their own fake services. This lets them secure the digital currency immediately and then cash it out little by little so the fraud goes unnoticed.
Fraudsters can post fake reviews using compromised accounts, artificially disparaging or praising a product or service. This is a way for cybercriminals to damage a competitor’s reputation or promote their own product or service.
Fraudsters commonly distribute malware through malicious links in phishing emails or spam messages on social media. When a bad actor takes over a legitimate account, they can send a malicious link to everyone in that person's address book and trick recipients into believing it came from a trusted friend.
Because it is used to steal login credentials, payment data and other PII, malware paves the way for additional account takeover attacks and begins the attack lifecycle all over again.
Account takeover can have long-lasting repercussions for online businesses, including significant financial losses, damage to brand reputation and consumer trust, and operational inefficiencies.
So, how can brands protect themselves and their customers? The following tips are a strong start:
HUMAN's suite of solutions — HUMAN Bot Defender, Credential Intelligence, and Account Defender — provides a layered defense model to stop account takeover attacks at every turn. These solutions work together to stop bot attacks in real time, reduce your potential attack surface, and remediate breached accounts.