← Back to Glossary

What is Account Takeover?

by Iwan Price-Evans on Security • April 29, 2022

Account takeover (ATO) is when a malicious group or individual gains full access to a user account and performs any activity they wish with the account owner being powerless to stop them.

Account takeover is a form of identity theft. A cyber-criminal who has acquired account credentials can pose as the real user, and change account details so that the owner can no longer access it. Once the owner has been locked out of the account the criminal can then use the account as if it's their own.

If an email account is taken over the criminal can use it to perform any number of fraudulent activities. They may simply use it to send spam emails but they may also use it to reset the owner's login credentials to all of their online accounts. If successful, they could access financial accounts and steal the owner's money and leaving the account owner with no way of recovering that money.

How does account takeover happen?

Our digital footprint gets ever larger as we use more and more online systems and services for work and personal activities. This poses a threat to individuals and organizations of account credentials being compromised by cybercriminals. 

Common account takeover techniques include the following.

Social engineering

Social media is one of the primary targets of cybercriminals when looking for personal information. By identifying an individual and then researching all of their social media profiles they can gather relationship and employment information that is in the public domain. This is called social engineering and it enables them to identify a wide variety of personal information such as:

  • Personal and family relationships
  • Working relationships and line management connections
  • Employment history
  • Social groups
  • Personal data such as email, mobile, and date of birth.

By piecing this information together a criminal can collect the information needed to gain access to a user account.

Brute-force attacks or credential stuffing attacks

People often use poor password practice and make it easy for criminals to guess passwords based on the social engineering they've performed. The criminals will use automated password scripts to try to log in. Thousands of password combinations can be generated by these scripts.

The attacker can narrow down these attempts by using the information they've acquired from social engineering such as pet names or address details. This can be enough for them to gain access to an account. 

Phishing or Spear Phishing

Phishing emails can be used to trick a user into handing over their login credentials by visiting a fake website. Spear phishing is a targeted attack where the criminals have used social engineering to target an individual with messages that seem to be from their known connections. Spear phishing is often targeted at business employees where the attacker pretends to be a senior executive who urgently needs help to log in.

What can happen with account takeover?

A criminal's intention may be to simply access an eCommerce site account and quickly buy as many high-value products as possible, shipping them to their own location. The owner's bank security systems will usually identify this unusual behavior and automatically block the credit card being used.

More seriously, if the criminals can take over an email account they can use it to gather more specific information enabling them to access critical accounts such as online banking. 

By using the email account to find usernames, passwords, security questions, or account ID numbers they can build a complete user profile of stolen information. This can give the criminal all of the information they need to call the owner's bank or service provider and pretend to be them. This can result in the account owner losing huge amounts of money, potentially all of it.