Account takeover (ATO) is an increasingly strong threat to the world’s businesses. Not only are the resources of the company at risk from unauthorized access through ATO, but customers can also be seriously harmed by it.

If you are short of time and just need to glance over the tools we review below, here is our list of the ten best account takeover prevention systems:

  1. Avanan Account Takeover Prevention An email protection system that focuses on detecting phishing and impersonation attempts.
  2. SpyCloud ATO Prevention This provider produces both employee and customer account takeover prevention systems.
  3. Okta Account protection systems for workforce and customer accounts.
  4. Sift Account Defense Roots out fake accounts and protects the accounts of genuine users.
  5. Digital Shadows SearchLight Uses a multi-thread approach to protect employee accounts.
  6. Shieldsquare Bot Mitigation This company produces a range of account protection software focusing on websites, mobile devices, and APIs.
  7. Iovation LaunchKey A range of authentication hardening measures.
  8. Experian Fraud prevention, device intelligence, and knowledge-based questioning to block account takeover.
  9. Agari Advanced threat protection, brand defense, incident response, and fraud protection.
  10. Netacea Account Takeover Prevention Uses AI processes to identify normal behavior and then spot anomalous actions.

Account takeover prevention is an important part of system security and an essential service to customers. An intruder who breaks into a customer account is able to see the personal and financial information stored on your system. That confidentiality breach makes you legally liable and will also break your accreditation to data protection standards. So, a compromise of your customers’ accounts has serious financial and legal consequences for you, not just for those customers.

Consumer-facing businesses that don’t take proper measures to protect customer accounts will also experience a loss of reputation. That will lead to a loss of customers and it will make it difficult for your company to win new customers. Weak account protection will also be a concern to your business partners. You might find that other businesses are less interested in doing business with your company if the details about them that you hold on your system are not sufficiently protected.

Account takeover prevention is a necessity for any company that uses IT systems in its normal course of business. That means, practically every company.

Security policies

You need to put in place a number of policies before you embark on your account security improvements.

Many account takeover prevention measures can be implemented through working practices and user education because errors by users in the way they use their accounts provide the main access routes for account hijackers.

Account takeover strategies concern how your system administration monitors account activity and how it responds to suspicious behavior as much as they concern tightening up access procedures.

You need to consider the following approaches:

  • User education
  • Intrusion prevention systems
  • Anti-phishing firewalls
  • Email content filtering
  • Access hardening
  • Account takeover prevention

Account takeover prevention is a category of security software, which we will explain further.

Account Takeover Prevention in ITIL

Account Takeover prevention falls into the Security Management section of ITIL. This is registered as ISO/IEC 27001:2005. The primary goal of this process is to control access to information and that means making access credentials sufficiently tight so that an accidentally disclosed password does not result in data loss.

Access control should ensure confidentiality, integrity, and availability. An access control strategy should be written in conjunction with the service level agreements (SLAs) to which the company is committed within its contracts.

The security management process is divided into four activities:

  • Control
  • Plan
  • Implement
  • Evaluate

The Control action involves defining account protection requirements and setting policy. The Plan action requires the creation of security commitments in SLAs, the creation of contracts to support those commitments, and the definition of operational needs in order to implement those commitments. The Implementation activity requires the creation of asset classification and control documents, personnel security training, security policies, and access control.

The core of the Implementation action is the Access Control sub-activity. This requires fine-tuning the security measures available in existing access rights management systems, and buying in extra security software to reinforce those measures should they have been assessed to be insufficient.

The Evaluation action requires self-assessment from the IT department, an internal audit, and an external audit. Any weaknesses identified at each stage of the Evaluation process should be addressed before progressing to the next sub-activity in the Evaluation action.

Vulnerable accounts

Employee user accounts are easier to protect than accounts open to the general public. This is because you have a clear idea of who needs access to the system. However, a system that encourages self-created accounts is open to the creation of fake accounts, which are set up purely with the intention of damaging the company’s reputation or exploring ways to exploit the system.

Automatically-generated account requests also need to be rooted out. These fake accounts are created by automated processes set up by hackers.

Abandoned accounts are another form of unproductive account, both in the employee sphere and in customer areas. These accounts that are no longer active need to be identified and removed from the system because they are gateways for intruders.

Account theft

The main point of weakness in any user account system comes from hijacked accounts. These are valid accounts that get appropriated by intruders. Employee accounts and paid-for accounts have fewer possibilities of credentials disclosure than free accounts. An account that costs the user nothing to set up has less value than credentials that guard important information and financial data that the account holder values.

Accounts that have value to the user can still be compromised through trickery. Phishing scams involve a hacker-controlled copy of a website. The user is tricked into entering the account credentials into the fake site, which gives the username and password to the hacker.

Another trick to win account credentials comes in the form of an impersonation scam. An overworked employee receives a call from a supposed colleague claiming to have been locked out of the system and needing to complete an important task. The victim is asked for his account login details as an urgent measure. This trick often works, but it requires research into the names and habits of at least two employees of the business.

The amount of damage that account hijacking can cause depends on the privileges allowed to the compromised account. Therefore, categorizing accounts by their importance is a strategy that can focus account takeover prevention actions on the most important accounts on the system.

Account protection measures

There are procedural steps that you can take to prevent account takeover and there is specialist system software that you can buy to help you implement stronger account security.

Whether the account scope that needs to be protected serves in-house users or customers, your account protection strategy needs to be sufficiently intelligent so that it allows genuine users to continue to enjoy full access to their system accounts.

Identifying compromised accounts is the hardest task in ATO prevention. Many of these systems deploy innovative technologies, such as artificial intelligence in order to pick off the intruders without hindering legitimate users.

Remediation methods need to be swift and can be implemented automatically by the account takeover prevention software. You will be able to allow the security software to suspend accounts so that intruders no longer have access.

Post-intrusion actions

The success of your post-intrusion measures will either save or worsen the situation. Compromised accounts should be suspended rather than deleted. Particularly in the case of customer accounts, the user might want to continue having access and shouldn’t be penalized because of the actions of an intruder.

Your automated process might not be able to spot hijacked accounts. However, one hacker strategy is to alter the account recovery processes in the profile’s settings and then change the password, making it impossible for the legitimate user of the account to gain access.
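The sequence described above (recovery settings altered, then the password changed) can be searched for in account audit events. The following is an added example, not part of the original article or any vendor's product; the event names, the 30-minute window, and the per-account baseline of known source addresses are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events (not from a real system): time, account, action, source IP.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "login", "198.51.100.7"),
    ("2024-05-01T09:05:00", "alice", "password_change", "198.51.100.7"),
    ("2024-05-02T03:10:00", "bob", "login", "203.0.113.50"),
    ("2024-05-02T03:11:00", "bob", "recovery_email_change", "203.0.113.50"),
    ("2024-05-02T03:12:30", "bob", "password_change", "203.0.113.50"),
    ("2024-05-03T10:00:00", "carol", "login", "192.0.2.10"),
    ("2024-05-03T10:02:00", "carol", "recovery_phone_change", "192.0.2.10"),
    ("2024-05-03T18:00:00", "carol", "password_change", "192.0.2.10"),
]

# Assumed baseline: source addresses previously seen for each account.
KNOWN_SOURCES = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.20"},
    "carol": {"192.0.2.10"},
}

RECOVERY_ACTIONS = {"recovery_email_change", "recovery_phone_change"}  # hypothetical names
WINDOW = timedelta(minutes=30)  # assumed threshold


def find_lockout_sequences(events, known_sources, window=WINDOW):
    """Find recovery-setting changes followed by a password change within `window`."""
    last_recovery = {}  # account -> (time, ip) of the latest recovery-setting change
    findings = []
    for ts, account, action, ip in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if action in RECOVERY_ACTIONS:
            last_recovery[account] = (when, ip)
        elif action == "password_change" and account in last_recovery:
            changed_at, changed_ip = last_recovery.pop(account)
            if when - changed_at <= window:
                new_source = changed_ip not in known_sources.get(account, set())
                findings.append({
                    "account": account,
                    "recovery_changed": changed_at.isoformat(),
                    "password_changed": when.isoformat(),
                    "new_source": new_source,
                    # Suspend rather than delete, so the owner can recover the account.
                    "action": "suspend" if new_source else "review",
                })
    return findings
```

On the constructed events only bob's account is flagged: alice changed her password without touching recovery settings, and carol's two changes are hours apart and come from an address already seen for her account.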

Your system or sites should give clear instructions to users on how to recover their accounts in these situations. Usually, these procedures involve a call or an email to the system’s support desk, where the user can be queried further for identification. Those support technicians should be able to roll back account settings to allow the user to regain access quickly. However, the identification process should be sufficiently rigorous to prevent tricksters from getting access to accounts by posing as legitimate users.

Information about hijacking events needs to be stored for analysis to see what measures should be taken in order to prevent such account takeovers from happening again. However, these should not involve resetting passwords to give technicians access to the account. A hijacker might taint an account knowing that the takeover will be quickly reversed but carry out the action for the purpose of giving a corrupt technician access to the account.

There are many subtle lines in account takeover prevention – between controlling account access without locking out legitimate users and between shutting down compromised accounts while allowing continued activity by the legitimate owner of the account.

The management of these sensitive decisions shouldn’t be left to technicians. Human intervention leaves too much to the judgment of the individual and results in inconsistent treatment of users. Automated monitoring of accounts and remediation handle the problems caused by account takeover fairly and efficiently. Deploying ATO prevention software is a better strategy than training technicians in the field.

The best account takeover prevention software

Account takeover prevention is a growing specialization in cybersecurity. There are many worthy ATO prevention systems available. They don’t all use the same tactics. As outlined above, your account takeover prevention plan needs to start with a strategy. Once you have a policy that fits the specific activity of your business and its accounts, you will be able to assess which ATO prevention system fits your needs.

In order to present a wide enough selection that will cater to all protection strategies, we have created a shortlist of ten systems.

1. Avanan Account Takeover Prevention


Avanan offers a cloud-based account protection service that is available in three editions. The service is built with modules and each successively more expensive plan includes more modules. One of those modules is the Account Takeover Prevention service.

The ATO prevention system examines the origins of incoming emails, the behavior of user email accounts, the location of the devices logging into the system, and unexpected measures that undermine account security.

The Avanan system will automatically lock suspicious accounts by resetting their passwords and notify administrators of the discovery.

2. SpyCloud ATO Prevention


SpyCloud offers two types of ATO prevention: Employee ATO Prevention and Consumer ATO Prevention. Both systems are cloud-based. The employee account protection service includes more actions than the consumer version. This is because the employee protection system includes the monitoring of email activity and extra scrutiny of privileged accounts.

Both systems can be integrated into your existing interfaces through APIs, so the credential protection service doesn’t require the login procedure to be ported to a cloud server.

3. Okta


Okta’s ATO prevention systems are segmented into a Workforce Identity service and a Customer Identity service. Both are cloud-hosted services that can be called into software under development through APIs. The authentication services include multi-factor authentication, a single sign-on system, and a centralized access rights system to unify the various AD and LDAP controllers that run on your site.

4. Sift Account Defense


Sift Account Defense scans new account creation actions to spot fraudsters and prevents them from setting up fake accounts. The service also implements measures to protect genuine accounts from takeover. The purpose of the Sift strategy is to block bad accounts without disturbing genuine users.

The service uses AI techniques to compile a list of regular activities. It also pools the discoveries of threats on all of its clients’ sites to build up a constantly updated threat intelligence database, which informs activity scans and identifies suspicious accounts.

5. Digital Shadows SearchLight


SearchLight scans a system for account-related vulnerabilities. It also examines user behavior to identify compromised accounts. The service can be integrated into new applications through an API. The Digital Shadows system doesn’t include remediation measures. However, these can be sourced from two partner software houses.

6. Shieldsquare Bot Mitigation


Shieldsquare’s account protection services focus on blocking automated attempts at takeover. The system can detect the difference between contact by humans, by good bots, such as search engine web crawlers, and by bad bots that attempt to crack passwords on accounts.

The Shieldsquare methodology is AI-based and relies on machine learning to spot anomalous behavior. It also relies on blacklists and a threat intelligence database to spot repeat offenders.

7. Iovation LaunchKey


LaunchKey uses a different approach to account protection. It provides an app for mobile devices that enables access. That is, it adds an extra layer of protection and you make it impossible for users to access your network or website without going through that app.

The authentication process can be customized, allowing you to select from a range of security methods, such as two-factor authentication. The system also has a way to get customers to confirm financial transactions.

8. Experian

Experian is a credit reference agency that has branched out into a range of account security services and fraud protection. The company’s Fraud Prevention Platform includes customer account takeover prevention. The Experian Digital Device Intelligence is able to identify fake accounts and block fraud attempts without disrupting the user experience of legitimate customers. The company’s Knowledge-Based Authentication system helps root out impersonators while allowing access to genuine users.

9. Agari


Agari Advanced Threat Protection and Agari Incident Response combine to provide ATO prevention and mitigation. The Advanced Threat Protection service includes ATO prevention. It monitors the source of emails for known scammer locations and also examines the locations of those attempting to log in to an account.

The app monitors both incoming and outgoing mails, looking for interaction patterns that indicate that the credential might have been given away. Threat intelligence causes the Agari system to block mails from known suspicious actors.

10. Netacea Account Takeover Prevention


Netacea Account Takeover Prevention uses machine learning to identify credential stuffing and brute force password cracking attempts. The system doesn’t rely on just blocking log-in attempts from a particular source because hackers are known to direct their password cracking attempts through multiple locations.
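To illustrate why per-source blocking alone falls short, the added example below (not Netacea's method and not from the original article) compares a per-source failure threshold with a simple aggregate check over all sources in the same minute. The thresholds and function names are assumptions, and the failed-login records are constructed.

```python
from collections import defaultdict


def build_sample():
    """Constructed failed-login records: (minute, source IP, username)."""
    events = []
    # Spread-out campaign: 40 sources, each trying 3 different usernames.
    for i in range(40):
        for j in range(3):
            events.append((5, f"203.0.113.{i}", f"user{i * 3 + j}"))
    # Ordinary noise: one person mistyping their own password.
    events += [(5, "198.51.100.9", "dave")] * 4
    events += [(6, "198.51.100.9", "dave")] * 2
    return events


def per_source_alerts(events, threshold=10):
    """Sources with at least `threshold` failures in a single minute."""
    counts = defaultdict(int)
    for minute, ip, _user in events:
        counts[(minute, ip)] += 1
    return sorted({ip for (_m, ip), n in counts.items() if n >= threshold})


# Thresholds below are illustrative assumptions; tune them to normal traffic.
def distributed_alerts(events, min_failures=50, min_sources=20, min_user_ratio=0.8):
    """Minutes where failures are numerous, widely sourced, and aimed at mostly distinct usernames."""
    by_minute = defaultdict(list)
    for minute, ip, user in events:
        by_minute[minute].append((ip, user))
    alerts = []
    for minute, rows in sorted(by_minute.items()):
        sources = {ip for ip, _ in rows}
        users = {user for _, user in rows}
        if (len(rows) >= min_failures and len(sources) >= min_sources
                and len(users) / len(rows) >= min_user_ratio):
            alerts.append({"minute": minute, "failures": len(rows),
                           "sources": len(sources), "usernames": len(users)})
    return alerts
```

On the constructed data no single source reaches the per-source threshold, while the aggregate check flags minute 5, where 124 failures arrive from 41 sources against 121 distinct usernames.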

Selecting an account protection strategy

Now that you have a better idea about account takeover threats, it is time to start making plans to block them. Your starting point needs to be with the formulation of a policy that fits the specific operations of your business. Once you are clear about the vulnerabilities of your system, you can start to investigate suitable software to help you prevent account takeover threats.

Image: Scam Hacker from Pixabay. Public domain.