Account takeover (ATO) attacks are a growing threat to organizations of all sizes. According to the Sift Digital Trust & Safety Index, ATO attacks increased by 354% year-over-year in Q2 2023. This followed a 169% increase in 2022.
In this article, we explore how ATO attacks occur and some practical security strategies companies can use to protect themselves.
What is account takeover (ATO)?
In an ATO attack, a bad actor uses compromised credentials to gain unauthorized access to user accounts, such as email, corporate systems and networks, or online banking.
The attackers can obtain the credentials in various ways. Some studies say 80% of ATO attacks originate from phishing, where attackers send fake emails or text messages to trick their victims into giving away their personal information or login details.
Attackers can also buy packages of stolen credentials on criminal forums, some of which are hosted on the dark web, and use them for credential stuffing attacks against multiple accounts and systems.
The average cost of an ATO attack for a business is estimated to be between $6,000 and $12,000. The total cost to US consumers was $15.6 billion in 2024. An attack can disrupt your operations and taint your brand. It can also lead to GDPR or CCPA compliance issues, potentially resulting in regulatory sanctions or fines.
How to build enterprise security strategies against ATO
Security awareness programs and phishing training for employees
Your employees are your vital first line of defense against ATO attacks. Therefore:
- Provide security awareness training to ensure everyone knows how to recognize potential scam messages. Phishing only succeeds when someone falls for it.
- Send simulated phishing messages regularly to help people stay alert.
- Set up clear reporting channels so that reporting phishing messages is quick and easy.
Strong authentication methods
Passwords alone aren’t enough. Reinforce your security by implementing:
- Multi-Factor Authentication (MFA) on all your platforms and accounts.
- Passwordless authentication and biometrics.
Advanced security protocols and encryption
Advanced threat detection technology, such as behavioral analytics, can spot red flags automatically. Coupled with credential and PII monitoring, this can help your security operations center (SOC) to address threats proactively.
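As an added illustration (not part of the original article and not any vendor's product code), here is a minimal behavioral rule for the credential stuffing pattern described earlier: one source failing logins against many distinct accounts in a short window, followed by a success. The event format, the 5-minute window, and the threshold of 4 accounts are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# IPs are from documentation ranges; none of this is real data.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "alice", "fail"),
    ("2024-05-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2024-05-01T10:00:03", "198.51.100.4", "carol", "fail"),
    ("2024-05-01T10:00:05", "203.0.113.7", "carol", "fail"),
    ("2024-05-01T10:00:07", "203.0.113.7", "dave", "fail"),
    ("2024-05-01T10:00:09", "203.0.113.7", "erin", "success"),
    ("2024-05-01T10:00:30", "198.51.100.4", "carol", "success"),
    ("2024-05-01T10:20:00", "203.0.113.7", "frank", "fail"),
]

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return (kind, ip, timestamp, username) alerts.

    stuffing_suspected: one IP failed logins for min_users distinct accounts
    inside the window. possible_takeover: a login from that IP then succeeded.
    """
    recent = defaultdict(deque)  # ip -> deque of (time, username) failures
    alerts = []
    for ts, ip, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        fails = recent[ip]
        # Drop failures that have aged out of the sliding window.
        while fails and now - fails[0][0] > window:
            fails.popleft()
        targeted = {name for _, name in fails}
        if outcome == "fail":
            before = len(targeted)
            fails.append((now, user))
            targeted.add(user)
            # Alert once, at the moment the distinct-account count crosses the threshold.
            if before < min_users <= len(targeted):
                alerts.append(("stuffing_suspected", ip, ts, user))
        elif len(targeted) >= min_users:
            # A success right after a spray is the account to lock and reset first.
            alerts.append(("possible_takeover", ip, ts, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct usernames rather than raw failures keeps a single user mistyping their own password from triggering the rule.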
Encryption in transit and at rest
Encrypt all your data. If attackers do break into your systems, encrypted data remains a dead end.
Identity and access management (IAM)
Develop an identity-first security strategy that includes data classification, role-based access control, and the least privilege principle.
If attackers strike, this approach prevents them from moving laterally through your systems to steal information, deploy malware, or disrupt your operations.
Automated IAM tools also make it easy to add or revoke permissions as people join or leave your organization, helping you manage your attack surface.
Credential and PII monitoring, and cyber threat intelligence (CTI)
Passwords and other personally identifiable information (PII) can fall into the wrong hands in various ways without your knowledge. Even one compromised password can lead to an attack.
CTI and dark web credential monitoring solutions like Cybercheck scan criminal forums, marketplaces, and groups for compromised credentials. If bad actors are trading information about you or your organization, you’re alerted immediately. That means you can change passwords and block accounts to shut out attackers before they strike.
Credential monitoring also highlights risky behaviours, such as sharing passwords or reusing them across systems. That means you can guide people towards best practices to strengthen your organization’s overall security.
Preventing ATO attacks is everyone’s responsibility
Preventing ATO attacks is about empowering people, deploying the right technology, and staying alert. Real-time credential monitoring and CTI can play a vital role in a proactive security strategy.