
Feb 11, 2025

Account Takeover: Definition, Risks, and Prevention Tips

Account takeover is a fraudulent transaction scheme that causes both emotional and financial damage. Learn more about its definition, risks, and how to prevent it.


Data from the Financial Services Authority (OJK) reveals that Indonesia’s 10 largest banks suffered customer losses of up to IDR 2.5 trillion between 2022 and 2024.

Do you know the main cause of these losses? Customers unknowingly shared their OTP codes with scammers, leading to their bank accounts being hijacked. This is what is known as account takeover.

Meanwhile, in Singapore, account takeover fraud doubled within a year. Account takeover is a global issue. Behind these staggering losses are victims who lose their life savings in an instant. In other words, account takeover is not a minor fraud—it leaves its victims in financial distress.

What is account takeover? What are the risks? And how can you prevent it? Read on to find out!

Definition of Account Takeover

Account takeover is a cyberattack where criminals gain unauthorized access and take control of a person’s online account. Another term for account takeover is account hijacking. This happens when scammers obtain an account’s password, PIN, or OTP through phishing, malware, or other fraudulent methods.

Once an account is taken over, scammers can steal the victim’s personal information, conduct unauthorized transactions, or even drain their bank accounts. Account takeover not only leads to financial loss but also breaches personal privacy.

Some warning signs that your account may be compromised include receiving notifications of suspicious activity. Here are a few red flags to watch out for:

  1. Login Alerts from Unknown Locations or Devices
    If you receive a login notification from a location or device you don’t recognize, be cautious. Security systems usually send these alerts when they detect unusual access attempts.

    These notifications may include recommendations to enable two-factor authentication (2FA). If you receive one, immediately update your password or PIN to secure your account.

  2. Unexpected Changes to Personal Information and Account Activity
    If you notice unauthorized changes in your account settings—such as email, phone number, or password modifications—it may be a sign of account takeover.

    Additionally, unusual activity like unauthorized transactions or messages sent from your email or phone number could indicate that a fraudster is in control of your account.

    To prevent this, regularly monitor your account settings. If you detect any suspicious changes, reset your password or PIN immediately.

  3. Inability to Log into Your Account
    If your usual password or PIN no longer works, your account may have been hijacked. Scammers often change login credentials as soon as they gain control.

    If this happens, try to recover your account using the “Forgot Password” option. If you’re still locked out, contact customer support immediately.

  4. Receiving Unexpected Password Reset Emails
    If you receive an email requesting a password reset that you didn’t initiate, someone might be attempting to take over your account. Scammers often try to reset passwords to gain full control.

    Never click on links in these emails, as they might lead to fake phishing websites. Instead, log in to your account through the official website or app to check for suspicious activity. If necessary, update your password and enable additional security measures.
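On the service side, the first two red flags can be correlated into one detection rule: a sensitive account change made from a device that only just appeared. The Go sketch below is an added example, not code from the original article; the event names, the log layout, and the 24-hour window are assumptions, and the sample events are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one row of a hypothetical account audit log (field names are assumptions).
type Event struct {
	Account, Kind, Device string
	At                    time.Time
}

const Window = 24 * time.Hour // how long a device counts as "new" after its first login

// Changes that lock the owner out or redirect account recovery.
var sensitive = map[string]bool{"email_change": true, "phone_change": true, "password_change": true}

// Detect takes events sorted by time and returns one alert per sensitive change made
// from a device whose first login is less than Window old or was never recorded.
func Detect(events []Event) []string {
	firstLogin := map[string]time.Time{} // "account|device" -> first login seen
	var alerts []string
	for _, e := range events {
		key := e.Account + "|" + e.Device
		seen, known := firstLogin[key]
		switch {
		case e.Kind == "login" && !known:
			firstLogin[key] = e.At
		case sensitive[e.Kind] && (!known || e.At.Sub(seen) < Window):
			alerts = append(alerts, fmt.Sprintf("%s: %s from new device %s", e.Account, e.Kind, e.Device))
		}
	}
	return alerts
}

// Sample returns constructed events: alice uses her usual phone, bob gets a first-time device.
func Sample() []Event {
	t0 := time.Date(2025, 2, 1, 9, 0, 0, 0, time.UTC)
	return []Event{
		{"alice", "login", "phone-A", t0},
		{"alice", "password_change", "phone-A", t0.Add(72 * time.Hour)},
		{"bob", "login", "phone-B", t0},
		{"bob", "login", "device-X", t0.Add(96 * time.Hour)},
		{"bob", "phone_change", "device-X", t0.Add(96*time.Hour + 4*time.Minute)},
		{"bob", "password_change", "device-X", t0.Add(96*time.Hour + 5*time.Minute)},
	}
}

func main() { fmt.Println(Detect(Sample())) }
```

Alice's password change on her established phone raises nothing, while both of Bob's changes made minutes after a first-time device logged in are flagged for step-up verification or review.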

Risks of Account Takeover

  1. Losing Access to Important Accounts
    The biggest risk of account takeover is permanently losing access to your account. Scammers typically change passwords, recovery emails, and other credentials to lock victims out.

    In Indonesia, a case was reported where a digital lending service user discovered that someone had taken out hundreds of millions of rupiah in loans under their name, without their knowledge. The cause? Their account had been hijacked by scammers.

  2. Misuse of Personal Data
    Once scammers gain access, they can steal sensitive information such as personal details, addresses, bank accounts, and transaction histories. This data can be exploited for illegal activities like fraudulent transactions or online gambling registrations.

  3. Financial Loss
    VIDA’s data shows that financial institutions are the primary targets of account takeover fraud. The damage isn’t just account misuse or data theft but also direct financial losses.

    Fraudsters often use hijacked accounts for unauthorized transactions, loan applications, or even to withdraw all funds from a victim’s account.

  4. Phishing and Further Fraud
    A long-term consequence of account takeover is that stolen data is used for additional scams. For instance, hacked WhatsApp accounts are often used to send fake messages to friends and family, asking for money. This tarnishes the victim’s reputation and spreads fraud further.

How to Prevent Account Takeover

Given the serious financial, emotional, and reputational risks, it’s essential to understand how to prevent account takeover. Many still believe that OTP-based two-factor authentication (2FA) is the best way to prevent account takeover. Unfortunately, advancements in technology have made OTPs less secure.

Scammers now use social engineering techniques to trick users into sharing their OTPs, turning OTPs into an entry point for fraud. So, what’s the best way to prevent account takeover?

The answer lies in device authentication and facial authentication. Here’s how each method works:

1. Device Authentication

Since account takeover fraud can be carried out from any device, it’s crucial to ensure that an account can only be accessed from a single, verified device. This is where device authentication comes in.

When users register on an app, the system authenticates their device, ensuring that only this registered device can access the account.

VIDA provides a device authentication solution called PhoneToken. When users download an app, PhoneToken automatically binds to their device. This means that all account access is limited to the registered device.

This technology embeds Public Key Infrastructure (PKI) into the user’s device. From the user’s perspective, they simply log in as usual. But for fraudsters, accessing the account from an unauthorized device becomes impossible.
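The general idea behind PKI-based device binding, as an added Go example that is not VIDA's PhoneToken code: the device signs a fresh server challenge with a private key that never leaves it, so a password or OTP obtained by phishing is not enough to log in from another device. The Ed25519 choice, the in-memory server, and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Added illustration of device binding; names and the Ed25519 choice are assumptions.
type Server struct {
	enrolled map[string]ed25519.PublicKey // account -> public key of its one bound device
	pending  map[string][]byte            // account -> nonce awaiting a signature
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// NewDeviceKey stands in for the phone's keystore; the private key never leaves the device.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
func (s *Server) Enroll(account string, pub ed25519.PublicKey) { s.enrolled[account] = pub }

// Challenge issues a fresh random nonce that the device must sign.
func (s *Server) Challenge(account string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never continue with a predictable nonce
	}
	s.pending[account] = nonce
	return nonce
}

// Verify consumes the nonce (single use, so no replay) and checks the enrolled key's signature.
func (s *Server) Verify(account string, sig []byte) error {
	nonce, ok := s.pending[account]
	delete(s.pending, account)
	if pub, bound := s.enrolled[account]; !ok || !bound || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("login refused for %s: not signed by the enrolled device", account)
	}
	return nil
}

// Login runs one challenge-response round from a device holding priv.
func Login(s *Server, account string, priv ed25519.PrivateKey) error { return s.Verify(account, ed25519.Sign(priv, s.Challenge(account))) }

func main() {
	s := NewServer()
	pub, priv, _ := NewDeviceKey()
	_, other, _ := NewDeviceKey() // a second phone that was never enrolled
	s.Enroll("alice", pub)
	fmt.Println("enrolled:", Login(s, "alice", priv), "| other:", Login(s, "alice", other))
}
```

The server stores only the public key, so a leak of its database does not let anyone sign as the device.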

2. Facial Authentication

Facial authentication, or biometric authentication, verifies an individual’s biometric data (face, fingerprint, or retina) to ensure only the legitimate account owner can access their account.

VIDA has introduced FaceToken, a facial authentication solution that combines face matching and liveness detection, binding a user’s biometric identity directly to their device.

When users activate FaceToken, their biometric data is securely encrypted and can only be used on their registered device. Even if fraudsters obtain the user’s username and password, they won’t be able to access the account because FaceToken ensures authentication must be performed by the actual, live user.

Account takeover is a serious cybercrime that can cause financial, emotional, and reputational damage. Don’t let yourself become a victim of account takeover in the digital transaction era.

Learn more about VIDA PhoneToken and FaceToken to protect your accounts and prevent fraud.

VIDA - Verified Identity for All. VIDA provides a trusted digital identity platform.
