Written By: Security.org Team | Published: February 18, 2021

Account takeover is a type of cybercrime where a user accesses someone else’s online account by obtaining their credentials. Since the COVID-19 pandemic, cybercrime has increased significantly, including account takeovers. 

This report examines account takeover prevalence, awareness and prevention based on research conducted by Security.org and data from cybersecurity firm Deduce. Here are our key findings: 

  • 22 percent of U.S. adults have been victims of account takeovers, which amounts to over 24 million households. 
  • The approximate average value of financial losses from account takeovers of financial accounts is nearly $12,000. 
  • 60 percent of account takeover victims used the same password as the compromised account across multiple accounts. 
  • 58 percent of the reported account takeovers had occurred within the past year. 
  • Social media accounts made up 51 percent of the accounts taken over, while banking accounts were the second-most common accounts taken over at 32 percent. 

Table of Contents

  1. Account Takeover Prevention Market
  2. Awareness of Account Takeovers
  3. How Many People Have Had Account Takeovers?
  4. How to Prevent Account Takeovers
  5. Recap
  6. Methodology

Account Takeover Prevention Market

Deduce CEO and co-founder Ari Jacoby estimates that account takeover prevention is a $15 billion market “growing significantly year over year.” Moreover, according to internal data from Deduce, account takeover fraud increased by 250 percent in 2020 compared to 2019, fueled by discounts of up to 90 percent on dark web data and up to 50 percent on botnet time. Given these increases, many people and businesses have turned to account takeover prevention software. The cost of this software varies by the number of active monthly users but starts at a few hundred dollars per month, Jacoby said.

Awareness of Account Takeovers 

Nearly three-quarters of U.S. adults are aware of account takeovers, while 18 percent are unaware, and nine percent are unsure.

| Prior to reading the above definition, were you aware of account takeovers? | Response Percent |
| --- | --- |
| Yes | 74% |
| No | 18% |
| Unsure | 9% |

How Many People Have Had Account Takeovers?

According to our research, 22 percent of U.S. adults have had their accounts taken over. As there are 110 million internet-enabled households in the U.S., that means that approximately 24 million U.S. households have experienced account takeovers. 

| Have you ever had an account taken over? | Response Percent |
| --- | --- |
| Yes | 22% |
| No | 66% |
| Unsure | 12% |

Of the accounts taken over, 57 percent had passwords shared with other online accounts, contrary to the recommended practice of using a unique password for each online account.

| Did the account taken over have a password that you use across multiple accounts? | Response Percent |
| --- | --- |
| Yes | 56% |
| No | 44% |

Another digital safety practice is to add security questions or advanced authentication to accounts to prevent unauthorized access. However, over 60 percent of respondents had security questions, two or multi-factor authentication, or both when their accounts were taken over, implying that these measures do not guarantee account fraud prevention. 

| Did you have security questions or advanced authentication turned on while your account was taken over? | Response Percent |
| --- | --- |
| Security questions | 36% |
| Two-factor or multi-factor authentication | 13% |
| Both security questions and two or multi-factor authentication | 13% |
| Neither | 39% |

Among account takeover victims, 32 percent had multiple accounts taken over, while 68 percent had only one account taken over.

| Did the initial account takeover lead to other account(s) being taken over as well? | Response Percent |
| --- | --- |
| Yes | 32% |
| No | 68% |

The majority of the account takeovers, 58 percent, had occurred within the past year. The plurality of account takeovers had occurred within the last month at 32 percent. 

| How long ago was your account takeover? | Response Percent |
| --- | --- |
| Within the month | 32% |
| Within the year | 26% |
| Within the last 2 years | 18% |
| More than 2 years ago | 24% |

What Types of Accounts Were Taken Over?

Of the accounts taken over, the majority were social media accounts at 51 percent. Banking accounts comprised 32 percent of account takeovers, while email and messaging platforms comprised 26 percent. 

| What type of account(s) were taken over? Select all that apply: | Response Percent |
| --- | --- |
| Social media | 51% |
| Banking | 32% |
| E-commerce | 8% |
| Email / messaging platform | 26% |
| Education | 9% |
| Food or travel | 5% |
| Entertainment (music, movie/TV streaming, etc.) | 9% |
| Other (please specify) | 7% |

Data from Deduce confirmed that about one-third of account takeovers are for banking accounts, as a third of login attempts for financial services and financial technology (fintech) companies are suspected account takeover attempts. “[The] e-commerce and fintech [industries] are the hardest hit by account takeover, but it happens broadly,” Jacoby said. In general, attempted account takeovers make up about 15 percent of all login attempts across all industries, he continued.

Moreover, our research indicated that 80 percent of the accounts taken over were personal, while only 13 percent were business accounts only. Altogether, 93 percent of accounts taken over were personal accounts or a combination of business and personal accounts. 

| Was the account taken over a business or personal account? | Response Percent |
| --- | --- |
| Business account | 13% |
| Personal account | 80% |
| Used for both business and personal | 7% |

Consequences of Account Takeovers 

Most account takeovers had consequences, including identity theft at 29 percent, financial losses at 20 percent, and subsequent account takeovers at 16 percent. But while 52 percent of account takeovers came with some consequences, 47 percent did not have consequences, making consequences more likely by about six percent. 

| What were the consequences of the account takeover? Select all that apply. | Response Percent |
| --- | --- |
| Identity theft | 29% |
| Financial losses (specify how much) | 20% |
| Subsequent account takeovers | 16% |
| No consequences | 47% |
| Other (please specify) | 10% |

Of the financial losses from account takeovers, over 80 percent of respondents recovered the funds, compared to 16 percent who were unable to recover the money. 

| Were you able to recover the account(s)? | Response Percent |
| --- | --- |
| Yes | 82% |
| No | 16% |
| Unsure | 2% |

Recovering lost funds happened quickly, within a month of the account takeover for 97 percent of victims. 

| How long did it take you to recover the account? | Response Percent |
| --- | --- |
| Within the day | 43% |
| Within the week | 38% |
| Within the month | 16% |
| Within the year | 4% |
| Longer than a year | 0% |

Our research indicated that the average financial loss from an account takeover was nearly $12,000. 

How to Prevent Account Takeovers

Jacoby is clear that “using the same username and password leads to [account takeover] fraud.” “Using different usernames and passwords or, better yet, a password manager, can help,” he continued. Consistent with that advice, 64 percent of account takeover victims changed the passwords of the affected accounts. Jacoby’s other piece of advice is to turn on suspicious login alerts where they are available. “Ask the companies you do business with to offer suspicious login alerting so that you can stop an account takeover before it becomes a massive headache,” he said.

| What actions did you take to prevent account takeover in the future? Select all that apply. | Response Percent |
| --- | --- |
| Changed password | 64% |
| Added two or multi-factor authentication | 35% |
| Added security questions | 32% |
| Installed antivirus software | 22% |
| Installed VPN | 22% |
| Installed password manager | 19% |
| Installed identity theft protection services | 17% |
| Other (please specify) | 9% |
| None of the above | 3% |

While the majority of account takeover victims changed their passwords, 35 percent added advanced authentication methods, 32 percent added security questions, and 22 percent added both antivirus software and VPNs. Only 19 percent installed a password manager, while 17 percent installed identity theft protection services.

Recap

Given the large increase in account takeovers throughout the global pandemic, the account takeover market is increasing with it. Business and personal internet users can lessen the likelihood of account takeovers by choosing strong passwords for their accounts and adding multi-factor authentication and security questions when available.

Methodology

The information in this piece comes from a survey of 686 U.S. adults conducted from February 8 through February 11, 2021. We also received data from cybersecurity and account takeover prevention software company Deduce, and used data from the U.S. Census Bureau.