These articles are for general information purposes only and are not intended to provide legal, tax, accounting or financial advice. PNC urges its customers to do independent research and to consult with security, financial and legal professionals before making any financial decisions. This site may provide reference to internet sites as a convenience to our readers. While PNC endeavors to provide resources that are reputable and safe, we cannot be held responsible for the information, products or services obtained on such sites and will not be liable for any damages arising from your access to such sites. The content, accuracy, opinions expressed and links provided by these resources are not investigated, verified, monitored or endorsed by PNC.
Account Takeover
What is Account Takeover?
Account takeover (ATO) is a form of online identity theft in which a criminal gains unauthorized access to an online account belonging to someone else. Targeted accounts include social media profiles, ecommerce accounts, and financial accounts.
Account access is gained through a variety of methods, including:
- Social engineering methods, such as phishing, smishing (phishing via text message) and vishing (phishing via voice message)
- Brute-force break-ins – bad actors will flood an account's log-in page with attempts to break in, especially if the page doesn’t have a limit on access attempts
- Credential stuffing – bad actors can use bots to test different credential combinations from leaked account information until they succeed in gaining access to the targeted account
- Password reuse and weak passwords – reusing a password for multiple accounts or using common, easy-to-guess passwords like “password” or “123456”
- Malware attacks, against either individual or mass targets, such as data breaches
- Stealing personal information via outside mailboxes and dumpsters, telemarketing scams, computer hacking, and even through thieves bribing retailers or other institutions to copy down information about customers.
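The brute-force and credential-stuffing patterns described above look different in log-in records, and a service operator can tell them apart from the defender's side. The following Python sketch is an added example, not part of the original article: the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events: (source_ip, username, succeeded)."""
    # One source guessing repeatedly at a single account
    events = [("203.0.113.10", "alice", False)] * 12
    # One source trying many accounts once each; one leaked pair works
    events += [("198.51.100.7", f"user{i}", i == 17) for i in range(20)]
    # Ordinary customer: one typo, then a successful log-in
    events += [("192.0.2.55", "bob", False), ("192.0.2.55", "bob", True)]
    return events

def classify_sources(events, max_failures_per_account=5, max_failed_accounts=10):
    """Label each source by the shape of its failed log-ins.

    The thresholds are assumed values for this example, not recommendations.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    successes = defaultdict(set)                      # ip -> users logged in
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip][user] += 1

    report = {}
    for ip in set(failures) | set(successes):
        per_account = failures[ip]
        if len(per_account) > max_failed_accounts:
            # Failures spread thinly over many accounts: leaked-credential testing
            label = "credential_stuffing"
        elif any(n > max_failures_per_account for n in per_account.values()):
            # Failures concentrated on one account: password guessing
            label = "brute_force"
        else:
            label = "normal"
        # A success from a flagged source is an account to lock and reset
        review = sorted(successes[ip]) if label != "normal" else []
        report[ip] = {"label": label, "accounts_to_review": review}
    return report

if __name__ == "__main__":
    for ip, result in sorted(classify_sources(sample_events()).items()):
        print(ip, result)
```

A per-account attempt limit alone catches the first pattern but not the second, because credential stuffing stays under that limit on every individual account.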
Taking Action
Anyone and any account can be a target of ATO. The Twitter cyberattack in 2020, where several high-profile verified accounts were taken over, was an example of ATO with the goal of defrauding the targeted accounts’ followers.
While some people may not think to take action for their accounts until news of a data attack strikes, you can practice cyber awareness before the worst happens.
- Avoid doing financial activity or commerce on public Wi-Fi. While public Wi-Fi is convenient for taking care of things on the go, these networks can be less secure, which makes them ideal for attackers looking to steal credential information.
- Enable multi-factor authentication for your accounts. Multi-factor authentication allows you to review any changes made to your accounts, such as password change requests, as well as adding another layer of security required to log in to your account, such as a One Time Passcode.
- Avoid revealing personal information. Social media quizzes often ask for personal information that is also used in security questions, such as birth dates, pet names and childhood homes. NEVER respond to these – even though they seem harmless, attackers can use this information to crack an account.
- It’s okay not to trust that email, text or call. Go directly to the website instead of clicking on a provided link or hang up and call a confirmed number you have on file. (For example, the contact number on the back of your credit card, or the number on the company’s direct website.) Don’t respond directly to the communicator themselves – reach out to the company directly.