Stolen identities have been popular in fraud for years. The pandemic has made it easier to exploit fears, allowing fraudsters to steal highly sensitive business, financial, and medical data.
Business account takeover is a form of identity theft in which cybercriminals steal employee or payee passwords to access sensitive company information. It is a prevalent problem across industries, and companies should take measures to protect themselves.
Attackers use phishing tactics to obtain account credentials, costing businesses millions annually. Once they have login credentials, they can damage a company's financial stability and reputation. According to the 2020 Global Identity and Fraud Report by Experian, 57% of enterprises report higher fraud losses due to account takeover.
Organizations Primarily Targeted
Gaming platforms have long been a target for account takeovers. Cybercriminals steal in-game payment information and make illegal purchases. They then use the stolen account to run phishing scams, luring other players into opening links that offer free characters or in-game currency.
A business account takeover is a big deal. It is one of the most damaging cyber threats that companies, payers, and payees face today. These attacks are difficult to detect because criminals log in with legitimate credentials. By and large, they hurt business reputations, scare payers and payees, and can even result in companies paying a heavy penalty.
Seven Common ATO Attacks
Phishing is perhaps the most common of all attacks. During a phishing attack, bad actors pose as legitimate organizations and ask the individual or company for personally identifiable information (PII). The goal is to trick the recipient (over a phone call, email, or text message) into taking an action, such as opening a link or downloading an attachment that carries malicious code. PII is any data that can be used to identify an individual, such as name, geographic location, SSN, IP address, passport number, etc.
Tips to detect a phishing attack:
- Emails that start with generic greetings like "hi there" instead of the recipient's name.
- Emails that ask you to complete an action almost immediately. For example, your account will be blocked if you do not provide details.
- Links that do not take you to the page the email claims, or whose URL does not begin with HTTPS.
Fraudsters conduct this type of business account takeover against large businesses. They use automated bots to systematically test credentials, identify the valid ones, and log in to the compromised accounts.
Tips to detect a brute force attack:
- A surprisingly high number of login attempts on a single account.
- Failed login attempts using many different account IDs and passwords.
- An exponential rise in account locks.
- More and more cases of hijacked accounts.
If your payees have used the same password for multiple accounts, consider it a treat for cybercriminals. Credential stuffing happens when the attacker uses bots to test large lists of stolen login credentials instead of trying them manually one by one.
Tips to detect credential stuffing:
- A sharp rise in login attempts and failed logins, with irregular traffic volumes.
- High use of non-existing usernames during authentication.
- Abnormal bounce rate on the authentication page.
A man-in-the-middle attack is a kind of cyber eavesdropping in which the attacker intercepts communication between two entities and manipulates the data transfer in real time. For example, the attacker exploits the real-time processing of transactions between a bank and its customer by diverting the customer's payment to a fraudulent account.
Tips to detect man-in-the-middle attack:
- TCP and HTTP signatures during user sessions do not match.
- Evil twin Wi-Fi networks like lkeaFreeWiFi and lkeaWiFiJoin in the same location.
- Login pages that look fake.
- Software update pop-ups that look illegitimate, and suspicious SSIDs.
Password spraying is another kind of brute force attack, in which the attacker feeds in a large database of username and password combinations in the hope that a few of them will work. It can take the form of a dictionary attack, where fraudsters try the most commonly used passwords against accounts. Many people still use the same password for multiple sites.
Tips to detect a password spraying attack:
- Login attempts from non-existent users.
- Significant increase in account lockouts.
- High login failure rate.
- Repeated login attempts from the same URL.
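The brute force, credential stuffing, and password spraying tips above all boil down to counting the same authentication-log signals: failures per account, distinct usernames per source, non-existent usernames, and lockouts. The following Python script is an added example, not code from the original article or from any vendor; it assumes a simple `ts src=… user=… result=…` log format, uses a constructed sample log, and treats the thresholds (`fail_threshold`, `many_users_threshold`, `stuffing_unknown_ratio`) as starting points you would tune to your own baseline traffic.

```python
"""Credential-guessing heuristics over authentication log lines.

Added example (not from the original article). Flags the patterns the
detection tips describe: many failures on one account (brute force), one
source trying many usernames (password spraying / credential stuffing),
a high share of non-existent usernames (credential stuffing), and lockouts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log in an assumed format (not from any real system):
# "<timestamp> src=<ip> user=<name> result=<success|fail|lockout|unknown_user>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=203.0.113.5 user=alice result=fail
2024-01-10T09:00:02 src=203.0.113.5 user=alice result=fail
2024-01-10T09:00:03 src=203.0.113.5 user=alice result=fail
2024-01-10T09:00:04 src=203.0.113.5 user=alice result=fail
2024-01-10T09:00:05 src=203.0.113.5 user=alice result=fail
2024-01-10T09:00:06 src=203.0.113.5 user=alice result=lockout
2024-01-10T09:01:00 src=198.51.100.7 user=alice result=fail
2024-01-10T09:01:01 src=198.51.100.7 user=bob result=fail
2024-01-10T09:01:02 src=198.51.100.7 user=carol result=fail
2024-01-10T09:01:03 src=198.51.100.7 user=dave result=fail
2024-01-10T09:01:04 src=198.51.100.7 user=erin result=unknown_user
2024-01-10T09:01:05 src=198.51.100.7 user=frank result=unknown_user
2024-01-10T09:02:00 src=192.0.2.9 user=bob result=success
"""


@dataclass
class Event:
    ts: str
    src: str
    user: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one 'ts key=value ...' line into an Event."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["src"], kv["user"], kv["result"])


def parse_log(text: str) -> list[Event]:
    """Parse the whole log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def analyze(events, fail_threshold=5, many_users_threshold=5,
            stuffing_unknown_ratio=0.5):
    """Return a findings dict. Thresholds are assumed values to tune locally."""
    failures_per_user = Counter()      # brute force: one account hammered
    users_per_src = defaultdict(set)   # spraying/stuffing: many users, one source
    attempts_per_src = Counter()
    unknown_per_src = Counter()        # non-existent usernames per source
    lockouts = 0

    for e in events:
        attempts_per_src[e.src] += 1
        users_per_src[e.src].add(e.user)
        if e.result == "fail":
            failures_per_user[e.user] += 1
        elif e.result == "lockout":
            lockouts += 1
        elif e.result == "unknown_user":
            unknown_per_src[e.src] += 1

    # Share of attempts per source that used a username that does not exist.
    unknown_ratio = {src: unknown_per_src[src] / n
                     for src, n in attempts_per_src.items()}

    many_user_sources = sorted(s for s, u in users_per_src.items()
                               if len(u) >= many_users_threshold)
    # Heuristic label: a leaked list from another site produces many unknown
    # usernames (stuffing); guessing common passwords against known staff does not.
    classification = {
        src: ("credential_stuffing_suspected"
              if unknown_ratio[src] >= stuffing_unknown_ratio
              else "password_spraying_suspected")
        for src in many_user_sources
    }

    return {
        "failures_per_user": dict(failures_per_user),
        "brute_force_users": sorted(u for u, n in failures_per_user.items()
                                    if n >= fail_threshold),
        "lockouts": lockouts,
        "many_user_sources": many_user_sources,
        "unknown_user_ratio": unknown_ratio,
        "classification": classification,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(parse_log(SAMPLE_LOG)), indent=2))
```

On the sample, `alice` is flagged for brute force (six failures, one lockout) and `198.51.100.7` is flagged for trying six different usernames; with the default ratio it is labelled as spraying, and lowering `stuffing_unknown_ratio` to the observed 1/3 flips the label to stuffing, which is the kind of tuning a real deployment needs against its own false-positive rate.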
Social engineering is a kind of business account takeover in which the cybercriminal manipulates an employee into giving away login credentials or access to sensitive information. Fraudsters conduct social engineering in stages: first they gather information about the intended victim, then they plan and launch an attack that exploits the victim's weakness, and finally they use the acquired data to carry out the takeover.
Tips to detect a social engineering attack:
- Unsolicited emails requesting payment information.
- Requests for an OTP following a two-factor authentication prompt.
- Suspicious chat boxes popping up.
As the name suggests, session hijacking happens when the attacker takes complete control of a user session. A session starts when you log in to a service such as your banking app and ends when you log out. A successful session hijacking gives the attacker access to multiple gateways, such as financial and customer records and other applications holding intellectual property.
Tips to detect session hijacking:
- Unusual frequency in the Received Signal Strength (RSS).
Business Practices to Prevent ATOs
Start by building a solid relationship with your payees. Help them understand the security measures they need to implement to safeguard their accounts and prevent unauthorized access to corporate data.
Here are a few standard practices you can follow:
- Verify the identity of the person contacting you before making any changes.
- Ask yourself whether the requested changes make sense and are consistent with the profile you are looking at.
- If the account has been dormant, verify why it is active now and whether any changes have been made.
- Verify the email address of the requester to ensure it's accurate.
- Educate staff not to open suspicious emails requesting details be changed.
- Enable two-factor authentication (2FA).
- Enable detect.