You’re a successful account manager. It’s a fine Tuesday morning and you’ve just made it into your home office to prepare for a Zoom business meeting with a cup of freshly brewed coffee. After logging into your company’s account management system, you receive a notification that a client’s email address associated with their account just changed.
“No big deal,” you think, “no doubt the client initiated the request to update their email.”
But on second thought, you want to be sure. So, you contact the client and ask if they changed their email address. They answer in the negative. Well, if they didn’t do it. Who did? You alert the company’s cybersecurity team and after a few hours of investigation, they’re able to track down the fraudster and prevent further damage from being done.
Congratulations! You’ve prevented your company from falling victim to account takeover fraud and protect your client from experiencing fraudulent activity.
What is Account Takeover Fraud?
Account takeover fraud is a type of identity theft in which a fraudster gains access to an account that isn’t theirs. Once they have access, they make seemingly insignificant changes such as requesting a new card, updating an email address, or adding a new authorized user.
With these changes, they are then able to carry out any number of significant unauthorized transactions that can have a costly impact.
When account takeover fraud is carried out successfully, it results in deep pain to the client and long-term damage to the company that failed to keep the client from being compromised. Frustration in explaining and failure to accept how this could happen leads to strain in the relationship between client and company and can eventually lead to the loss of that client.
Because whether the blame is legitimate or not, clients almost always fault the company for not protecting their account from being frauded.
The reason account takeover fraud is so serious is that with the amount of stolen account information, anywhere from login credentials to personal information to banking numbers, fraudsters are able to quickly carry out an extensive attack on a client’s identity.
They often use information gained from one account to take over other accounts the client may have at other companies.
Reports of account takeover fraud continue to rise with no signs of slowing down as fraudsters get craftier, faster. According to fraud prevention technology company Forter’s Fifth Fraud Attack Index(1), there has been a 31% increase in account takeover fraud year over year. Bots are one reason for this increase.
A 2019 white paper from Forter says, “Bots are capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit nearly limitless account takeover.” Additionally, the 2020 Global Identity and Fraud Report by Experian reports(2) 57% of enterprises report higher fraud losses due to account takeover.
What is Corporate Account Takeover?
Corporate account takeover is identity theft of a business where fraudsters steal employee passwords and other sensitive credentials to gain access to a business’s bank account or other accounts that contain highly sensitive information. Once they have access to a business’s bank account, for example, they can then initiate fraudulent ACH transactions.
According to Security Boulevard(3), there are six main industries in which companies are targeted by account takeover fraud. These six industries are:
Media and entertainment industry
Lately, there is a thriving parasitic ecosystem on the verge of overpowering the music and video streaming industry. Criminals work on a pretty straightforward model here by stealing login credentials from premium customers and selling them at a lower price for illegal access.
Account takeover attacks also threaten bank security, insurance companies, and other financial institutions. Fraudsters steal victim’s credentials or use phishing techniques to trick banks and gain complete control of millions of accounts.
The hospitality industry is a popular and easy target for fraudsters to deploy account takeover strategies. Hackers often seal reward balances and exploit them, resulting in the loss of loyal customers and damage to the brand’s reputation.
The sports industry is a lucrative business. With sensitive information, athlete negotiation figures, medical records, strategy documents, and intellectual property, fraudsters are on the lookout for loopholes to steal those assets.
Account takeover is a complex challenge for the retail industry too. Fraudsters make money from such attacks in a number of ways. Examples include ordering goods with the hacked account, purchasing gift cards, redeeming rewards points, and worst, selling compromised accounts on the dark web.
The gaming platform has always been on the account takeover radar. Cybercriminals steal in-game payment information and make illegal purchases. They use stolen account information to pull off phishing scams by luring other players into opening links with the free character or in-game currency.
Corporate account takeover should be taken seriously not just from those in the above industries, but in all business industries. Such attacks are one of the most dangerous and damaging cyber threats to companies and their clients in the world today.
Also Download – Whitepaper ( Top Trends Impacting Account Takeover Fraud )
Corporate Account Takeover Incidents
Even big companies that have access to all major fraud prevention software and systems can still fall victim to account takeovers.
In February 2020, it was revealed that sporting goods retailer Decathlon accidentally exposed more than 123 million records on an unsecured ElasticSearch server. According to a report by Alex Scroxton(4), the exposed data was discovered by Noam Rotem and Ran Locar of vpnMentor’s security research team and included sensitive information including employee system usernames, unencrypted passwords, API logs and usernames, and personally identifiable information relating to Decathlon staff.
In their disclosure, Rotem and Locar said, “The leaked database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information.”
A hacker hit the website of fashion retailer J. Crew in the spring of 2019(5) and accessed sensitive information in some users’ accounts. It wasn’t until this March, however, that the company notified customers who had their accounts unauthorizedly accessed and told them that personal information had been obtained by the third-party hacker, including the last four digits of credit cards, expiration dates of credit cards, billing addresses connected to those cards, order numbers, shipping confirmation numbers, and shipment status of those orders.
Jonathan Knudsen, the senior security strategist at Synopsis, advised affected users to engage in good cyber hygiene such as changing their password on other sites(6). “For users, there is nothing good about the credential stuffing attack at J. Crew, but there are some useful lessons to be learned,” he said.
Account Takeover Methods
Credential stuffing and credential cracking are two of the most common attack techniques related to account takeover fraud.
The OWASP Foundation Defines
Credential stuffing(7) as the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
Credential cracking(8) as Brute force, dictionary (word list) and guessing attacks used against authentication processes of the application to identify valid account credentials. This may utilize common usernames or passwords or involve initial username evaluation.
Both credential stuffing and credential cracking are used to perform identity theft of both individuals and businesses by monetizing compromised accounts through illegally accessing linked bank accounts and credit cards and exploiting personal data.
Corporate Account Takeover Fraud Risks
There are several risks when it comes to corporate account takeover fraud:
- The lack of virus and malware programs being used to prevent this type of fraud.
- The lack of patch management practices and built-in protection for the new security.
- Employees and team members not being trained on security awareness and updated systems.
- Dual control procedures not being adhered to.
- Ongoing account monitoring and reconciliation practices that have not been updated frequently.
- Changes in login credentials that are not approved by management.
How to Identify Account Takeover
There are several ways to identify account takeover:
Multiple accounts linked to a single device.
Many times, fraudsters don’t try to hide the fact that they are logging in to multiple accounts through the same device. This means that any account that gets affected will be linked to a single device. Note also that if family or coworkers use this same device, there could be other factors that contribute to an attack.
Account details being changed or updated at once.
If an account is flagged as suspicious, to attempt to prevent account takeover, the customer will get an alert. This causes the fraudster to panic and then emails and passwords will be changed rather quickly across multiple accounts.
Multiple IP addresses connected to accounts.
If an account has a high number of IP addresses, there is a good chance account takeover has happened. Mass logins can also be a trigger as it is not possible for a fraudster to know the exact location of an actual customer.
Corporate Account Takeover Warning Signs
Several warning signs are often available to corporate account holders when their system has been or is being compromised. Some of these signs include:
- Inability to log on to account as fraudsters sometimes block access so their theft won’t be noticed until after the fact
- System freezes while the account is logged in to, but the user is unable to do anything
- Unusual request for a one-time password or verification code in the middle of account session
- Unexpected changes in login credentials
- Flooding of distributed denial-of-service (DDoS) attacks to email accounts
Preventing Corporate Account Takeover
Account takeover fraud is basically carried out in six stages.
This stage is when malware designed to cause damage to a system or network is installed on a device.
This stage is when a client’s credentials and personally identifiable information (PII) is stolen.
This stage may or may not happen. If fraudsters wish to use the stolen data for themselves, they’re all set. If they are working for someone else, the stolen data will then be sold.
In this stage, fraudsters validate the credentials to make sure they work.
This stage is when fraudsters begin to monitor account activity. They will make small changes that seem legitimate.
This is the stage in which fraudulent activity begins.
To prevent account takeover from happening, it is ideal if action can be taken before the third stage takes place. Once stolen data has been sold and validated, it is much harder to stop what has already been set in motion. It is still possible, however, to stop an account takeover from happening completely at stage five.
If a small change such as an updated email or addition of a card appears inauthentic, the account should be put on hold and the action investigated so that if it turns out to be a fraudster at work, he can be shut down. If quick, decisive action is taken at stage five, then that will prevent the execution from being carried out at stage six.
Additionally, there are many good technology systems that have been created to reduce the risk of account takeover fraud both at the client and corporate levels. You can make use of digital device intelligence, knowledge-based authentication, and fraud prevention programs. Do your research to determine which is best to protect your company.
( Also Read: Credit Monitoring Tools in Banks )
Challenges With Account Takeover Prevention
Obviously, preventing account takeover before it even happens is the goal of every business. But, as with most preventive measures, there are challenges that arise. Some of those associated with account takeover prevention are:
- Genuine customers have a good spending history
- Fraudsters mimic normal login behavior
- Business responses to the threat
- No clear owner for the account takeover problem
- Different priorities around logging in and ease of use
What Is The Difference Between Account Takeover and Identity Theft?
Account takeover is a type of identity theft, but it is not the same as identity theft. The former is when a fraudster may not know anything about a person except their username and password to access an existing account.
And the latter is when a fraudster knows someone’s personal details including their name, address, date of birth, social security number, etc. With this information, the fraudster is able to open a new account under that person’s name, thus stealing an identity and pretending they are someone else.
“In both situations,” NuDetect explains, “you need to have the other person’s information, but what you do with this information determines whether it is account takeover or identity theft.”
What if You’re a Victim of Corporate Account Takeover Fraud?
If you start to receive chargeback requests or fraudulent transaction claims that are higher than usual than you are most likely the unfortunate victim of account takeover fraud. If you see unusual activity like multiple login attempts or multiple passwords reset requests, then you’ve most likely been hit by a fraudster.
Also, if you receive notifications that information such as a shipping address, credit card, or new user has been updated or added, your account has most likely been compromised.
You can help protect your company and your clients against corporate account takeover fraud by engaging in a layered, proactive, and passive fraud prevention and identification program that provides constant monitoring of customer interactions.
When you know the digital identities of your customers, you will be better able to help reduce false-positive rates and ensure proactive identification and appropriate fraud prevention functions are in place.