Account Takeover Attacks Are Surging: How to Protect Your Online Accounts Now
On August 14, 2025, the New York Department of State’s Division of Consumer Protection issued a consumer fraud alert warning of a sharp rise in account takeover incidents. These attacks, where a criminal gains access to one of your online accounts and locks you out, can lead to direct financial loss and long-term identity theft. The alert covers common attack methods and practical ways to prevent them.
What Happened
The Division of Consumer Protection released a public alert titled “Rise in Account Takeover Incidents Prompts Consumer Fraud Alert” on August 14, 2025. According to the alert, reported cases of account takeover have increased significantly in recent months. Attackers typically gain access through:
- Phishing – fraudulent emails or text messages that trick you into entering your login credentials on fake websites.
- Credential stuffing – using usernames and passwords stolen from one site (often from a data breach) to try logging into other accounts.
- SIM swapping – convincing your mobile carrier to move your phone number to a SIM card they control, so that SMS one-time codes and password-reset texts are delivered to the attacker instead of you.
The alert notes that once attackers control an account, they often change the password, email, or phone number on file, making it difficult for the legitimate owner to regain access. They may then use the account to send spam, steal stored payment information, or impersonate the victim to contacts.
Why It Matters
Account takeover isn’t limited to one type of service. Email accounts are frequently targeted because they can be used to reset passwords for other accounts. Banking and investment accounts lead directly to financial theft. Social media and shopping accounts can be used to commit fraud against friends or sell compromised data.
The consequence for the account holder often goes beyond the immediate loss of access. Attackers may apply for credit cards, drain bank accounts, or sell the compromised account credentials on underground markets. Recovering from a full takeover—especially one that involves identity theft—can take weeks or months of phone calls and paperwork.
What Readers Can Do
The Division of Consumer Protection’s guidance focuses on three lines of defense: prevention, detection, and response.
Prevention
- Use a password manager to generate and store a unique, complex password for every account. Reusing passwords is the main reason credential stuffing works.
- Enable multifactor authentication (MFA) wherever possible. The alert emphasizes that MFA dramatically reduces the risk of takeover, even if your password is stolen. Where available, use an authenticator app or a hardware security key rather than SMS-based codes, which are vulnerable to SIM swapping. Keep in mind that a six-digit app code can still be phished if you type it into a fake login page; a hardware security key (FIDO2/WebAuthn) verifies the site's real address before it responds, so it holds up even then.
- Freeze your credit at the three major credit bureaus (Equifax, Experian, TransUnion). This prevents attackers from opening new accounts in your name, even if they have your personal information. Freezes are free, can be lifted temporarily when you apply for credit yourself, and do not affect accounts you already hold, so they complement rather than replace the steps above.
Detection
Keep an eye out for these common signs that an account may already be compromised:
- You receive a password reset email you didn’t request. Don’t click its link: either someone is running the reset flow against your account, or the email itself is a phishing attempt.
- You can’t log in with your usual password.
- Account settings – such as recovery email, phone number, or security questions – have changed without your knowledge.
- Your friends or contacts report receiving strange messages from you.
- You see login attempts from unfamiliar locations or devices in your account activity log.
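The two signals above that a service (rather than the account holder) can act on are credential stuffing, described under What Happened, and successful logins from places or devices the user has never used. The script below is an added example, not part of the alert, that runs both checks over a handful of constructed authentication log lines; the log field layout, the detection thresholds and the function names are assumptions chosen for the illustration, not any vendor's schema.

```python
"""Flag credential stuffing and unfamiliar-location logins in auth logs.

Added example: the log format, thresholds and sample data are constructed
for illustration and are not taken from the alert or any real system.
"""
from collections import defaultdict

# Constructed sample log. Fields: timestamp user source_ip country device result
# 198.51.100.7 sprays one password across six accounts and gets into carol's,
# who normally signs in from the US on a desktop browser.
SAMPLE_LOG = """\
2025-08-14T08:30:00Z carol 203.0.113.22 US desktop-chrome success
2025-08-14T08:45:10Z alice 203.0.113.10 US desktop-chrome success
2025-08-14T08:46:00Z bob 203.0.113.10 US desktop-chrome fail
2025-08-14T08:46:20Z bob 203.0.113.10 US desktop-chrome success
2025-08-14T09:00:01Z alice 198.51.100.7 RU linux-curl fail
2025-08-14T09:00:02Z bob 198.51.100.7 RU linux-curl fail
2025-08-14T09:00:03Z carol 198.51.100.7 RU linux-curl success
2025-08-14T09:00:04Z dave 198.51.100.7 RU linux-curl fail
2025-08-14T09:00:05Z erin 198.51.100.7 RU linux-curl fail
2025-08-14T09:00:06Z frank 198.51.100.7 RU linux-curl fail
2025-08-14T09:10:00Z alice 203.0.113.10 US desktop-chrome success
"""


def parse_log(text):
    """Turn whitespace-separated log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "country": country,
                       "device": device, "result": result})
    return events


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that tried many distinct usernames with
    mostly failures. A real user mistyping a password hits one username from
    one IP; a stuffing run hits many usernames from one IP and mostly fails."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        successes = sum(1 for e in evs if e["result"] == "success")
        rate = successes / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(users), "attempts": len(evs),
                           "successes": successes}
    return flagged


def detect_new_location_logins(events):
    """Return (user, ip, country, device) for successful logins whose
    country/device pair the user has never used in an earlier success.
    The baseline is built from the log itself, so a user's very first login
    is never flagged (there is nothing to compare it against)."""
    seen = defaultdict(set)
    anomalies = []
    # ISO 8601 timestamps with a fixed 'Z' suffix sort correctly as strings.
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        key = (e["country"], e["device"])
        if seen[e["user"]] and key not in seen[e["user"]]:
            anomalies.append((e["user"], e["ip"], e["country"], e["device"]))
        seen[e["user"]].add(key)
    return anomalies


def run_detections(text):
    """Convenience wrapper: parse once, run both detectors."""
    events = parse_log(text)
    return detect_credential_stuffing(events), detect_new_location_logins(events)


if __name__ == "__main__":
    stuffing, new_logins = run_detections(SAMPLE_LOG)
    for ip, stats in stuffing.items():
        print(f"possible credential stuffing from {ip}: {stats}")
    for user, ip, country, device in new_logins:
        print(f"new location/device for {user}: {ip} {country} {device}")
```

On the sample data the first detector flags 198.51.100.7 (six usernames, one success) and the second flags carol's login from that IP, which is exactly the case where the stuffing succeeded and the account should be stepped up to MFA or locked pending verification. The thresholds are deliberately loose for a short sample; on real traffic you would tune them against shared NAT addresses and mobile carrier ranges, which legitimately carry many users per IP.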
Response
If you suspect your account has been taken over, act quickly:
- Try to reset the password using the “Forgot Password” feature. Many platforms will send a reset link to your recovery email – if that email is still under your control, use it immediately.
- If you can no longer access the account, go directly to the platform’s account recovery or support page. Most major services have a dedicated process for compromised accounts.
- Once you are back in, review everything the attacker could have changed to keep a foothold: recovery email and phone, security questions, email forwarding rules, connected third-party apps, and any app-specific passwords or backup codes. Remove anything you don’t recognize and sign out all other sessions.
- Change the password on any account that shares the same credentials.
- Run a malware scan on your devices. Many takeovers don’t involve local malware, but if a keylogger or infostealer is present it will capture any new password you set, so if the scan finds something, reset your passwords again from a clean device.
- Report the incident to the platform and, if financial accounts are involved, to your bank or credit card issuer. You may also file a report with the Federal Trade Commission (FTC) at IdentityTheft.gov and with your state’s consumer protection office.
Long-term habits
- Regularly review the “sessions” or “devices” section of your most important accounts and log out of any you don’t recognize.
- Avoid clicking links in unsolicited messages, even if they appear to come from a trusted company. Navigate to the site by typing the URL directly or using a saved bookmark. A password manager helps here too: it only autofills on the exact site it saved the login for, so a lookalike phishing domain stays empty.
- Consider using a hardware security key (such as a YubiKey) for high-value accounts like email and finance.
Sources
The facts in this article are drawn from the August 14, 2025 consumer fraud alert issued by the New York Department of State’s Division of Consumer Protection. Additional context on credential theft and multifactor authentication is based on widely known cybersecurity best practices. For the full alert text, visit the New York Department of State’s website.