How Businesses Can Protect Themselves from Account Takeover

Account takeovers are tearing through the business world like a raging tornado that leaves devastation in its wake. In recent weeks, the travel/hospitality industry has been hit with one attack after another – including the hijacking of MGM Resorts’s operations, which will have far-reaching consequences on the company’s reputation and financial health. And recently LinkedIn was compromised by bad actors who committed a widespread seizure of LinkedIn users’ personal accounts. Account takeovers can disrupt both businesses and people, as anyone who has had their personal banking accounts hacked can painfully attest. Businesses face severe consequences to their brands beyond the immediate operational disruption. They need to fight back. Let’s talk about how they can do that.

Account Takeovers Defined

In the increasingly complex world of cybercrime, account takeover (ATO) overlaps with a number of other types of cyber breaches, including ransomware attacks (which is what happened to MGM Resorts). ATO refers to unauthorized access to user accounts and passwords by fraudsters, who gain control of account data for financial gain. The attack on MGM’s operations involved hackers requesting access to an employee’s corporate accounts after claiming they had been “accidentally” locked out. What makes ATO so potent is the way a fraudster cripples a company’s (or a person’s) ability to function by denying them access to their own personal data.

Account takeover fraud cost U.S. businesses $25.6 billion in 2020. This figure represents a 500 percent increase from 2017, according to Juniper Research. As if that were not bad enough, consider also the damage a business suffers to its brand. Whenever a person has their financial data hacked, the institutions that were supposed to be safeguarding their personal information have their reputations damaged, as happened recently when several college students had their personal financial data compromised because of a breach of a concert ticket company’s software. And it’s nearly impossible to calculate the damage that MGM will suffer long term as a result of angry customers having their vacations upended.

ATO results from many types of cyberattacks – almost all of them being common knowledge. And this is an important point: hackers are using tried-and-true techniques, none of which are even particularly sophisticated. They include:

  • Phishing: this involves tricking individuals into providing sensitive information (like login credentials) by pretending to be a trustworthy entity, often through email, text, or fake websites designed to mimic legitimate ones.
  • Social engineering: techniques are used to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The recent devastating malware attack on MGM Resorts relied on social engineering to gain access to an employee’s personal information.
  • Credential stuffing: fraudsters use stolen or leaked user names and passwords (often obtained from previous data breaches) to get access to multiple user accounts. With this type of ATO, fraudsters rely on the fact that people often reuse passwords across different platforms.

These techniques are not new. So then, why is ATO a problem? Because as the volume of online activity has spiked in a post-pandemic world, too often businesses have not kept up with the correct security protocols to protect themselves.


Educate and Protect

To fight ATO, businesses should adopt a two-pronged approach:

1) Educate

Educate your employees and customers about what they can do to protect themselves. A few examples:

  • Secure practices promotion: Encourage the use of strong, unique passwords, and promote the use of password managers to help keep track of them. Advocate for multi-factor authentication (MFA), which adds an additional layer of security beyond just the password.
  • Phishing simulations: Conduct simulated phishing attacks to help employees, and possibly customers, recognize phishing attempts and understand the importance of vigilance.
  • Social engineering simulations: Perform social engineering exercises to educate and test employees on how to respond to social engineering attempts against a company’s systems. Assessing how employees respond to these attempts helps identify areas of weakness and individuals or departments that may require additional training. As with phishing simulations, doing so should make employees more vigilant.

There are many, many more steps a business can take. The key is to communicate regularly the importance of security through emails, newsletters, or on-site notifications. This matters because employees and customers usually forget everything they learn after being instructed the first time. Let’s face it – security is not the most exciting topic in the world. Ongoing communication is needed.

2) Protect

Adopt stronger measures to safeguard your IT systems. Here are just some of the security measures we recommend:

  • Accumulate verifiable customer information, including confirmed IP addresses and personal biometric details, among other data points. For enhanced security during trusted sessions, businesses might consider deploying mechanisms like one-time passwords (OTPs) or challenge-response protocols.
  • Introduce additional verification steps. Incorporation of multi-factor authentication offers a reinforced shield against unauthorized entries. Users may be required to amalgamate knowledge-based information (like passwords or PINs), possession-based items (such as mobile devices or tokens), and inherent characteristics (including fingerprints or facial recognition). Enhancing the verification process mitigates the risk of unauthorized access even as scammers employ increasingly advanced techniques.
  • Keep abreast of the evolving toolkit that scammers deploy for account breaches. With fraudsters constantly refining their strategies, utilizing technologies like AI, machine learning, and deepfakes to breach defenses, it’s imperative for businesses to respond with agility, adopting innovative technologies promptly.
  • Adopt measures to thwart bots. Employing tools like reCAPTCHA or alternative bot mitigation strategies will complicate efforts by malicious actors to infiltrate and seize control of customer accounts. Implement bot mitigation protocols especially when there’s a spike in the number of validated transactions, signaling potential automated attack attempts.
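As an added example (not from the article or from Centific), here is the kind of detection logic a business could run over its own login records to spot the credential-stuffing pattern described earlier, and to pick which accounts to force through extra verification such as an OTP or MFA challenge. The login events are constructed sample data, and the thresholds are assumptions that each site would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (timestamp, source IP, username, outcome); not
# real traffic, shaped to show one stuffing burst among normal logins.
LOGIN_EVENTS = [
    ("2024-01-10T09:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-01-10T09:00:02", "203.0.113.7", "bob", "fail"),
    ("2024-01-10T09:00:02", "203.0.113.7", "carol", "fail"),
    ("2024-01-10T09:00:03", "203.0.113.7", "dave", "fail"),
    ("2024-01-10T09:00:03", "203.0.113.7", "erin", "success"),
    ("2024-01-10T09:00:04", "203.0.113.7", "frank", "fail"),
    ("2024-01-10T09:01:10", "198.51.100.2", "alice", "fail"),
    ("2024-01-10T09:01:25", "198.51.100.2", "alice", "success"),
    ("2024-01-10T09:05:00", "192.0.2.9", "grace", "success"),
]

def detect_credential_stuffing(events, window_seconds=60,
                               min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames within one window.

    A user mistyping their own password fails repeatedly on ONE username
    (the 198.51.100.2 retries); stuffing fails across MANY usernames from
    one source with a low success ratio, and is what gets flagged.
    Thresholds are assumed defaults, not values from the article.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0  # sliding window over this source's sorted attempts
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            window = attempts[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, o in window if o == "success")
            if len(users) >= min_users and successes / len(window) <= max_success_ratio:
                # Successful logins inside a stuffing burst are the accounts
                # to lock or force through re-verification (OTP/MFA) first.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "compromised_candidates": sorted(
                        u for _, u, o in window if o == "success"),
                }
    return alerts
```

Running `detect_credential_stuffing(LOGIN_EVENTS)` flags only 203.0.113.7 and names `erin` as the account to re-verify; the single-user retries from 198.51.100.2 stay unflagged.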

These are just some steps among many. The most important point to remember: if you don’t act now, you will fall behind. Unfortunately, the rise of AI is going to accelerate ATO because AI makes all the hacking tricks above more powerful. Educate and protect. Now.


About the authors:

Sanjay Bhakta is VP, Global Head of Solutions, and Nitanshu Upadhyay is Business Solutions Consultant at Centific.

Centific

Centific brings together data, intelligence and experiences to deliver human-centric solutions to complex business challenges.