Account takeover fraud

Hacks and data breaches are all too common. Here’s how to stay safer and what to do if you’re affected.

    Here’s how to shield your money and your existing accounts.

    • Create strong passwords and user IDs, change them frequently, and don’t use the same ones for all your accounts. These steps make it harder for criminals to steal the virtual keys to your accounts and limit the damage they can do if they crack your code.
    • Pay attention to security alerts that inform you about possible data breaches. It is a good idea to change your password if you have reason to believe that your information has been compromised.
    • Keep your antivirus software up to date. The technology environment is constantly changing and antivirus software can quickly become obsolete.
    • Use different passwords for each of your accounts, including email, website logins, social media, etc. If one website gets hacked, your credentials are still safe across all of your other accounts.
    • Consider using a password manager, which generates and stores long, complicated passwords. The basic offerings among companies are the same, though there are differences in price, 
    • Monitor your credit reports and credit score. Thieves can use your information to set up new credit cards in your name with a fake address. This means you’ll never receive bills, so your first clue that something is amiss may be a credit score left in ruins by unpaid bills or delinquent charges on your credit report. You are entitled to receive a free copy of your credit report once every 12 months through AnnualCreditReport.com.
    • Explore putting a lock or a freeze on your credit reports compiled by Equifax, Experian and TransUnion. Both a lock and a freeze block access to your credit reports, making it highly unlikely that anyone could open a credit card in your name. 
    • Don’t give out vital data like Social Security and bank account numbers to strangers calling over the phone. If you think the call may be legitimate, ask for the person’s full name and a number where you can reach them later.
    • Consider buying identity-theft insurance through your financial institution. 
    • Don’t ignore your snail mail. Make sure you aren’t receiving unsolicited credit cards or collection notices for products and services you never purchased.
    • Exercise caution when clicking on websites and emails. Thieves have become expert in forging the look of legitimate sites.
    • If you typically do your banking in person at a nearby branch, consider creating an online account. You’ll be able to closely monitor account activity and spot breaches quickly. You could also prevent a thief from opening an account in your name.
    • Get Account Alerts. Ask your financial institution or brokerage house representative if the institution provides account activity notifications and how to implement them.  Alerts will notify you about activity on your account. Reviewing alerts immediately can protect against fraudulent activity on your account.
    • Don't use your account on an unknown computer. Unless you are sure a computer is secure, be wary of using an unknown computer. Computers can record pages viewed and keystrokes entered, among other possible security violations. Granted, this will not be your experience on most computers, but be careful.
    • Check Your Last Login Date. When you log on, your last login date is displayed on the People's United Bank welcome page. Always check this date to ensure someone else is not using your account.
    • Register Your Computer.  Not only will this make logging on to your account quicker, it reduces the chance that the answers to your security questions will be compromised.
    • Enroll into E-Statements.  Receive your statements electronically. Paper statements can divulge your financial information if stolen from your mailbox.
    • Review Account Activity.  Review your online accounts for any transactions you did not initiate. Early detection may prevent large losses.
    • Don't use your computer at work.  Even if it's on your lunch hour and on your own time, employers can monitor computer usage and even typing (although most don't). While your company might not care how much money is in your accounts, those who are paid to monitor Internet and email use will also have access to this information. You can use your computer at work, just be aware of the risks. 
    • Shred or securely store your paper bank statements. One of the advantages of online banking is that your records are stored securely online. However, if your financial institution sends you monthly statements about your account or another account you have with them, be aware that these statements can include log-in information as well as account numbers that can be used to access your account. You should shred these documents when you are done with them or store them in a secure place.
    • Understand security and online banking. You have taken a good first step by reviewing the information on this site and this list of security measures that you can take, but make sure you continue to be aware of the security measures your financial institution employs.

    What to do if an account is hacked:

    • View and verify account activity. First, go through your account activity to confirm any changes or fraudulent charges. Keep in mind that some legitimate transactions may seem fraudulent if the company does business under a different name.
    • Update your system and delete any malware.  The first thing you should do if your account gets hacked is to run an end-to-end antivirus scan. This means skipping the "quick scan" setting in favor of a deep scan to identify and eliminate not only all forms of malware (from Trojans and spyware to keyloggers that could be tracking your keystrokes even after the hack has been identified) but also potentially unwanted applications.  It's important to make sure you're clean before you change any of your other sensitive information to avoid restarting the cycle.  Also, set your security software, internet browser, and operating system to update automatically.
    • Review Social Media Accounts.  On your social networking sites, look for changes to the account since you last logged in.  Look at your personal details, review any third-party apps connected to your account, and check your security questions and answers and your backup email addresses and/or phone numbers. If you think your hacker had a chance to scan your security questions and backup accounts, try to change these on the compromised account and on any other account that relies on the same information. This will prevent the bad actor from using your personal details to breach other accounts in the future.
    Once you’ve locked down your other accounts, it’s time to start trying to recover ones you may have lost control of. Many commonly used services offer a suite of tools to help you verify your identity and regain access to your accounts, but some make it easier than others. Here’s how recovery works on some of the services you might be using.

    Google: The company will let you verify yourself by contacting other devices connected to that account. On Android phones, that means you’ll get a notification that you can tap “yes” on to prove you’re the account owner. If you’re using an iPhone or iPad, Google makes that verification message available in the Gmail app. If none of that works, Google will send a recovery email to a backup email address if you’ve specified one in the past.

    Apple: If someone has taken control of your Apple ID, start by visiting iforgot.apple.com. From there, Apple will ask you to verify your phone number and then send notifications to your other Apple devices to help you reset your password — but only after you’ve confirmed your identity by punching in your Mac’s password, or your iPad’s or iPhone’s passcode.

    Amazon: To start, Amazon will attempt to confirm your identity by sending a verification code to your phone. If that isn’t an option (say, if someone else has control of your phone number), your best bet is to call Amazon customer service. As part of the process, you may be asked to upload a scan of your driver’s license, state ID card or a voter registration card to verify your identity.

    Microsoft: Visit the company’s account recovery site and type in the email address associated with your Microsoft account. You’ll be prompted to give Microsoft an account recovery code if you’ve already made one; if not you’ll have to fill out a short form that — among other things — asks you to provide an alternate email you have access to. From there, the company will send a four-digit code to that email address. Once you’ve verified the code, you’ll fill out another short form to start the recovery process.

    Facebook: Visit the company's Help Center.

    LinkedIn: Visit the company's Help Center.

    Instagram: Visit the company's Help Center.

    Visit our Victim Assistance & Support Resources section for more contact information on online service providers and social media companies.
    • Contact Other Online Services.  It's critical to change your passwords with other payment-based accounts such as Hulu, Netflix, LinkedIn, Credit Card Companies, etc. Make sure you use different passwords for every online account.
    • Change Your PINs & Passwords.  Once your computer is free of malware, it's time to change your password. If you've lost access to your account, you may need to contact the company directly, prove who you are and ask for a password reset. Choose a new password that is very different from your old one and make sure it doesn't contain strings of repeated characters or numbers. Your password should be unique for each account, complex (i.e., a mix of letters, numbers and special characters) and at least 15 characters long.
    • Notify People You Know.  Tell your friends, family and anyone else on your email contact list that they might have gotten a malicious link. During the period when attackers had control of your account, they could have sent dozens or even hundreds of fraudulent emails to everyone you know, in turn giving them access to a new set of victims. 
    • Change Your Security Questions.  While your password was the most likely attack route, it's also possible that hackers broke into your account after answering your security questions. Many users choose the same answer to common security questions.  In order to further protect your email, be sure to employ the multi-factor authentication that many providers allow to gain access to your password, including using secondary email addresses or text messages, since security questions alone are not enough.
    • Report the Hack.  If you haven't already, contact your financial institution, email provider, or other company and report the hack. This is important even if your hacked account didn't cause you to lose access since it helps providers track scam-based behavior. If possible, freeze your bank account online, on the app or by speaking with customer service.  In addition, your account provider may be able to offer details about the origin or nature of the attack.
    • Contact Credit Agencies.  Contact the three credit reporting agencies (TransUnion, Experian and Equifax) to monitor your accounts in the months after you've been hacked.
    • Consider Your ID Protection Options.  If you've been hacked, another idea worth considering is an ID protection service. These services typically offer real-time email and online retail account monitoring, in addition to credit score reporting, and personal assistance in the event of an identity theft. Your financial institution will offer this program for a small monthly fee.
    • Review All Email Accounts.  If the breach affected a service that includes email, such as your Google account, check the email account for sent messages or for new filters. For example, clever hackers can set up filters that forward all incoming mail to an address you don't recognize. Delete such filters to prevent people from worming their way back into your account in the future. This is particularly important because you can reset many other accounts' passwords, and receive notifications about suspicious activity, over email. You don't want an eavesdropper to nab those recovery messages.  Also, check that your email signature and "away" message don’t contain unfamiliar links or forwards. 
    • Create a New Email Account.  Sometimes it's not worth picking up where you left off. If this isn't the first time hacked email has been a problem, or if your provider doesn't seem to be taking steps to mitigate the amount of spam you receive, it may be time for a switch. Look for a service that offers default encryption of your emails and solid customer service in the event of an issue.
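
The review described under "Review All Email Accounts" can be done mechanically once the mailbox settings are in hand. The following is an added example, not part of the original page: it assumes a hypothetical settings export (the field names `filters`, `action`, `target`, `signature` and `auto_reply` are constructed) and flags forwarding rules that send mail to an address you have not listed, plus links in the signature or away message that point outside your own domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a mailbox-settings export in a hypothetical format.
# Real providers expose the same information under different names.
SAMPLE_SETTINGS = {
    "filters": [
        {"name": "Newsletters", "match": "from:news@example.org",
         "action": "label", "target": "Reading"},
        {"name": "", "match": "*",
         "action": "forward", "target": "archive.copy@mail-relay.example"},
        {"name": "Family", "match": "from:sister@example.com",
         "action": "forward", "target": "Me.Backup@Example.com"},
    ],
    "signature": "Jane Doe\nhttps://www.example.com/jane",
    "auto_reply": "I am away. Documents: http://files.invoice-portal.example/view",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FORWARDING_ACTIONS = {"forward", "redirect"}


def audit_mailbox(settings, known_addresses, known_domains):
    """Return (kind, detail) findings for the account owner to review."""
    known_addresses = {a.lower() for a in known_addresses}
    known_domains = {d.lower() for d in known_domains}
    findings = []

    # Forwarding rules whose destination is not one of the owner's addresses.
    for rule in settings.get("filters", []):
        if rule.get("action", "").lower() not in FORWARDING_ACTIONS:
            continue
        target = rule.get("target", "").strip().lower()
        if target not in known_addresses:
            match = rule.get("match", "")
            scope = "ALL mail" if match in ("", "*") else match
            findings.append(("forward", f"{scope} -> {target}"))

    # Links in the signature or away message that leave the known domains.
    for field in ("signature", "auto_reply"):
        for url in URL_RE.findall(settings.get(field) or ""):
            host = (urlparse(url).hostname or "").lower()
            # Accept a known domain itself and its subdomains only.
            if not any(host == d or host.endswith("." + d) for d in known_domains):
                findings.append((field, url))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_mailbox(
        SAMPLE_SETTINGS, {"me.backup@example.com"}, {"example.com"}
    ):
        print(f"REVIEW [{kind}] {detail}")
```

A rule that forwards all mail is reported with the scope "ALL mail", since it would also carry password-reset and security-alert messages.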

    What types of crimes can be committed by criminals with your information?

    • Phishing:  Mobile, Email, Web Site & Social Media phishing rely on social engineering tactics to fool you into either clicking on a link, sharing a link, downloading a file or entering information into an online form.  Having more of your personal information makes it easier for criminals to convince you that the "phish" is legit.
    • Stolen or Compromised Credentials:  Armed with stolen, up-to-date PII data, criminals can more easily impersonate you in order to get into your account.  Stolen information will be used to take over existing accounts, such as banking, brokerage, phone service, tax refund fraud, social security, government benefit fraud and retirement accounts. Call centers and online systems rely on these pieces of information to verify account holders.  Criminals can use this information to correctly answer the call center knowledge-based authentication questions.
    • Passwords: Reused passwords multiply consumer risk.  Once a fraudster hacks one of your accounts, the next account often is easier to crack if you use the same username and password combination.
    • Email Account: With access to an email account, the fraudster can reset site passwords on commercial websites using your trusted email address. 
    • eCommerce Account: Once a fraudster accesses your e-commerce account, they now have access to all of the payment methods linked to that account.  You may have a stored account where you have linked a few of your credit cards and PayPal account to easily use when you check out.  Gaining access to this account is far more lucrative to a hacker as they now have access to your multiple stored payment methods versus trying to use a list of one-off stolen credit card numbers, which may or may not be valid.
    • Rewards accounts: Another goldmine for fraudsters is rewards points stored online in retail store accounts.  Thieves who get access to those accounts can use the stored information to buy expensive items. 
    • Banking: If a fraudster cleans out your bank account or takes out a loan in your name, your money is gone.  One way that this can happen is if you click on a link that downloads keystroke logging malware onto your computer. That keystroke logger will note every time you visit your bank’s website and record the user name and password.  The malware sends the login info to the fraudster’s network. The malware works in the background and can be very difficult to detect.
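
The password rules given earlier under "Change Your PINs & Passwords" (at least 15 characters, a mix of letters, numbers and special characters, no strings of repeated characters, very different from the old password) and the reuse risk in the "Passwords" item above can both be checked locally. This is an added example, not part of the original page; the vault format, the three-in-a-row definition of a repeated string, the 0.6 similarity threshold and the case-insensitive reuse comparison are assumptions.

```python
import difflib
import re
from collections import defaultdict

MIN_LENGTH = 15                      # length stated in the guidance above
REPEAT_RUN = re.compile(r"(.)\1\1")  # assumption: 3+ identical characters in a row
SIMILARITY_LIMIT = 0.6               # assumption: cut-off for "very different"

# Constructed sample: account -> password, as a local password-manager
# export might list them. Never send such a list to an online service.
SAMPLE_VAULT = {
    "email": "Harbor7!Sunrise",
    "shopping": "harbor7!sunrise",
    "bank": "m4ple-Quartz_Lantern:92",
    "streaming": "aaa111",
}


def reused_groups(vault):
    """Group accounts that share a password (compared case-insensitively)."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password.lower()].append(account)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


def check_new_password(new, old=None, vault=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    has_letter = any(c.isalpha() for c in new)
    has_digit = any(c.isdigit() for c in new)
    has_special = any(not c.isalnum() for c in new)
    if not (has_letter and has_digit and has_special):
        problems.append("missing_character_class")
    if REPEAT_RUN.search(new):
        problems.append("repeated_characters")
    if old is not None:
        # Ratio is 1.0 for identical strings and 0.0 for nothing in common.
        ratio = difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too_similar_to_old")
    if vault and any(new.lower() == p.lower() for p in vault.values()):
        problems.append("reused_on_another_account")
    return problems


if __name__ == "__main__":
    print("shared passwords:", reused_groups(SAMPLE_VAULT))
    for account, password in SAMPLE_VAULT.items():
        print(account, check_new_password(password))
```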

    What can you do:

    1. Reconcile or balance your bank account every month. The beauty of online accounts is that you can monitor them almost in real time. That means you can catch crooks long before a statement arrives in the mail.
    2. File your taxes promptly.  While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.
    3. Be extra careful about emails and attachments.  Avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from any company connected to a data breach.
    4. Use Two-factor authentication.  Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account.
    5. Check your credit card accounts often. Reviewing your recent account activity is fundamental to credit card safety—and it’s easy. You can do it online or by phone. If your credit card issuer offers email or text alerts about unusual activity, sign up to receive them.
    6. Monitor credit reports.  Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies — Equifax, Experian and TransUnion — every 12 months from http://www.AnnualCreditReport.com. Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day. 

    Data breaches will help phishers trick you.

    The likelihood that your personal identification is in the hands of criminals increases with every new data breach.  Data breach information goes way beyond just login credentials and credit card numbers.  Here are all the types of personal identification information that can be stolen during a data breach:
    • Social Security Numbers.
    • Date of Birth.
    • Credit Card Numbers.
    • Telephone Numbers.
    • Public records of criminal and civil cases.
    • Your credit history (current and previous loans, credit cards, credit card balances & utilities).
    • Transaction history and length of accounts.
    • Bankruptcy filings.
    • Companies with which you have an existing or prior relationship.
    • Your medical information or payments.
    • Driver's license number and driving records.
    • Work Records.
    • Current & previous addresses, and property ownership.
    • Voter registration.
    • Professional licenses.
    • Associates.
    • Family, relatives, and neighbors.
    • Car, homeowners, and renters insurance claims.
    Data breaches may not play out for a really long time as hackers might not use stolen data right away.  The following suggestions should become habits that last well into the future.  This way if hackers are sitting on your information to use it in the future, you'll know.

    What to do:

    Order specialty free reports outside of the big three credit reporting agencies.  Specialty reporting companies may disclose information that can help prevent fraudulent accounts and other identity theft crimes:

    LexisNexis Full File Disclosure. It’s one of the more comprehensive databases out there, containing all the information LexisNexis gathers to create its various reports about you. And, like credit reports, you can order one free copy per year. Please visit: https://personalreports.lexisnexis.com/access_your_full_file_disclosure.jsp

    Complete List: For a complete list, please visit the Consumer Financial Protection Bureau at: http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf











    eFraud Prevention™, LLC