Featured Security

Best Practices for Protecting Your Online Accounts: Proactive Steps You Can Take Today to Avoid Account Takeovers

Image courtesy of Pixabay

Most people rely on a variety of online accounts and services today. It’s more convenient ordering products online, and doing so enables you to get your purchases sooner and with less effort. Completing purchases online puts you at risk of an account takeover, though, and could cost you significantly if you don’t know how to prevent account takeovers and protect yourself.

What is an Account Takeover?

An account takeover is a harmful practice where hackers obtain the user login information and password for a bank account, e-commerce store, or another website or application and use the account as their own. An account takeover is normally conducted in an effort to make fraudulent purchases, to withdraw money, and profit from the user being taken advantage of. Millions of customers suffer from account takeovers each year, and it’s essential for businesses to take steps to try and prevent account takeovers from happening.

How Does an Account Takeover Happen?

There are a few ways an account takeover can happen. The most common overall is phishing. This is a tricky attack where a hacker creates a fake email, login form, or even a clone of an application in an effort to get the user to reveal their login credentials. If you’ve ever received a strange email asking you to verify your account with a link within, this was likely a phishing attempt that could have compromised your account. 

Credential stuffing is another way that attackers get into user accounts to steal them. Stolen user credentials are often posted up online, and attackers’ input is known working credentials from one service into many other services as well. For instance, a known Netflix account login may be input into Hulu, Disney Plus, Prime Video, Peacock, and other streaming services with the hope that the user utilizes the same username and password again. 

Finally, brute force attacks are used to break into accounts. Some hackers utilize powerful programs that try countless usernames and passwords for a single account until one finally works. With help from sophisticated software, these attackers can try tens of thousands of combinations each second.

4 Signs of an Account Takeover Fraud

●     Many purchases in a short time

●     Multiple users with the same recovery number or email

●     Many accounts accessed with the same device

●     One account accessed from multiple country IP addresses

Description of Common Warning Signs That An Account Has Been Compromised

If you notice an account is being used for a large number of purchases rapidly, that could be a suspicious activity that indicates the account is compromised. It’s also important to look for multiple user accounts being registered to the same phone number or email address as a recovery method. When accounts are taken over, the attacker wants to maintain a hold on the accounts, and changing the recovery methods is one of the best ways to achieve that goal. 

It’s also important to look at the devices being used for your user accounts if you notice any suspicious activity. One sign of an account takeover is multiple accounts being accessed from the same device. You may also notice the same account being accessed by IP addresses in different countries. This is a sure sign that an outsider has taken control of the account and is making unauthorized use of it.

Examples of Suspicious Activity That Individuals Should Be Aware Of

Individuals should avoid any strange emails they receive at their address, and they should avoid clicking links within emails that they don’t trust. It’s also important to look at the website address that you’re visiting to verify it’s the correct address because you could be on a fraudulent site made to look like the real one. Understanding how to look for possible phishing attempts is one useful way to prevent account takeover.

Best Practices to Detect and Prevent Account Takeovers

As a site owner that wants to prevent account takeovers from tarnishing your business, there are some steps you can take to protect your customers and visitors. Follow each of the suggested tactics below to make account takeovers more difficult to achieve.

●     Require users to utilize strong passwords

●     Utilize Two-Factor Authentication services

●     Limit how frequently a user can try to login

●     Notify users when their credentials change

●     Add specialty security software

Tips for Creating Strong Passwords

If you use a strong password for your account, it will be much more difficult to break into. Choose a password that’s at least 12 characters long, and try to use a mix of letters, numbers, and symbols. Utilizing lowercase and uppercase letters is another way for you to make your password more difficult, and avoiding common words helps as well. Finally, use different passwords for different accounts for added protection.

Understanding Two-Factor Authentication

More sites and services are beginning to rely on two-factor authentication today. This special security precaution forces users to verify an account and log in on a second device before they can get on the site. Often a text message, email, or an authenticator app prompts you to verify your login attempt before you can get on the account. This prevents users from getting on your account if they don’t have access to your devices.

Security Software That Can Help Detect and Prevent Account Takeover

While spotting the signs of an account takeover manually can be difficult to do, it’s not hard for sophisticated software to notice the more subtle signs. Adding cybersecurity software to your site is one of the most effective account takeover prevention steps you can take for your site. The software will actively prevent account takeovers and notify you when strange things are happening on the site.

 An Account takeover is a very real issue plaguing online businesses and consumers around the world. Everyday accounts are obtained illegally and used to place orders, transfer money and enjoy services that haven’t been paid for. Follow the steps above to protect yourself and your site visitors from the risk of an account takeover.

About the author


David Lukić

David Lukić is an information privacy, security and compliance consultant at IDstrong.com. The passion to make cyber security accessible and interesting has led David to share all the knowledge he has.