Account takeovers (ATOs) rarely make headlines, but as a credit union, we are all too familiar with the tactic fraudsters use to invade member accounts. They simply log in! It’s quick, easy, and profitable. With the correct username and password, they can appear to be a legitimate user.
With ATO fraud on the rise, it is necessary to be proactive about preventing it. By adhering to best practices, utilizing fraud detection resources, and being diligent about monitoring, the likelihood and consequences of an ATO fraud attack can be significantly reduced. Read on to learn more!
Account Takeover (ATO) Fraud is a type of malicious identity that happens when a fraudster poses as a financial institution to get your personal or account information. Once the fraudster has access to your account, they can make unauthorized transactions. The motivation behind most ATO fraud campaigns is financial gain, which is why our credit union (along with other financial institutions and credit card companies) are often among the first to be targeted.
What is an "account takeover"?
According to a study published by Aite Group
, “over one-third (38%) of consumers experienced account takeover (i.e., unauthorized access to a consumer’s existing account) over the past two years.”
When left unaddressed, ATO fraud can cost both consumers and businesses significant amounts of money and time. Though there are ways to reconcile accounts that have become victims of ATO fraud schemes, the best thing to do to remain safe is to take proactive measures. The good news is, you've already taken a proactive step by reading this article!
How does an account takeover work?
- First, a fraudster sends a text message to your mobile phone. They usually claim they‘re from a financial institution‘s fraud department. They ask you to confirm a suspicious payment that was sent from your account — this may not be true and could be part of the fraud.
- If this is a fraud attack, the fraudster typically follows up with a phone call and asks for your personal information to “cancel the payment.”
CCCU will not call or text you to ask for your account number, password, PIN, or other personal info, unless we are confirming a wire transfer that was initiated by you.
- The account takeover fraud usually begins on a Friday, after business hours, and runs through the weekend.
What do fraudsters do with stolen accounts?
Once they get access to your account, criminals could do a number of things to cause trouble, including:
- Order a new card from your credit card company and use it to make purchases.
- Buy a new smartphone from your mobile phone carrier.
- Access and redeem your account credits or rewards points for their own benefit.
- Make a payment to a fraudulent company from your bank account.
- Open a new bank account in your name.
- Place orders on a shopping or restaurant delivery site.
- Redirect unemployment benefits.
- Access and steal personally identifiable information.
- Change account information, including your phone number, email, home address, or login and passwords.
- Use the information they obtain to access other accounts.
- Sell the account information on the dark web.
How can you prevent this fraud?
For all the problems account takeover can create, it can be difficult to detect. Often, criminals take the extra step of changing your account preferences so you don't receive notifications that might otherwise tip you off that something is amiss. That's why it is important to pay attention to password change notifications and other account alerts as they come in before fraudsters have the chance to disable them. If you're notified of activity you don't recognize, look into it right away.
Remember, if someone posing as CCCU contacts you by phone, email, or text message and wants you to share your personal information, consider it fraud.
If you receive a text (or email) like the one shown here, do not reply to the sender. Ignore the message and do not call any phone numbers listed in the text.
If you receive a phone call that seems to be a phishing attempt, end the call immediately. And be aware that area codes can be misleading: a local area code does not always guarantee that the caller is local.
Other fraud prevention tips:
Sign up to receive free consumer alerts from the Federal Trade Commission (FTC)
. This is a quick, easy way to receive news on the latest scam alerts — so you can stay informed.
Be meticulous with your passwords. Hackers will be more successful with their attacks if you tend to use the same logins and passwords on multiple sites. Ideally, you should have a unique, secure password for every online account. Using a secure password manager to generate and store these passwords across devices could be a great help.
Use multi-factor authentication. Simply setting up security on your accounts to send a one-time passcode by email or text can help thwart an account takeover. Adding biometrics like face recognition or fingerprints (available on the CCCU mobile banking app) can also be effective. Multifactor authentication isn't available on all accounts, but it is available on many critical ones. Activate it wherever you can.
Safeguard your credit. Even before you fall victim to account takeover, you might want to consider placing a credit report fraud alert or credit freeze with all three credit bureaus. With a fraud alert, credit bureaus will ask creditors to take steps to verify your identity before issuing credit in your name. A credit freeze prevents potential creditors (and others) from viewing your credit report and scores unless you deliberately "thaw" your credit information.
What to do if you feel that you have been a victim of fraud
- Report the fraud immediately to the company or agency involved.
- Check your accounts. Assess whether your other accounts have been affected, especially those that use the same password. You may need to close your account or upgrade your account security.
- Change your passwords. Update account information for the affected account and any others that share passwords with it. Better yet, you may want to take this opportunity to change and upgrade your passwords across the board.
- Consider your credit. If you haven't already, you may want to freeze your credit or add a fraud alert to your credit reports and activate credit monitoring. Credit bureaus like Experian offer free credit monitoring.
Now that you've learned about fraud prevention best practices and fraud detection resources, you can start taking preventative measures to significantly reduce the likelihood and consequences of an ATO fraud attack.
A trusted financial partner since 1954
Here at CCCU, we're committed to keeping your hard-earned money secure and your personal information safe. However, you’re the best and first line of defense against fraudsters. As your financial partner, our role is to take several steps to protect our members' accounts, including multi-layer login authentication, Secure Socket Layer (SSL) encryption, 24/7 monitoring, and continual cybersecurity updates. And, we'll continue to work on new ways to help our members fight fraud.
We proudly serve people who live, work, worship, own a business, or attend school in Multnomah, Clark, Washington, Hood River, Clackamas, and Yamhill, Columbia, and Skamania counties, or are a relative of a current member.
We have three physical branches in Portland and one in Hood River, convenient mobile banking, plus access to 5,600+ CO-OP Shared Branches and over 30,000 surcharge-free CO-OP ATMs nationwide!
Join us today!