Bank Account Takeover Attacks: How to Keep Safe
Published: April 18, 2023
Scammers use account takeover (or “ATO”) tactics to target individuals, businesses, and banks daily. All stakeholders must recognize the gravity of this issue and take the necessary steps to combat it.
What is Account Takeover Fraud?
Account takeover fraud, or ATO fraud, is a form of identity theft in which a third party gains access to the credentials or other unique details of a legitimate user’s online account. Once inside, the fraudster can pose as the real customer to change account details, make purchases, withdraw funds, or leverage the stolen information to break into other accounts.
Scammers often target accounts holding financial data or personally identifiable information (name, address, Social Security number, etc.). However, they may also target a variety of other profiles, including:
- Social media accounts, which can be used to mislead and manipulate your followers.
- Email accounts, to mine personal information or to reset the passwords of other accounts.
- Bank accounts, to steal money, infiltrate financial services, or take out loans in your name.
- Amazon or other shopping accounts, to make purchases and harvest stored card details.
Scammers can use a variety of tactics to get access to your accounts. Here are a few common examples that illustrate how fraudsters can use ATO to their advantage:
Phishing
Phishing refers to any practice by which a fraudster tries to trick individuals into revealing personal information, such as passwords and credit card numbers. This can be done through emails purporting to be from reputable sources, look-alike websites that harvest whatever is typed into them, text messages, and so on.
Best Defense:
Merchants should require users to complete two-factor authentication when they log in from a new device or add a new payment method. Consumers can protect themselves by adding similar methods to their own accounts (see the “Two-factor authentication (2FA)” subsection below).
SIM Card Swapping
A fraudster contacts a user’s mobile carrier, impersonates the user, and convinces the carrier to move the user’s phone number to a SIM card (or “new device”) the fraudster controls. From that moment, every call and text message to the victim’s number, including one-time passcodes sent by SMS, reaches the fraudster instead. Combined with stolen credentials, this lets the attacker pass SMS-based two-step verification and password-reset flows without ever touching the victim’s own phone.
Best Defense:
Wherever possible, move two-factor authentication off SMS and onto an authenticator app or hardware security key, which a SIM swap cannot intercept, and set a port-out PIN or account lock with your mobile carrier. Never reuse credentials on multiple sites. If a cardholder’s phone suddenly loses cellular service, if they are unexpectedly locked out of accounts, or if they receive password-reset notices they did not request, they should contact their mobile provider and their bank immediately and change their credentials.
Malware
Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. It is the method by which most fraudsters get into systems whose owners have not already let them in through phishing or by other means.
Most often, malware lands on a user’s computer through malicious or trojanized apps, compromised or fraudulent websites, or an infected USB device plugged into the machine. The malware then logs keystrokes or monitors other activity to capture login credentials.
Best Defense:
Cardholders should keep their systems patched, install software only from trusted sources, and follow security best practices online. For merchants, employees should access only the data they need, and only over secured networks.
Mobile Banking Trojans
Banking trojans are a type of malware that tries to obtain access to confidential information that is stored or processed through online banking systems.
This is more targeted than general-purpose malware. Instead of sweeping up whatever can be sifted from your data, a mobile banking trojan singles out your banking apps and sessions and is designed to escape your notice, for example by drawing a fake login screen over the real app or reading the one-time codes that arrive by SMS.
Best Defense:
Cardholders need to guard their banking details carefully. Install banking apps only from the official app store, be suspicious of any app that demands accessibility or SMS permissions it has no reason to need, and if a site doesn’t look trustworthy, never add your payment details. Period.
Man-in-the-Middle Attacks
This attack is a lot like eavesdropping. A fraudster positions themself on the network between you and the service you are talking to, for example by running a rogue Wi-Fi hotspot, in order to read, alter, or redirect that traffic, including a payment, elsewhere.
Best Defense:
Cardholders should never transmit sensitive information via public Wi-Fi, and should never click past a browser certificate warning, since that warning is exactly what a man-in-the-middle on an encrypted (HTTPS) connection produces. Also, savvy merchants provide secured Wi-Fi networks for all in-house use, including any that might be consumer-facing.
Scammers will target anyone they can, hoping to use that information to steal from as many sources as possible with the least effort on their part. If a criminal hijacks your account they can:
- Order a new card for unauthorized purchases.
- Buy a new smartphone via your carrier.
- Redeem credits, rewards, miles, etc. for their own gain.
- Make fraudulent payments from your account.
- Open a bank account under your name.
- Place orders on shopping or delivery platforms.
- Redirect unemployment, pension, or Social Security benefits.
- Steal your personal information.
- Change your account details like phone, email, address, or credentials.
- Access other accounts using the same stolen info.
- Sell your account information on the dark web.
Account takeover fraud is a menacing reality with far-reaching consequences for all parties involved.
Preventing Account Takeover
Cybercriminals are constantly seeking ways to gain unauthorized access to your online accounts. That’s why it's crucial to take preventive measures.
Password Perfection
The foundation of account security lies in a strong password that is unique to each account. Forget the days of “password123;” embrace the power of a long passphrase. Length and uniqueness matter most, but mixing upper and lowercase letters, numbers, and special characters still helps, and a password manager lets you keep a different password for every site without memorizing them. For example:
- PuMpkins37are73Yummy!
Two-factor authentication (2FA)
Adding an extra layer of security is always a good idea. Enable two-factor authentication (2FA) on your accounts whenever possible. This requires a secondary verification method, such as a one-time password (OTP) from an authenticator app, a hardware security key, or biometric data, in addition to your primary password, so that a stolen password alone is not enough to get in. Prefer an authenticator app or security key over codes delivered by SMS, which a SIM swap (see above) can intercept.
Monitor Account Activity
Regularly reviewing your account activity can help you spot any suspicious behavior before it escalates. Set up notifications for unusual transactions, login attempts, or changes to your account information. If you notice anything out of the ordinary, take immediate action by contacting your account provider or changing your password.
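The merchant-side rule in the phishing section above (require 2FA on a login from a new device or when a payment method is added) and the monitoring advice here are two views of the same mechanism: each account event is judged against what the account normally looks like, and anything unusual triggers a step-up, a hold, or a notification. The following Python sketch is an added example, not code from the original article or from Chargebacks911; the event kinds, field names, the 24-hour cooling-off period and the sample events are assumptions chosen to illustrate the rules, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "contact_change", "add_payment_method", "withdrawal"
    device: str = ""   # device fingerprint (logins only)
    country: str = ""  # country geolocated from the request IP (logins only)


@dataclass
class Profile:
    """What the account normally looks like: devices and countries that have
    previously passed 2FA, plus when the contact details last changed."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    last_contact_change: Optional[datetime] = None


# Assumed policy: money movement shortly after an email/phone/address change is
# the classic takeover sequence (first redirect where notices go, then drain).
COOLING_OFF = timedelta(hours=24)


def assess(profile: Profile, events: List[Event]) -> List[Tuple[int, str]]:
    """Walk one user's events in order and return (event index, action) pairs.

    step_up = demand 2FA before continuing,
    hold    = block the transaction pending review,
    notify  = tell the customer via a channel other than the one just changed."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev.kind == "login":
            if ev.device not in profile.known_devices:
                findings.append((i, "step_up:new_device"))
            if ev.country not in profile.known_countries:
                findings.append((i, "step_up:new_country"))
            # A new device/country joins the profile only after 2FA succeeds;
            # that happens in the login flow, so the profile is not updated here.
        elif ev.kind == "add_payment_method":
            findings.append((i, "step_up:new_payment_method"))
        elif ev.kind == "contact_change":
            profile.last_contact_change = ev.ts
            findings.append((i, "notify:contact_change"))
        elif ev.kind == "withdrawal":
            since = profile.last_contact_change
            if since is not None and timedelta(0) <= ev.ts - since <= COOLING_OFF:
                findings.append((i, "hold:withdrawal_after_contact_change"))
    return findings


def demo() -> List[Tuple[int, str]]:
    """Constructed sample: the real customer logs in, then an attacker with the
    stolen password works through the takeover sequence from a new phone."""
    t0 = datetime(2023, 4, 18, 9, 0)
    profile = Profile(known_devices={"fp-laptop-7c1a"}, known_countries={"US"})
    events = [
        Event(t0, "login", device="fp-laptop-7c1a", country="US"),
        Event(t0 + timedelta(hours=2), "login", device="fp-android-e9b3", country="RO"),
        Event(t0 + timedelta(hours=2, minutes=5), "contact_change"),
        Event(t0 + timedelta(hours=2, minutes=20), "withdrawal"),
        Event(t0 + timedelta(hours=2, minutes=25), "add_payment_method"),
    ]
    return assess(profile, events)


if __name__ == "__main__":
    for index, action in demo():
        print(index, action)
```

In the sample, the customer's own login at index 0 produces nothing, while the attacker's login, the email change, the withdrawal fifteen minutes later and the new card each raise a finding. The "notify" action is deliberately sent through a channel other than the one just changed, because after a takeover the new email or phone belongs to the attacker.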
Beware of Phishing Attacks
Fraudsters often use phishing emails or messages to trick you into revealing sensitive information. Be vigilant about scrutinizing any email, text message, or social media communication that requests your login credentials or personal data.
Remember: legitimate companies will never ask you for your password or sensitive information through these channels.
Keep Software Up to Date
Outdated software can be a goldmine for cybercriminals looking to exploit vulnerabilities. Regularly update the operating system, web browsers, and security software on all your devices to stay protected against new threats.
Account takeover fraud can have serious consequences. But, by implementing these simple steps, you'll be well on your way to securing your online presence. Stay informed, stay vigilant, and stay one step ahead of fraudsters.
Article courtesy of Chargebacks911. For educational purposes only.