Account Takeover Fraud at a Glimpse
A specific type of identity theft, account takeover fraud occurs when cybercriminals steal one or more of the following:
- Usernames
- Passwords
- Email addresses
- Social Security number
- Other information of value
The ultimate goal for these fraudsters is to infiltrate banking, credit card, email, and social media accounts. Typically, the information used in ATO attacks against individuals comes from previous data breaches and other vulnerabilities criminals have exploited.
Account takeover fraud is unique in that attacks are centered around fraudsters stealing access to and leveraging their victim’s already-existing accounts versus stealing an identity to take out a line of credit. However, they are both illegal and can cause serious damage to consumers and businesses. To put it in perspective, ATO attacks and other types of identity theft crimes made up nearly 36 percent of the United States’ 5.3 million fraud reports filed with the Federal Trade Commission (FTC) in 2022.
How DCU Protects Accounts From ATO Attacks
Banks and credit unions are often targeted by platforms called CaaS, otherwise known as cybercrime-as-a-service. These commercial solutions, often developed and sold on the dark web, are powerful and sophisticated, making it easy for fraudsters to overwhelm many IT professionals. DCU takes cybersecurity seriously. From sophisticated transaction monitoring solutions to behavioral analysis, our experts work tirelessly to protect members from cybercriminals. However, the best protection against ATO fraud is consumers knowing what to be on the lookout for, which we’ll dig into below.
Real-World Examples of Account Takeover Fraud
Explore the following scenarios to learn how you can identify account takeover fraud.
Scenario 1: Phishing Emails
Fraudsters often target victims using sophisticated social engineering tactics, including forms of impersonation where the criminal pretends to be someone you can trust, such as a representative from your bank, local government office, or popular retailer. The criminal will then attempt to create urgency by presenting a set of dire circumstances that the targeted individual needs to address immediately in order to avoid consequences.
Phishing emails are widely used because they’re often successful. They offer recipients a false sense of security and they are more difficult for anti-phishing solutions to identify since the communications come from accounts that would normally be legitimate. Other phishing emails–ones that don’t come from legitimate accounts–are easier to identify, but there are still best practices to follow. These emails may include:
- Communications with an incentive that seems too good to be true (i.e. winning a lottery you never entered)
- Spelling mistakes that indicate the communication isn’t coming from a professional or even human source
- Formal salutations that seem robotic (i.e. “Greetings Honorable Friend”)
You should never open a communication from a source that seems suspicious or is unknown to you. If you think you’re being phished:
- Do not open the communication
- Avoid clicking links
- Do not download anything
- Check the sender’s email address against previous communications to compare and contrast
Scenario 2: Malware and Spyware Tools
Malware is malicious software designed to infect computers and networks, targeting system vulnerabilities for the purpose of data theft or damaging networks. Spyware is a specific type of malware that’s used for ATO attacks, as these programs are designed to gather personal data that is then sent to third parties without you ever knowing it. Keyloggers, a type of spyware, are especially dangerous. Keyloggers record every keystroke a user makes on their device, making it easy to steal passwords and other personal information.
An example of a successful account takeover fraud attack from malware is if you are sent a fraudulent email or text with a link you choose to click on that downloads a keylogger onto your device without you realizing it.
A variety of reputable anti-virus programs and firewall solutions are available to help prevent and remove malware from your devices. Many are available from reputable software providers and device manufacturers, and some require an active subscription.
Other best practices include:
- Avoid using public Wi-Fi
- Use strong, unique passwords for all your accounts
- Ensure your computer systems are up-to-date
- Multi-factor authentication (MFA) solutions should be leveraged where possible
Scenario 3: SIM-Swapping To Hijack Authentication
SIM-swapping is when cybercriminals hijack control of a mobile device. With a SIM-swap, fraudsters take control of a device by convincing a phone carrier representative to transfer control of the number to a SIM card that’s controlled by them. Once they have that capability, they can leverage the device to help take control of accounts belonging to their victims.
SIM-swapping is a newer type of ATO attack that’s been dangerous, successfully targeting even the highest levels of government agencies. In January 2024, the Securities and Exchange Commission (SEC) had its account for X, formerly known as Twitter, hacked. At the time, the agency had its MFA functionality turned off for platform use, which helped aid the criminal party. Since regaining control of the social media account, MFA authentication has been turned back on.
Recovery Steps After Account Takeover Fraud
Regular monitoring of your accounts could make all the difference between successfully stopping an ATO attack before any damage is done and facing serious consequences. Should you face a breach, do the following:
- Report any accounts you believe to be compromised
- Work with your credit union or bank to secure your accounts and finances
- Review your account settings
- Change usernames and passwords
- Carefully examine your credit report periodically
- Regularly review transaction activity
DCU members impacted should call 800.328.8797 so affected accounts and/or cards can be turned off, to prevent future losses, and for replacement cards. In addition, place a fraud alert with one of the credit reporting agencies:
Contacting each of the three isn’t required, as the one you call will report fraud to the other two credit monitoring companies.
Building a Fraud-Resistant Community Together
To secure accounts, DCU member numbers are encrypted but never shared or visible to outside parties. Mobile data is also protected using the highest level of security. In addition to our security measures, being vigilant and following the best practices outlined above will help prevent falling victim to a successful ATO attack.
A not-for-profit credit union catered to its members, DCU is dedicated to sharing education and the latest findings on financial literacy and fraud prevention. Learn about becoming a member.
This article is for informational purposes only. It is not intended to serve as legal, financial, investment or tax advice or indicate that a specific DCU product or service is right for you. For specific advice about your unique circumstances, you may wish to consult a financial professional.
Federally insured by NCUA.
