TFGBV Taxonomy
Abuse Type:

Account access control

Last Updated 8/4/25
Definition: Gaining access to someone's digital accounts without permission or exploiting access to someone’s accounts to monitor, control, or harm them.
Sub Types:
Internet of things (IoT) abuse
Perpetrators:
Personal connection, Stranger
Perpetrator Intents:
Compliance, Punitive intent
Targets:
Private individual, Public figure
Impact Types:
Psychological & emotional harm, Infringement of rights & freedoms, Social & political harm
Skill Required: Low

Perpetrators gain access to a target’s digital accounts through various means - knowing or guessing passwords, exploiting password reset features ("Password-reset attacks"), using shared devices with saved credentials, or social engineering/coercing victims to share login information (Brown et al., 2024). They may also exploit access given under a previously innocuous set of circumstances. In a threat model of intimate partner violence, the perpetrator is likely to either have physical access to the target’s device or know the credentials to their online accounts.

Once inside, perpetrators can use that access for a number of forms of abuse: cyberstalking (reading private messages, monitoring activity, etc.), restricting a target’s access to their own or shared accounts, services, and data (changing settings, locking victims out by changing passwords, etc.), or online impersonation, often as part of a broader pattern of digital abuse.

Skill level

Low to Medium - Basic attacks, like using an intimate partner’s saved account information on a shared device, require minimal skill. However, more sophisticated methods, like exploiting security vulnerabilities, require moderate technical knowledge.

Additional notes on mitigation strategies

  • Default to highest privacy settings - e.g. force two factor authentication (aka 2fac, 2FA). Because of country/context specific security awareness and abilities, avoid SMS.
  • Know your customer (KYC) - Automated detection of unusual behavior patterns is commonplace in the financial services world.
  • Safety onboarding & awareness training - e.g. increase awareness of two factor authentication.

References

  • Brown, A., Harkin, D., & Tanczer, L. M. (2025). Safeguarding the “Internet of Things” for Victim-Survivors of Domestic and Family Violence: Anticipating Exploitative Use and Encouraging Safety-by-Design. Violence against Women, 31(5), 1039–1062. https://doi.org/10.1177/10778012231222486
  • Lopez-Neira, I., Patel, T., Parkin, S., Danezis, G., & Tanczer, L. (2019). “Internet of Things”: How abuse is getting smarter. Safe – the Domestic Abuse Quarterly, 63, 22–26. https://discovery.ucl.ac.uk/id/eprint/10070024/1/Safe%20Article%20FINAL.pdf
  • Janickyj, M., & Tanczer, L. M. (2025). Tech Abuse Personas: Exploring Help-Seeking Behaviours and Support Needs of Victim/Survivors of Technology-Facilitated Abuse - UCL Discovery. Ucl.ac.uk. https://discovery.ucl.ac.uk/id/eprint/10208803/

AI Risks and Opportunities

Risks

Perpetrators may develop AI tools that allow them to perform current tactics more easily: AI-powered password cracking tools, deepfaking voices for account recovery calls, and automated credential-stuffing attacks.

Opportunities

Similarly, AI may enable trust & safety teams to make the recognition of suspicious behavior more effective: AI-enhanced behavioral authentication, anomaly detection for unusual login patterns, and improved multi-factor authentication systems.

Prevalence

In a recent analysis of 1,525 tech abuse referrals to UK charity Refuge, 49% of tech abuse cases involved "monitoring [the target's] mobile phone, controlling smart home devices, or depriving them of technology" (Janickyj, 2025).

Cultural Variation

In some cultures, family members (especially the parents of a child) or intimate partners may feel more entitled to account access as part of relationship expectations.

Mitigation Strategies

Defaulting to 2 factor authentication (with high preference for non-SMS, considering prevalence of shared devices in many countries).
Default to highest privacy settings
Default Privacy Settings to Minimize User Vulnerability.
Mirror the automated detection of unusual behavior patterns that is commonplace in the financial services world.
Know your customer (KYC)
Require proof of identity for functions with a higher potential for abuse.
Increase awareness of 2 factor authentication and its purpose.
Safety onboarding & awareness training
New user onboarding and ongoing awareness raising.