
Protect your organization from account takeovers with reCAPTCHA Enterprise

May 19, 2020
Tyler Davis

Security & Compliance Customer Engineering

As more enterprises are requiring customers to create accounts to do things like access services or make a purchase, attackers have increased their focus on account takeovers. These attackers are highly motivated and can be extremely evasive when trying to avoid detection during campaigns. For example, bad actors often attempt to hide their activities by acting during normal traffic times to blend in with genuine customer activity. 

reCAPTCHA Enterprise can help protect your websites from fraudulent activity like this. Last week, we talked about how reCAPTCHA Enterprise can help keep your end users safe against a variety of attacks, including fraudulent transactions, scraping, synthetic accounts, and account takeovers. Today, we’re going to take a deeper look at how reCAPTCHA Enterprise can help you combat account takeovers and hijacking. 

Account takeover and hijacking basics

Account takeover and hijacking occur when a bad actor uses a stolen or leaked credential to log in to and take over a legitimate user’s account. Once the attacker has successfully gotten into the account with someone else’s login credentials, they start to commit fraud, such as transferring money or gift card and purchase fraud. 

How do these bad actors obtain stolen credentials? There are a number of ways, but the easiest is simply to purchase them from the dark web or other sources. This can be done extremely inexpensively, and in the last several years, billions of account records have been leaked from breaches. With exponential growth anticipated for credentials available after a data breach, that number will only continue to increase. 

When a malicious actor has a large set of these stolen or purchased credentials, it’s not financially feasible for them to manually attempt to log in to each account. So, they rely on automated credential stuffing attacks to log in and verify the accounts before they manually perform fraud on the accounts. 

This process of validating stolen credentials typically requires three parts: 

  1. a list of potential credentials and accounts

  2. a distributed botnet (large swaths of infected “zombie” machines)

  3. some type of automation software or toolkit to orchestrate the attacking botnet 

Since these credential lists contain a large number of potential username and password combinations, attackers usually use a botnet to see which logins are correct. Botnets generally attack through proxy servers or ephemeral addresses that can be hard to blacklist or block, which also allows attackers to quickly change where the attacks are originating from. Determined attackers will pivot and attempt to evade detection as quickly as possible if they realize they’ve been noticed. 

Account takeover and hijacking attacks have been on the rise over the last few years, and they are very costly to the organizations that are targeted. According to a study by Javelin Strategy & Research, billions of dollars are spent each year cleaning up and containing the stolen accounts to try to combat fraudulent activity. 

How reCAPTCHA can help

Due to the growing sophistication of attacks, it has become increasingly difficult for security teams to manage the line between letting valid customers in and keeping out fraudulent attackers and bots. reCAPTCHA Enterprise is here to help. 

reCAPTCHA Enterprise is a frictionless fraud detection service that leverages our experience from more than a decade of defending the internet with reCAPTCHA and data for our network of four million sites. A simple JavaScript snippet enables reCAPTCHA Enterprise to verify that requests on your webpages are coming from real humans. This is done through behavioral analysis that uses site-specific training and models. reCAPTCHA Enterprise will detect malicious requests and give you actionable insights to help protect your enterprise. 

reCAPTCHA Enterprise gives you the granularity and flexibility to help protect your webpages in the way that makes the most sense to your business. Our enterprise API provides risk scores for an interaction with your site. With 1.0 being a likely good interaction and 0.0 likely being an abusive one, you can decide which action to take based on that score. This means there’s no one-size-fits-all approach to managing your risk: you can have different levels of protection for different web pages. For example, a suspected fraudulent request on a login page could force a two-factor authentication challenge, while you could just block the request on a less valuable webpage.


Using reCAPTCHA Enterprise, you can train your site-specific model by sending reCAPTCHA IDs back to Google labeled as false positives or false negatives. SDKs are available for both iOS and Android to provide the same controls for your mobile applications. 
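To make the per-page scoring and the feedback loop described above concrete, here is an added example (not code from Google or from the original post) of a server-side decision function. It assumes the assessment is a dict shaped like the v1 REST response (`tokenProperties.valid`, `tokenProperties.action`, `riskAnalysis.score`); the page names, thresholds and sample assessments are constructed for illustration.

```python
from typing import Optional

# Assumed per-page thresholds (challenge_below, block_below); tune per site.
POLICY = {
    "login": (0.7, 0.0),       # high-value page: step up to 2FA, never block on score alone
    "newsletter": (0.0, 0.5),  # less valuable page: just block suspected abuse
}

def decide(assessment: dict, expected_action: str) -> str:
    """Return 'allow', 'challenge' or 'block' for one assessment."""
    props = assessment.get("tokenProperties", {})
    # Fail closed: an invalid token, or one issued for a different action,
    # says nothing trustworthy about this request.
    if not props.get("valid") or props.get("action") != expected_action:
        return "block"
    score = assessment.get("riskAnalysis", {}).get("score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        return "block"
    challenge_below, block_below = POLICY[expected_action]
    if score < block_below:
        return "block"
    if score < challenge_below:
        return "challenge"
    return "allow"

def feedback_label(decision: str, confirmed_fraud: bool) -> Optional[str]:
    """Annotation to send back when the real outcome contradicts the decision."""
    if decision != "allow" and not confirmed_fraud:
        return "LEGITIMATE"   # false positive: a real user was challenged or blocked
    if decision == "allow" and confirmed_fraud:
        return "FRAUDULENT"   # false negative: abuse got through
    return None               # decision matched the outcome

def sample(score: float, action: str, valid: bool = True) -> dict:
    """Build a constructed assessment for the demo below."""
    return {"tokenProperties": {"valid": valid, "action": action},
            "riskAnalysis": {"score": score}}

if __name__ == "__main__":
    for a, page in [(sample(0.9, "login"), "login"),
                    (sample(0.2, "login"), "login"),
                    (sample(0.2, "newsletter"), "newsletter"),
                    (sample(0.9, "newsletter"), "login")]:
        print(page, a["riskAnalysis"]["score"], "->", decide(a, page))
```

The same low score produces a two-factor challenge on the login page and a block on the less valuable page, and a token issued for one page is rejected when replayed against another.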

The danger of bot-led account takeover and hijacking attacks is on the rise, costing organizations large amounts of money and consuming the time of valuable internal resources in security, legal, and fraud teams. reCAPTCHA Enterprise can help detect these botnets and give you the insights you need to block the requests while allowing real users into your website and their accounts.

To learn more about how you can help protect your enterprise from account takeovers and hijacking, visit our documentation. To get started with reCAPTCHA today, contact sales.
