Enterprise Bank

Account Takeover Fraud: What It Is and How to Avoid It

Account takeover fraud (ATO) is an increasingly common type of identity theft where a criminal uses a person’s login and password to take over the account. The fraudster can then change the access information, steal funds, and gather information used to access the person’s other accounts. This cybercrime has happened to about one in five adults, according to Security.org, with bank accounts and social media accounts being the most frequent targets.

ATO is a multi-step process that often starts with malicious software (malware) designed to give criminals access to passwords and other private information. Whether the credentials come from malware or from stolen login data, the thief may sell them or keep them for their own use. From there, they access the account and monitor it to gather information so they can access other accounts belonging to the same person and commit additional fraud.

An ATO attack may involve changing the account’s:

    • Name
    • Contact information
    • Shipping address
    • Multi-factor authentication (when the account sends a text or email to confirm login)
    • Security questions

If account access information is changed, the account’s owner won’t be able to log in or prove it’s their account. For shopping sites, the shipping address can be changed and a shopping spree begins. For financial accounts, a fraudster can log in, change the account credentials – locking out the true owner – and drain the funds through wire transfers or other means.

How ATO Attacks Begin

Fraudsters can initiate ATO fraud in a number of ways, many of them beginning with login credentials stolen in massive data breaches like the ones that hit UScellular, T-Mobile, and Microsoft recently. Any information gathered in those breaches may grant access to the affected accounts and others using the methods below.

Phishing

You may have heard of phishing attempts where a would-be thief sends an email that looks like it’s from a bank or other official source in order to trick the recipient into revealing account numbers and other personal information. Other variations include a phone call version called vishing, where the attacker calls a person and pretends to ask about suspicious account activity only to trick the person into giving out account information. Smishing is the same scam via text or SMS message.

Credential Stuffing

Credential stuffing is when fraudsters use bots (automated programs) and huge purchased lists of stolen credentials to attempt logins on (stuff) many websites at once, hoping some of them match. When people reuse passwords across different websites, this becomes a highly successful technique. A similar type of attack, called brute force or credential cracking, occurs when a bot uses passwords and security question answers stolen during a data breach to try to guess the passwords for other accounts.

Man-in-the-Middle

Man-in-the-middle attacks occur when hackers take over unsecured public Wi-Fi and use it to spy on the digital activity of anyone using the network. These attacks capture information travelling from phones and laptops to e-commerce sites and financial institutions. Another version involves the scammer setting up their own Wi-Fi that looks like the official network for the coffee shop, restaurant, movie theater, etc., and using it to collect private information when patrons log on to it and shop or bank.

Malware

Malware often gains access to someone’s machine through a phishing attack. But it can also sneak into a phone or computer via apps or plug-ins downloaded over compromised Wi-Fi networks or from dubious websites. Once it self-installs, malware can steal information, rewrite programs, corrupt or delete information, or render the device unusable. Malware for ATO fraud, however, is more likely to operate undetected in the background, gathering security information and funneling it to the attacker.

Overlay Attacks

Malware can also launch overlay attacks by displaying a fake login screen on top of banking or shopping sites. It can steal credentials as well as intercept and redirect funds.

How to Detect ATO Fraud

Because an ATO is designed to quietly change account details or monitor account activity without detection, it can be hard to spot. There are signs, if you know what to look for.

Some ways you might notice that your account has been taken over are:

    • New information in your account like a new contact email, shipping address, or phone number
    • Transactions you don’t recognize in your bank account or shopping accounts
    • Password reset notifications when you didn’t request the change
    • Loyalty points missing when you didn’t use them

Make sure you keep your contact information current and take advantage of settings that notify you when account details change.
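As an added illustration (not part of the bank's article), the following Python sketch shows how a fraud team could detect on the back end the same sequence the customer-facing signs above point at: a login from a device the customer has never used, followed by a change to one of the sensitive profile fields listed earlier on the page, followed by a transfer. The log format, field names and sample events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Profile fields the article names as typical ATO targets (constructed field names).
SENSITIVE_CHANGES = {"name", "email", "phone", "address", "mfa_method", "security_questions"}

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str     # "login", "profile_change" or "transfer"
    detail: str   # device id for login, field name for profile_change, amount for transfer

def parse(line):
    ts, *kvs = line.split()              # constructed 'ts key=value ...' log format
    f = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), f["user"], f["kind"], f["detail"])

def find_takeovers(lines, known_devices, window=timedelta(hours=24)):
    """(user, login_ts, changed_fields) for each unknown-device login followed within
    `window` by a sensitive profile change and then a transfer on the same account."""
    events = sorted((parse(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    for i, login in enumerate(events):
        if login.kind != "login" or login.detail in known_devices.get(login.user, set()):
            continue
        changed = []
        for later in events[i + 1:]:
            if later.ts - login.ts > window:
                break                       # sorted, so nothing further is in the window
            if later.user != login.user:
                continue
            if later.kind == "profile_change" and later.detail in SENSITIVE_CHANGES:
                changed.append(later.detail)
            elif later.kind == "transfer" and changed:
                alerts.append((login.user, login.ts, sorted(changed)))
                break
    return alerts

# Constructed sample: alice shows the full takeover sequence; bob's new-phone login only
# changes a harmless display name before a small transfer, so it is not flagged.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 user=alice kind=login detail=dev-home",
    "2024-05-02T02:10:00 user=alice kind=login detail=dev-unknown",
    "2024-05-02T02:12:00 user=alice kind=profile_change detail=email",
    "2024-05-02T02:13:00 user=alice kind=profile_change detail=mfa_method",
    "2024-05-02T02:20:00 user=alice kind=transfer detail=4800",
    "2024-05-03T11:00:00 user=bob kind=login detail=dev-new-phone",
    "2024-05-03T11:02:00 user=bob kind=profile_change detail=nickname",
    "2024-05-03T11:10:00 user=bob kind=transfer detail=50",
]
KNOWN_DEVICES = {"alice": {"dev-home"}, "bob": {"dev-laptop"}}
```

Calling find_takeovers(SAMPLE_LOG, KNOWN_DEVICES) flags only alice, with the email and MFA changes that preceded the transfer; the same rule can feed the change-notification setting the paragraph above recommends.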

Targets of ATO Fraud

ATO fraud primarily targets individuals, but it damages businesses as well. You may be locked out of your accounts and have to go through the aggravation of closing them or regaining access. A thief may make thousands of dollars of unauthorized purchases on your e-commerce accounts. The merchant should credit any fraudulent purchases back to you, which is one of the ways ATO fraud hurts businesses. It’s also possible that your financial accounts could be drained after the thief gains control of them.

Don’t make the mistake of thinking only wealthy individuals are targets of ATO attacks. While fraudsters may start there when utilizing stolen data, they eventually try to access accounts linked to all the credentials in the file. People from households with incomes between $25,000 and $49,999 are most likely to be victims of account takeover. Other groups that are statistically more likely to be targeted include Android phone users, people more than 45 years old, and residents of New England.

These types of accounts are the most common targets for takeover, according to Security.org:

    • Social media
    • Financial
    • Shopping
    • Email
    • Loyalty cards
    • Streaming services
    • Government benefits
    • Cell phone
    • Travel

The most common consequences of ATO are identity theft, financial losses (about $12,000 per person on average), and takeovers of other accounts. However, more than 80% of those affected were able to recover the affected account.

How to Avoid ATO Fraud

Since the pandemic forced so many people to conduct more activities online, ATO has risen significantly – about 250% from 2019 to 2020. Given how much the average person does online, and how insidious ATO is, it’s very difficult to completely avoid it. But there are steps you can take to make your accounts as secure as possible. Using as many of these techniques as possible provides the greatest digital security.

Use the following to reduce the chance of ATO:

    • Link skepticism – don’t click links in emails or texts, even from a trusted source, until you have gone to the site directly or contacted the sender to confirm
    • Enhanced authentication – apply two-factor or multi-factor authentication when possible
    • Password hygiene – use strong, complicated passwords that are unique for each account
    • Security questions – choose answers that aren’t obvious or easily discovered from your social media posts
    • Virtual private network (VPN) – use one to hide your online activity from fraudsters
    • Identity theft protection – often available for free from credit card companies or companies that lost your data in a breach, this service monitors your credit, the dark web, and other areas looking for signs of attempted fraud
    • Antivirus programs – regularly scan your computer and/or phone for signs of hacking, malware, and other scam attempts

How To Respond to ATO Fraud

Even the best avoidance attempts can sometimes fail to prevent ATO fraud. In that case, it’s important to act fast so you can retake your account and minimize the damage.

If you have been a victim, take the following steps:

    1. Alert the company – preferably by phone
    2. Tell your contacts – warn the people on your contact list so they don’t click on something that looks like it came from you
    3. Install antivirus software – if you weren’t using one before, an antivirus program may be able to isolate malicious code or programs and prevent further damage
    4. Check all accounts – look for signs of a problem, especially on social media
    5. Change all passwords – update PINs and security questions as well
    6. Use all available tools – if there are any methods to avoid ATO that you weren’t already using, now is the time to put them in place

Learning about a threat like ATO fraud can be alarming. But awareness can also lead to preventative measures. Something as simple as not using the same password for multiple accounts will make you more secure since 56% of compromised accounts had the same password as the victim’s other accounts, according to Security.org. Good password hygiene and the rest of the steps outlined above will reduce the odds that you’ll have to learn about account takeover fraud firsthand.