Account takeover fraud (ATO) happens when crooks obtain customer information such as user names and passwords and use it to gain access to online accounts, which could include bank, credit card, social media and email accounts.
The crooks may buy stolen credentials on the dark web, use a phishing email or text message to get the information from the victim or to get the victim to download malware that captures it, steal it in a data breach, or trick people into revealing it through sophisticated scam phone calls.
The Financial Industry Regulatory Authority (FINRA) issued a bulletin in late 2021 saying it’s receiving an increasing number of reports of ATO. Reasons include people performing more transactions of all kinds online, the proliferation of mobile devices and apps, the tendency for consumers to use the same login credentials across multiple accounts, and lapses in security due to more people working from home.

SpyCloud cites these statistics on ATO:
- Losses increased 90% in 2021, totaling $11.4 billion.
- 22% of U.S. adults have been victims.
- Nearly a quarter of identity theft-related fraud in North America was related to ATO in 2021.
- 64% of passwords exposed in 2021 data breaches were used in ATO attempts and 70% of passwords compromised in the past are still being used.
FINRA says crooks have used ATO to gain access to victims’ online brokerage accounts. Experian cites other fraudulent activities such as ordering a new card from your credit card company and using it to make purchases, buying a new smartphone from your mobile phone carrier, redirecting unemployment benefits, and selling the information on the dark web.
ATO is often hard to detect. Red flags indicating you may be a victim include unauthorized transactions in your accounts, notices of changes to your address or other contact information that you didn’t initiate, missing account statements, and unfamiliar accounts on your credit report.
FINRA and the BBB offer these tips to avoid becoming the victim of ATO:
- Watch What You Click. The best way to protect yourself from a malicious link is to make sure you don’t click on one.
- Use Strong Passwords. Do not share your passwords with others, do not store them on your computer, use a different password for each of your accounts, and change your passwords regularly. Consider using a password manager that suggests and saves strong passwords.
- Enable Multi-factor Authentication (MFA). MFA uses two or more different types of authentication factors – such as a password plus a code sent by text message or a physical identifier, such as a fingerprint, voice, or facial recognition.
- Maintain Computer Security. Security software packages with anti-virus, anti-spam, and spyware detection features are a must if you engage in online financial transactions.
- Use Your Own Device – and Secure It. If possible, avoid using public computers or devices to access your financial accounts. They may contain software that captures passwords and PINs.
- Be Cyber Safe When Using Wi-Fi. Many public hotspots, such as wireless networks in airports, hotels, and restaurants, reduce their security settings so it’s easier to use them. However, this also increases the possibility that someone could intercept your information.
- Review All Correspondence from Your Financial Institutions. Review your account activity and monthly account statements thoroughly as soon as they are available.
Randy Hutchinson is president & CEO of Better Business Bureau of the Mid-South. This column is in partnership with Better Business Bureau of Middle Tennessee & Southern Kentucky.