Imagine being awoken by an urgent message from your team telling you a business bank account is frozen and the money is gone. You quickly find out that this nightmare scenario was caused by one of the simplest mistakes imaginable: A user trying to log in to the account searched for a login page and landed on a fake instead, handing fraudsters all the information they needed to swiftly gain access.
This is not a far-fetched scenario but a classic case of a successful account takeover fraud attempt. In essence, account takeovers are exactly what they sound like: A fraudster obtains login credentials, takes over one or more business or personal accounts, and uses that access to impersonate a user and wreak havoc. Damage from an account takeover can include sensitive information being deleted or stolen, payments being modified or misdirected, and access to critical accounts being lost entirely.
It would be bad enough if this were a niche concern, but it is a massive problem globally. Abnormal Security revealed that 75% of security leaders consider account takeovers a top-four security concern. To underscore how large this problem is, in 2024, 99% of accounts monitored by email security firm Proofpoint were targeted by fraudsters in account takeover attempts, and 62% of those businesses were victims of a successful takeover.
Those are a lot of numbers that tell a similar story: Account takeovers represent a massive threat to companies that are losing money, time, and data to bad actors, and as we said above, these attempts are rising in sophistication and sheer volume.
The vital question is this: How does your business protect itself and battle back? Fortunately, the advice here is simple, even if ensuring your team follows best practices can be more complex.
Why bookmarking login pages works
It sounds laughably simple, but the best protection against account takeovers is starving bad actors of an opportunity to ensnare you. For any systems you log in to, it’s best practice to bookmark them and only access them through that bookmark.
Fraudsters excel at building login pages that look legitimate at first glance and may even closely (though never exactly) match the real thing, counting on users crunched for time simply Googling or using email to access a login they never bothered to bookmark. If a user is in enough of a hurry, they may not notice subtle signs that something is wrong until it's too late.
We’ll discuss email security a little later, but this advice extends to any message urging a user to click a link to access their account. If something is legitimately wrong, a user can log in through the bookmarked link to resolve the issue, so it will never be necessary to navigate through a potentially fraudulent link sent to them via email, a messenger service, and so forth.
By ensuring everyone on your team is only using vetted, bookmarked links to access bank accounts, payment platforms, and other critical systems, you can stop account takeover attempts dead in their tracks. As simple as it sounds, this is the single most effective way to protect your business from this kind of fraud.
Strengthen your passwords now
Fraudsters who do not lure you in via fake login pages may try to simply power their way into your account. This may take the form of a bad actor purchasing stolen credentials and passwords from the dark web, or it might be an all-out assault where a bad actor tries hundreds or even thousands of common passwords to gain access.
While any third party you work with should have sophisticated monitoring that notices new devices attempting logins and an unusual number of wrong attempts, and subsequently shuts them down, your own internal systems need to be protected as well. Mandating that users either use tools to generate highly secure, largely random passwords or at least use stronger ones than “password123”, and that they change them frequently, is a best practice to ensure stolen credentials are quickly rendered useless and brute force attacks fail.
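As an added illustration of the monitoring described above (example code written for this article, not from the original text or any particular vendor), the following script runs over a few constructed login-log lines, locks an account after repeated failures inside a short window, and flags successful logins from devices it has not seen before. The log format, the thresholds, and the device identifiers are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system):
# timestamp, user, source IP, device identifier, outcome
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.5 dev-a1 OK
2024-05-01T09:00:10 bob 198.51.100.9 dev-b7 FAIL
2024-05-01T09:00:12 bob 198.51.100.9 dev-b7 FAIL
2024-05-01T09:00:15 bob 198.51.100.9 dev-b7 FAIL
2024-05-01T09:00:19 bob 198.51.100.9 dev-b7 FAIL
2024-05-01T09:00:22 bob 198.51.100.9 dev-b7 FAIL
2024-05-01T09:01:00 bob 198.51.100.9 dev-b7 OK
2024-05-01T10:30:00 alice 192.0.2.44 dev-z9 OK
"""

# Devices each user has previously logged in from (assumed baseline).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b7"}}

FAIL_THRESHOLD = 5            # failures inside WINDOW that trigger a lock
WINDOW = timedelta(minutes=5)  # sliding window for counting failures


def parse(line):
    ts, user, ip, device, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, device, outcome


def analyze(log_text, known_devices):
    """Return (alerts, locked): alerts as (timestamp, user, reason) tuples."""
    alerts, locked = [], set()
    failures = defaultdict(deque)                       # user -> recent failure times
    seen = {u: set(d) for u, d in known_devices.items()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device, outcome = parse(line)
        if user in locked:                              # nothing gets through a locked account
            alerts.append((ts, user, f"attempt from {ip} while locked"))
            continue
        if outcome == "FAIL":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:             # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                locked.add(user)
                alerts.append((ts, user, f"{len(q)} failures within {WINDOW} from {ip}; locked"))
            continue
        if device not in seen.setdefault(user, set()):  # success, but from an unseen device
            alerts.append((ts, user, f"login from new device {device} at {ip}; verify"))
            seen[user].add(device)
    return alerts, locked
```

In practice the lock would feed an alert to the fraud team and the new-device case would trigger step-up verification rather than just a log entry.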
Train and educate your team today
Account takeover attempts can come in the form of phishing attacks, which in turn can go hand in hand with Business Email Compromise. A fraudster may send an urgent-sounding email that appears to come from a customer, an executive within the company, or a partner and that urges you to click on a link to resolve an issue.
A harried user trying to do the right thing may not take the time to slow down before clicking, and once they click, the red flags that pop up may not be noticed. This is an understandable and even noble impulse—you want to do right by your team, customers, and partners—but it can lead to a terrible outcome.
Training and education are necessary to ensure the first impulse doesn’t result in an account takeover. While counterintuitive, fighting back often means slowing down, something that can only happen when users know what to look for and have their organization’s blessing to take a breath and follow best practices. Training your staff to look for suspicious signs, access logins via vetted, bookmarked links, and quickly escalate suspicious-sounding messages to information security and fraud prevention teams is vital to preventing ruinous mistakes.
Make sure your partners protect you
Educating and protecting your team is the number one priority, and the best way to prevent account takeover. You also likely use a web of third-party systems to perform vital functions like making payments, reviewing invoices, and procuring goods, and it’s important that you understand just how secure those systems are, as well.
You want to vet new partners to understand how they protect against account takeover, including the methods they use to monitor systems, shut down illegitimate access, and educate your team about rising threats. For existing partners, have a conversation about these same topics if you do not already understand the level of security they have in place, with a particular focus on multi-factor authentication as a means of protection. Unless your account is already actively compromised, MFA can mean the difference between a fraudster merely having credentials and actually gaining access to accounts.
Above all, you want to work with partners who understand the scope of account takeover and the best ways to prevent it. Securing your own in-house platforms and people and then suffering account takeover because the platforms you rely on aren’t willing or able to go to the same lengths is not just frustrating; it’s hugely damaging.
There is no one way to prevent account takeover, but following these best practices will help you avoid this kind of fraud. With account takeover growing in popularity among fraudsters and more businesses falling victim every day, and with the outsized reputational and monetary costs that come with compromised accounts, it has never been more important to ensure you’re well-protected.
Now is the time to audit your best practices, train your team, and ask tough questions of your partners. The alternative is waiting until your accounts are already compromised.