DataDome

Global Account Takeover Fraud Statistics for 2023

Table of contents
Last update: 1 Apr, 2023
|
min

The global economy is facing high inflation, slow growth rates, and geopolitical events like the Russia-Ukraine war that increase the risk of further financial and economic instability worldwide. In these strenuous conditions, the last thing your company needs is account takeover fraud.

This isn’t just fearmongering. Several studies and reports conducted over the years have shown both the prevalence and risk of account takeover (ATO) fraud for both businesses and individuals. This article will address the findings of some of these studies and reports. It will also explain what impact ATO fraud can have on your business, what puts you at risk of ATO fraud, and how you can prevent it from ever happening.

The 5 best ways to prevent account takeovers:

  1. Use Account Takeover Detection & Prevention Software
  2. Use Strong Passwords and Multi-Factor Authentication
  3. Educate Your Employees
  4. Be Careful with Access Controls
  5. Ensure the Security of Third-Party Applications

Global Account Takeover (ATO) Statistics

An account takeover happens when a hacker gains unauthorized access to the account of an individual or company. They then use that account to steal someone’s identity, make fraudulent transactions, sell account data on the dark web, destroy a company’s reputation, et cetera.

In 2022, the Federal Trade Commission (FTC) received over 725,000 reports of impostor scams, where a criminal pretended to be someone else to steal money or information. While this was down from a high of almost a million such reports in 2021, the total amount of money lost to impostor scams was the highest it’s been since measurements began in 2018: Consumers lost $2.67 million in 2022, up from $2.4 million in 2021.

Impostor scams are only possible because a hacker has gained access to someone else’s account through ATO fraud. It goes hand in hand with identity theft, where a hacker impersonates someone to create a new account. Together with impostor scams, they made up 35.62% of all 5.2 million fraud reports (p. 7 of the PDF) the FTC received in 2022.

For both impostor scams and identity theft, there’s a company on the other end of the line that has been defrauded. Companies are often not as well protected legally against ATO fraud as individuals are, and can suffer significant damage if left unprotected (something we’ll discuss further down in the article).

US States with the Biggest Losses to ATO Fraud

The three US states that filed the most identity theft reports in 2022 were California, Texas, and Florida. But that’s mostly because so many Americans live there. Adjusted for population, the ten states that suffered most from identity theft were (p. 21 of the PDF):

  1. Georgia
  2. Louisiana
  3. Florida
  4. Delaware
  5. Nevada
  6. Texas
  7. Pennsylvania
  8. Alabama
  9. South Carolina
  10. Mississippi

All Countries Struggle with ATO Fraud

ATO fraud is a global problem that companies from every economy suffer from. Countries with high GDP have more account takeover fraud, because there’s more money to steal (or because data is more readily available). For example, in the first half of 2022, UK Finance recorded 34,114 cases of card identity theft, for a gross loss of £21.4 million ($25.65 million). These were the highest numbers since H2 2018 (p. 13 of the PDF).

The European Union doesn’t escape from ATO fraud either. Data from Finanso showed that identity theft was the second-most common type of fraud attack in Europe, after monetary fraud. One in five European suffered from identity theft between 2020 and 2022. Once more, there’s a company on the other side of every individual suffering from identity theft that will suffer the consequences outlined below.

Impact and Consequences of Account Takeover Fraud on Businesses

Because account takeover is such a broad term, different types of account takeovers go by different names. That’s why it’s sometimes hard to really understand how damaging ATO can be: Sometimes it’s simply called something else. For example, the FBI reported in 2022 that businesses and individuals lost $45 billion between 2013 and 2021 to Business Email Compromise/Email Account Compromise (BEC/EAC). This is a term for a subset of ATO fraud.

The same goes for the infamous 2020 Twitter hack, where the accounts of celebrities like Elon Musk, Bill Gates, Jeff Bezos, and Barack Obama, as well as the accounts of companies like Apple and Uber, were hacked. The hackers sent out a scam message from these accounts asking for Bitcoin (BTC). Over 320 people obliged and sent around twelve BTC to the address (approximately $260,000 at the time of writing). This, too, was a type of ATO fraud.

The list of examples can go on. In general, whether it’s the takeover of a user account or a corporate account, the impact and consequences of account takeover fraud fall into the following five categories:

  • Direct financial losses: When a hacker gains access to a financial corporate account and moves your company’s money before you can stop them. Alternatively, when a hacker gains access to a corporate credit card and buys goods or services with it.
  • Regulatory fees: Chances are you’re under the jurisdiction of a legal framework that protects the privacy and security of your users’ data. If you lose that data to ATO fraud in a data breach, you risk paying fines that, in the case of GDPR, can cost up to 4% of your company’s annual revenue.
  • Reputational damage: The reputational damage of an account takeover can cost much more than the direct financial losses you’re at risk of. When a user of the video messaging app Loom reported in March 2023 that he had logged into someone else’s account instead of his own, it triggered a panic on Twitter that immediately caused Loom users to look for alternatives. 
  • Operational disruption: To continue the Loom example, the service was quickly taken offline for several hours as everyone in the company scrambled to understand what they called “a critical incident.” Any company that suffers from ATO fraud in any form will face immediate and severe operational disruption.

Industries Most at Risk of ATO

The danger of listing the industries that are most at risk of ATO fraud is that companies who aren’t in the listed industries think they’re off the hook. They’re not. All companies have corporate accounts, even if it’s just bank accounts. This means that all companies are at risk of ATO fraud and must protect themselves against it.

Still, some industries are more at risk than others. Industries where companies typically have many user accounts, such as social media, are high risk. Industries where companies store sensitive data digitally, such as healthcare or finance, are high risk too. Industries where companies rely on digital goods and services, such as e-commerce or retail, are high risk as well.

What Puts Businesses at Risk of ATO Attacks

Companies sometimes believe that what puts them at risk of ATO attacks is some technical misconfiguration that’s hard to understand for anyone who’s not a techie. While it’s possible that hackers find an entry in this way, the reason why hackers gain access to corporate or user accounts is often much simpler: Weak passwords.

For example, Chick-fil-A suffered a data breach in early 2023 where 71,000 customer accounts were hacked. Through automated bots, hackers were able to break into the accounts that had weak passwords and weren’t protected with multi-factor authentication. The hackers stole user names, email addresses, and credit card numbers. 

Another way hackers gain access to accounts is through phishing attacks, where they trick an employee or user into giving away confidential information, often pretending to be a high-level executive of the company they’re breaking into. This may not work for most employees, but you only need one victim to oblige and you’re in.

Other security threats tied to account takeovers are malware infections that hackers inject into every layer of your technical architecture, insecure third-party applications that are often gateways into your own systems, and disgruntled employees who go rogue and share sensitive information with hackers or commit ATO fraud themselves.

How Businesses Can Prevent Account Takeover Fraud

While ATO fraud is scary, account takeover prevention needn’t be hugely complicated or technical. A few simple best practices will drastically reduce your chances of being targeted. After all, there are still a huge number of companies that go entirely unprotected against ATO fraud. It’s those companies that hackers prefer to target. Properly protect yourself and they won’t target you. 

Use Account Takeover Detection & Prevention Software

Account takeover prevention software is easily the best way to stop ATO fraud dead in its tracks. Hackers don’t guess login details manually. They rely heavily on automation to identify and attack their targets, and often do so for tens of thousands of accounts at the same time. This is only possible with bots.

The right ATO prevention software blocks these ATO threats in real-time for all your endpoints, whether that’s your website, mobile app, or API. This has the benefit that it not only stops ATO fraud, but also all other types of fraud that rely on automated means, such as scalping, DDoS attacks, and scraping.

Use Strong Passwords and Multi-Factor Authentication

Accounts with weak passwords beg for a break-in. All your corporate accounts should have strong passwords. A strong password means a complex password that’s at least over fifteen characters long. Anything below eight characters takes at most a few hours to break, regardless of its complexity.

The same goes for multi-factor authentication. It should be enabled wherever possible. Even if a hacker guesses your password, MFA adds another layer of security that’s impossible to get past unless the hacker also has access to whatever device you’re using for MFA (which is unlikely). 

When it comes to your users, you can nudge them towards strong passwords and MFA with the right prompts and frequent email notifications. It’s wise to do so, because they will blame you even if was them who didn’t activate MFA or set up an account with a weak password.

Educate Your Employees

All your employees should have a good understanding of what ATO fraud is, what they need to look out for, and what they should do when accessing their accounts. This is especially the case for frontline employees and employees who engage with any type of account, user or corporate.

Employee training should include how to spot phishing emails, fake websites, and suspicious URLs. It should also talk about the importance of updating company hardware and what to do when working remotely (use a password manager, connect to a VPN). Such training should be held regularly, once or twice a year at least.

Be Careful with Access Controls

Many companies aren’t careful with who they give access to corporate accounts. For example, it’s common for startups to share one account between several employees, simply because it’s often much cheaper to do so. This is a big security risk, because the entire company then relies on a single gateway into a corporate account. If a hacker gains access, the account is essentially lost.

In general, companies have to be careful with their access controls. Not everyone who asks for access needs access. Often, they may just require a piece of information that can be obtained in other ways. Make sure your access control are as strict as can be without them becoming too inconvenient.

Ensure the Security of Third-Party Applications

Every business relies on third-party applications for some of their processes. It’s inevitable. You want to make sure that you vet the security of every third-party app, especially when you’re handing them sensitive data. After all, under most regulatory frameworks, you’re still responsible for that data even if they suffer a security breach.

Mostly, ensuring the security of third-party applications means keeping it updated with the latest patches and monitoring the application for suspicious account or network activity. Ideally, you have a failsafe that you can pull to immediately disconnect the application from your systems. 

Start Preventing and Detecting Account Takeover Fraud with DataDome

DataDome is fraud prevention software that detects and prevents ATO fraud. In particular, it identifies and blocks all malicious bot activity in real-time, stopping not just ATO fraud but all fraud that relies on automation. It does so for all your endpoints, whether they’re your websites, mobile apps, or APIs.

DataDome is lightweight and easy to install regardless of the technologies you currently use. It is a hands-off solution with a dedicated 24/7 support team to help and answer your questions. If you’re curious to learn how DataDome works, schedule a live demo today

DataDome
dd product home overview

Still exploring?

Start with an on-demand demo.