Account takeover attacks are on the rise, with an estimated 22% of adults in the US falling victim to this type of fraud, and average losses of around $12,000 per case. It is now more essential than ever for both private individuals and businesses to put defenses against online fraud in place.
An account takeover (ATO) happens when a criminal gains access to a genuine consumer account. It can affect anyone and any type of account, including social media, email, online banking, and even credit cards.
Usually, a fraudster will use stolen information to gain access – however, they might also use brute force or social engineering. Sometimes, they will pretend to represent the authorities or a trusted institution, such as a bank, to obtain sensitive data, making this type of fraud increasingly difficult to detect.
We wanted to find out exactly how impactful account takeover fraud is on businesses and consumers around the world and share some key information on how they can protect themselves – including by having fraud prevention and detection systems in place as well as by educating employees and the public on how to identify phishing scams.
We also looked at online crime in the United States and globally, to find which states and countries are most at risk of cybercrime, including account takeovers.
The Consequences of Account Takeover Fraud
A study by Security.org shows the average successful ATO incurs losses of around $12,000.
Around 22% of adults in the US have already been a victim. Given the 110 million households with internet access in the country, an estimated 24 million households have fallen victim to this type of internet attack.
The study found that 60% of victims had used the same password for multiple online accounts, identifying this as one of the most essential changes you can make to avoid becoming a victim of this type of fraud.
Of all account takeovers the study looked at, 51% were of social media accounts, while banking accounts comprised 32% of all breached accounts. Naturally, the latter put much more on the line, but that’s not to say social media takeovers aren’t devastating for victims.
Riskified found that 1 in every 140 login attempts during the 2021 holiday season was an attempt at account takeover. Indeed, studies – our internal data included – show that fraudsters watch the consumer market for activity spikes, waiting to make their move. During these times, sellers find it more difficult to manage fraud risks, and criminals hope they can slip under the radar and go undetected.
If a fraudster has been successful in taking over a legitimate account, the first thing they will do – before setting in motion their schemes in earnest – is attempt to change the account information, password, and sometimes notification settings, so as not to alert the genuine owner. This is one of the several touchpoints at which they can be caught by robust fraud prevention software.
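One way to watch this touchpoint, as an added example that is not taken from the study or from any vendor's product: the function below scans an account event stream and flags sensitive changes made shortly after a login from a device the account has not used before. The event names, device IDs, 30-minute window and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed event names for the changes described above.
SENSITIVE = {"password_change", "email_change", "notification_change"}
REVIEW_WINDOW = timedelta(minutes=30)  # assumed threshold, tune to your data

# Constructed sample events (not real data): (timestamp, account, event, device_id)
EVENTS = [
    ("2022-11-25T09:00:00", "alice", "login", "dev-A"),
    ("2022-11-25T09:05:00", "alice", "password_change", "dev-A"),
    ("2022-11-25T10:00:00", "bob", "login", "dev-B"),
    ("2022-11-25T10:02:00", "bob", "email_change", "dev-B"),
    ("2022-11-25T10:03:00", "bob", "notification_change", "dev-B"),
    ("2022-11-26T08:00:00", "carol", "login", "dev-C"),
    ("2022-11-26T12:00:00", "carol", "password_change", "dev-C"),
]
# Devices each account has used before (constructed).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-Z"}, "carol": {"dev-C2"}}


def flag_suspicious_changes(events, known_devices):
    """Return (account, event, device) for sensitive changes made within
    REVIEW_WINDOW of a login from a device new to that account."""
    new_device_logins = {}  # (account, device) -> time of latest such login
    alerts = []
    for ts, account, event, device in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if event == "login":
            if device not in known_devices.get(account, set()):
                new_device_logins[(account, device)] = when
        elif event in SENSITIVE:
            login_time = new_device_logins.get((account, device))
            if login_time is not None and when - login_time <= REVIEW_WINDOW:
                alerts.append((account, event, device))
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_changes(EVENTS, KNOWN_DEVICES):
        print("review:", alert)
```

In the sample data only the two changes on bob's account are flagged: alice changed her password from a known device, and carol's change came hours after the new-device login, outside the window.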
How to Prevent ATO Fraud as a Business
Increasing employee awareness of account takeover fraud, and having a strategy to combat it, is essential for most businesses today.
Account takeover is one of the most prevalent forms of fraud affecting ecommerce businesses in 2022. When a customer experiences account takeover fraud, they often blame the merchant for the breach, even if it was the customer who unknowingly let the fraudster in. This impacts consumer trust and brand image – and can wreak havoc on customer loyalty.
Best practices for staff include being well aware of phishing and spear-phishing such as CEO fraud, and using password managers secured by a unique, highly complex master password.
In terms of defenses, IP addresses and devices demonstrating suspicious activity should be blocked immediately as a precaution and reviewed later by security teams. Fraudsters will try to mask their real identities by spoofing their device and location with every attempt. To catch them, you need robust IP address analysis and enrichment, as well as in-depth device fingerprinting.
Systems should display a CAPTCHA after multiple failed authentication attempts, to help prevent bot attacks. Depending on your industry and risk appetite, you might even want to consider limiting the number of attempts each user gets to conduct an action – for example, how many times they can enter a wrong password before they are temporarily locked out.
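The CAPTCHA-then-lockout policy described above, sketched as an added example rather than code from any particular product: failures are counted per key (an account name or a source IP) in a sliding window, a CAPTCHA is required after a few failures, and a temporary lock follows if they continue. The thresholds and the `LoginThrottle` name are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy values; choose them for your industry and risk appetite.
CAPTCHA_AFTER = 3           # failed attempts before a CAPTCHA is required
LOCKOUT_AFTER = 5           # failed attempts before a temporary lockout
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted
LOCKOUT_SECONDS = 10 * 60   # how long a temporary lockout lasts


class LoginThrottle:
    """Tracks failed logins per key, e.g. an account name or a source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)    # key -> timestamps of failures
        self._locked_until = {}                # key -> time the lock expires

    def _recent_failures(self, key):
        now, q = self._clock(), self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # forget failures outside the window
        return len(q)

    def check(self, key):
        """Call before verifying a password: 'locked', 'captcha' or 'allow'."""
        if self._locked_until.get(key, 0) > self._clock():
            return "locked"
        if self._recent_failures(key) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, key, success):
        """Record the outcome of one authentication attempt."""
        if success:
            self._failures.pop(key, None)      # a genuine login resets the count
            return
        self._failures[key].append(self._clock())
        if self._recent_failures(key) >= LOCKOUT_AFTER:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(key, None)      # start fresh once the lock expires
```

Check both the account name and the source IP as separate keys, and keep the lock temporary: a permanent per-account lock would let anyone who knows a username shut its owner out.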
Preventing Account Takeovers as an Individual
As an individual too, it is essential to take steps to protect yourself from having your accounts broken into.
Even when it seems like there would not be much of an issue, our user accounts contain more information about us than we probably expect – plus, if one of our passwords becomes compromised, fraudsters will attempt to use it on other websites and apps, because so many people use the same password across multiple services. So there could be a knock-on effect.
Finally, also consider how many consumers store their credit card information in their ecommerce and other accounts, for ease of payment. Indeed, there is much more to lose if you’re a victim of an ATO today than in the past.
Simple steps to protect oneself include using a password manager with a strong master password, setting up multi-factor authentication (MFA) across as many accounts as possible, and making sure you can tell when a message or call is suspicious.
When you are unsure you have been contacted by a legitimate person, look up the number or email address of the individual or company and contact them yourself, independently, to confirm whether they have indeed tried to reach you.
What Are the Biggest Risks to Businesses Today?
1. Cyber incidents
A successful cyberattack can affect many areas of a business, including employees, security, brand image, and consumer confidence. It can also cause significant financial loss, which can have long-term impacts.
2. Business interruption
Risks including fire, cyber attacks, political disruption, and natural disasters can all cause a business interruption – a period of time when businesses are unable to generate a profit.
3. Natural catastrophes
According to insurance company Aon, natural disasters cost the world $238 billion in 2021, of which only $108 billion were insured.
4. Pandemic outbreak
New variants of existing viruses and the emergence of new viruses are seen as one of the biggest risks to businesses this year.
5. Changes in legislation and regulation
Legislative risk can occur as a direct result of the government’s actions, and can adversely affect investment holdings, taxes, subsidiaries, and tariffs.
6. Climate change
This can take the form of transitional or physical risks for businesses. The risk of hurricanes, drought, and wildfires could affect businesses just as much as changes like the push for greener energy sources amidst the global warming crisis.
7. Fire, explosion
The effects of accidental fires or explosions can be devastating and lead to injuries and to damage to buildings and the environment. These catastrophes can result in lives lost and impact business continuity.
8. Market development
Expanding a company into a completely new market, where local and cultural factors can influence business success, is also a high-risk period for any company.
Which US States Lose the Most Money to Online Crime?
Looking at the most recent Internet Crime Complaint Center report from the Federal Bureau of Investigation, we found the monetary loss per victim of online crime in each state.
1. North Dakota – Loss per victim: $31,711
North Dakota comes out on top as the state losing the most money to online crime per victim. With a total victim count of 670 in 2021 and total monetary losses at $21,246,355, there was an average loss per victim of $31,711 – over $12,000 more than the second most affected state.
North Dakota’s Attorney General’s office reported in December 2021 that in a two-week period, nine North Dakota residents lost a combined $45,000 to gift card scams, which highlights the extent of online crime in the Peace Garden State. The Attorney General also released a warning in July 2022 to all residents in North Dakota, urging them to take great caution if a seemingly trustworthy individual, like law enforcement or even a family member, contacts them to ask for payment in the form of gift cards.
2. New York – Loss per victim: $19,266
Second on our list is New York, with 29,056 online crime victims and losses of $559,965,598 last year. On average, the New York population lost $19,266 per victim of online crime in 2021.
New York also comes in fourth place on the list of the states with the most victims of online crime, right after California, Florida, and Texas. Finally, the Empire State comes in third place for the states with the largest monetary losses to internet crime, after California and Texas.
3. South Dakota – Loss per victim: $19,065
In third place, South Dakota loses on average $19,065 to online crime, based on losses of $18,131,095 across 951 victims in 2021.
Which Countries Lose the Most Money to Online Crime?
Cybercrime can affect anyone, regardless of age, occupation, or location. Software vendor McAfee estimated that cybercrime costs the global economy over $1 trillion – around 1% of global GDP.
We wanted to find which countries in the world are most affected by cybercrime, so we looked at the cost of online crime in the top victim countries identified by the Internet Crime Complaint Center’s most recent report.
1. China – Cost of internet crime: $118,409,760,000 (¥800,000,000,000)
In first place on our list, China loses the most money to internet crime, at over $118.4 billion in 2019.
With the world’s largest population, it comes as no surprise that cybercrime in China is worth more than in any other country we looked at. The Ministry of Public Security reported that in 2021 alone, Chinese police handled 62,000 cases of cybercrime.
2. Germany – Cost of internet crime: $43,183,395,000 (€43,000,000,000.00)
Second on our list is Germany, with a loss of under $43.2 billion to online crimes as of 2017.
A survey by a German digital industry association found that small and medium-sized companies, which largely support the country’s economy, were particularly vulnerable to online attacks.
3. United Kingdom – Cost of internet crime: $32,856,300,000 (£27,000,000,000)
In third place, the United Kingdom loses just short of $32.9 billion to cybercrime each year, according to statistics released in 2011.
Information technology consulting company Detica reported that UK businesses particularly suffer from IP theft and industrial espionage.
We wanted to delve into account takeover fraud and advise how to best protect yourself from becoming a victim. We wanted to find out how online crime affects different countries around the world and the nature of cybercrime in each state in the US.
Currency conversions were accurate at the time of publication.
The number of victims of online crime and the total dollar loss to online crime by state were sourced from the Federal Bureau of Investigation’s Internet Crime Complaint Center Report 2021.
We sourced the cost of internet crime:
- for China from Intel471
- for Germany from Reuters
- for the United Kingdom from Detica
- for Australia from the Australian Cyber Security Center
- for Brazil, Mexico, France, Italy, Spain and Japan from Norton
- for India from Business Standard
- for the Netherlands from SecurityDelta
- for the United States from the Internet Crime Complaint Center
- for the Philippines from Microsoft
- for Canada from Canadian Anti-Fraud Center
- for South Africa from Accenture
- for Malaysia from Spectrum Edge
The biggest risks to businesses in 2022 were sourced from the World Economic Forum.