What Is an Account Takeover?
Account takeover is an attack in which cybercriminals take ownership of online accounts using stolen passwords and usernames and then use these credentials to commit fraud. These bad actors purchase cardholders’ Personally Identifiable Information (PII) via the dark web, often obtained from data breaches or from social engineering schemes such as phishing, vishing, or smishing attacks. Stolen PII (e.g., name, address, email, phone number, date of birth, business name, cell phone provider, social media and login accounts and passwords) provides the necessary credentials for a fraudster to pose as a cardholder.
With this information, fraudsters can engage with the cardholder’s financial institution and make changes to accounts or card settings to execute fraud. They may make demographic changes (e.g., phone numbers, emails, passcodes), or apply for increased limits, Personal Identification Number (PIN) changes, and/or travel exemptions to suppress or interfere with our fraud-monitoring tools.
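The sequence described above (contact details changed, then a limit, PIN or travel request) can be checked for in an account audit log. The following is an added example, not part of the original article or any bank's actual tooling; the event names, the 72-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Event names are assumptions for this example, not a real core-banking schema.
CONTACT_CHANGES = {"phone_change", "email_change", "passcode_change"}
RISKY_REQUESTS = {"limit_increase", "pin_change", "travel_exemption"}
WINDOW = timedelta(hours=72)  # assumed review window

# Constructed sample audit log: (timestamp, account, event, channel)
SAMPLE_EVENTS = [
    ("2024-03-01T09:15", "A-1001", "phone_change", "call_center"),
    ("2024-03-01T09:40", "A-1001", "email_change", "call_center"),
    ("2024-03-02T14:05", "A-1001", "travel_exemption", "call_center"),
    ("2024-03-02T14:20", "A-1001", "limit_increase", "online"),
    ("2024-03-03T10:00", "A-2002", "pin_change", "branch"),
    ("2024-01-10T08:00", "A-3003", "email_change", "online"),
    ("2024-03-04T11:30", "A-3003", "limit_increase", "online"),
]

def flag_takeover_sequences(events, window=WINDOW):
    """Return alerts where a risky request follows a contact change within `window`."""
    recent_changes = {}  # account -> list of (time, event) contact changes
    alerts = []
    for ts, account, event, channel in sorted(events):
        when = datetime.fromisoformat(ts)
        if event in CONTACT_CHANGES:
            recent_changes.setdefault(account, []).append((when, event))
        elif event in RISKY_REQUESTS:
            # Keep only contact changes still inside the window.
            prior = [(t, e) for t, e in recent_changes.get(account, [])
                     if when - t <= window]
            recent_changes[account] = prior
            if prior:
                alerts.append({
                    "account": account,
                    "request": event,
                    "at": ts,
                    "preceded_by": [e for _, e in prior],
                    # Verify through the contact details on file BEFORE the
                    # change, since the new ones may belong to the fraudster.
                    "action": "hold_and_verify_via_previous_contact",
                })
    return alerts

if __name__ == "__main__":
    for alert in flag_takeover_sequences(SAMPLE_EVENTS):
        print(alert)
```

A standalone PIN change (A-2002) and a limit request made long after an email change (A-3003) are not flagged; only the request that closely follows a contact change is held for verification.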
Common Fraud Schemes That Can Contribute to Account Takeover
1. Skimming and Malware
Criminals are getting smarter, and some are targeting the places you shop. One common method is skimming, or using malware on point-of-sale (POS) terminals (the machine you swipe or insert your card into).
Thieves use hidden tech to steal your card information and send it through criminal networks in a matter of seconds.
The good news? Quick action can make a big difference. If you notice suspicious activity on your account, report it right away to help prevent further loss.
Pro tip: Use chip cards or mobile payments when possible—they’re more secure!
2. Phishing
The prevalence of phishing (tricking people into revealing confidential information) and its variants continues to rise. Phishing schemes are becoming more targeted and more difficult to identify than in the past. Instead of using only suspicious links in poorly designed emails, phishing emails now mimic legitimate websites and appear more polished and credible.
The use of web address shortening tools, such as TinyURL, makes detection of suspicious links more difficult, even for savvy users.
3. Vishing and Smishing
Smishing is the practice of sending text messages claiming to be from reputable companies to induce you to reveal personal information, such as passwords or credit card numbers.
Vishing is the fraudulent practice of making phone calls or leaving voice messages. You may be sent a voice or text message with transaction details and a request to confirm transactions.
You may also be asked to call back a number to provide account information. In some instances, fraudsters send a one-time passcode and ask you to reply “No Fraud” to text/voice messages.
It is important to be on the lookout for these kinds of fraudulent messages that disguise themselves as legitimate fraud notifications. These schemes use sophisticated methods combined with social engineering to deceive people into revealing critical information and disregarding legitimate fraud warnings.
4. Malicious Software (Malware)
Malicious software (malware), including software that can compromise your computer, is a significant threat to the security of financial data. These "Man-in-the-Browser" attacks install malicious software in the background to monitor and hijack your web sessions. Fraudsters are then able to transfer funds or harvest payment cards and online banking credentials, while redirecting you to a fictitious error page. This type of malware is often deployed automatically when a user visits a compromised website.
Maintaining a secure, up-to-date operating system, along with robust security and anti-malware software, is a critical first step in preventing this type of fraud. The availability and deployment of automation and crimeware are increasing in the card fraud world. Both all-in-one malware packages, which are designed to compromise computer systems, and individual tools, which are able to crack passwords and automatically carry out brute-force attacks, are available for purchase on underground websites and criminal forums.
Non-Card-Related Scams That Can Lead to Account Takeover
Fraudsters like to take advantage of what is going on in the world, such as tax season, the Olympic games, and national sporting events. These types of large events can be prime times for criminals to take over cardholder identities, leading to account takeover, loans being opened in their names, cards being used for fraud, and other fraudulent activities.
An explosion of similar scams, such as imposter, online shopping, lottery, and romance scams, is quite common as well. Some of the scams are similar to those used in other countries, which target victims by SMS/text messages and often falsely direct the recipient to provide personally identifiable information (PII) and/or to make a payment for an unpaid parcel allegedly pending delivery.
Resource: Fiserv
Heartland Bank Tools to Help You Fight Fraud
At Heartland Bank, we are committed to your security and well-being. We offer tools and resources to help protect your finances:
- Credit Sense: Monitor your credit score and receive alerts for suspicious activity, which can help you detect potential fraud early.
- HB Mobile App: Manage your accounts on the go and monitor transactions in real time, ensuring you're always aware of what's happening with your money.
- HB Alerts: To maintain your financial security, sign up for instant alerts on check activity and account transactions.
Stop by your local Heartland Bank branch for more information about these products. Together, we can fight fraud and keep your finances safe.

Heartland Bank is a family-owned bank located in 15 communities across the heart of Nebraska. Its vision is to improve the lives of customers, associates, and communities. Heartland Bank is a six-time recipient of American Bankers' Best Banks to Work For award.