What Is Account Takeover (ATO) Fraud and How To Prevent It

October 2, 2024

An increasingly common form of identity theft, account takeover (ATO) fraud occurs when a cybercriminal takes over another person’s legitimate online accounts without permission. It can involve stealing banking and credit card information, email accounts, or other sensitive data such as social media logins.

ATO attacks are launched by cybercriminals who do the following:

  • Steal login information and credentials
  • Test the stolen information by attempting to access accounts
  • If successful, lock out the rightful account owner of any compromised accounts
  • Steal money and whatever sensitive information is available from compromised accounts

No one wants to be the victim of a crime, and having your identity taken can be upsetting, time-consuming, and potentially expensive to straighten out — and that’s once you’re over the initial shock and other emotions following the theft. However, account takeover fraud can be prevented before it occurs — once you know how to detect it.

Dive deeper into understanding how this type of identity theft affects consumers and businesses, and how to prevent an account takeover fraud attack on yourself.

The Severity of Account Takeover Fraud for Businesses and Consumers

Cybercriminals are constantly threatening online security and safety, as they attempt to steal sensitive data for themselves to sell to the highest bidder or to try and grow their scam. Oftentimes, what’s stolen in ATO attacks is sold in bulk on darknet markets. When it comes to account takeovers, fraudsters are successful in one of two ways: they take advantage of a mistake made by their victim or they find a vulnerability in a targeted business.

Merchants aim to protect their digital storefronts from account takeover fraud by maintaining secure websites, implementing machine-learning algorithms, and by having trained staff who know what to look out for. Consumers, on the other hand, must rely on their own vigilance and follow best practices to keep their data safe.

When ATO attacks are successful, both consumers and businesses suffer. Failure to keep customer data secure can severely damage a company’s reputation, leading to chargebacks and significant financial losses. Customers, meanwhile, may see their credit score and personal finances impacted negatively, in addition to the emotional distress one faces when their identity is stolen.

Common Techniques Used in Account Takeover 

Three techniques fraudsters often rely on for ATO attacks are phishing, malware, and social engineering. Learn the basics of these concepts below.

Phishing

How do cybercriminals usually make initial contact? They may have taken control of a legitimate corporate email account or stolen the account of a loved one. Phishing attempts can also come from text messages. You should never open communications or click on links or attachments from an unknown sender. If anything seems suspicious, avoid the communication altogether. It’s not worth the risk.

Malware 

Credentials can be stolen by keyloggers and other types of malicious software known as malware. These programs are installed on your computer without your permission or knowledge. Malware often comes from successful phishing attempts, but it can also come from visiting compromised websites. Anti-virus software can help identify threats as you visit websites.

Social Engineering 

This scheme is designed to trick you into willingly sharing your login information. It could come disguised as an email from someone posing as a friend or offering a business proposition, or the fraudster may even gather information from you over the phone. Never share sensitive information via email, text, or phone unless you know it’s for a legitimate purpose.

Recognizing the Signs of Account Takeover Fraud

According to SpyCloud, which specializes in cybercrime analytics, 22 percent of adults living in the United States have been the victim of at least one ATO attack, meaning over 24 million households have been impacted. This begs the question, if so many people have fallen victim to an ATO attack, what can be done to avoid becoming a statistic? It starts with regular account monitoring.

ATO attacks generally begin with non-monetary changes. This means a cybercriminal will do the following with account information they’ve stolen from their victim:

  • Change personal information
  • Update the password or PIN
  • Add a new authorized user
  • If it’s a credit or debit card, request a new card

Regularly check your email accounts and smartphone. If you are getting alerts and notifications of account changes you don’t remember initiating, that’s a key indicator that your data and identity may be compromised.
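The same pattern can be checked automatically wherever account activity is available as a list of events. The sketch below is an added example, not DCU's own code or detection logic: it flags any account where several of the non-monetary changes listed above occur close together. The event names, the 24-hour window, the threshold of two distinct change types, and the sample events are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# The four non-monetary changes listed above; the event names are assumed.
NON_MONETARY = {"personal_info_change", "password_or_pin_change",
                "authorized_user_added", "new_card_requested"}
WINDOW = timedelta(hours=24)  # assumed look-back window
THRESHOLD = 2                 # assumed: distinct change types needed to flag

# Constructed sample events: (ISO timestamp, account id, event type).
SAMPLE_EVENTS = [
    ("2024-09-01T10:00:00", "acct-1002", "password_or_pin_change"),
    ("2024-09-20T16:30:00", "acct-1002", "personal_info_change"),
    ("2024-10-01T02:14:00", "acct-1001", "password_or_pin_change"),
    ("2024-10-01T02:20:00", "acct-1001", "authorized_user_added"),
    ("2024-10-01T02:31:00", "acct-1001", "new_card_requested"),
    ("2024-10-01T09:05:00", "acct-1003", "card_purchase"),
    ("2024-10-01T09:40:00", "acct-1001", "card_purchase"),
]

def flag_accounts(events, window=WINDOW, threshold=THRESHOLD):
    """Map each suspicious account to the change types seen close together."""
    changes_by_account = {}
    for ts, account, kind in events:
        if kind in NON_MONETARY:  # purchases and other events are ignored
            changes_by_account.setdefault(account, []).append(
                (datetime.fromisoformat(ts), kind))
    flagged = {}
    for account, changes in changes_by_account.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Shrink the window until it spans at most `window` of time.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            kinds = {kind for _, kind in changes[start:end + 1]}
            # Keep the largest cluster of distinct change types per account.
            if len(kinds) >= threshold and len(kinds) > len(flagged.get(account, [])):
                flagged[account] = sorted(kinds)
    return flagged

if __name__ == "__main__":
    for account, kinds in flag_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {', '.join(kinds)} within {WINDOW}")
```

In the sample data, acct-1002 also has two changes, but they are weeks apart and stay below the alert threshold; only the burst on acct-1001 is flagged.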

Strategies and Measures for Preventing Account Takeover Fraud

In addition to monitoring your accounts, safeguard your data by being proactive and following these best practices:

  • Set security questions that are hard to guess. It’s easy to stick with the easy-to-remember answers, like your mother’s maiden name or where you graduated from high school, but that’s often information that can be learned from looking at social media profiles. It will be harder for criminals to answer questions like your first pet’s name or what street you grew up on.
  • Use strong, unique passwords and leverage multi-factor authentication (MFA). Make it hard for your attacker. Don’t use generic passwords or reuse them across a variety of accounts. Also sign up for MFA, an extra layer of verification that is more effective than relying on passwords alone.
  • Run malware detection software. Use firewalls and anti-virus software on your devices to ensure you’re malware-free. Some programs are designed to run in the background automatically, making it convenient to stay protected.

How To Take Action if You're a Victim of an ATO Attack

If you think you’re the victim of an ATO attack, take action immediately by doing the following:

  • Report any accounts you believe to be compromised
  • Review your account settings
  • Change passwords
  • Carefully examine your credit report

If you are a DCU member and your accounts with us are impacted, call 800.328.8797 so we can shut off your cards, prevent future losses, and mail you replacement cards.

In addition, place a fraud alert with one of the three credit reporting agencies. Choose from:

  • Equifax
  • Experian
  • TransUnion

It’s not necessary to reach out to more than one of the credit reporting agencies, as the fraud will be reported across each of the companies. You may be required to file a police report with your local police department to help establish proof of a crime.

To secure compromised social media accounts, such as Facebook or LinkedIn, go to your settings. Sometimes you can identify which type of device has logged into your account, and where the login occurred. Confirm you are still in control of your account, update your password, and reach out to customer service with questions or concerns.

It could take months to fully realize how deep identity theft can cut, which means you must stay vigilant in order to protect yourself. Keep records, stay organized, and continue monitoring your credit and other accounts so that you can identify any new suspicious activity.

Keeping Up With Account Security Best Practices

Account takeover fraud prevention starts with you. Billions are lost every year due to ATO attacks. Due to how successful they often are, that’s not a figure that’s likely to change anytime soon. However, you can do your part to keep from becoming a victim. Stay current on digital security education and best practices, and remember to never open or click on anything from a source you don’t trust.

DCU takes your financial security seriously and will never ask for your PIN or password information. We also offer a range of educational resources, including information on privacy and fraud, to help keep you and your money secure. Interested in membership? Our not-for-profit credit union has over 1.1 million members and we are actively growing.

This article is for informational purposes only. It is not intended to serve as legal, financial, investment or tax advice or indicate that a specific DCU product or service is right for you. For specific advice about your unique circumstances, you may wish to consult a financial professional.