As the workforce trends younger, account takeover attacks are rising
Account Takeover (ATO) incidents are on the rise, with one recent study finding that 29 percent of US adults were victims of ATO attacks in the past year alone. That isn’t necessarily surprising: what we call an “Account Takeover attack” usually comes as the result of stolen credentials -- and this year’s Verizon Data Breach Investigations Report (DBIR) noted that credential theft has played a role in a whopping 31 percent of all breaches over the past 10 years. Basically, an ATO happens when a cybercriminal uses those stolen credentials to access an account that doesn’t belong to them and leverages it for any number of nefarious purposes.
Those credentials can come from anywhere. Yes, modern attackers can use deepfakes and other advanced tactics to get their hands on credentials -- but the truth is, tried-and-true methods like phishing and business email compromise (BEC) attacks are still remarkably effective. Worse still, because people tend to reuse passwords, a single set of stolen credentials can often lead to multiple compromised accounts. As always, human beings are the weakest point in any system.
Adversaries have evolved their tactics in recent years, no longer relying primarily on email and SMS messages to carry out their attacks. As ATO incidents increase, a growing number of them are being conducted via social media platforms, including Facebook, X (formerly Twitter), and TikTok. Earlier this year, the Securities and Exchange Commission (SEC) had its X account taken over by hackers. Just a month later, Facebook patched a critical vulnerability that could have been exploited to conduct brute-force attacks against any account. And this summer, a number of celebrity TikTok accounts were compromised using a “zero-click” attack conducted via direct message (DM).
Preventing ATO attacks is difficult -- but limiting the damage doesn’t have to be. For today’s organizations, that starts with understanding what makes their employees vulnerable to this increasingly popular attack tactic and putting the necessary policies and solutions in place to ensure attackers can’t run roughshod through their digital environments.
The Surprising Group Most Vulnerable to ATO Attacks
While it’s true that anyone can be victimized by an ATO attack, here’s something that may shock you: research shows that members of Gen Z are falling for online scams at a higher rate than their Boomer grandparents. It’s a stat that defies conventional wisdom -- generally, we assume younger individuals to have a high degree of digital literacy. After all, Gen Zers were raised on the internet. They should know better than anyone how to spot financial scams, phishing schemes, and other signs of nefarious online activity -- right?
The truth is more complicated. While statistics like this are a fun opportunity for older generations to have a chuckle at their younger counterparts, the “why” is important here. Gen Zers are entering the workforce at an increasing rate, and businesses need to understand what it is that makes them particularly vulnerable. Spoiler alert: Gen Z isn’t inherently more gullible than previous generations. But they have been online for their entire lives -- and so has their personal information. A concerning 58 percent of Gen Zers say they are “very likely” or “extremely likely” to reuse passwords across different accounts -- by far the most of any generation. With the number of online accounts the average Gen Zer has, these statistics have attackers licking their chops. Simply put, younger users who fail to secure their vast digital footprint risk leaving themselves -- and their employers -- open to ATO attacks.
This isn’t to pick on any one generation, but the relative vulnerability of Gen Z does highlight a larger problem. Most breaches aren’t caused by cunning attackers “hacking” through security solutions -- they’re caused by poor digital hygiene, lax authentication processes, and insufficient identity management. Employers need to protect themselves by ensuring a single reused password can’t cause a catastrophic incident -- especially as younger employees continue to enter the workforce.
Protecting Your Digital Ecosystem from ATO Attacks
Fortunately, today’s organizations have a wide range of options that can help limit their vulnerability. First, it’s a good idea to move away from traditional “username and password” credentialing. Between weak passwords, reused credentials, and the potential for social engineering, username and password combinations are just too easy for attackers to exploit. Chances are, at least one employee uses the same password to log into their work device that they use to log into Netflix -- and no one wants to suffer a breach because a sales rep wanted to binge Stranger Things. Fingerprint sensors, facial recognition, and other biometric solutions eliminate the potential for password crossover. And they aren’t just more secure than passwords -- they’re more convenient, too. Passkeys are also becoming more common, presenting yet another simple, secure method of authentication -- and they are particularly beneficial when they are bound to a device with an associated biometric.
Visibility is also essential, and this is where effective identity management comes in. Today’s organizations manage tens (even hundreds) of thousands of digital identities, and the ability to monitor their behavior is critical. For instance, if an identity associated with a human resources employee repeatedly attempts to access financial data, that’s a red flag that might indicate a compromise. It’s important to have a solution in place that understands what normal behavior looks like and can identify and flag any suspicious activity as it happens. This keeps response time short even when an ATO attack does occur, so the damage can be contained. It can also help address the challenges posed by third parties and non-employee identities, which are often harder to manage. The ability to detect when an identity is behaving abnormally is a critical first step toward limiting ATO-related damage.
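The paragraph above describes the detection idea in words: learn what resources each role normally touches, then flag an identity that repeatedly reaches outside that profile (the HR identity probing financial data). The following Python is an added illustration written for this article, not code from the author or from SailPoint. The access-log records, the role-to-category baseline, the ten-minute window and the three-attempt threshold are all constructed assumptions; a real identity platform would derive the baseline from far more history and more signals than resource category alone.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    identity: str
    role: str
    resource: str   # "<category>/<object>", e.g. "finance/ledger" (constructed naming)
    outcome: str    # "allow" or "deny"; attempts count either way


def category(resource: str) -> str:
    """First path component is the data category an identity is reaching for."""
    return resource.split("/", 1)[0]


def build_baseline(history):
    """Map each role to the set of resource categories it has legitimately used.

    Only successful accesses shape the baseline, so a past probe by a
    compromised account does not teach the detector that probing is normal.
    """
    baseline = defaultdict(set)
    for ev in history:
        if ev.outcome == "allow":
            baseline[ev.role].add(category(ev.resource))
    return baseline


def detect_anomalies(baseline, events, window=timedelta(minutes=10), threshold=3):
    """Alert on identities that repeatedly try a category outside their role's baseline.

    Returns a list of (identity, category, attempts_in_window); one alert per
    identity/category pair so a noisy account does not flood the queue.
    """
    alerts = []
    recent = defaultdict(list)   # (identity, category) -> timestamps of out-of-profile attempts
    alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        cat = category(ev.resource)
        if cat in baseline.get(ev.role, set()):
            continue                      # in-profile access, nothing to do
        key = (ev.identity, cat)
        attempts = [t for t in recent[key] if ev.ts - t <= window]
        attempts.append(ev.ts)
        recent[key] = attempts
        if len(attempts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev.identity, cat, len(attempts)))
    return alerts


# Constructed sample data: a normal week for an HR user and a finance user ...
T0 = datetime(2024, 6, 3, 9, 0)
HISTORY = [
    AccessEvent(T0 + timedelta(minutes=i), "j.doe", "hr", "hr/employee-records", "allow")
    for i in range(5)
] + [
    AccessEvent(T0 + timedelta(minutes=i), "a.lee", "finance", "finance/ledger", "allow")
    for i in range(5)
]

# ... followed by new activity in which the HR identity probes finance data.
NEW_EVENTS = [
    AccessEvent(T0 + timedelta(hours=1, minutes=0), "j.doe", "hr", "finance/ledger", "deny"),
    AccessEvent(T0 + timedelta(hours=1, minutes=2), "j.doe", "hr", "finance/ledger", "deny"),
    AccessEvent(T0 + timedelta(hours=1, minutes=5), "j.doe", "hr", "finance/payroll-approvals", "deny"),
    AccessEvent(T0 + timedelta(hours=1, minutes=6), "a.lee", "finance", "finance/ledger", "allow"),
    AccessEvent(T0 + timedelta(hours=1, minutes=7), "m.kim", "hr", "finance/ledger", "deny"),
    AccessEvent(T0 + timedelta(hours=1, minutes=8), "j.doe", "hr", "hr/employee-records", "allow"),
]


def run_demo():
    """Build the baseline from HISTORY and score NEW_EVENTS against it."""
    return detect_anomalies(build_baseline(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for identity, cat, n in run_demo():
        print(f"ALERT {identity}: {n} out-of-profile attempts on '{cat}' data")
```

Note that the single attempt by m.kim is not alerted: one stray click is expected noise, while three attempts in ten minutes from an identity whose role has never touched finance data is the "repeatedly" the article calls out. The outcome field is deliberately ignored when counting attempts, because a denied request still tells you the account is being driven toward data its owner has no business in.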
Finally, it’s important to keep devices up to date -- including devices that the organization doesn’t directly control. The lines are increasingly blurred in today’s world, with employees often using personal devices for business purposes. It’s important to make sure those devices cannot access sensitive applications or data if there are outstanding security concerns. This isn’t as easy as making sure company laptops and other devices are updated, but there are ways to limit access from devices that have not been updated or patched appropriately. Attackers will often use poorly secured devices as a launching pad into an organization’s broader network, and locking down their access can significantly limit the potential damage of an ATO attack. Employees may chafe at these measures, but generating buy-in by explaining the reasoning behind them can help allay concerns and build much-needed support.
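One concrete form of the "limit access from devices that have not been updated or patched appropriately" advice is a conditional-access check that looks at device posture before an application grants a session. The Python below is an added example written for this article, not SailPoint's or the author's code; the device records, the minimum OS versions, the 30-day patch window and the app names are constructed assumptions standing in for whatever an organisation's MDM and identity provider actually report.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool          # enrolled in the organisation's device management
    os_name: str           # "macos", "windows", "ios", "android"
    os_version: tuple      # parsed with parse_version, e.g. (14, 5)
    last_patch: date       # date the device last reported as fully patched
    disk_encrypted: bool


# Assumed policy constants (placeholders, not vendor-recommended values).
MIN_OS = {"macos": (14, 4), "windows": (10, 0, 19045), "ios": (17, 4), "android": (14,)}
MAX_PATCH_AGE = timedelta(days=30)
SENSITIVE_APPS = {"finance-ledger", "hr-records"}


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def posture_findings(device: DevicePosture, today: date):
    """List every reason the device falls short of policy (empty list = compliant)."""
    findings = []
    required = MIN_OS.get(device.os_name)
    if required is None:
        findings.append("unknown-os")
    elif device.os_version < required:
        findings.append("os-below-minimum")
    if today - device.last_patch > MAX_PATCH_AGE:
        findings.append("patch-overdue")
    if not device.disk_encrypted:
        findings.append("disk-unencrypted")
    return findings


def access_decision(device: DevicePosture, app: str, today: date):
    """Return ('allow' | 'limited' | 'deny', findings).

    Sensitive apps require a managed, fully compliant device. Other apps stay
    reachable from a non-compliant device but in a 'limited' mode (for example
    browser-only, no download), so a stale personal laptop cannot become the
    launching pad the article warns about.
    """
    findings = posture_findings(device, today)
    if app in SENSITIVE_APPS and (findings or not device.managed):
        return "deny", findings
    if findings:
        return "limited", findings
    return "allow", findings


# Constructed sample inventory.
TODAY = date(2024, 9, 2)
CORP_MAC = DevicePosture("mac-0417", True, "macos", parse_version("14.6"), date(2024, 8, 25), True)
STALE_WIN = DevicePosture("win-2231", True, "windows", parse_version("10.0.22631"), date(2024, 7, 1), True)
PERSONAL_PHONE = DevicePosture("byod-phone-9", False, "ios", parse_version("17.6"), date(2024, 8, 30), True)


def run_demo():
    """Evaluate a few representative device/app pairs against the policy."""
    return {
        ("mac-0417", "finance-ledger"): access_decision(CORP_MAC, "finance-ledger", TODAY),
        ("win-2231", "finance-ledger"): access_decision(STALE_WIN, "finance-ledger", TODAY),
        ("win-2231", "wiki"): access_decision(STALE_WIN, "wiki", TODAY),
        ("byod-phone-9", "hr-records"): access_decision(PERSONAL_PHONE, "hr-records", TODAY),
        ("byod-phone-9", "wiki"): access_decision(PERSONAL_PHONE, "wiki", TODAY),
    }


if __name__ == "__main__":
    for (dev, app), (decision, why) in run_demo().items():
        print(f"{dev:>13} -> {app:<15} {decision:<8} {', '.join(why) or '-'}")
```

Returning the findings alongside the decision is what makes the buy-in the article mentions achievable: the employee is told exactly why the session was limited ("patch-overdue") and what to fix, rather than simply being locked out.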
Better Hygiene, Improved Visibility Are Key
ATO attacks represent just one of many tactics modern adversaries have at their fingertips, but they are becoming increasingly popular as younger generations enter the workforce. Fortunately, organizations can protect themselves more effectively by implementing measures to improve their digital hygiene and modernize their approach to identity security. Prioritizing detection and response capabilities and establishing clear visibility across all digital environments can allow organizations to significantly reduce the potential damage of ATO incidents. By understanding why these vulnerabilities exist and taking the appropriate steps to mitigate them, today’s businesses can avoid leaving themselves vulnerable to opportunistic attackers.
Mike Kiser is Director of Strategy and Standards, SailPoint.