What is Account Takeover Fraud?

March 1, 2024/ Jarrod Wright /

Account takeover fraud happens when a cybercriminal gets access to a cardholder’s online account. This could be anything from your bank account to an email or social media profiles. Once they’re in, they can do a lot of damage, like stealing money, buying things on credit, or even scamming their initial victims’ friends and family.

Common Account Takeover Fraud Tactics

Fraudsters have a number of tricks up their sleeves to take over accounts. Some of the most common tactics include:

• Phishing: This is the practice of sending emails or other messages, impersonating another individual or company, to trick individuals into revealing personal information, such as passwords and credit card numbers.
• SIM Swapping: This is when criminals convince a phone company to switch their target’s phone number over to a SIM card in the scammer’s possession. Once they do this, they can get any texts or calls meant for that user, including one-time codes sites send for security verification.
• Credential Stuffing: Credential stuffing is a brute force tactic that involves using bots to rapidly and repeatedly attempt to enter username and password combinations into a web form.

What Do Fraudsters Do With Hijacked Accounts?

Once a scammer gains access to a user’s account, they can conduct a number of malicious activities.

For example, a scammer may log into a user’s bank account, then transfer the funds into a different account, effectively stealing all the money the victim has in their account. Or, the scammer could gain access to a victim’s credit card, and make purchases without the cardholder’s knowledge.

It’s also easy to take one successful ATO attack and turn it into a compounding event. For example, the scammer may take the stolen credentials and sell the account information to other criminals. Or, sometimes they want to use the account to scam other people, making it harder to trace back to them.

10 Ways to Prevent Account Takeover Fraud

Now for the important part: keeping users’ accounts safe. Here are ten tips that cardholders can use to protect themselves:

• Use Strong, Unique Passwords: Make sure each account has a different, complex password. A password manager can help with this.
• Turn on Two-Factor Authentication: This adds an extra step to the login process, usually a code sent to a phone, which makes it harder for hackers to get in.
• Watch for Phishing Scams: Users should be skeptical of emails or messages asking for personal info or directing them to log in to your accounts.
• Keep Your Software Updated: Regular updates help protect against malware and other vulnerabilities.
• Use Security Questions Wisely: Don’t pick answers that someone could easily find or guess, like the name of a high school.
• Secure Your Email: Since one’s email can be used to reset passwords, make sure it’s especially secure.
• Monitor Your Accounts: Users should regularly check bank statements and account activity for anything fishy.
• Be Careful on Public Wi-Fi: Avoid logging into accounts when connected to public WiFi. Users may even opt to use a VPN to encrypt their connection.
• Secure Devices: Use a PIN or biometric lock on phones, and be cautious about who has physical or remote access to a device.
• Educate Yourself and Others: Stay informed about the latest security threats and share what’s learned with friends and family.

Last Update: March 1, 2024