    Account Takeover Protection Strategies for Hospitals

    Account takeover attacks (ATOs) happen when a bad actor acquires the credentials or otherwise gains unauthorized access to a business's or individual's online account. Once accessed, the attacker can use the account for fraud, monetary theft, identity theft, or perpetrating additional cyberattacks.

    Incidences of this type of attack are on the rise, and they can be devastating for many organizations, especially healthcare providers. According to a recent Global Identity and Fraud Report, “57 percent of businesses are reporting higher losses associated with account opening and account takeover fraud in [2020], compared to 55 percent in 2018 and 51 percent in 2017.”

    The harm that ATOs inflict on hospitals is multipronged and compounding in nature. They can damage the organization’s reputation, result in lost funds, and generate chaos in terms of transaction disputes and chargebacks. All of that further promotes defection among existing clients while discouraging new ones.

    Cyberattacks continue to grow in diversity and sophistication, meaning healthcare organizations need to be vigilant about cybersecurity and email security now more than ever. Fortunately, the knowledge, tools, and strategies defenders need to counteract these dangers are rapidly evolving as well.

    Account Takeover Methods

    Credential Stuffing

    Many people reuse the same password across multiple accounts, enabling attackers to capitalize on one breach and take over the maximum number of accounts possible. This technique is known as credential stuffing, and it is why repeating passwords results in such a high degree of vulnerability.
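    An added detection sketch for the pattern described above (not part of the original article): a source that tries many distinct usernames and mostly fails is replaying a breached list, and any account it did open needs a reset. The log format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log (time, source IP, username, result); not real data.
SAMPLE_LOG = """\
09:00:01 203.0.113.7 a.meier fail
09:00:02 203.0.113.7 b.keller fail
09:00:03 203.0.113.7 c.frei fail
09:00:04 203.0.113.7 k.huber ok
09:00:05 203.0.113.7 d.graf fail
09:00:06 203.0.113.7 e.lang fail
09:02:10 198.51.100.20 m.roth fail
09:02:25 198.51.100.20 m.roth fail
09:02:40 198.51.100.20 m.roth ok
09:05:00 192.0.2.44 a.meier ok
09:05:30 192.0.2.44 c.frei ok
"""

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when it tries many distinct usernames and most
    attempts fail, unlike one user retrying their own password.
    """
    tried = defaultdict(set)      # ip -> usernames attempted
    opened = defaultdict(set)     # ip -> usernames with a successful login
    fails = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        _, ip, user, result = parts
        tried[ip].add(user)
        total[ip] += 1
        if result == "ok":
            opened[ip].add(user)
        else:
            fails[ip] += 1
    return {
        ip: sorted(opened[ip])
        for ip in tried
        if len(tried[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio
    }

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: reset and review {accounts}")
```

    The user who mistypes a password twice and the shared office address with only successful logins are both left alone; only the many-usernames, mostly-failing source is reported.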

    Phishing and Social Engineering

    In phishing attacks, bad actors use social engineering techniques to solicit personal, often financial, information. Attackers disguise phishing emails to appear legitimate and manipulate victims into giving away login credentials or access to sensitive information. The attackers will then use these credentials to enter the user's account on a legitimate application or website.


    Most commonly spread through phishing emails, malware is another primary means of account takeover attacks. Clicking a link or opening an attachment from an email can install keyloggers and other malware on the victim’s computer, which then send the victim's passwords back to the cybercriminals. The attackers can then use this information to take control of the victim’s account.

    How Account Takeover Works

    In a typical ATO email attack, a bad actor first attempts to gain access to a user's email. If this initial phase is successful, the criminal can leverage the trust and access capabilities the email account provides. They can direct further attacks on others from the user's email, resulting in lost funds, stolen data, or additional account breaches. This ATO strategy is especially effective and difficult to detect because the attacker weaponizes a trusted account from within.

    Phase 1: Gain Account Access

    Cybercriminals gain account access by using either malware or phishing attacks. Another option is to purchase credentials on the dark web that other bad actors have already harvested (sometimes via mass data breaches).

    Phase 2: Establish Account Control

    After acquiring account access, cybercriminals want to establish control and maintain it. That allows them ample time to gather information and carry out as much planned activity as possible. As such, attackers will take steps to ensure they remain undetected during this time. Their strategies might include:

    • Setting up email forwarding to discreetly monitor activity
    • Altering password-change processes to prevent loss of access
    • Automating rules and programs to cover up evidence of malicious actions
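    The persistence steps listed above leave traces in mailbox rules, so a periodic rule audit is a practical check. The following is an added example, not part of the original article; the rule export, its field names, the domains and the keyword and folder lists are hypothetical and would need mapping to your mail platform's actual export.

```python
ORG_DOMAINS = {"hospital.example"}   # assumption: the organisation's own mail domains
SENSITIVE = ("password", "reset", "security", "suspicious", "verification")
HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "Junk Email"}   # assumed folder names

# Constructed rule export. Field names are hypothetical, not a mail platform's schema.
SAMPLE_RULES = [
    {"mailbox": "a.meier@hospital.example", "name": "Newsletters",
     "keywords": ["newsletter"], "forward_to": [], "delete": False, "move_to": "Reading"},
    {"mailbox": "k.huber@hospital.example", "name": ".",
     "keywords": [], "forward_to": ["collector@mail.example"],
     "delete": False, "move_to": None},
    {"mailbox": "k.huber@hospital.example", "name": "..",
     "keywords": ["Password reset", "suspicious sign-in"], "forward_to": [],
     "delete": True, "move_to": None},
]

def audit_rule(rule):
    """Return the reasons one inbox rule looks like attacker persistence."""
    findings = []
    # Forwarding outside the organisation lets someone read mail without logging in.
    external = [a for a in rule["forward_to"]
                if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]
    if external:
        scope = "all mail" if not rule["keywords"] else "matching mail"
        findings.append(f"forwards {scope} to external address")
    # Deleting or burying password and security notices keeps the owner unaware.
    hides = rule["delete"] or rule["move_to"] in HIDING_FOLDERS
    if hides and any(w in k.lower() for k in rule["keywords"] for w in SENSITIVE):
        findings.append("hides password or security notifications")
    return findings

def audit(rules):
    """Map (mailbox, rule name) to findings for every rule that raised any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report

if __name__ == "__main__":
    for (mailbox, name), findings in audit(SAMPLE_RULES).items():
        print(mailbox, repr(name), findings)
```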

    Phase 3: Monitor Account Activity

    If the cybercriminal is patient enough to implement this largely passive third phase, it will pay off in the degree to which they can exploit the user and their account. The attacker will lie low and conduct all the reconnaissance they can to determine the full extent of vulnerabilities and opportunities present. For example, they may want to find out:

    • Whether the account gives them direct access to funds or data that they can profit from
    • Whether they can exploit the user's contacts for their purposes if the account itself does not prove advantageous enough (perhaps by inserting themselves into a transactional conversation or otherwise impersonating the user)
    • Whether they can gain access to other accounts (especially those of high-profile individuals) employing the user's email

    Phase 4: Launch Attack

    After a cybercriminal has identified the best avenues for exploitation, it is time to launch the next attack. If the user's account proves to be a direct path to extracting money or sensitive data, the attacker will go ahead and exfiltrate what they want. They may also launch one or multiple types of attacks on the user's contacts. This activity might come in the form of mass phishing campaigns to garner more credentials (infiltrating deeper into the organization) or more targeted scams such as business email compromise.

    Phase 5: Exfiltrate Sensitive Information or Funds

    The end of each ATO attack cycle involves acquiring either data or funds from the targeted accounts. A bad actor may continue malicious activities until the organization stops them or until they have exhausted all exfiltration possibilities. They may also repeat similar attacks on various user accounts compromised through the initial breach. Profit is typically the goal of any ATO attack.

    How to Protect Your Organization against Account Takeover

    Employee Training

    Strengthen Password Requirements

    In the interest of email security and cybersecurity overall, organizations should not be neglectful about password practices. Passwords for company accounts should follow stringent rules, and user passwords must be challenging for anyone to guess.

    Attackers routinely research individuals. They will capitalize on publicly available information such as birthdays or family names to better their chance of success. Avoiding this low-hanging-fruit type of information when creating passwords lowers the possibility of a breach via "brute force" techniques (exhaustive trial-and-error guessing).

    Use Multi-factor Authentication

    Implementing multi-factor authentication whenever possible strengthens security because it means that credentials alone are not sufficient to allow an attacker access. It is not uncommon for many account providers to require a user to provide a phone number or answers to security questions, for example, when setting up an account.

    Even more robust methods involve possession of something physical in addition to known information like passwords. This physical key could be an object such as a token or a user's biometrics, which a camera or sensor could assess while logging in.

    A Proactive, Machine-intelligent Email Security Solution

    Machine-intelligent programs are ideal for email security, as they can learn what a normal workflow looks like within an organization. They can look for patterns within data sets and then utilize that background knowledge to identify communication anomalies. If anything unusual or suspicious occurs, the program will flag it.

    For example, if one user emails another person they do not usually interact with, that can raise concerns. Or, if someone who dependably logs in from one location suddenly appears to be logging in from elsewhere, the program will detect and flag this aberration. From there, the security team can investigate to determine whether the suspicions were justified.
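    The two signals just described, reduced to a plain per-user baseline (an added example, not part of the original article and not how any particular product works; it uses simple set membership rather than a learned model). Event fields, users and locations are constructed, and the minimum-history threshold is an assumption that keeps new accounts from being flagged.

```python
from collections import defaultdict

class UserBaseline:
    """Per-user record of usual login locations and mail recipients."""

    def __init__(self, min_history=3):
        self.min_history = min_history   # events needed before a baseline is trusted
        # (user, kind) -> value -> number of times seen
        self.seen = defaultdict(lambda: defaultdict(int))

    def learn(self, event):
        self.seen[(event["user"], event["kind"])][event["value"]] += 1

    def check(self, event):
        """Return a reason string if the event deviates from the baseline, else None."""
        history = self.seen[(event["user"], event["kind"])]
        if sum(history.values()) < self.min_history:
            return None                  # too little history to call anything unusual
        if event["value"] not in history:
            label = "login location" if event["kind"] == "login" else "recipient"
            return f"{event['user']}: new {label} {event['value']}"
        return None

# Constructed events: "kind" is "login" (value = location) or "mail" (value = recipient).
HISTORY = (
    [{"user": "k.huber", "kind": "login", "value": "Zurich"}] * 3
    + [{"user": "k.huber", "kind": "mail", "value": "a.meier@hospital.example"}] * 2
    + [{"user": "k.huber", "kind": "mail", "value": "b.keller@hospital.example"}]
    + [{"user": "n.new", "kind": "login", "value": "Bern"}]
)
NEW_EVENTS = [
    {"user": "k.huber", "kind": "login", "value": "Zurich"},
    {"user": "k.huber", "kind": "login", "value": "Singapore"},
    {"user": "k.huber", "kind": "mail", "value": "billing@vendor.example"},
    {"user": "n.new", "kind": "login", "value": "Basel"},
]

def flag_anomalies(history, new_events, min_history=3):
    """Learn the baseline from history, then return a reason for each deviating event."""
    baseline = UserBaseline(min_history)
    for event in history:
        baseline.learn(event)
    return [reason for e in new_events if (reason := baseline.check(e))]

if __name__ == "__main__":
    for reason in flag_anomalies(HISTORY, NEW_EVENTS):
        print("FLAG", reason)
```

    Each flag is a prompt for the security team to investigate, not a verdict: a user who travels or contacts a new supplier produces the same signal.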

    With the help of these advanced systems, healthcare organizations can proactively protect themselves against ATO attacks. Machine intelligence can process vast swaths of data faster and more decisively than any cybersecurity team. However, the best setups combine this type of detection with human oversight, so every potential threat is handled appropriately.

    If you’re looking to protect your organization against account takeover attacks, xorlab ActiveGuard can help. Get a look at how the solution can work for you with a free demo.