Account Compromises In the United States

Security

February 27, 2025

According to 2024 statistics, the United States is one of the top countries for account compromises or account takeovers (ATOs). Microsoft and Amazon are among the top five domain sources for these attacks. The percentages of targeted and impacted industries are relatively prevalent across the board. The NJCCIC continues to receive reports of compromised accounts for New Jersey residents, businesses, and local governments. These reported compromised accounts include email accounts, social media platforms, bank accounts, cryptocurrency wallets, and utility companies.

One of the ways threat actors compromise accounts is by using information from data breaches to target potential victims via social engineering tactics. Threat actors convince their targets to take action, divulge sensitive information, or inadvertently install malware to gain unauthorized access to legitimate user accounts. Besides phishing campaigns, threat actors increasingly exploit mobile devices and their apps in mishing attacks to compromise accounts, infiltrate networks, and steal data. Mobile platforms contain unique features and vulnerabilities, including text messages, voice calls, and QR codes. Mishing is a growing threat to individuals and organizations, as is evident in recent SMiShing, vishing, and quishing campaigns. The prevalence of mishing is due to increased mobile usage, the expanded attack surface of remote work on personal devices, extensive access to sensitive information, and little or no security protections.

Once an account is compromised, threat actors impersonate the victim to conduct further malicious activity, such as changing account information, sending communications on their behalf, transferring funds, installing malware, exfiltrating data, and more. On average, threat actors can move from initial compromise to privilege escalation to lateral movement in approximately less than an hour, and the objectives of their full targeted attack can take four hours and 29 minutes. These timeframes are concerning because users or administrators take longer to identify and remediate a compromise.

Recommendations
  • Refrain from responding to unsolicited communications, and exercise caution with communications from known senders.
  • Be wary when scanning QR codes, even from trusted sources.
  • If unsure of the legitimacy, contact the sender via a separate means of communication – such as by phone through official and legitimate sources – before taking action or disclosing sensitive information.
  • Set up alerts, maintain unique passwords for each online account, and enable multi-factor authentication (MFA), choosing biometrics and authentication apps over SMS text-based codes where available.
  • Refrain from posting sensitive information and images online to reduce your digital footprint.
  • Review the Mobile Device Security NJCCIC product for more information about the mobile threat landscape and best practices.
  • If victimized, report the scam directly to the respective platform, the Federal Trade Commission (FTC), the FBI’s IC3, and the NJCCIC. If PII compromise is suspected or detected, contact your local law enforcement department.
  • Review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling multi-factor authentication (MFA) on accounts.