A young man learns about account takeover fraud and goes to his accounts to update passwords and security to protect his wealth.

September 11, 2019

Account Takeover Fraud: A Rising Threat for Your Financials

Almost everyone today owns a smartphone — 91 percent of us have one, according to Experian's 2018 Global Fraud and Identity Report, and most of us (88 percent) use it to do our banking online.

That convenience is wonderful, but it may come at a cost. Fraudsters are continuously looking for and finding ways to take advantage of the security risks inherent in online banking.

One of the main risks is something called an "account takeover." This fraud occurs when an unauthorized person obtains access to your bank accounts, usually through your login information. Once they have control, fraudsters can easily transfer or wire money out of your accounts and into their own.

This is a problem that isn't going away and in fact is growing. According to the Javelin 2019 Identity Fraud Study, while overall identity fraud dropped from 2017 to 2018, account takeover fraud rose from 380,000 reported cases in 2017 to 679,000 cases in 2018.

Common Ways Criminals Commit Account Takeover Fraud

Rather than giving up the convenience of online banking, there are many things you can do to protect your valuable information, spot an account takeover attempt and protect your money from thieves.

Phishing Scams and Spear-Phishing Scams

One of the most common ways that fraudsters can obtain your login information is through phishing emails, according to Briane Grey, manager of Corporate Security at City National Bank. These emails appear to come from legitimate sources like your bank or an online retailer. They may also seem to come from people you know, like your spouse, relative or boss, after their email accounts were hacked.

Within phishing emails, you'll find unusual requests for money or fraudulent links to websites that may look like those of a real bank.

If you fall for the scam and login to your bank account through one of these links, fraudsters gain access to your login information. And, if you use the same login information (user name and password) across several accounts, all these scam artists have to do is enter your login credentials at all your other e-commerce and online banking accounts.

Shoshanah Posner, the director of business development at NoFraud, an online fraud prevention company that works with small businesses, found this out the hard way when criminals managed to obtain her login information for an e-commerce account. Because Posner used the same login information across multiple online accounts, the same criminals were able to access another account easily using the first batch of information.

While phishing scams may target multiple people, "spear phishing" scams target you directly based on information fraudsters have gathered about you.

One popular spear phishing attack involves someone pretending to call you from your bank and asking you for a text code to confirm your identity. Scammers use this method to access money from your bank account through payment services like Zelle.

In these cases, the text is from your bank but the caller is a fraudster who uses the code to link your bank account to their own newly-created Zelle account. They then quickly transfer money out of your account using Zelle, which works just like cash.

"If you receive a request for financial action within an email or phone call that is atypical, you should validate the request with a second source before proceeding with a high-risk transaction," recommended Grey. If you receive a request that's out-of-the-norm from your monthly bank emails, don't click any links within emails claiming to come from your bank. Instead, go directly to the website and login or call the bank directly to ensure that the email is legitimate.

"Customers should never share personal banking information such as passwords or text codes with anyone," warned Raman Kumar, digital product analyst lead at City National. Remember, your bank will never ask you for your login credentials or PIN by emailing you or calling you. If you call your bank directly, they may ask for such details to verify identity.

It's always important to vary your password and username information for your online banking accounts, retail accounts, email accounts and social media accounts, and not to use the same combinations repeatedly.

"The lesson that I learned was to have different complex passwords for each of my accounts and to change them regularly," said Posner. "This has since prevented any type of fraud for my online transactions."

Social Engineering Attacks

Another source of fraud to beware of is social engineering. You love sharing details of your life across your various social media accounts, but that information may give away key details to potential scammers looking to take over your bank accounts, warned Grey. "Even with the smallest piece of information about you, a criminal can often socially engineer enough additional details about you in order to take over your accounts."

If everything from your birth date, address, phone number and mother's maiden name are readily available across your social media accounts, scammers can use that information to gain access to your bank account. "Thieves will look to piece together a customer profile from a variety of sources and once they have obtained enough personal information, that's when the biggest damage occurs," said Grey.

Bold scammers may simply send you a direct message posing as a trusted friend or business and ask for personal information that they can use to take over your account.

Be careful of who you friend online and limit the amount of personal information you make available on social media accounts. Grey recommended practicing good "cyber hygiene" and cleaning up any such information that might be of interest to cyber criminals. If feasible, don't make your online profiles public.

"Pay attention to transactions across all of your online accounts — including social media and email — and be sure to investigate immediately if you see something suspicious," recommended Grey.

As for online "friends" asking for unusual personal details, like your driver's license number, ignore these requests and block accounts asking for such information.

Malware and Spyware Installations

"Phishing and malware attacks committed by fraudsters is the most prevalent means of initiating fraud" against bank clients, said Grey. Malware and spyware give fraudsters access to your computer.

Once scammers have installed malware or spyware on your computer surreptitiously, they can use it to capture passwords to your bank accounts when you login. They can also access files on your computer that may contain passwords or other private information.

These types of malicious software programs are typically installed on your computer when you click on a link in an email from a fraudster. They can also be remotely installed by a hacker when you use an unsecured Wi-Fi network through your mobile phone or computer, warns Kapersky, a well-known online security company.

Don't click on any suspicious emails or download files from people and websites you don't know or trust. Opt to use a virtual private network (VPN) when using public Wi-Fi on your phone or computer, recommended Posner. These networks help encrypt your information, making it more difficult for scammers to hack you and install any malicious software.

Most importantly, use antivirus software to detect any malicious files that may end up on your devices.

Knowing how fraudsters operate will help you understand how to protect your information and financial accounts from them.

To keep track of your accounts and immediately catch any unusual activity, signup for email and text alerts, typically available through your bank. "City National Bank clients may set up account, ATM cards, bill payments, and service-related alerts via email and mobile texts," said Kumar.

This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.