Almost every business or organization is a target for account takeover (ATO) attempts. There’s a good chance that your organization is vulnerable.

What is an account takeover attack? Simply defined, it’s when a cybercriminal gains access and control of another party’s legitimate account (such as a Microsoft O365 or Google Workspace account). An ATO attack is more than just a data breach. An ATO attacker gains full control to make purchases, transfer money, steal bank and credit card information, gain access to sensitive business intelligence, or even disrupt business operations—all before a user even knows the account has been compromised.

How do you know if your organization is vulnerable to account takeover attempts? 

Historically, targets primarily included eCommerce, healthcare, education, insurance, and banking.  Today, however, any small or large businesses may be a target.

Studies show that businesses and organizations are concerned about ATO attempts, but few are able to detect or prevent such encounters. Are you prepared for a takeover attempt?

Let’s do a quick assessment:

• Are you able to recognize if a new account is legitimate or a potential hacker?
• Do you know what data you should be monitoring?
• Are you able to detect when an ATO attack is occurring?
• Can you identify when a bot is attempting access to your site?
• Do you know how to prevent ATO attempts?

If you said no to any of these questions, you’re not alone. Facing these questions is becoming more and more commonplace for organizations of all types and sizes.

Employee accounts, partner/vendor accounts, or even clients can be compromised. In most cases, businesses have no idea that an account takeover attack has occurred. Once an attacker has taken over a business's account, they can do stuff like send fake invoices or send new wire transfer instructions to customers and vendors. And merchants often have no idea that an ATO has occurred until a customer files a claim.

If an ATO attack is confirmed or suspected, it is critical that the compromised account is immediately suspended and logged out of all instances, and then the user needs to create a new (unique and strong password). If it appears that the account has been compromised for days or weeks, it is probably best to force all employees to reset their passwords and alert business partners/vendors that the compromised user works with. 

The impact of an account takeover is huge. You risk: 

• Losing customers and sales. According to a 2020 Riskified survey, “65% of customers say they would likely stop buying from a merchant if their account was compromised. More than half (54%) of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.”
• Bad reputation, including customers leaving negative reviews across social media platforms.
• External accounts being taken over, as many people use the same credentials across multiple websites and platforms.
• Your employee or client data being sold on the dark web for multiple attackers.

ATO attacks often start with a phishing email, but they can also start with the use of credentials acquired from a prior data breach, sold through the dark web, old phishing attacks, malware, social engineering attacks, and many other methods. Attackers utilize bots to automate brute-force attacks across multiple sites, stuffing them with various username/password combinations based on the compromised information they’ve gathered. 

Account Takeover Detection, Identification, and Prevention

ATO attempts are challenging to detect or prevent, but there are some things that can help such as:

• Employee Training. This includes sending phishing simulation testing campaigns and security awareness training (SAT). This needs to be done on a regular, but randomized, basis to ensure every employee is part of your “defense in depth” approach to security. 
• Use of FIDO2 (OATH/TOTP) based authentication methods via security keys / fobs that require the owner of the credentials to be physically present from where the account is actually being accessed.
• FIDO2 authentication, or at least Multi-Factor Authentication (MFA) that requires your users to authenticate their login beyond a username and password, such as a code via SMS, email, or an authenticator app. It is important to note that attackers are getting increasingly better at intercepting MFA one-time passwords (OTP) via “man-in-the-middle” or “Nag” attacks (used in the recent Uber ATO)

• Monitoring your O365 or Google Workspace accounts for attacks and indicators of compromise (IOC) such as: irregular spikes in login attempts, increased number of failed logins, spikes in account locks, spikes in password reset/reminder requests, or even things like complaints about unauthorized fund movements.

IRONSCALES ATO Protection

The most effective way to protect your organization from ATO attacks is by using a security solution that harnesses the power of artificial intelligence (AI) to identify attempts and suspicious activity. IRONSCALES offers award-winning email security solutions powered by AI and machine learning technology, and are designed to integrate with cloud-based email solutions–which is the only proven method that can adapt to the ever-changing tools and techniques used by attackers.

Detecting an ATO or a compromised email address isn’t easy, as it’s not uncommon for employees to make legitimate changes, such as getting a new smartphone or logging in from a different computer. Accurate detection requires advanced analysis of multiple data points, identity and access management events, unusual email handling rules, and email user behavior.

The number of event combinations across these data sources is massive. To avoid false positive alerts, IRONSCALES analyzes multiple types of data in real-time to identify suspicious behavioral patterns. For example, multiple failed log-on attempts aren’t unusual, but may be a red flag when combined with new email forwarding rules.

IRONSCALES™ Complete Protect™ Account Takeover Protection:

• Detects and stops new and emerging ATO attacks - AI analyzes content and communications styles in order to detect and prevent even the most sophisticated ATO attempts.
• Detects compromised internal email accounts using AI to cross-check multiple factors to detect suspicious travel, mail-forwarding rules, BEC language, and other behaviors.
• Detects and alerts users and IT/Security admins on compromised external email accounts by using AI to analyze and profile normal email communications for user and company business processes, language, and relationships in order to detect fraud or social engineering.
• Delivers MSOAR capabilities using AI and machine-learning to provide automated incident response, proactive threat hunting, virtual SOC, phishing emulation, and employee training.

Account Takeover Remediation: Stop the Spread in Two Clicks

A single successful ATO attack can rapidly lead to data breaches and additional compromised accounts. When an ATO attempt is detected, IRONSCALES does not auto-classify such incidents, but immediately provides the necessary information to remediate such incidents and prevent further spread. This is accomplished in two simple clicks.

Read more about IRONSCALES account takeover protection solutions here.

Download “The Business Cost of Phishing” research report to discover email security trends and data.