Fraud takes many forms, from identity theft to pretending to be a government official calling unsuspecting people to demand tax payments or identity information. A newer form is account takeover fraud, in which someone takes advantage of weak account protection measures to siphon funds out of another person’s banking, online payment, or other account. Other accounts, such as social media, may be taken over to spread false information or hate messages.
This new tactic is not the same as identity theft, through which hackers use a person’s identifying data such as social security number, address, and other information to create new accounts in the person’s name. Account takeover fraud seeks to infiltrate existing accounts and use them to the hacker’s advantage. All types of fraud have risen during the current pandemic.
Account takeover fraud is growing rapidly, with the number of incidents tripling in a recent year-to-year comparison. The total amount of money lost appears to top $5 billion. Using an email lookup tool may help thwart hackers; 26% of victims discovered identity theft by monitoring accounts.
How it works
Account takeover is a multi-step process that involves gaining access to multiple sources of information in order to crack the big nut, usually a financial windfall created by diverting funds to the scammer’s own account. Here are a few ways it may happen:
- By using phishing techniques, scammers may get an unsuspecting victim to allow malware onto their computer (via email using a fake link to a trusted company or account, or via social media profiles); the malware may be programmed to send password information back to the hacker, who can then gain access to more accounts or directly to the financial account that is their goal;
- Social engineering techniques may be used to impersonate the account holder who has “forgotten” some necessary information, such as a password, and gain access or key information about an account from an unsuspecting company employee;
- Weak single-authentication passwords such as “1-2-3-4-5” may allow a hacker to take over a victim’s email, from which he learns which bank the victim has accounts at and then proceeds to gain access by getting a password reset verification code sent to the email address; or
- Loyalty rewards programs are particularly prone to takeover because they’re an afterthought when it comes to security and they’re infrequently monitored. Scammers who gain access may either use the points for travel or merchandise or use fake credentials to shift the accrued points to another account, eventually amassing enough to cash in.
Recognizing account takeovers
Account takeovers may not immediately come to your attention unless you have transaction alerts for the account that’s been hacked. It can take weeks or months to learn that your credit card that was on file with a merchant (such as an online retailer that retains the information for easy use when you make a purchase) has been used for transactions you didn’t authorize. Keep checking account activity each month and always keep tabs on your credit report for indications that someone opened new accounts in your name.
The pandemic has been a peak time for scammers to enact frauds like account takeover because:
- they’re aware that people are receiving stimulus checks and may be responsive to schemes in which scammers pose as government or bank officials checking on infrequently-used accounts or offering to help customers unlock their stimulus money by providing a PIN;
- people are shopping online more frequently, accruing rewards points and opening new accounts with online retailers, all of which create new opportunities for scams;
- many fake websites are cropping up, targeting people with coronavirus-related concerns, including access to ordering masks and sanitizing products, but these sites exist only to get a person’s credit or debit card information before attempting to break into that account;
- millions of people working from home are using their own personal computers rather than company-provided equipment that may have better security; home internet access is less often behind a password-protected firewall, allowing hackers new opportunities to get into your company’s database or customer information through you.
How to stop account takeover fraud
There are several basic steps that can be taken to prevent account takeover fraud and other types of account hacking. The most important one is to recognize that all accounts are likely to be targeted, whether it’s your Amazon Prime, airline points, or your work email, because there is something a scammer may gain from each.
- Opt for multi-factor authentication. If a hacker gets into just one of your email accounts he may obtain the keys to other accounts, such as by using an email from your bank to “phish” more information or to launch malware. If you have a PIN sent to your phone each time you log in to an important account, it’s likely to frustrate hackers, who will go after another person’s account instead.
- Strengthen Wi-Fi security. Never use public Wi-Fi for anything important, and make sure your home Wi-Fi is secure before doing business there.
- Seek account alerts. Ask for text alerts every time your bank card is used or a new computer logs into your account so that you can stop fraudulent use of your personal information as quickly as it starts.
- Use reverse email lookups and other tools to find out if a message you’ve received is authentic. Scammers often spoof bank emails, making them look real, but they’re usually one letter or punctuation mark different from actual, official communications. Check websites too, which may be similarly spoofed.
- Pause and look for fraud when you receive an emergency message. Think about the situation and do not respond in haste or you may overlook an obvious sign of fraud.
- Close all accounts you no longer use. Rewards cards with your email and a commonly-used password may linger for years until they’re found by a hacker who may use them to unlock your other accounts.
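The “one letter or punctuation mark different” spoofing described in the email-lookup tip above can be checked mechanically. The following Python is an added example, not part of the original article; the trusted domains, the two-edit threshold, the two-label domain assumption and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Hypothetical allow-list: domains the reader really does business with.
TRUSTED = {"examplebank.com", "example-rewards.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the free-text display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header: str, max_distance: int = 2) -> str:
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    for good in TRUSTED:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    base = ".".join(domain.split(".")[-2:])  # assumes two-label registrable domains
    for good in sorted(TRUSTED):
        # Trusted name glued onto someone else's domain, or a near-miss spelling.
        if domain.startswith(good + ".") or edit_distance(base, good) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Example Bank" <alerts@examplebank.com>',
    '"Example Bank" <alerts@examp1ebank.com>',
    '"Example Bank" <alerts@example-bank.com>',
    '"Example Bank" <alerts@examplebank.com.account-verify.test>',
    '"Newsletter" <news@unrelated.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):32} {header}")
```

A result of “unknown” only means the domain is not close to anything on the allow-list; it says nothing about whether the message is genuine.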
Using difficult-to-remember passwords may slow things down, but they’re worthwhile to protect your accounts. Similarly, learning about and putting anti-fraud and fraud-detection practices to use in everyday transactions will save you time and effort later by stopping account takeovers before they can start.