A problem that shows no signs of going away
If anything, the problem of account fraud is getting worse. It seems like every day we see headlines about digital accounts being hijacked.
It is also clear that the list of account types being targeted is getting longer. Bank accounts, phone numbers, email accounts, social media profiles, WhatsApp, gaming, and airline loyalty reward accounts are now all routinely attacked by fraudsters.
These are all examples of what is termed “Account Takeover (ATO) Attacks.”
What is an ATO Attack?
Unlike other kinds of fraud, such as new account fraud and synthetic identity fraud, an ATO attack targets existing accounts belonging to real people.
There are many incentives for a criminal to do so, including:
- Stealing digital value stored in the account, e.g. draining money from bank accounts or credits from gaming and loyalty accounts.
- Using the account to break into another account, e.g. using a phone number or email account to break into cryptocurrency accounts.
- Using the account to impersonate the owner, e.g. to defraud social media contacts or take out new loans.
- Making a ransom demand, i.e. demanding money to return the account to the owner.
How are accounts taken over?
The three main culprits are passwords, social engineering, and phishing.
The simplest accounts to take over are those protected only by a password. Data breaches and widespread password reuse mean that many passwords are already available on the dark web. A further threat is the increasing ability to brute-force passwords that are subject only to weak complexity rules. See our related blog post, Why Passwordless Authentication is the Future, for more information on this topic.
A simple protection measure is to enable multi-factor authentication (MFA) for all accounts. This greatly increases protection, whichever MFA method is chosen.
However, if MFA is in use, social engineering and phishing become the main risk, as they are used to attack the key protection mechanism — the mobile phone number.
The unparalleled convenience of authenticating using the mobile phone number means that mobile phone numbers are used to authenticate and access almost all digital accounts.
While authentication using a mobile phone number increases security, it is still at risk of social engineering and phishing.
Social engineering is used to perform SIM swap and porting attacks, where a fraudster convinces a mobile phone operator to transfer the phone number to a new SIM or eSIM controlled by the fraudster. The fraudster can then receive any texts, phone calls, RCS, and WhatsApp messages sent to that number, including authentication messages.
Another form of social engineering is when a fraudster convinces someone to share security codes sent to their mobile.
What is the impact?
Most ATO Attacks are carried out for financial gain. The average loss is $12K per account taken over [1], with total costs rising from $11B to an estimated $13B in 2024 [2]. Besides the direct financial impact, there are also indirect costs from brand damage and legal fees.
Some ATO Attacks target private data. While the value of the data itself is difficult to assess, data theft can also result in hefty regulatory fines. Examples of fines are T-Mobile for $350M in 2022 and Meta for $227M in 2021, both for GDPR data breaches [3]; under GDPR a company can be fined up to 4% of revenue.
Ransomware attacks can also have dire financial consequences for an organization. In 2024, a single ransomware attack cost a healthcare company over $800M [4]. Alarmingly, the total annual cost of ransomware attacks is forecast to reach $265B by 2031 [5].
How to protect against ATO Attacks
The good news is that there are many ways to protect against ATO.
First, always use MFA: at minimum use SMS for universal coverage, but also consider WhatsApp and RCS. Second, use mobile identity services, such as the Syniverse ATO service, to detect and mitigate SIM swap and number porting attacks. Finally, introduce non-phishable authentication methods, such as Syniverse Frictionless Authentication and passkey authentication.
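The three measures above fit together as one decision made at login time: before an SMS code is sent, the number is checked for a recent SIM change or port, and if it looks risky the login is stepped up to a factor that is not tied to the phone number. The following is an added example written for this post, not Syniverse code and not the API of any real mobile identity service: the `lookup_number` function, the `NumberStatus` fields, the 7-day risk windows and the sample phone numbers are all assumptions standing in for whatever a real lookup returns.

```python
"""
Added example (not Syniverse code): a defender-side policy that chooses the
MFA channel for a login. It refuses to send a one-time code over SMS when the
phone number shows a recent SIM change or port, which is the signal a mobile
identity service exposes to detect SIM swap and porting attacks.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


@dataclass(frozen=True)
class NumberStatus:
    """Hypothetical result of a mobile-identity lookup for one phone number."""
    msisdn: str
    last_sim_change: Optional[datetime]  # None means no SIM change on record
    last_port: Optional[datetime]        # None means the number was never ported
    reachable: bool                      # False if the number is not currently active


class Decision(Enum):
    SEND_SMS = "send_sms"  # number looks stable: an SMS code is acceptable
    STEP_UP = "step_up"    # recent SIM change or port: require a non-phishable factor
    BLOCK = "block"        # no safe channel available: hold the login for review


# Assumed policy values (not from the post): changes in the last 7 days are treated as risky.
SIM_CHANGE_WINDOW = timedelta(days=7)
PORT_WINDOW = timedelta(days=7)

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 1, 29, 12, 0, tzinfo=timezone.utc)

# Constructed sample data standing in for the mobile-identity service's responses.
SAMPLE_LOOKUP: Dict[str, NumberStatus] = {
    "+15550000001": NumberStatus("+15550000001", NOW - timedelta(days=400), None, True),  # stable
    "+15550000002": NumberStatus("+15550000002", NOW - timedelta(hours=3), None, True),   # SIM swapped today
    "+15550000003": NumberStatus("+15550000003", None, NOW - timedelta(days=2), True),    # ported 2 days ago
    "+15550000004": NumberStatus("+15550000004", None, None, False),                       # not reachable
}


def lookup_number(msisdn: str) -> Optional[NumberStatus]:
    """Stand-in for the mobile-identity API call; returns None when the lookup fails."""
    return SAMPLE_LOOKUP.get(msisdn)


def is_recent(event: Optional[datetime], now: datetime, window: timedelta) -> bool:
    """True if the event happened within the risk window."""
    return event is not None and (now - event) <= window


def decide_channel(status: Optional[NumberStatus], has_passkey: bool,
                   now: datetime = NOW) -> Decision:
    """Choose how to deliver the second factor for a login on this account.

    Fail closed: unless the number is confirmed stable and reachable, never send
    the code over SMS, because a swapped or ported number delivers it to the attacker.
    """
    stable = (
        status is not None
        and status.reachable
        and not is_recent(status.last_sim_change, now, SIM_CHANGE_WINDOW)
        and not is_recent(status.last_port, now, PORT_WINDOW)
    )
    if stable:
        return Decision.SEND_SMS
    # Risky or unknown number: a passkey is not tied to the phone number, so use it if enrolled.
    return Decision.STEP_UP if has_passkey else Decision.BLOCK


def evaluate_login(msisdn: str, has_passkey: bool) -> Decision:
    """Full check for one login attempt: look the number up, then apply the policy."""
    return decide_channel(lookup_number(msisdn), has_passkey)


if __name__ == "__main__":
    attempts = [("+15550000001", False), ("+15550000002", True), ("+15550000003", False),
                ("+15550000004", True), ("+15559999999", False)]
    for number, passkey in attempts:
        print(number, "passkey" if passkey else "no passkey", "->", evaluate_login(number, passkey).value)
```

The design choice worth noting is that a failed lookup is treated the same as a risky number: the policy only sends SMS when it has positive evidence that the number is stable, and a user who has enrolled a passkey is stepped up to it rather than being locked out.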
Contact a Syniverse expert today to discuss how to protect your business from ATO Attacks.
Interested in additional techniques to optimize your Mobile Identity and Authentication strategy? Check out our whitepaper, Cracking the Security Trilemma.
References:
1. Security.org. Last accessed January 29, 2025. https://www.security.org/resources/.
2. AARP. April 10, 2024. “Identity Fraud Cost Americans $43 Billion in 2023.” Last accessed January 29, 2025. https://www.aarp.org/money/scams-fraud/info-2024/identity-fraud-report.html.
3. CSO Online. January 8, 2025. “The Biggest Data Breach Fines, Penalties, and Settlements So Far.” Last accessed January 29, 2025. https://www.csoonline.com/article/567531/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html.
4. Recorded Future News. “Ransomware Attack Has Cost UnitedHealth $872 Million; Total Expected to Surpass $1 Trillion.” Last accessed January 29, 2025. https://therecord.media/ransomware-unitedhealth-costs-billions-still-climbing.
5. Cybercrime Magazine. July 7, 2023. “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031.” Last accessed January 29, 2025. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/.