Skip to Main Content

All about account hijacking and how to protect yourself 

Imagine this typical scenario involving the imaginary Craig. He’s sitting at his desk and can’t believe what’s happening. Just a few hours ago, he had received an email from his bank, alerting him to suspicious activity on his account. Now, as he frantically tries to log in and check his balance, he finds out that he can’t access his bank account at all…Sorry, Craig. You’re the victim of account hijacking.  

But online users like Craig aren’t alone. According to a 2022 Consumer Impact Report by the Identity Theft Resource Center, hijacking of social media accounts alone has reached epidemic proportions in the last 12 months: Account takeovers have increased by 1,000%.  

So, what is ‘account hijacking’ exactly, what methods does it deploy, and how can you protect yourself? 

Account hijacking has plagued us since the dawn of the internet—but how did we get to this point? 

By definition, account hijacking is the unauthorised access and control of a user’s online account(s). It’s a form of identity theft in which a cybercriminal impersonates you to log in to an online account—this is usually a financial account, but it doesn’t have to be. Account hijacking isn’t new, but dates back to the early days of the internet when users first began to use online accounts to access a variety of services, including email, social media (like Facebook, Twitter, WhatsApp), and e-commerce sites.  As the number of online accounts grew, so did their popularity with cybercriminals. An online account is a virtual treasure trove of sensitive and potentially lucrative information after all! Armed with your login credentials, including a username and password, hackers have free rein. They can make unauthorised changes and purchases or use the account to launch further attacks. Plus, as they’re “being you” it offers them anonymity, so it’s a bit like the mask a real-life gangster would wear when robbing a bank.  

If they’re truly nasty, cybercriminals may even exploit your online account to blackmail unsuspecting individuals, or even publish information (via email, social media, etc.) that is damaging to your company or reputation. So, it’s more than an inconvenience: Account hijacking can cause emotional distress and financial loss.  

Cybercriminals stealing your online persona—the clandestine tactics of account hijacking

Practise makes perfect. So, it should come as no surprise that the methods used by attackers to hijack accounts have become more sophisticated over the years. Look out for these usual suspects:  

Phishing: “Your bank account has been locked! Please log in to resolve this issue!”. Of course, the email isn’t really from bank. It could be a type of social engineering attack in which the attacker tries to trick you into revealing your login credentials or other sensitive information. This might involve sending a fake email or website that looks legitimate but is actually a surreptitious attempt to steal the victim’s information. 

Keystroke logging: This is a technique in which the attacker installs software on the victim’s computer that records every letter you type and sends it back to the hacker. This can then be used to capture login credentials, credit card numbers, and other sensitive information as and when you login to these platforms.  

Malware: Malware is a type of software designed to cause damage to a computer or steal information. Some types of malware are specifically designed to target login credentials and can be used to gain unwanted access to a personal account. For instance, a hacker might try to hijack your cloud account (like Good Drive, Dropbox, or iCloud) by installing malware on your laptop, tablet, or phone that captures your login information automatically. This then allows them to retrieve your files and other documents.  

Password cracking: This is a technique in which the attacker uses specialised software to try to guess the victim’s password. This can be done by trying a list of common passwords or by using dictionary and/or brute force attacks—more on these below. While a cumbersome undertaking, a close connection could crack your password in no time. Do you, for instance, own a cat? A hacker may try these combinations: “Fluffbag’ or ‘Fluffbag12345’. And hey presto—they’re in.  

A dictionary attack is a type of password cracking method that involves trying a pre-arranged list of words, such as a dictionary, as passwords. These lists are often created by compiling common passwords or by combining a list of words found in a dictionary. The attacker tries each word in the list to guess the password.  

On the other hand, a brute force attack is a password cracking method which tries a possible combination of characters until the correct password is found. Usually, an automated programme works its way through these endless character combinations, starting with the most common. Brute force attacks can be very time-consuming, but hackers have patience and automated programmes don’t work regular business hours or need breaks.  

Physical access: In some cases, the attacker might simply try to gain physical access to your computer or device to steal their login credentials or install malware. Do you have a document on your desktop conveniently labelled PASSWORDS that does in fact contain all your passwords? It’s like Christmas for hackers if you serve up gifts like that. 

Think you have very little to lose? Well, think again… 

Account hijacking can have far-reaching consequences, so don’t wait until it’s too late to find out! But just what could this mean? 

  • Financial losses: If an attacker gains access to your financial accounts, they may be able to make unauthorised purchases or transfer money out of your account. This can lead to significant financial losses, which can be difficult to recover. 
  • Identity theft: If an attacker gains access to your personal information, such as your name, address, and birth date, they may be able to use this information to commit identity theft. This can involve opening new accounts in your name, applying for loans or credit cards, or even participating in illicit activities using your identity.  
  • Damage to reputation: If an attacker accesses your social media or email accounts, they may be able to post inappropriate or offensive content or send inappropriate messages to your contacts. Imagine what this would do to your reputation and personal or professional relationships? 
  • Legal issues: Depending on the actions taken by the attacker, account hijacking may also lead to legal problems. For example, if the attacker uses your account to commit fraud or engage in other illegal activities, you may be held responsible.  
  • Loss of access to accounts: In some cases, an attacker may lock you out of your own accounts, making it difficult for you to perform certain actions. This can be especially frustrating if you rely on these accounts for important tasks, such as managing your finances or communicating with others.  
  • Emotional distress: Needless to say, the process of having an account hijacked and the potential consequences can be distressing and emotionally taxing. 

Now that we’ve hopefully convinced you of the dangers of account hijacking, read on for some tips and tricks to elude those trying to snap up your login details… 

Be one step ahead – foil attempts to hijack your account 

Don’t let the threat of potential account hijacking keep you awake at night. Use these simple and effective ways to help protect yourself. Take control now with these five essential steps. 

  1. Strong, unique passwords: Using strong, unique passwords for each of your online accounts can help protect against account hijacking (be sure to avoid using the same password for multiple platforms as this may grant easy access to all your accounts). A password manager like Avira Password Manager, generates complex passwords and helps store them more securely.  
  2. Enable multiple-factor authentication: Many institutions and online services now offer multiple-factor authentication (MFA) which requires users to provide an additional form of verification, such as a code sent to your phone, or answering a security question in addition to the standard username and password prompt. Enabling MFA can significantly increase the security of your online accounts.  
  3. Beware of phishing attacks: Phishing attacks are a common method used by attackers to obtain login credentials. Look out for suspicious emails, SMSs, or texts, and never click on links or enter personal information unless you are sure the request is legitimate. 
  4. Install an antivirus solution: Reputable antivirus solution, like Avira Free Antivirus, can help protect against malware and other cyberthreats that may be used to gain (unauthorised) access to your accounts. Keep your antivirus up to date and run regular scans to ensure your devices have not been compromised! For multiple layers of security and online privacy, consider Avira Free Security or its even more comprehensive and subscription-based counterpart, Avira Prime. 
  5. And finally, please check that you’re using a secure website. Providing personal information on an unsecure website increases the risk of your data being accessed by hackers or other malicious actors who may be able to intercept the information as it’s being transmitted over the internet. As a rule of thumb, always look for a padlock icon that is typically displayed next to the website’s address. This symbol shows that the website is using encryption to help protect your information. 

The reality is that most of us are vulnerable to the threat of account hijacking. However, it’s not all doom and gloom—by implementing the steps highlighted in this blog, you can bolster your security and thwart external attempts to compromise your accounts. Furthermore, it’s crucial to regularly monitor your accounts and immediately report any suspicious activity to the relevant service provider or platform. 

This post is also available in: GermanFrenchItalian

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.