May 2, 2023
Account takeover is an attack in which cybercriminals seize control of online accounts using stolen usernames and passwords, then use those credentials to commit fraud. They purchase personal information via the dark web—information collected through social engineering or data breaches. This information supplies the credentials a fraudster needs to pose as the legitimate consumer. With it, scammers can trick a consumer's financial institution into making changes to the account or card settings. They may change phone numbers, emails, or passcodes, apply for increased limits, or change the account holder's PIN and/or travel exemptions to interfere with the institution's fraud-monitoring tools.
Deployment of card skimmers or malware on point-of-sale terminals continues to be a widespread method for stealing data. Compared to years past, small local businesses are more likely to be compromised and have their data harvested. Stolen data is then increasingly exfiltrated over remote, wireless technologies.
Phishing, Vishing & Smishing
Phishing, Vishing, and Smishing are methods of data theft that involve tricking consumers into revealing confidential information. These schemes use social engineering combined with modern technology to deceive consumers into revealing critical information while disregarding legitimate fraud warnings.
Phishing schemes are becoming more frequent, more targeted (called "spear-phishing"), and more difficult to identify than in the past. They use email to trick consumers into revealing personal information such as passwords or credit card numbers. Rather than relying on suspicious links in poorly designed emails, modern phishing emails mimic legitimate websites and appear polished and credible. By using URL-shortening tools such as TinyURL, scammers make suspicious links difficult to detect for even the keenest-eyed users. Red flags can include mistakes in hyperlinks, grammar, or punctuation.
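The two hyperlink red flags named above (a shortener hiding the destination, and link text that names one domain while the href points to another) can be checked mechanically in an email body. This is an added example, not code from the original article; the shortener list and the sample message are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Shortener hosts to treat as hiding the destination (TinyURL is named in the
# article; the others are well-known services added here as examples).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd"}

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL, without userinfo or port."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.lower().split("@")[-1].split(":")[0]

def _registrable(host):
    """Crude registrable domain (last two labels); adequate for this demo."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def flag_links(html):
    """Return (href, reason) for each anchor matching the article's red flags."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        h = _host(href)
        if h in SHORTENER_HOSTS:
            findings.append((href, "url shortener hides the destination"))
            continue
        # Visible text that looks like a domain must match where the link really goes.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and _registrable(m.group(1)) != _registrable(h):
            findings.append((href, f"text shows {m.group(1)} but link goes to {h}"))
    return findings

# Constructed sample email body (not a real message).
SAMPLE = """<p>Dear customer, verify your account at
<a href="http://secure-login.examplebank-verify.example/reset">www.examplebank.com</a>
or <a href="https://tinyurl.com/abc123">click here</a>.
Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a>.</p>"""
```

Running `flag_links(SAMPLE)` reports the mismatched first link and the shortened second link, while the third, whose text and destination agree, passes.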
Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce consumers to reveal their personal information, such as passwords or credit card numbers. Vishing is the same fraudulent practice enacted via phone calls. In both instances, consumers may be sent a voice or text message with transaction details requesting confirmation from the consumer. When they respond, they may be questioned for account details or asked to call back and provide account information. In some instances, they are sent a one-time passcode and instructed to reply "No Fraud" to the message.
Malicious software is a significant threat to the security of financial data. One such type of malware enables a Man-in-the-Browser attack: the malware is installed on a consumer's computer in the background while the user downloads some otherwise innocuous file. It can then monitor and hijack the user's web sessions to transfer funds or harvest payment card and online banking credentials, while redirecting the consumer to a fictitious error page. This type of malware often installs automatically when a user visits a compromised website.
Preventing account takeover is a joint effort between you and your financial institution. There are steps you should take to ensure you don't end up the victim of identity theft.