
Account takeover fraud recovery: What businesses need to know

Actionable steps for recovering from account takeover fraud

Last updated:
8/21/2024
⚡ Key takeaways
  • Bad actors can break into and take over accounts using various techniques. These can be as simple as trying leaked usernames and passwords, and as complex as sophisticated spearphishing campaigns.
  • Monitoring passive signals such as device footprints and user behavior can help you detect account takeovers and limit potential damage. 
  • More companies are turning to online identity verification and reverification requests to prevent account takeovers and automate account recoveries.

Everyone wants to keep their online accounts and information secure. Companies introduce more complex password requirements and additional security measures with this in mind. Still, for businesses, keeping accounts safe can still feel like an uphill battle. 

The latest step in the wrong direction? The release of RockYou2024 in July 2024, which brought the total number of leaked passwords up to nearly 10 billion. Bad actors can also get in by purchasing leaked data, such as usernames, Social Security numbers, and answers to knowledge-based authentication (KBA) questions. This gives them a scary amount of information—enough to potentially break into millions of users’ accounts. 

For businesses, this is a difficult situation. If your users can accrue loyalty points, store payment information, or send public or direct messages, then bad actors can extract value from taking over accounts.

You can and should focus on creating systems to prevent Account Takeovers (ATOs). But given the current state of managing identities online, you also need processes for detecting when bad actors take over an account and helping users recover their accounts. 

What is account takeover fraud?

Account takeover (ATO) fraud is when an unauthorized person gains access to someone else’s account, such as an email, bank, social media, loyalty, or gaming account. The bad actor can then make changes to the account, authorize transactions, or use the compromised account as a launchpad for additional scams and fraud. 

How does ATO fraud happen?

Bad actors can gain access to accounts in many ways, including:

  • Social engineering: Bad actors manipulate victims into directly or inadvertently sharing login credentials. These types of attacks can take different forms, including phishing attacks that trick victims into entering their information on a fake lookalike website or getting them to install malware. 
  • Credential stuffing and password spraying: Bad actors often use bots to guess a victim’s password at scale. With a credential stuffing attack, they try credentials specific to the victim, such as username and password pairs leaked in data breaches, betting that the victim reused them elsewhere. With password spraying, they instead try a small set of commonly used passwords against many accounts. (So don’t make your password “password1234”!)
  • Willingly shared access: Victims sometimes share information with someone, such as a family member or significant other, who then accesses their account without permission. Note that an ATO that happens this way is different from people sharing access to an account against a company’s terms and conditions.

Bad actors are also using generative AI to improve some of these attempts. For example, a bad actor might use GenAI to write a phishing email that gets past spam filters and sounds authentic to the victim. Perhaps the email “warns” the recipient that their account was hacked and shares a link to a replica password reset page. When the victim clicks the link and enters their information, the bad actor captures their login credentials and session data. Later, they use the information to attempt to get into the victim’s account. 

How does account recovery work?

Typically, identifying a compromised account starts the clock ticking on two timelines: stopping the fraudster and reinstating the account. Here’s how it can play out:

1. Discover the takeover 

You might learn about an ATO when a user reports unauthorized activity. Or, you notice suspicious activity in your system that leads you to believe someone has compromised an account.

For example, if a user logs in from an unusual location or device, that could be a sign of suspicious activity. You might want to treat the account as compromised if the user then attempts a suspicious activity, such as a large transfer or redemption. 
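As an added example (not code from the original post), here is one way to encode the signal just described as a rule: a login from a device or country the account has never used, followed within an hour by a high-value transfer or redemption, marks the account for freezing. The event schema, thresholds and sample events are assumptions.

```python
from dataclasses import dataclass

# Constructed sample events; field names are assumptions, not any product's
# schema. The device id stands in for a device fingerprint hash.
@dataclass
class Login:
    account: str
    device: str
    country: str
    ts: int          # unix seconds

@dataclass
class Action:
    account: str
    kind: str        # "transfer", "redeem", "view", ...
    amount: float
    ts: int

HIGH_VALUE_KINDS = {"transfer", "redeem"}
HIGH_VALUE_THRESHOLD = 500.0
WINDOW_SECONDS = 3600   # a high-value action within 1h of a risky login

def login_risk(history, login):
    """Passive signals: is the device or the country new for this account?"""
    prior = [e for e in history if e.account == login.account]
    reasons = []
    if login.device not in {e.device for e in prior}:
        reasons.append("new_device")
    if login.country not in {e.country for e in prior}:
        reasons.append("new_country")
    return reasons

def should_freeze(history, login, actions):
    """Returns (freeze?, reasons): freeze only when a risky login is followed,
    inside the window, by a high-value transfer or redemption."""
    reasons = login_risk(history, login)
    if not reasons:
        return False, []
    for a in actions:
        if (a.account == login.account and a.kind in HIGH_VALUE_KINDS
                and a.amount >= HIGH_VALUE_THRESHOLD
                and 0 <= a.ts - login.ts <= WINDOW_SECONDS):
            return True, reasons + [f"high_value_{a.kind}"]
    return False, reasons

HISTORY = [Login("u1", "dev-aaa", "US", 1_700_000_000),
           Login("u1", "dev-aaa", "US", 1_700_100_000)]
NEW_LOGIN = Login("u1", "dev-zzz", "RO", 1_700_200_000)
ACTIONS = [Action("u1", "view", 0.0, 1_700_200_060),
           Action("u1", "transfer", 2_000.0, 1_700_200_300)]
```

A risky login alone only records the reasons; the freeze decision waits for the high-value action, which keeps travelling users from being locked out for merely logging in.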

2. Freeze the account and contact the user

Once you suspect a takeover or fraudulent activity, you can freeze an account to prevent bad actors from using it or doing more damage. 

You can then contact the account holder and have them reset their password. Depending on the situation, you might ask them to verify or reverify their identity before restoring access to the account. 

Users might see the account takeover as a failure on your part to keep the account secure — even if the ATO was the result of them reusing passwords. It can be hard to get the tone right, but try to give context and suggestions without pointing fingers. 

For instance, explain the importance of using unique passwords to keep a data breach at one company from putting all their accounts at risk. Or outline how multi-factor authentication can help protect their accounts even if a fraudster knows their password.

3. Conduct a broader analysis

Discovering that bad actors took over an account can present an opportunity. Try to collect as much information as you can about the bad actor and how they used the account. This might include: 

  • New personal information, such as a changed name or date of birth
  • A large number of failed login attempts, or irregular login behavior
  • New contact information, such as a new address, email account, or phone number
  • Device fingerprints, such as their IP address, time zone, and screen resolution

Using link analysis, you can look at other accounts that share these markers. You could then flag those as suspicious and investigate whether a bad actor created or took over the account. 

An in-depth analysis should also include variations of the above, such as physical addresses with slightly different naming schemes. For example, fraudsters may use 123 Main St. Apt 1 and 123 Main St. Apt A interchangeably.

Additionally, link analysis may be able to help you identify patterns in how bad actors act once they take over an account. You could then use these to quickly identify ATO attempts going forward.
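The following is an added example (not Persona's Graph or any code from the original post) of the link analysis described above: it normalizes the markers so that address variants like “123 Main St. Apt 1” and “123 main street, apt A” collapse to one key, then walks from a known-compromised account to every account that shares an address, phone number, or device fingerprint with it. The account records and field names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample accounts with assumed field names (not any product's schema).
ACCOUNTS = {
    "acct-1": {"address": "123 Main St. Apt 1", "phone": "555-0100", "device": "fp-77"},
    "acct-2": {"address": "123 main street, apt A", "phone": "555-0199", "device": "fp-77"},
    "acct-3": {"address": "9 Elm Rd", "phone": "(555) 0100", "device": "fp-12"},
    "acct-4": {"address": "456 Oak Ave", "phone": "555-0300", "device": "fp-50"},
}

STREET_SUFFIXES = {"street": "st", "avenue": "ave", "road": "rd"}
UNIT_RE = re.compile(r"\b(?:apt|unit|suite)\.?\s*\w+")

def normalize_address(addr):
    """Fold case, punctuation, suffix spelling and unit designators so that
    '123 Main St. Apt 1' and '123 main street, apt A' map to one key."""
    s = UNIT_RE.sub("", addr.lower().replace(",", " "))
    return " ".join(STREET_SUFFIXES.get(t, t.rstrip(".")) for t in s.split())

def normalize_phone(phone):
    return re.sub(r"\D", "", phone)

def build_index(accounts):
    """Marker -> accounts sharing it; these shared markers are the graph edges."""
    index = defaultdict(set)
    for acct, rec in accounts.items():
        index[("address", normalize_address(rec["address"]))].add(acct)
        index[("phone", normalize_phone(rec["phone"]))].add(acct)
        index[("device", rec["device"])].add(acct)
    return index

def linked_accounts(accounts, seed):
    """Accounts reachable from a known-compromised seed through shared markers,
    each tagged with the marker type that first linked it, for analyst review."""
    index = build_index(accounts)
    found, frontier = {}, [seed]
    while frontier:
        cur = frontier.pop()
        for (kind, _value), members in index.items():
            if cur not in members:
                continue
            for other in members - {cur}:
                if other != seed and other not in found:
                    found[other] = kind
                    frontier.append(other)
    return found
```

The walk is transitive, so an account that shares only a phone number with an account that shares only a device with the seed is still surfaced; treat the result as a queue for review rather than an automatic verdict.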


4. Rinse and repeat

Continuously monitoring for suspicious activity and fraud signals can help keep bad actors out of your systems. Repeat the steps above as you identify new accounts that may be fraudulent or taken over. 

5. Focus on prevention

Although you might not be able to prevent every ATO attempt, focusing on prevention can help stop bad actors, minimize the impact on your teams, and create a good experience for your users. 

Some proactive steps you can take are:

  • Enforce strong password requirements.
  • Offer and consider requiring multi-factor authentication.
  • Limit multiple login attempts during short time periods. 
  • Use web application firewalls to stop attempts from known attackers and bots. 

Monitoring behavioral and passive risk signals for signs of fraudulent activity can also help you detect and prevent account takeovers without interrupting your users. However, sometimes adding friction can be important. 

For instance, you can conduct a risk assessment to find high-risk moments and map how bad actors could monetize taken-over accounts. You can use the results to determine when you’ll require more robust identity checks or ask users to reverify their identities.

How Persona helps prevent ATOs and improve account recovery

You can configure and customize Persona’s identity platform based on your needs. Companies like Instacart and Lime use Persona to create and customize their identity verification and reverification flows for users. And Empower, a mobile-first fintech, partnered with Persona to onboard new users and improve its process for helping users recover accounts after they got locked out. 

“Persona's combination of document verification and live facial comparison ensures a speedy, automated and highly secure account recovery experience for our customers,” said Mac Muir, the previous head of operations and current CFO at Empower. The company can now securely and confidently automate account recovery instead of relying on a highly manual process. 

If you’re focused on account recovery, you can use Workflows, a no-code tool for creating user flows and automating identity verification and reverification requests. You can choose from various types of verifications depending on the situation and risk signals, including government ID, selfie, document, and database verifications. 

When you want to investigate suspicious activity, you can use Persona’s Cases to consolidate information about an account from various sources onto a single dashboard. And with Graph, Persona’s link analysis tool, you can identify connected accounts and prevent new account takeovers. 

Contact us to learn more or get started for free.

Published on:
8/21/2024
