HOW TO PROTECT YOUR BUSINESS FROM ACCOUNT TAKEOVER FRAUD
With fraudsters’ attack methods evolving, it’s more important than ever for a business to keep a vigilant check on a customer’s account.
As more and more businesses operate online, users turn to online methods to make payments. But, this trend is creating havoc in the payment industry – namely, account takeover fraud.
What is account takeover fraud?
According to SEON, account takeover (ATO) fraud is a form of online identity theft in which a cybercriminal gains unauthorized access to an account belonging to someone else. The malicious third party gains control of and access to an online account, such as a social media, bank, or email account.
Companies are slowly adopting ATO preventive methods to ensure their brand reputation and protect customers from getting looted by criminals.
How to protect your business from ATO Fraud
With ATO fraud having targeted Mark Zuckerberg, Elon Musk, Jeff Bezos, and Kanye West, even small companies are prime targets for these professionals. Here are a few ways to protect your business from ATO fraud:
1. Fortify passwords
The key to stopping account takeover fraud is preventing it from occurring in the first place. This means stopping employees from choosing easily guessable passwords and steering them toward passwords they can remember but that are extremely difficult to guess. A proactive strategy can prevent employees from choosing previously compromised or simple passwords.
According to NIST guidelines, a user-created password should be at least 8 characters long. Though such passwords are harder for cybercriminals to crack, they can be hard for users to remember.
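As an added example (not from the article), here is a password-acceptance check in the spirit of this section: it enforces the NIST 8-character minimum and rejects passwords found in a constructed, in-memory breach list, using a k-anonymity style lookup (only the first 5 hex characters of the SHA-1 go to the lookup side; suffixes are compared locally) so the full hash never leaves the client. The breach list, weights and function names are assumptions.

```python
import hashlib

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords

# Constructed sample breach corpus: SHA-1 digests of passwords seen in past leaks.
# A real deployment would query a large corpus or a breach-lookup service instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456789", "qwerty123", "letmein1")
}


def range_suffixes(prefix5):
    """Simulated k-anonymity range lookup: given the first 5 hex chars of a SHA-1,
    return the suffixes of every breached hash sharing that prefix. Only the
    prefix is ever sent to the lookup side, so the full hash stays with the client."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(candidate):
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return digest[5:] in range_suffixes(digest[:5])


def check_password(candidate, context_words=()):
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if is_breached(candidate):
        reasons.append("found in a known breach")
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")
    lowered = candidate.lower()
    # Reject passwords built from a company or product name an attacker can guess.
    for word in context_words:
        if word.lower() in lowered:
            reasons.append("contains context word '%s'" % word)
    return reasons
```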
2. Update passwords regularly
Apart from creating guidelines for new passwords, educate your users on the benefits of updating their passwords regularly. This protects an account whose password may have appeared in a historic data breach.
Focus on creating a strong security program paired with employee and user education about the warning signs. When users update their passwords, encourage them to use alphanumeric passwords for every account. Updating passwords every month or once every three months can help your users prevent account hacking.
3. Use multi-factor authentication
Multi-factor authentication or two-factor authentication is an excellent way of preventing ATO from taking place. A two-step verification method offers another layer of security beyond username and password.
This second factor takes different forms, including a one-time password (OTP), a retinal scan, a code sent to a device, or a fingerprint scan. An MFA factor is very difficult to forge, and the user doesn't have to remember an additional password.
With two-factor authentication blocking 99.9% of automated attacks, implementing it can protect your business from account takeover fraud.
4. Pay attention to suspicious activities
To prevent ATO fraud, look out for unexplained account and network activity, unsolicited emails, and unexpected pop-ups.
On detecting any suspicious activity, terminate the affected online sessions to prevent the malware from gaining access to your users' or employees' accounts.
Using Imperva’s malware detection and removal, you can easily detect malicious activities and prevent them from causing damage to your system.
Also, keep records of what happened, as they help you stay alert to similar incidents.
5. Intervene early
Another great way to prevent ATO is to stop stolen passwords and user details from being sold in criminal communities.
Typically, when passwords are compromised, they are easily discoverable by crawlers and scanners, which increases the damage.
When you stress the importance of keeping strong and unique passwords, you reduce the chances of a hacker gaining unauthorized access to any account.
Proactively managing accounts exposed to ATO requires in-depth planning and sophisticated technology. Controlling the damage after it has been done is essential for preventing future ATO incidents.
6. Use risk-based authentication
Many companies use risk-based authentication (RBA). This feature verifies a user's identity by adding an extra layer of protection in real time whenever the system encounters suspicious activity or an irregular sign-in pattern.
For instance, RBA can trigger a response when a user logs in from a new device or an unknown geographic location. Other common criteria for assessing risk include the status of the antivirus program, geographic location, and IP address.
As the level of risk increases, the authentication process becomes more restrictive and comprehensive.
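The following is an added example (not the article's own code) of the risk-based authentication described above: each login is scored on the signals the section lists (new device, unknown country, new IP address, antivirus status) plus recent failed attempts, and the score decides whether a password suffices, a second factor is demanded, or the login is blocked. The weights, thresholds and class names are assumptions.

```python
from dataclasses import dataclass, field

# Weights and thresholds are assumptions for this example; tune them to your login data.
RISK_WEIGHTS = {"new_device": 3, "new_country": 4, "new_ip": 1, "endpoint_unprotected": 2}
STEP_UP_AT = 2  # score at which a second factor is demanded
BLOCK_AT = 7    # score at which the login is refused and the user notified

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    ip: str
    endpoint_protected: bool = True  # client reports a healthy antivirus
    recent_failures: int = 0         # failed attempts on this account in the last few minutes

def score_login(profile, attempt):
    """Return (score, signals): the risk score and the signals that raised it."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("new_country")
    if attempt.ip not in profile.known_ips:
        signals.append("new_ip")
    if not attempt.endpoint_protected:
        signals.append("endpoint_unprotected")
    score = sum(RISK_WEIGHTS[s] for s in signals)
    # Each recent failure adds a point (capped at 5), so a burst of failed logins
    # raises the bar even when the context otherwise looks familiar.
    score += min(attempt.recent_failures, 5)
    return score, signals

def required_auth(score):
    """Map a risk score to the authentication the login must complete."""
    if score >= BLOCK_AT:
        return "block_and_notify"
    if score >= STEP_UP_AT:
        return "password+otp"
    return "password"

def record_success(profile, attempt):
    # After a fully verified login, remember the context so it is low-risk next time.
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.known_ips.add(attempt.ip)
```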
7. Cross-verify website URLs
Another simple yet effective way to detect ATO attempts is cross-verifying website URLs for signs of phishing. When entering credentials or personal information, the website URL should not change or redirect to another unknown web page.
Looking for such minor signs is a great way to prevent users’ critical information from getting leaked.
8. Don’t rely too much on web application firewalls (WAF)
Web application firewalls can protect web applications against the most prominent software vulnerabilities.
These firewalls are not ideal for detecting real-time and automated threats. They focus on attacks such as cross-site scripting or session hijacking. So, a WAF alone will not yield the desired results, because it is not built to protect against ATO.
This is primarily because bots now mimic human behavior. They can click around, stay on a page and even move a cursor. They can also rotate between thousands of IP addresses and still go undetected.
9. Use the tokenization technique
The tokenization technique differs from the standard encryption process. It helps protect sensitive payment credentials and business data like credit card numbers, expiration dates, CVV codes, bank account numbers, and cardholders’ names. Tokenization works by substituting the user’s payment details with non-specific IDs known as “tokens.”
These tokens get randomly generated when a customer supplies their payment information at a payment gateway.
There is no clear relationship between the user’s payment details and the tokens generated.
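As an added illustration (not code from the article or any payment gateway), here is a minimal token vault showing the property the section describes: the token is generated at random, so it bears no relationship to the card number, and only a designated role can turn it back into real card data. The class name, role name and card values are constructed for the example.

```python
import secrets

class TokenVault:
    """Constructed in-memory vault for this example. In production the vault is a separate,
    hardened system and the only place real card data exists; everything else holds tokens."""

    def __init__(self):
        self._records = {}  # token -> card record

    @staticmethod
    def luhn_ok(pan):
        """Basic sanity check that the card number passes the Luhn checksum."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            return False
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:  # double every second digit from the right
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, pan, expiry, holder):
        """Replace the card details with a random token that is not derived from them."""
        if not self.luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(18)  # random, no relation to the PAN
        # The CVV is deliberately not stored; it is only passed through for authorization.
        self._records[token] = {"pan": pan, "expiry": expiry, "holder": holder}
        return token

    def masked(self, token):
        """What a merchant dashboard may show: only the last four digits."""
        pan = self._records[token]["pan"]
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token, caller_role):
        """Only the payment-processing role may recover the real card data."""
        if caller_role != "payment_processor":
            raise PermissionError("role %s may not detokenize" % caller_role)
        return dict(self._records[token])
```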
Final advice
No single account takeover prevention strategy can keep your customers protected.
There are too many vulnerabilities and weaknesses in the digital age, most of which no one can control.
The key to stopping ATO is investing in a solution that identifies compromised passwords early in the attack timeline.
While there are tools that can make your life a lot easier, constant monitoring of every employee and consumer account is the key.
Author’s bio
Priya Jain is a professional copywriter with 8 years of experience. She has an MBA and engineering degree. When she is not writing, you will find her teaching math, spending her day running behind her toddler, and trying new recipes. You can follow her on LinkedIn.