Account Takeover 2021 Annual Report: Prevalence, Awareness and Prevention
Nearly one-quarter of U.S. households have been victims, financial losses average $12,000
Account takeover is a type of cybercrime where a user accesses someone else’s online account by obtaining their credentials. Since the COVID-19 pandemic, cybercrime has increased significantly, including account takeovers.
This report examines account takeover prevalence, awareness and prevention based on research conducted by Security.org and data from cybersecurity firm Deduce. Here are our key findings:
- 22 percent of U.S. adults have been victims of account takeovers, which amounts to over 24 million households.
- The approximate average value of financial losses from account takeovers of financial accounts is nearly $12,000.
- 60 percent of account takeover victims used the same password as the compromised account across multiple accounts.
- 58 percent of the reported account takeovers had occurred within the past year.
- Social media accounts made up 51 percent of the accounts taken over, while banking accounts were the second-most common accounts taken over at 32 percent.
With 22 percent of U.S adults reporting having accounts taken over, it's no wonder that the account takeover market has grown by 250 percent from 2019 to 2020. Security.org journalist Aliza Vigderman investigates.
Table of Contents
- Account Takeover Prevention Market
- Awareness of Account Takeovers
- How Many People Have Had Account Takeovers?
- How to Prevent Account Takeovers
Account Takeover Prevention Market
Deduce CEO and co-founder Ari Jacoby estimates that account takeover prevention is a $15 billion market “growing significantly year over year.” Moreover, according to internal data from Deduce, account takeover fraud increased by 250 percent in 2020 compared to 2019, fueled by discounts of up to 90 percent in dark web data and discounts of up to 50 percent on botnet time. Given these increases, many people and businesses have turned to account takeover prevention software. The cost of this software varies by the number of active monthly users but starts at a few hundred dollars per month, Jacoby said.
Awareness of Account Takeovers
Nearly three-quarters of U.S. adults are aware of account takeovers, while 18 percent are unaware, and nine percent are unsure.
|Prior to reading the above definition, were you aware of account takeovers?||Response Percent|
How Many People Have Had Account Takeovers?
According to our research, 22 percent of U.S. adults have had their accounts taken over. As there are 110 million internet-enabled households in the U.S., that means that approximately 24 million U.S. households have experienced account takeovers.
|Have you ever had an account taken over?||Response Percent|
Of the accounts taken over, 57 percent had passwords shared with other online accounts, contradicting the online password strategy to use unique passwords for each online account.
|Did the account taken over have a password that you use across multiple accounts?||Response Percent|
Another digital safety practice is to add security questions or advanced authentication to accounts to prevent unauthorized access. However, over 60 percent of respondents had security questions, two or multi-factor authentication, or both when their accounts were taken over, implying that these measures do not guarantee account fraud prevention.
|Did you have security questions or advanced authentication turned on while your account was taken over?||Response Percent|
|Two-factor or multi-factor authentication||13%|
|Both security questions and two or multi-factor authentication||13%|
For 32 percent of account takeover victims, they had multiple accounts taken over, while 68 percent of victims had only one account taken over.
|Did the initial account takeover lead to other account(s) being taken over as well?||Response Percent|
The majority of the account takeovers, 58 percent, had occurred within the past year. The plurality of account takeovers had occurred within the last month at 32 percent.
|How long ago was your account takeover?||Response Percent|
|Within the month||32%|
|Within the year||26%|
|Within the last 2 years||18%|
|More than 2 years ago||24%|
What Types of Accounts Were Taken Over?
Of the accounts taken over, the majority were social media accounts at 51 percent. Banking accounts comprised 32 percent of account takeovers, while email and messaging platforms comprised 26 percent.
|What type of account(s) were taken over? Select all that apply:||Response Percent|
|Email / messaging platform||26%|
|Food or travel||5%|
|Entertainment (music, movie/TV streaming, etc.)||9%|
|Other (please specify)||7%|
Data from Deduce confirmed that about one-third of account takeovers are for banking accounts, as a third of login attempts for financial services and financial technology (fintech) companies are suspected account takeover attempts. “[The] e-commerce and fintech [industries] are the hardest hit by account takeover, but it happens broadly,” Jacoby said. In general, attempted account takeovers make up about 15 percent of all login attempts across all industries, he continued.
Moreover, our research indicated that 80 percent of the accounts taken over were personal, while only 13 percent were business accounts only. Altogether, 93 percent of accounts taken over were personal accounts or a combination of business and personal accounts.
|Was the account taken over a business or personal account?||Response Percent|
|Used for both business and personal||7%|
Consequences of Account Takeovers
Most account takeovers had consequences, including identity theft at 29 percent, financial losses at 20 percent, and subsequent account takeovers at 16 percent. But while 52 percent of account takeovers came with some consequences, 47 percent did not have consequences, making consequences more likely by about six percent.
|What were the consequences of the account takeover? Select all that apply.||Response Percent|
|Financial losses (specify how much)||20%|
|Subsequent account takeovers||16%|
|Other (please specify)||10%|
Of the financial losses from account takeovers, over 80 percent of respondents recovered the funds, compared to 16 percent who were unable to recover the money.
|Were you able to recover the account(s)?||Response Percent|
Recovering lost funds happened quickly, within a month of the account takeover for 97 percent of victims.
|How long did it take you to recover the account?||Response Percent|
|Within the day||43%|
|Within the week||38%|
|Within the month||16%|
|Within the year||4%|
|Longer than a year||0%|
Our research indicated that the average financial loss from an account takeover was nearly $12,000.
How to Prevent Account Takeovers
Jacoby is clear that “using the same username and password leads to [account takeover] fraud.” “Using different usernames and passwords or, better yet, a password manager, can help,” he continued. In accordance, 64 percent of account takeover victims changed the passwords of the affected accounts. Jacoby’s other piece of advice is to get suspicious login alerts, if they’re available. “Ask the companies you do business with to offer suspicious login alerting so that you can stop an account takeover before it becomes a massive headache,” he said.
|What actions did you take to prevent account takeover in the future? Select all that apply.||Response Percent|
|Added two or multi-factor authentication||35%|
|Added security questions||32%|
|Installed antivirus software||22%|
|Installed password manager||19%|
|Installed identity theft protection services||17%|
|Other (please specify)||9%|
|None of the above||3%|
While the majority of account takeover victims changed their passwords, 35 percent added advanced authentication methods, 32 percent added security questions, and 22 percent added both antivirus software and VPNs such as Surfshark. Only 19 percent installed a password manager, while 17 percent installed identity theft protection services.
Given the large increase in account takeovers throughout the global pandemic, the account takeover market is increasing with it. Business and personal internet users can lessen the likelihood of account takeovers by choosing strong passwords for their accounts and adding multi-factor authentication and security questions when available.
The information in this piece comes from a survey of 686 U.S. adults conducted from February 8 through February 11, 2021. We also received data from cybersecurity and account takeover prevention software company Deduce, and used data from the U.S. Census Bureau.
Need additional insights for a story?
Send our research team an email