Account takeover fraud

Compared to a one-off theft, account takeover offers a better and longer return on investment. Compared to a credit card hack, the consequences and hassles for consumers are higher with account takeover. Federal laws and most issuers' zero-liability policies mean you usually don't have to pay fraudulent charges.

What types of crimes can be committed by criminals with your information?

Phishing:  Mobile, Email, Web Site & Social Media phishing rely on social engineering tactics to fool you into either clicking on a link, sharing a link, downloading a file or entering information into an online form.  Having more of your personal information makes it easier for criminals to convince you that the "phish" is legit.

Stolen or Compromised Credentials:  Armed with stolen, up-to-date PII data, criminals can more easily impersonate you in order to get into your account.  Stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, tax refund fraud, social security, government benefit fraud and retirement accounts. Call centers and online systems rely on these pieces of information to verify account holders.  Criminals can use this information to correctly answer the call center knowledge-based authentication questions.

Passwords: Reused passwords multiply consumer risk  Once a fraudster hacks one of your accounts, the next account often is easier to crack if you use the same username and password combination.

Email Account: With access to an email account, the fraudster can reset site passwords on commercial websites using your trusted email address. 

eCommerce Account: Once a fraudster accesses your e-commerce account, they now have access to all of the payment methods linked to that account.  You may have a stored account where you have linked a few of your credit cards and PayPal account to easily use when you check out.  Gaining access to this account is far more lucrative to a hacker as they now have access to your multiple stored payment methods versus trying to use a list of one-off stolen credit card numbers, which may or may not be valid.

Rewards accounts: Another goldmine for fraudsters is rewards points stored online in retail store accounts.  Thieves who get access to those accounts can use the stored information to buy expensive items. 

Banking: If a fraudster cleans out your bank account or takes out a loan in your name, your money is gone.  One way that this can happen is if click on a link that downloads keystroke logging malware onto your computer. That keystroke logging tracker will note that every time you click on your bank’s website and record the user name and password.  The malware sends the login info to the fraudster’s network. The malware works in the background and van be very difficult to detect. 


What can you do:

  • Reconcile or balance your bank account every month. The beauty of online accounts is that you can monitor them almost in real time. That means you can catch crooks long before a statement arrives in the mail. Learn more
  • File your taxes promptly:  While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS
  • Be extra careful about emails and attachments.  Avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from any company connected to a data breach. Learn More
  • Use Two-factor authentication.  Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account. Learn More
  • Check your Credit Cards accounts often. Reviewing your recent account activity is fundamental to credit card safety—and it’s easy. You can do it online or by phone. If your credit card issuer offers email or text alerts about unusual activity, sign up to receive them.
  • Monitor credit reports.  Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies — Equifax, Experian and TransUnion — every 12 months from http://www.AnnualCreditReport.com. Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day. 
Data breaches like the Equifax breach will help phishers trick you.

Fact: The likelihood that your personal identification is in the hands of criminals increases with every new data breach.

Data breach information goes way beyond just login credentials and credit card numbers.  Here are all the types of personal identification information that can be stolen during a data breach:

  • Social Security Numbers 
  • Date of Birth 
  • Credit Card Numbers 
  • Telephone Numbers 
  • Public records of criminal and civil cases
  • Your credit history (current and previous loans, credit cards, credit card balances & utilities)
  • Transaction history and length of accounts
  • Bankruptcy filings
  • Companies with which you have an existing or prior relationship.
  • Your medical information or payments
  • Drivers license number and driving records
  • Work Records
  • Current & previous addresses and property ownership
  • Voter registration
  • Professional licenses
  • Associates
  • Family, relatives and neighbors
  • Car, homeowners and renters insurance claims
  • Opening or using bank accounts (including bounced checks or overdrafts)

Data breaches may not play out for a really long time as hackers might not use stolen data right away.  The following suggestions should become habits that last well into the future.  This way if hackers are sitting on your information to use it in the future, you'll know.

What to do:

Order specialty free reports outside of the big three credit reporting agencies.
  Specialty reporting companies may disclose information that can help prevent fraudulent accounts and other identity theft crimes:

LexisNexis Full File Disclosure. It’s one of the more comprehensive databases out there, containing all the information LexisNexis gathers to create its various reports about you. And, like credit reports, you can order one free copy per year. Please visit: https://personalreports.lexisnexis.com/access_your_full_file_disclosure.jsp

Complete List: For a complete list, please visit the Consumer Protection Financial Bureau at: http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf