
Understanding Account Takeovers

Account takeovers have long been a tool in threat actors’ arsenals, but it’s clear that the frequency of ATO attacks is on the rise.

The identity attack surface is expanding faster than ever. Every new cloud application, remote login, and digital touchpoint creates another entryway threat actors can exploit, targeting the very credentials that give employees, customers, and partners access to critical systems.

One of the top, tried-and-true identity attack techniques threat actors have utilised with great success is called an account takeover.

What is Account Takeover?

Account takeover (ATO), also referred to as account takeover fraud, occurs when a threat actor takes control of an online account after obtaining necessary credentials and access requirements.

Once access is obtained, threat actors can then use this newfound control to conduct phishing attacks, steal valuable data, gain access to other parts of a network, or launch a subsequent malware or ransomware attack.

Unlike many other kinds of cyber attacks, where the tactics, techniques, and procedures (TTPs) of the attackers are obviously malicious, ATOs are intended to appear benign. Because the adversary simply uses the stolen credentials and/or access requirements to log in as a standard user, the subsequent malicious activities often don’t stand out to defenders: they take place under the guise of an authorised user account.

ATO attacks have traditionally been limited to email – and are considered a form of business email compromise (BEC) – but the rise of software-as-a-service (SaaS) applications, cloud infrastructure, and remote connectivity tools has greatly expanded the variety of account types a threat actor can target for an ATO attack.

While any industry can be targeted, a few trends have appeared. According to a report by Sift, ATO attacks targeting the fintech and finance industry have surged 122% year-over-year; according to Abnormal Security, 83% of organisations had at least one instance of cloud account takeover in 2024.


How an Account Takeover Attack Works

The crux of any ATO attack is obtaining valid credentials, which often proves all too easy for threat actors. Recent research has found that “billions of login credentials have been leaked,” and credential compromise is continually listed as a top attack vector.

While credential theft often occurs during cyber attacks where credentials are exfiltrated and then leaked or sold on the dark web, this is not the only way threat actors can obtain credentials.

Threat actors can gain access to accounts in many ways, including:

  • The exploitation of a software or system vulnerability tied to online applications or identity infrastructure
  • The breach of a third-party credential provider
  • A credential stuffing attack
  • A brute-force attack
  • A man-in-the-middle attack, where threat actors intercept credentials as they’re put into an application
  • A keylogging attack, where malware records keystrokes made on an endpoint, letting threat actors record credential entries
  • Other malware attacks, such as a Trojan attack or the use of an infostealer

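The credential stuffing and brute-force entries in the list above look different in an authentication log, and that difference is what a defender keys on: one source address trying many usernames a few times each, versus one source hammering a single username. The following is an added example, not code from the original post or from Arctic Wolf; it classifies failed-login bursts in a constructed log (a hypothetical `timestamp user ip result` format) and reports any account that succeeded from that source after the burst, since that success is the actual takeover signal. Thresholds are assumptions chosen for the demo.

```python
from collections import defaultdict

# Constructed sample log (not real data): 203.0.113.5 sprays many usernames,
# 198.51.100.7 hammers one username, 192.0.2.10 is a normal login.
SAMPLE_LOG = """\
2025-03-01T09:00:01 alice 203.0.113.5 FAIL
2025-03-01T09:00:02 bob 203.0.113.5 FAIL
2025-03-01T09:00:03 carol 203.0.113.5 FAIL
2025-03-01T09:00:04 dave 203.0.113.5 FAIL
2025-03-01T09:00:05 erin 203.0.113.5 SUCCESS
2025-03-01T09:01:00 frank 198.51.100.7 FAIL
2025-03-01T09:01:01 frank 198.51.100.7 FAIL
2025-03-01T09:01:02 frank 198.51.100.7 FAIL
2025-03-01T09:01:03 frank 198.51.100.7 FAIL
2025-03-01T09:01:04 frank 198.51.100.7 FAIL
2025-03-01T09:02:00 alice 192.0.2.10 SUCCESS
"""


def parse(log: str):
    """Yield (timestamp, user, ip, result) from the hypothetical line format."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield ts, user, ip, result


def classify(log: str, min_fails: int = 4, min_users: int = 3) -> dict:
    """Return {ip: (verdict, [accounts that succeeded after the burst])}.

    credential_stuffing: many distinct usernames failing from one IP.
    brute_force: many failures against few usernames from one IP.
    Thresholds (min_fails, min_users) are demo assumptions, not tuned values.
    """
    fails = defaultdict(int)          # failed attempts per source IP
    users = defaultdict(set)          # distinct usernames failing per IP
    success_after = defaultdict(set)  # accounts that logged in after a burst
    for _, user, ip, result in parse(log):
        if result == "FAIL":
            fails[ip] += 1
            users[ip].add(user)
        elif fails[ip] >= min_fails:
            success_after[ip].add(user)  # the ATO signal: review this account
    verdicts = {}
    for ip, n in fails.items():
        if n < min_fails:
            continue
        kind = "credential_stuffing" if len(users[ip]) >= min_users else "brute_force"
        verdicts[ip] = (kind, sorted(success_after[ip]))
    return verdicts
```
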
Learn more about credential theft and its potential impact on an organisation’s cyber risk.

Once credentials are obtained – or a threat actor gains access to an account through more technical means, such as exploiting a vulnerability in the application itself – the threat actor can then take control of the account.

From there, completing subsequent actions or launching further attacks is easy: insider access grants the ability to target any number of additional systems, and organisations frequently fail to detect this sort of malicious activity by what appears to be an authorised user.

While any organisation can be targeted by an ATO attack, certain industries are likely to be favoured by threat actors due to the structure of their operations and the data they contain.

Industries like healthcare, education, e-commerce, financial services, legal, government, and travel not only contain sensitive data that could fetch a high price on the dark web, but they also rely heavily on user accounts, internal and external email communication, and applications that can be hacked through an ATO attack.

Below, we’ll highlight how an ATO attack would occur in two different, highly targeted industries.

E-Commerce ATO

1. A threat actor gains the usernames and passwords for customers of an e-commerce site during a cyber attack on the e-commerce organisation.

2. The threat actor, through a technique known as brute-force, repeatedly attempts to log in to the consumer side of the e-commerce website, eventually finding success with a set of credentials.

3. Now, with control of an account, the threat actor can potentially see (and steal) the credit card data stored in a data repository or make fraudulent purchases on that account.

This can be a “rinse and repeat” activity for the threat actor if multiple sets of credentials are valid, allowing them to gain access to a high volume of credit card and user data all attached to a singular e-commerce platform.

Financial services ATO

Financial services organisations are at high risk of ATO attacks due to the large volume of financial and other personally identifiable information (PII) they often contain.

1. A threat actor, through one of the means discussed above, gains credentials into the email account of the organisation’s CFO.

2. The threat actor is able to go through the emails and download email attachments that could contain banking information for clients (such as account and routing numbers), valuable financial data of the organisation itself which can be held for ransom, or even the credentials for financial applications – such as bank accounts – the organisation utilises.

With just one set of credentials, the threat actor has metaphorically opened several vaults, and can now exfiltrate data, commit financial fraud, or use this newfound access and information to launch any number of secondary attacks.

What Are the Impacts of an ATO Attack?

Similar to other kinds of cyber attacks, the impact of a successful ATO attack can have a myriad of consequences for a given organisation.

The main impacts include:

  • Direct financial loss. Financial data, such as bank account information, could be compromised, organisations could have to reimburse affected customers, and/or threat actors can use their access to commit financial fraud (such as sending out fake invoices to third parties).
  • Data loss. Data may be accessed and exfiltrated during an ATO attack (depending on the privileges of the compromised account). This data can then be held for ransom as part of a ransomware attack, sold on the dark web, or used in future attacks on the original organisation or a connected party.
  • Operational disruption. This includes downtime related to incident investigation and remediation, disruptions of business operations to restore user accounts, and other operational measures that would require IT and security resources while potentially putting some or all operations offline.
  • Reputation damage. If customer or third-party data and account information is compromised in an ATO attack, it can lead to dissolution of trust, loss of future customers, and even a drop in stock price or business value.
  • Regulatory and compliance risks. Regulated organisations that fall victim to an ATO attack can also suffer fines, audits, or lawsuits, as well as operational restrictions for failing to meet compliance obligations.
  • Lateral movement or privilege escalation and secondary attack. While ATO attacks may be self-contained, the exposure of credentials can also lead to secondary attacks on the original organisation or a connected third-party, as threat actors now have new access points into an organisation, allowing them to move laterally within a network or escalate their own privileges.

Account Takeover and BEC Attacks

ATO attacks and business email compromise (BEC) attacks are intrinsically linked.

Business email compromise is an email-borne cyber attack technique in which a threat actor attempts to manipulate an individual into initiating a secondary digital or kinetic action for malicious purposes. These actions can include transferring funds, sharing sensitive data, or enabling access to something else of value.

ATO attacks are often paired with BEC attacks. ATO can be an objective of a BEC attack, particularly if the threat actor is seeking but does not yet have insider access to the target organisation. Alternatively, after a successful BEC attack – for example, one that results in obtaining employee credentials – the attacker may launch a follow-on ATO attack, using the compromised credentials to move laterally within the organisation.

ATO attacks are often a precursor to BEC attacks, which are a frequent and costly form of cyber attack. For a BEC attack to succeed, a threat actor must first gain account access or complete an ATO attack. BEC attacks can also be referred to as email account takeovers (EATs), which are a form of ATO attack.

BEC attacks occur at an alarming rate, accounting for 27% of Arctic Wolf® Incident Response cases in 2024, according to the Arctic Wolf 2025 Threat Report. Additionally, 35% of organisations surveyed in The State of Cybersecurity: 2025 Trends Report stated they have suffered a BEC attack.

How To Prevent and Protect Against Account Takeover Attacks

A strong cybersecurity strategy is one that is effective both left and right of boom, and it’s no different with account takeover attacks. It’s best to guard the fortress at multiple points, deploying varying tactics proactively that lower the risk of an attack taking place, while simultaneously preparing to detect and quickly remediate an ATO attack should one occur.

To prevent and protect against ATO attacks, organisations should:

1. Employ behavioural analytics within your security solutions. Behavioural analytics can assist security teams — and monitoring and detection technology — with establishing a baseline of normal user behaviour (e.g. login times, devices, IP addresses, and navigation patterns) to identify deviations that signal malicious activity.

2. Deploy email security measures, including the use of technology that can remove malicious emails from inboxes, flag suspicious emails and potential impersonations, and block suspicious and/or likely malicious links. This will help prevent the execution of an ATO attack through social engineering (such as phishing) while preventing the attack from escalating if an email account is compromised.

3. Utilise identity and access management (IAM) best practices alongside a zero trust strategy to verify, control, and limit user access. This will reduce the success rate of ATO attacks, which target the identity attack surface, while limiting a threat actor’s ability to move within a network or access sensitive assets and resources if initial access is obtained.

4. Require multi-factor authentication (MFA) across all applications. A critical piece of the IAM puzzle, MFA not only prevents threat actors from gaining access to accounts, but the automatic need for verification can also alert users and security teams to suspicious account activity. Arctic Wolf found that 56% of organisations that experienced a significant breach in 2024 did not employ MFA, highlighting the access control’s potential to prevent serious incidents.

5. Implement security awareness training that offers engaging content around ATO attacks and subsequent BEC attacks. This can reduce overall human risk while helping users spot suspicious activity that may point to an ATO attack.

6. Deploy comprehensive 24×7 monitoring that ingests telemetry from multiple sources, including identity, cloud, endpoints, and applications. An ATO attack doesn’t always start and end with an email account, so having broad visibility that allows your security teams to both monitor and act on multiple parts of the attack surface can help your organisation respond quickly to an ATO attack before it escalates.

7. Invest in endpoint security that can block credential-stealing malware, detect anomalous behaviour, contain compromised devices, and take other actions to both detect and stop the escalation of ATO attacks. While ATO attacks can compromise email accounts, the cloud, and SaaS applications, they often start on the endpoint, making it a critical component of complete security.
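Item 1 above describes the behavioural-baseline idea in words; the following added example (not code from the original post or from Arctic Wolf) shows the mechanism on constructed data. It builds a per-user baseline of source subnets, devices, and login hours from past successful logins, then scores a new login by how many of those attributes it deviates from, so a takeover that logs in as a valid user from an unseen device and subnet at an unusual hour still stands out. The /24 subnet grouping, the two-hour tolerance, and the attribute names are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of successful logins: (user, timestamp, ip, device).
HISTORY = [
    ("alice", "2025-03-03T08:55:00", "192.0.2.10", "win-laptop-01"),
    ("alice", "2025-03-04T09:02:00", "192.0.2.11", "win-laptop-01"),
    ("alice", "2025-03-05T08:47:00", "192.0.2.10", "win-laptop-01"),
    ("alice", "2025-03-06T17:30:00", "192.0.2.12", "iphone-alice"),
]


def subnet(ip: str) -> str:
    """Group IPv4 addresses by /24 so a DHCP-churned office IP stays 'known'."""
    return ip.rsplit(".", 1)[0]


def build_baseline(history):
    """Per-user sets of known subnets, devices and login hours (assumed schema)."""
    base = defaultdict(lambda: {"subnets": set(), "devices": set(), "hours": set()})
    for user, ts, ip, dev in history:
        b = base[user]
        b["subnets"].add(subnet(ip))
        b["devices"].add(dev)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def score_login(baseline, user, ts, ip, dev):
    """Return (score, reasons); each deviation from the baseline adds 1.

    An account with no history scores the maximum: first-seen identities are
    exactly what a freshly hijacked or newly created account looks like.
    """
    b = baseline.get(user)
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    if subnet(ip) not in b["subnets"]:
        reasons.append("unseen source subnet")
    if dev not in b["devices"]:
        reasons.append("unseen device")
    hour = datetime.fromisoformat(ts).hour
    # Tolerance of +/-2 hours around any previously observed login hour (assumption).
    if all(abs(hour - h) > 2 for h in b["hours"]):
        reasons.append("outside usual login hours")
    return len(reasons), reasons
```

A real deployment would weight these signals, add geolocation for impossible-travel checks, and feed the score into an MFA step-up or an alert rather than a print statement.
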

Reducing ATO Risk with Arctic Wolf

Arctic Wolf understands both the threats organisations face, and the technology, people, and processes needed to stop tried-and-true attacks like ATO. Not only does Arctic Wolf have multiple solutions that help organisations prevent and respond to threats across their attack surface, but the Arctic Wolf Aurora™ Platform is also built on open-XDR technology, allowing Arctic Wolf to work with the security your organisation already has in place while adapting to your existing tech stack.

Arctic Wolf partners with Mimecast to help organisations better secure their email, reducing the risk of ATO and BEC attacks. This is in addition to Arctic Wolf’s partnership with Okta, a technology that enables organisations to better control access and reduce identity risks.

Learn more about how Arctic Wolf’s Security Operations approach reduces risk while improving organisations’ security postures.
Better understand the threat landscape and what risk points may exist for your organisation with the Arctic Wolf 2025 Threat Report.
