An account takeover attack is a type of identity theft that occurs when a cybercriminal gains access to your online account and changes your login credentials to lock you out. Once you cannot log back in, a cybercriminal will use your identity to steal private information or even scam others. You can prevent account takeover attacks by using strong passwords, enabling Multi-Factor Authentication (MFA) and investing in dark web monitoring. According to a recent report, over 77 million adults have experienced account takeovers, with social media accounts being the most commonly hacked.
Read more to learn why account takeovers are so dangerous and how to protect against them, as an individual or an organization.
What makes account takeovers so dangerous?
Account takeovers are very dangerous for individuals and organizations because they can lead to:
- Stolen personal information
- Loss of money
- Vulnerability to identity theft
- Damaged reputation
- Compromised data
If a cybercriminal accesses an online account containing personal or customer information, they could use what they find to log in to additional accounts or sell the data to other cybercriminals on the dark web. Because an account takeover locks the victim out of their account, it becomes difficult for a person or company to regain access, retrieve data, recover finances, and repair their reputation.
How individuals can prevent account takeovers
As an individual, you can protect your information and prevent your account from getting taken over by following these tips.
Use strong passwords for every account
Create a strong and unique password for each of your online accounts. A strong password contains over 16 characters and a combination of uppercase and lowercase letters, numbers and symbols. The longer and more random a password is, the more protected your account will be from cyber attacks. When creating a strong password, avoid using common words or phrases, personal information or sequential numbers.
Enable Multi-Factor Authentication (MFA) whenever it’s available
Multi-Factor Authentication (MFA) is an additional security measure that requires users to provide extra proof of identity beyond a username and password. When you enable MFA, you are required to enter additional verification like a PIN, a code from an authenticator app or your fingerprint. Enabling MFA makes it much harder for cybercriminals to access your accounts since it will require them not only to know your username and password but also an additional way to prove your identity – which only you should have access to.
Learn to spot phishing attempts
Many account takeovers result from people falling for phishing attacks. Phishing occurs when a cybercriminal impersonates a person or company the victim knows to persuade them into sharing private information. Most phishing attempts use urgent language, persuading you to act quickly or threatening you if you don’t follow instructions immediately. Often, phishing messages contain spelling and grammatical errors, which you should be able to spot easily, knowing that most companies review emails multiple times before sending them. Check the sender’s email address to verify that the domain matches a reputable company before believing the sender’s identity.
Never click unsolicited links or attachments
If you ever receive an unsolicited email or text message that contains links or attachments, do not click on or download them. Even if a message appears to come from a company with which you have an account, you should go to the official company’s website or app and log in to your account that way instead. An unsolicited link or attachment could contain malware designed by a cybercriminal to steal your private data once installed onto your device.
You can check if a link is safe by hovering over the link, which will give you a preview of the URL, or copying and pasting the link into a URL checker. Check that an email attachment is safe by double-checking the sender’s email address and using antivirus software to scan any attachments.
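The hover check above (does the link really go where it says it does?) can be automated for an HTML message. This is an added example, not code from the original post: it flags anchors whose destination host lies outside an expected domain, or whose visible text names a different host than the href points at. The sample message, the `example.com` domain and the two-label domain heuristic are assumptions made here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a domain or URL, e.g. "example.com/reset"
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_part(host):
    # Crude assumption: the last two labels identify the owner (no public-suffix list)
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def suspicious_links(html, expected_domain):
    """Return (href, text, reason) for links a user should not click without checking."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_part(host) != expected_domain.lower():
            reasons.append("destination host is outside the expected domain")
        match = DOMAIN_RE.match(text)
        shown = match.group(1).lower() if match else ""
        if shown and registrable_part(shown) != registrable_part(host):
            reasons.append("visible text names a different host than the href")
        if reasons:
            flagged.append((href, text, "; ".join(reasons)))
    return flagged

# Constructed sample message: one honest link, one lookalike, one plain help link
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. <a href="https://accounts.example.com/verify">Verify now</a></p>
<p>Or visit <a href="http://example-com.login-help.test/reset">example.com/reset</a></p>
<p><a href="https://example.com/help">Help center</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, "example.com"):
        print(f"{text!r} -> {href}: {reason}")
```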
Use a dark web monitoring tool
You can use a dark web monitoring tool to see if your personal information is on the dark web, a part of the internet where cybercriminals can buy and sell any information obtained through malicious activities. Some password managers, like Keeper®, offer a dark web monitoring tool as an add-on feature to scan the dark web for the login credentials you’ve saved in your vault.
Try Keeper’s free dark web scan tool to see if your login credentials are on the dark web.
How organizations can prevent account takeovers
There are several ways you and your organization can prevent account takeovers from compromising data and damaging your company’s reputation.
Employ a business password manager
If your organization is not already using a business password manager, this is your sign to start. A business password manager allows your employees to manage and store their passwords safely in a digital vault. Requiring employees to use a password manager within your company ensures they follow best password practices. A business password manager also allows employees to securely share encrypted passwords to collaborate safely. This ensures that passwords are not intercepted by unauthorized users and that login credentials remain secure in each employee’s encrypted digital vault. Password managers can also help enforce MFA by storing MFA codes within a record and autofilling them when a user needs to enter an MFA code on a website or account. Business password managers make storing and sharing passwords secure and convenient for any employee and organization.
Invest in dark web monitoring
Your organization should invest in dark web monitoring to prevent account takeovers. The best dark web monitoring tool your organization can use is Keeper Security’s BreachWatch®. It is an add-on feature of Keeper Password Manager that constantly checks the dark web to see if any records stored in employee vaults match those on the dark web. If BreachWatch detects a match, the employee will be notified immediately so they can change their breached password and update it directly in their password manager.
Enter your email address into Keeper’s dark web scanner for businesses to see if you and employees at your company are exposed on the dark web.
Limit the number of login attempts
Set a limit on how many login attempts someone can make to access an account. Brute force attacks occur when a cybercriminal guesses login credentials through trial and error, so if someone is given unlimited login attempts, they might eventually access an employee’s account. Since brute force attacks rely on many login attempts, limiting the number of attempts to three or four guesses gives employees enough tries in case they made a typo, but prevents potential cybercriminals from guessing their way into an account.
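A per-account attempt limiter implementing the three-or-four-guesses rule above, as an added example that is not part of the original post. It assumes a temporary 15-minute lockout (the post gives no duration) and an injectable clock so the behaviour can be checked without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 4            # three or four guesses, per the recommendation above
LOCKOUT_SECONDS = 15 * 60   # assumed: temporary lockout so a typo never strands a user

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LoginLimiter:
    """Counts failed logins per username and refuses attempts while the account is locked."""
    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.max_attempts, self.lockout_seconds, self.clock = max_attempts, lockout_seconds, clock
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        state = self.accounts.get(username)
        return state is not None and self.clock() < state.locked_until

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'denied'."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if now < state.locked_until:
            return "locked"          # refused even when the password is right, so no oracle
        if password_ok:
            state.failures = 0       # a successful login resets the typo budget
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0
            return "locked"
        return "denied"

def run_attempts(limiter: LoginLimiter, username: str, outcomes) -> list:
    """Feed a sequence of password-check results and return the limiter's decisions."""
    return [limiter.attempt(username, ok) for ok in outcomes]

if __name__ == "__main__":
    # Constructed scenario: four wrong guesses, then the correct password during lockout
    print(run_attempts(LoginLimiter(), "alice", [False, False, False, False, True]))
```

Lock accounts temporarily rather than permanently, and alert on repeated lockouts: a permanent lock lets anyone who knows a username deny that employee access. Rate limiting per source address alongside the per-account count catches guessing spread across many accounts.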
Set up a Web Application Firewall (WAF)
Your organization can set up a Web Application Firewall (WAF), which filters traffic between a web application and the internet. By using a WAF, your organization protects its web applications from potential cyber attacks, including account takeovers. WAFs identify and block malicious requests and can even detect when cybercriminals’ bots are trying to infiltrate your accounts.
Implement zero trust
Zero trust is a security framework that assumes every device and account is capable of being compromised. To combat this, every user – both human and machine – needs to constantly verify their identity within an organization through multiple authentication processes. The three core principles of zero trust are to assume breaches will happen, require everyone to verify their identity to access the organization’s network and data and ensure users have least-privilege access. All employee devices used on an organization’s network should be registered and managed to keep track of who is allowed access.
An important aspect of zero-trust solutions is least-privilege access, which grants employees only the access necessary to do their jobs, thereby helping prevent a data breach from spreading. That way, if one employee’s account is taken over, their limited access will not give a cybercriminal as much access to the rest of the organization. For example, if an employee whose account was taken over had access to not only marketing data but also customer information, transactions and social media accounts, the cybercriminal would have access to much more valuable data.
Educate employees on security awareness
Make your employees aware of potential security risks and threats by running phishing tests, which are simulated phishing emails sent company-wide to see how employees react. These tests can help you determine if your organization is prepared for phishing attacks or if employees need further training on security measures. Educating your employees about security threats will protect you and your organization from cyber attacks in the future.
Stay protected against account takeovers with Keeper
Whether you’re an individual or an organization, everyone needs protection against account takeovers and other cyber attacks. Keeper can protect you and your organization with our dark web monitoring tools and password manager.
Start a free trial of Keeper Password Manager for your personal and business accounts today.