Account Takeover Incidents are Rising: How to Protect Yourself in 2024

29% of internet users have now experienced ATO, up from 22% in 2021.

By Brett Cruz, Digital Security Expert

The notification pops up on your phone: it’s a friend request from someone you don’t quite remember, but who lists your college as their alma mater. You have some friends in common, so it probably can’t hurt to connect, right?

In the best possible outcome, you gain another friend on social media, but in one insidious scenario, you open yourself up to an increasingly common type of fraud — account takeover, which can lead to financial losses of thousands of dollars.

To see how account takeover has changed since our first report in 2021, we gathered insights from 1,000+ Americans about their experiences with and losses from this all-too-common crime. Here’s a look at some of our key findings:

  • 29% of people have experienced account takeover, an increase from 22% in 2021. This equates to about 77 million adults. Takeovers of accounts used for business or work also increased since our last study.
  • About one in five victims said their account takeover happened within the last year.
  • Social media accounts were most commonly hacked, accounting for 53% of account takeovers.
  • The typical victim of an account takeover lost about $180, and 40% of victims also experienced identity theft due to an account takeover.
  • 70% of victims reported that their compromised accounts didn’t have unique passwords, making them susceptible to having multiple accounts stolen.

What is account takeover?

Account takeover (ATO) is a cybercrime in which someone accesses another person’s online account by obtaining their sign-on credentials. Since the COVID-19 pandemic, cybercrime, including account takeovers, has increased significantly.

Account Takeover: A Growing Problem

When we first researched account takeover in 2021, we found that 22 percent of U.S. adults had experienced it at some point. Today, that figure has risen to 29 percent of American adults. Based on government population figures, this equates to about 20 million people having suffered this type of attack. About one in five victims said their account takeover happened in the last year.

[Figure: Account takeover has increased]

While the majority of people we talked to who had experienced account takeover (ATO) were able to regain access to their accounts, the threat of extensive damage is profound — to individuals and families as well as to businesses. Risks include leaks of sensitive personal information, identity theft, financial losses, malware attacks, data loss, and reputation damage, all of which can happen before the legitimate account holder is even aware there’s an issue.

Most ATO victims had personal accounts breached, but 21 percent of victims suffered a takeover of a work or business account, an increase over the 13 percent who had a business account taken over in 2021.

[Figure: Business vs. personal account takeover]

If a fraudster can access stolen credentials through an account takeover, the consequences can be expensive for a business. According to IBM, the average corporate breach costs nearly $5 million. The bigger the organization, the more ATO attempts it suffers, as larger organizations are more attractive targets for cybercriminals.

Wise executives and business owners have adequate policies and procedures to manage passwords and strengthen cybersecurity. This is also good advice for consumers, given that both attempted and successful account takeovers are rising. More than eight in 10 people said they’d received an alert about a suspicious login attempt.

When was the last time you were alerted about a suspicious login attempt not made by you?

| Response | Share of respondents |
|---|---|
| Within the last month | 34% |
| Within the last six months | 23% |
| Within the year | 13% |
| Within the last 2 years | 7% |
| More than 2 years ago | 9% |
| Never | 15% |

Fortunately, awareness of account takeover is also on the rise, with 79 percent of people telling us they know what account takeover is, up from 74 percent in 2021. Awareness is the first step in preventing this insidious digital crime.

Most Vulnerable Types of Accounts

While all types of accounts are potential targets for takeovers, cybercriminals most often gain access to social media accounts. More than half of those who had experienced ATO (53 percent) said their stolen account was a social media profile, up slightly from 51 percent in 2021. Social media account takeover probably happens most often since most U.S. adults use at least one social media platform. Social media accounts are potential treasure troves of personal information and access to other consumers via friends and follower lists.

What types of accounts were taken over (select all that apply)?

| Account type | 2021 | 2023 |
|---|---|---|
| Social media | 51% | 53% |
| Banking | 32% | 42% |
| Email or messaging platform | 26% | 23% |
| E-commerce | 8% | 17% |
| Education | 9% | 13% |
| Entertainment (music, movie/TV streaming, etc.) | 9% | 13% |
| Food or travel | 5% | 9% |

This year, bank accounts were the second-most likely to be taken over, which speaks to the potential for a big payday for a fraudster who can compromise a consumer’s financial profile.

Most account types we asked about saw an increase in how commonly they were taken over, with some having huge increases. Takeovers of e-commerce accounts have become more common, likely owing to the possibility of scammers accessing payment information from those accounts.

Typical Financial Losses Reach $180, But That’s Not the Only Cost for ATO Victims

The median financial loss for account takeover victims was $180, though one person in our research lost an eye-popping $85,000. But direct financial losses, devastating as they may be, are far from the only or even the most common consequence of ATO.

What were the consequences of the account takeover (select all that apply)?

| Consequence | 2021 | 2023 |
|---|---|---|
| Identity theft | 29% | 40% |
| Financial losses | 20% | 35% |
| Subsequent account takeovers | 16% | 27% |
| No consequences | 47% | 29% |

About 40 percent of people who experienced account takeover said that identity theft was among the event’s consequences, along with financial losses (35 percent) and subsequent account takeovers (27 percent). Only 29 percent of people told us they experienced no lasting consequences, compared to 47 percent who suffered no significant effects in 2021.

Direct losses occur when a fraudster takes over a victim’s e-commerce account and makes purchases with their stolen credentials. This is just one way for victims to be financially affected by an account takeover. If victims experience the takeover of an investment account, they can also experience the loss of future gains. They also may have to pay to recover their losses from account takeover by purchasing identity theft protection or remediation services.

ATO is not only becoming more common; its negative repercussions have also grown since 2021.

Best Practices for Avoiding Account Takeovers

When we researched account takeovers in 2021, 56 percent of victims said their stolen account had a password they’d used for multiple services. This year, 70 percent of victims reported using their hacked account’s passwords across multiple sites. As a result, 53 percent of ATO victims said hackers took over numerous accounts, an increase of 21 percentage points since 2021.

[Figure: Password reuse]

Aside from having strong, unique passwords for accounts (and changing them regularly), how else can web surfers ensure their services are secure? Enabling security questions (35 percent) and using two- or multi-factor authentication (34 percent) were the most common tactics among people in our study.

What actions did you take to prevent account takeover in the future? Select all that apply.

| Action | 2021 | 2023 |
|---|---|---|
| Changed password | 64% | 56% |
| Added security questions | 32% | 35% |
| Added two or multi-factor authentication | 35% | 34% |
| Installed password manager | 19% | 27% |
| Installed identity theft protection services | 17% | 23% |
| Installed antivirus software | 22% | 22% |
| Installed VPN | 22% | 22% |
| Other methods | 9% | 4% |
| None of the above | 3% | 3% |

But other helpful practices are emerging, with password managers and identity theft protection services rising this year. Users may often not know if they’re taking risky actions online. For example, specialists recently reported a security flaw in a common social login mechanism, which could have allowed fraudsters to access user accounts in a “pass the token attack.”

Here are some other tips for both businesses and individuals to protect themselves from account takeover:

  • Adjust account settings to limit login attempts
  • Provide employees with internet security training and policies
  • Use VPNs to increase privacy and security online
  • Install antivirus software on computers and other devices
  • Regularly monitor financial accounts for unauthorized purchases and enable notifications for unusual transactions

Conclusion

Fraudsters make their living by being one step ahead of cybersecurity practices, which can often make it impossible to ensure your safety online. But by implementing good digital habits, including using strong and unique passwords and closely monitoring financial accounts, consumers and businesses can make themselves more challenging targets for fraudsters and thieves.

About Our Data

Using a web-based research platform, we surveyed 1,062 U.S. adults regarding their experiences with account takeover (ATO), including financial and other consequences. The participants represented the U.S. population in terms of gender, age, and ethnicity. Our survey was conducted in December 2023.