Beware of Account Takeover
May 2, 2023
What is an Account Takeover?
Account takeover is an attack in which cybercriminals seize ownership of online accounts by using stolen passwords and usernames, then use these credentials to commit fraud. They purchase personal information via the dark web—information collected through social engineering or data breaches. This information provides the necessary credentials for a fraudster to pose as a consumer. With this information, scammers can trick a consumer's financial institution to make changes to their accounts or card settings. They may change phone numbers, emails, or passcodes, apply for increased limits, or change the account holder's PIN and/or travel exemptions to interfere with the institution's fraud-monitoring tools.
Schemes that Contribute to Account Takeovers
Skimming & Malware
Deployment of card skimmers or malware to point-of-sale terminals continues to be a widespread method for stealing data. Compared to years past, small local businesses are more likely to compromised and have their data harvested. Stolen data is then passed through remote, wireless technologies with increasing frequency.
Phishing, Vishing & Smishing
Phishing, Vishing, and Smishing are methods of data theft that involve tricking consumers into revealing confidential information. These schemes use social engineering combined with modern technology to deceive consumers into revealing critical information while disregarding legitimate fraud warnings.
Phishing schemes are becoming both more frequent, more targeted (called "spear-phishing"), and more difficult to identify than in the past. They utilize email to trick consumers into revealing personal information such as passwords or credit card numbers. Rather than relying on suspicious links in poorly designed emails, phishing emails mimic legitimate websites and appear more polished and credible. By using URL shortening tools such as TinyURL, scammers make detection of suspicious links difficult for even the most keen-eyed of users. Red flags can include mistakes in hyperlinks, grammar or punctuation.
Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce consumers to reveal their personal information, such as passwords or credit card numbers. Vishing is the same fraudulent practice enacted via phone calls. In both instances, consumers may be sent a voice or text message with transaction details requesting confirmation from the consumer. When they respond, they may be questioned for account details or asked to call back and provide account information. In some instances, they are sent a one-time passcode and instructed to reply "No Fraud" to the message.
Malicious software is a significant threat to the security of financial data. One such type of malware is a Man-in-the-Browser attack, where malicious software is installed to a consumer's computer in the background when the user is downloading some otherwise innocuous file. The malware is then able to monitor and hijack user web sessions to transfer funds or harvest payment cards and online banking credentials, while redirecting the consumer to a fictitious error page. This type of malware often deploys automatically when a user visits a compromised website.
How Should Consumers Protect Themselves?
Preventing account takeover is a joint effort between your financial institution and yourself. There are steps you should take to ensure you don't end up the victim of identity theft.
- If you are concerned about an automated message, do not respond to the call, text, or email. Contact the company in question via their official customer service number listed on their website. Do not contact any number provided by a suspicious caller or message and do not click on any links.
- Respond quickly if you notice unexplained activity on your accounts or suspect you may have been the victim of a data harvesting scheme. Contact your financial institution immediately to help mitigate your losses.
- Always be aware of what information you choose to submit online and never easily provide access to your personal information.
- Maintain an up-to-date, secure operating system along with robust security and anti-malware software. Rely on multiple layers of protection and security tools.
- Keep your two-factor authentication codes private. Never provide them via phone, text, or email. These should only be used to sign into banking, merchant, or payment accounts when the consumer is actively trying to access it.