Your personal information is a goldmine for thieves. With it, they can steal your identity and your money. In fact, U.S. consumers lost $24 billion to identity fraud in 2021 alone, according to the Javelin Strategy & Research 2022 Identity Fraud Study.
One way thieves can use your personal information is to gain access to your accounts. Account takeover fraud, as it is called, can cost you time and money. According to a report by credit reporting agency TransUnion, consumers spent more than 75 million hours on account takeover issues in 2021.
To avoid becoming a victim yourself, it’s important to understand what account takeover fraud is, how thieves get your personal information and what you can do to protect yourself.
What is account takeover fraud?
Account takeover fraud (ATO) occurs when someone gains access to one or more of your accounts without your knowledge and takes over them. The types of accounts thieves attempt to gain access to include the following:
- Bank accounts
- Credit card accounts
- Investment and brokerage accounts
- E-commerce accounts
- Social media accounts
- Email accounts
- Mobile phone accounts
- Government benefits accounts
After taking over your accounts, thieves can inflict a range of damage. They can make unauthorized transactions such as fraudulent credit card purchases and fund withdrawals or transfers. They can order new credit cards or open new bank accounts in your name. They can change account information such as addresses, phone numbers, usernames and passwords. They can redirect government benefits. They also can steal personal information to sell it on the dark web to other criminals who use it to take over your accounts.
How criminals get your account information
Thieves can get your account information the old-fashioned way: by going through your trash, stealing your mail, or even snatching a wallet with a Social Security card or a list of account passwords or PINs.
However, they’re more likely to take advantage of technology to get your account information.
- The dark web: Criminals can buy personal information, account information and login credentials stolen in data breaches on the dark web and use it to take over accounts.
- Phishing: Thieves can get account information directly from consumers by sending phishing emails that prompt them to download files with spyware or click on links to fraudulent websites that will prompt them to provide account information.
- Smishing: Thieves are increasingly turning to text messages to lure people into giving them their account information by claiming their accounts have been compromised.
- Hacking: Hackers use technology to test countless login credential combinations until they find ones that work to access your accounts. Because people commonly use passwords such as “123456,” “password” or something easy to guess, it’s not all that hard for hackers to figure out login credentials.
Thieves and scammers also reach out directly by phone, claim that there is a problem with your computer and ask for remote access to fix it. If you grant them access, they can then take over your email account or log onto your other online accounts.
How to prevent account takeover fraud
Account takeover prevention begins with basic steps you should take to protect your identity online.
Protect your computer by installing antivirus software to prevent hackers from infiltrating your computer and taking over accounts. Turn on automatic updates for your computer’s software to keep it up to date. Also, make sure the Internet browser you use is the latest version. With your smartphone, run any operating system updates as soon as you get reminders to do so. Most importantly, create a strong passcode to access your phone so thieves won’t be able to get into it if it is lost or stolen.
Use strong passwords that are at least 12 characters long and include a variety of random upper- and lowercase letters, numbers and symbols. Make sure you create different passwords for every account so that thieves can’t access all of your accounts if they get one of your passwords. An even better way to create strong passwords for account takeover prevention is use a password manager service to generate unique passwords for you and securely store them. For example, financial account, credit and identity monitoring service Carefull offers a digital Vault that includes a password generator and stores passwords with military-grade encryption.
Use multi-factor authentication in addition to strong passwords. This will require you to use another verification factor such as a text message with a code you’ll need to enter in addition to your username and password. Make sure you never provide these authentication codes to any unsolicited callers, even if they claim to be with your financial institution, because this is a way that thieves can take over your account.
Don’t click on links in emails or text messages, even if the messages appear to come from a trusted source. If you receive an email or text messagealerting you to an issue with one of your accounts, contact the company where the account is located by looking up the phone number on your account statements or company website.
Hang up on tech support calls or on any unsolicited calls requesting your personal information, access to your computer or immediate payment through a wire transfer, gift card purchase or other unusual form of payment.
Don’t use public Wi-Fi to log into your email, online accounts or social media accounts. If hackers have tampered with the wireless access point, they can gain access to those accounts and do lots of damage.
Set up account, credit and identity monitoring to keep constant tabs on your accounts to catch any suspicious activity. A service such as Carefull to monitor not only your financial accounts but also your credit and identity. Carefull monitors bank, credit card and investment accounts 24/7 for common money mistakes and signs of fraud and will alert you when it spots something unusual. It scours the Internet and dark web to detect misuse of your personal information. And it provides up to $1 million in identity theft insurance to help you recover your identity if it’s stolen.
How to detect account takeover fraud
Account takeover detection requires keeping constant tabs on your accounts to catch any suspicious activity. Signs of ATO fraud include the following:
- Changes to your account contact information, such as your phone number and email address
- Notice of a request to reset a password that you didn’t request
- Notices of unsuccessful login attempts or being locked out of accounts
- Unusual or unauthorized account transactions
- Changes to your social media profile
- Messages from friends about unusual emails or social media messages you’ve sent
- Government benefits that aren’t deposited as usual
Doing this on your own can be a challenge, though—especially when it comes to monitoring for misuse of your personal information. That’s why it’s a good idea to rely on technology such as the Carefull monitoring service to help with account takeover detection.
What to do if your accounts are hacked
Act swiftly to limit and repair the damage by taking the following steps if you detect ATO fraud.
Contact your account providers to alert them that your accounts were breached. Let them know about any fraudulent transactions. If thieves gained access to your credit card numbers, cancel those cards and request new ones.
Scan your computer for viruses, or contact your computer manufacturer’s tech support by visiting its website to find out what steps to take to remove malware from your computer.
Change your account passwords. If you use the same password for more than one account, create new passwords for all of your accounts with the help of a password manager service such as the one included with the Carefull Vault.
Freeze your credit reports. Prevent thieves from using your personal information to open new accounts in your name by freezing your credit reports. Lenders can’t extend new loans or lines of credit in your name if they can’t access your credit reports.
To freeze your credit reports, you need to contact all three of the major credit bureaus:
Report the crime. If hackers got access to your personal information, report it to IdentityTheft.gov. This government website also will provide you with an individualized recovery plan. You also should file a report with local law enforcement and get a copy of the report.