How to Spot—and Prevent—Account Takeover Fraud

If the term sounds ominous, it’s because it is: Account takeover (ATO) fraud is a form of identity theft that occurs when someone gains access to or control of your personal accounts online. Then they can make unauthorized purchases or transactions, and change the log-in credentials and personal information so that you can no longer access your accounts.

And, identity theft is on the rise. According to the Federal Trade Commission, the number of identity theft reports filed with the FTC increased by 46% in 2019. They accounted for 20% of all reports filed, more than any other type of complaint. Credit card fraud topped the list of identity theft complaints, accounting for 42%. Also on the list were loan or lease fraud, phone or utilities fraud, bank fraud, and email or social media identity theft fraud.

The fact is, anyone who has an online account with a bank, credit card company, mobile phone service or internet provider, among many others, is at risk of ATO. Its victims are left scrambling to work with financial institutions or service providers to have charges reversed, accounts secured and control restored. The key to prevention is understanding how it can happen and then employing tactics to reduce the chance it will happen to you.

How Do Account Takeovers Happen?

Cybercriminals gain access to people’s accounts in many ways, ranging from easily preventable breaches of security to sophisticated tactics that are more difficult to spot and prevent. Here is a sampling of the common methods cybercriminals use:

  • Insider knowledge. Say someone knows your email address, cellphone number, home address and birthday. This may be half of what they need to gain account access. Now all they need is your password, which they might be able to guess or infer. And, if they’re able to use your computer or phone for any reason, it could be a done deal.
  • Classic theft. Cybercriminals can steal items like wallets, mail and credit card/bank account statements, then use those to create or access online accounts. This is easier if they have your cell phone number and email address, too.
  • Purchase. Offenders can purchase compromised or breached personal credentials sold through nefarious websites on the dark web.
  • Intercept. Tricksters may use Wi-Fi traffic monitoring programs to intercept and record your activity on public networks, which may include collecting usernames and passwords you enter.
  • Card skimmers. Criminals place devices on the swipe mechanisms of ATMs and credit card readers to capture credit and debit card information. Then this data is used to make fraudulent charges.

How Can You Prevent an Account Takeover?

By understanding how account takeovers happen, you’ll find it easier to adopt prevention measures.

  • Use password best practices. Strengthen your account log-in passwords and follow the latest best-password practices. Longer is stronger: Password strength should be at least 15 characters, where possible. Also, use a unique password for every account; don’t use common or actual words for your passwords; and incorporate a mix of uppercase and lowercase letters, numbers, special characters and symbols.
    Don’t use personal information like your name, age or pet’s name. Be mindful about where you’re using your passwords. Avoid entering them when using unsecured Wi-Fi connections or on computers that don’t belong to you.
  • Use multi-factor authentication. Always select multi-factor authentication (MFA) when given this option in account portals. This security feature requires you to prove your identity in multiple ways. Besides entering your log-in credentials, you may also have to enter a code sent to your device or in an email. When you use MFA, hackers can’t get into your account unless they also have access to these other channels.
  • Be smart to phishing schemes. Phishing is the use of emails or phone calls to trick recipients into providing personal or sensitive information that is then used to access their online accounts. Look out for these common telltale signs: emails or phone calls with offers that seem too good to be true, or conversely, threats with urgent requests for information; emails with hyperlinked text that differs from the destination URL; emails with unexpected attachments; and emails from unrecognized senders.
    If you see any of these signs, vet the authenticity of the message before any interaction, and alert your institution through another, previously established channel, such as by calling a known phone number. You might employ spam filters to help reduce phishing emails. And keep in mind that financial institutions are not in the habit of requesting personal information via email or threatening to lock your account if you don’t reply quickly.
  • Stop the skimming. Anytime you swipe a credit or debit card, you risk having your data “skimmed” from your card with the use of card skimmers. One of the biggest targets: card readers at gasoline pumps or on ATM machines.
    Visually inspect card readers before use. Check for signs of tampering, such as unusual wear around the edges, broken security labels, or loose keypads and reader components. With a debit card, consider using it as a credit card instead, if possible. This makes the transaction take longer, since the funds are not directly withdrawn, as in a debit transaction. And because the purchase is routed through credit card networks, rather than debited directly, the transaction may offer additional fraud protection.
  • Stay vigilant. Consider setting up fraud alerts with your institution, so that transactions will be monitored closely. Also, make a habit of reviewing your financial activity or statements regularly—even daily, if possible. This will help you spot unauthorized transactions quickly, ideally while any fraudulent activity is easier to minimize and reverse.

What if an Account Takeover Happens to You?

If you see charges you don’t recognize, can’t access your accounts online or have some other reason to believe an account has been compromised, first alert your financial institution and the Federal Trade Commission, using the IdentityTheft.gov website. Ask that your card or account be frozen.

In most cases, reporting the incident to the FTC eliminates the need to file a police report. But there are some situations when you should alert the police, too, such as if the thief is using your identity during a traffic stop, or when your financial institution specifically asks you to do so.

Certainly, account takeover fraud can be worrisome. But it can be managed. By being aware of the risks, implementing precautions and staying alert to red flags, you’ll build a strong defense against this type of attack.

The information and recommendations contained herein are compiled from sources deemed reliable, but are not represented to be accurate or complete. In providing this information, neither KeyBank nor its affiliates are acting as your agent or is offering any tax, accounting, or legal advice.