Featured Savings Rates

Popular Posts

Featured Accounts

How to Keep Thieves From Taking Over Your Bank Account

POSTED ON BY

How to Keep Thieves From Taking Over Your Bank Account

There’s no need to get paranoid, but there’s more bad news about bank accounts. Thieves are having greater success in stealing folks’ information and accessing their bank accounts. According to Javelin Strategy & Research, account-takeover fraud was up 31% from the previous year. The price tag soared too. Losses due to that fraud eclipsed $2.3 billion, a 61% increase over 2015.

It’s enough to keep you awake up at night, but don’t let it. Here’s what you need to know.

How tricksters work

There is no shortage of creative ways to do serious mischief. “A common way a thief gets access to a consumers account is their email account gets compromised. If a hacker has access to someone's email account, all they need to do is go to different banks and ask for a password change for that email address. The request will get emailed and the thief now has access to the bank account,” explains Richard Lowe, a security expert and author of Safe Computing is Like Safe Sex.

Another strategy, is by phishing. The thief sends out emails to a list of tens of thousands of people. This email says something alarming like, "your account has been compromised, log in to reenable service. You will not have access to your money until you do." Lowe says, “A percentage of people will click on the link in the email which supposedly goes to the bank but really goes to a fake bank site. They log in, and the thief now has their username and password.”

According to Javelin Strategy & Research, account-takeover fraud was up 31% from the previous year.

Then there are the robocalls. Fraudsters will use the phone channel to socially engineer people to reveal personal information. Fraudsters and scammers will impersonate the IRS, FBI, law enforcement, or even known relatives to attempt to get unsuspecting victims to reveal information like passwords, PIN numbers, or account details, says Tim Prugar, director of customer success for Next Caller, a phone fraud identification and prevention firm.

Spoofing is the intentional manipulation of the Caller ID display to obscure your identity. “Once fraudsters have obtained personal information, they will often spoof the victim's number to impersonate the victim to their bank, cell phone provider, or any number of other companies to take over their accounts and make changes or financial transactions,” says Prugar.

What kind of damage can be done?

Once accounts are taken over, the hackers then can do multiple things to extract value like make fraudulent purchases. “The hacker will purchase goods or services using saved payment preferences on file within the account they have just taken over and sell the goods on the black market,” says Daniel Desko, senior manager, IT Risk Advisory Services with Schneider Downs.

Furthermore, they could sell the accounts. “Genuine hacked accounts for certain sites (with saved payment preferences) sell for more on the dark web than do credit card numbers themselves,” he says. They can also change payment or beneficiary settings to themselves or their criminal fronts. Hacked email accounts can be used to further thieves’ fraudulent ways.

Protect yourself

Crafty as crooks can be, you are not defenseless. Phishing and spear phishing are two of the largest contributors to account takeover. That can occur when keystroke logging malware is downloaded on to the victim's computer, smartphone or other portable electronic device after the victim has been lured into clicking on a link or downloading an attachment to an email or a text message.  “Trust me, you can't trust anyone.  Never click on links or download attachments unless you have absolutely confirmed that they are legitimate,” warns Steven Weisman, attorney and a college professor at Bentley University, where he teaches white collar crime prevention.

Be vigilant when opening and reading emails

If it’s an email that sounds too good to be true or something you weren’t expecting, be extra careful before clicking any links or opening attachments. “Always hover your mouse over a link before clicking, hackers will often mask the true destination of the URL in phishing schemes,” says Desko.

Go for a belt and suspenders

Set up two factor authentications on the really important accounts like banking and investments. “This means to log into a site requires a PIN number which is texted to your cell phone. Also, using strong passwords which are a mixture of upper and lower case, numbers and symbols, and at least 20 characters long can help keep the account secure,” says Lowe.

Know too, that you can set up account alerts for when changes are made to your account settings or passwords.

“You know those challenge questions, ‘What city were you born in?’ Don’t chose the challenge questions that can be answered by a quick look at your Facebook profile! Chose challenge questions and provide responses that only you would know,” says Desko.

Keep track of your mail, especially bank and credit card statements.  “If a statement or bill does not arrive, it may have been stolen, and criminals could then be in possession of your account number and other important security data. E-statements offer a potential solution for some people who could be vulnerable to mail theft.  Always monitor statements to ensure that all activity is appropriate,” says Evalina Robinson, Fraud Loss Prevention Manager for Teachers Federal Credit Union.

Use a password manager

“We're always told to use a unique password on every website we've signed up on, but that can become unreasonable if we're signed up to a large number of websites. This is where a password manager comes in,” says Andrew Swindlehurst, an outreach executive with PPC Protect. A password manager allows you to create as many unique, uncrackable passwords as you require while you only need to remember one. “There are many free password manager programs you can find online, but we would recommend you use one that stores your passwords on your hard drive (make sure you do back it up though),” says Swindlehurst.

Fake them out

Says Swindlehurst, “If you're like me, you can be very skeptical of what people will do with the information required from you when you sign up to a website. In these situations, you can use a throwaway email address, of which you'll find many online, and fake or alter details about yourself so any information you give away cannot be used against you in any way.”

Editor's Note: Regulation E helps to protect consumer bank accounts. For more details, please refer to the article, Safety of Your Money at Banks - Fraudulent Transfers.

Comments
FI32124
FI32124   |     |   Comment #1
Unless things have changed a drivers license is required to change anything on an account in a branch if they do not personally know you. The drivers license is or was scanned. If done over the phone security questions are asked and that is why you should make up answers to the security questions. I have a daily balance sent to me by email on accounts I use a lot. CD balances are sent only weekly. I mark the balances down in a notebook. I have a phone call made to my home even for I cloud before anyone can use it. If you are doubtful where the email is coming from (even from friends) click reply and there is a little thing you can click on to see the email address where it was actually sent from. You can verify bank phishing especially and get the email address from where it was sent from and forward the email received to the bank security department. They then can contact your internet company and follow up where it came from.
ed
ed   |     |   Comment #2
thanks, that reply click is a good tip
LuvCD
LuvCD   |     |   Comment #4
Heading...numbers at top of email. As to Martin comment ...no different than Feds tracking ANY surfing child/porn sites...fed crime..and the Feds think "you" are one even on/from unsecured router (no personal experience)....just read the cases! Be careful out there!
Martin
Martin   |     |   Comment #3
People do not realize, but most of the IDs and bank log-in and personal info is hacked right of the cell phone banking.
Imagine, you seat in your home and try to transfer or pay bills using your cell phone, now follow the links:
Your cell phone transmits analog signal to connect to the cell tower#1, then it proceeds to connect to the regional tower#2 and so on until it reaches your bank. Now the bank reverses the signal and send the signal back asking for secure connection using the same signal path.
I hacker just need to connect a recording device on your established connection with the bank and record the signals (Wi-Fi or off your wireless router), no need for passwords or other IDs, the user entered all that for the hacker.
The banks will never admit that to you and if something bad happens, they will blame you for sharing personal info with others, because everything matches in the bank computer info when the hacker replays the signals back as if you are the user.
Lrdx
Lrdx   |     |   Comment #10
That's not how cell networks work. Also replay attacks are even killed by something as simple as SSL, what is FAR from being secure.

Just don't use a public WiFi, default password or weak passwords on your home WiFi, and yes you probably should not use cell networks, they are hilariously unsecured - though by far not for the reasons you listed.
Martin
Martin   |     |   Comment #15
Lrdx #10, that is exactly how the cell phone works, the analog signal is intercepted and converted and decrypted into digital sound or picture or text.
http://www.truthandaction.org/stingray-local-police-listen-cell-phone-calls/

http://www.npr.org/sections/alltechconsidered/2014/10/21/356191015/whos-catching-your-cellphone-conversations

If you are interested, please let me know, I can even tell you who sells them.
rzelman
rzelman   |     |   Comment #5
I use a dedicated notebook computer for all my bank accounts and do not access any other websites other than bank home pages with it. No email or web surfing while using this computer and the device is registered when requested by the bank. I also only access the net on my secure home network, never a public one.
LuvCD
LuvCD   |     |   Comment #6
If "you" don't have a dedicated line between all...it can be hacked since signal is "through" air using a device that looks like "you"....phishing.
Martin
Martin   |     |   Comment #9
rzelman, in reality you are using public network, your ISP is a public network and not a private secure home network. It is very easy to become victim, never register your device, doing so, you bypass one extra layer of security.
The security of your home network has nothing to do with the connections with the bank, the public and private key is sent by the bank to you to make HTTPS locked connection and not the other way around.
rzelman
rzelman   |     |   Comment #16
If the bank does not recognize your computer it will automatically ask for a secondary security code. Agreed there is no absolute protection but using a computer that is only used to access online bank accounts and nothing else protects you from malicious emails, worms and phishing ploys. I suppose I could also employ a VPN but then you must trust that provider as well. There is no perfect solution bit a dedicated computer is inexpensive, convenient and provides a basic layer of security that you would not have if using a device that receives emails and regularly visits hundreds of websites.
Martin
Martin   |     |   Comment #17
rzelman #16, I believe you did everything you could to stay germ (virus) free at home, but what I'm arguing is that once you send that signal down your cable or DSL modem or wireless cell connection, you expose yourself to all kinds of perils and there is nothing we can do to protect ourselves. Your service provider can be compromised, the bank can be attacked or someone will install taping device on the wires or if you use wireless connections, the signal can be recorded and decrypted using special device available to anyone.
Please see comment #15 for NPR.ORG findings.

We can not live in a bunker 24/7, once we exit outside for fresh air, we get attacked by germs, viruses, bacteria, dirt and dust and pollen and so on. That is the analogy I feel is attached using Internet banking.
Att
Att   |     |   Comment #7
Your bank or other institution can be hacked and your information can be obtained even if you don't have an on line account. Also, I was on a federal grand jury and we inditited several bank tellers for theft not just from the bank but customer accounts. Also, at work we send fake emails to see if employees open scam likes and they often do that could leave our business open to intruders. You don't hear how often hacks happen at companies. Some are denial of service which crash networks. There are also companies that are hacked and don't even know it.
Bogie
Bogie   |     |   Comment #8
You are so right, Att. Nothing is totally secure that is connected in any way to the internet! Just as our government, military, utilities, major corporations, etc. have discovered.
Att
Att   |     |   Comment #11
Not only the I internet. Employees at institutions commit fraud too. They can steal from accounts or sell info. My wife had her credit card info and private info stolen from a medical facility by an employee. They were caught trying to get credit from Dell. We had to freeze our credit. Sell had the information on the people but our local police would not pursue the case.
Bozo
Bozo   |     |   Comment #12
Att, it's not just fraud. Sometimes, it's just gullibility. Lower-level employees in payroll departments are targets. My wife and many of her fellow employees were targeted (successfully) by a relatively simple scam. The scammer found the name of a junior person in the payroll department, played with the logical e-mail address for said person, then sent an e-mail essentially as follows:

"Dear (fill in the blank). The HR Department is doing its annual compliance report for the IRS on 401K deposits. Please send me the W-2s for all employees earning over $106,000/annum (gross salary) and who have 401Ks".

The poor person assumed the e-mail request was legit, and sent all the W-2s to some scammer. My wife's identity was stolen, a bogus tax return was filed, and the only way we caught it was because the Franchise Tax Board actually issued a check, and sent it to our PO Box. Which we never use for tax filings.

Credit alerts for as far as the eye can see. Paper filings for the IRS and FTB. Getting to know the folks in the Fraud divisions at both agencies by their first names. Identity theft is not fun.
CuriousDave
CuriousDave   |     |   Comment #21
When receiving an email that asks for that kind of confidential info, it's helpful to either call or, in a separate email, contact the person who appears to be giving the instruction to confirm the instruction. That way, you also have it on the written record in case of legal issues. The golden rule is NEVER to assume the message came from the ostensible sender.
deplorable 1
deplorable 1   |     |   Comment #13
Exactly I had a credit card that I opened specifically for a 0% no fee balance transfer offer. I never put it in my wallet or used it for any purchases. I was notified of suspicious activity on my card even before I signed up for online access. I thought the only way this was possible is either 1. The bank got hacked 2. A employee stole the information. When I asked the fraud department how this was possible they refused to answer. So basically you can get your information hacked at any time without warning no matter how strong your passwords are or how vigilant you are. At least there is 0 liability protection though for when this does happen.
deplorable 1
deplorable 1   |     |   Comment #14
With all the different bank accounts and credit card accounts I have a just figure fraud is a way of life now. There really is no way you can protect yourself 100%. Even a service like Lifelock has to admit this in the fine print. I would never use a service like that because if something happened and they locked my credit it would be a nightmare. I am always opening a new bank account or credit card for bonuses, rewards and higher rates. Just imagine you are at a restaurant for example and run up a big bill and all of your credit cards are locked out. This has happened to me with Discover when I was paying for a dinner for 12 people and my card got declined(good thing I carry a arsenal of cards). When I called Discover and asked them why my card was declined since I pay my bill in full every month they said it was because I don't usually spend that much. It's embarrassing when that happens because people falsely assume you are broke and can't pay your bills.
Anon
Anon   |     |   Comment #18
Could someone explain this example from the article: "If a hacker has access to someone's email account, all they need to do is go to different banks and ask for a password change for that email address. The request will get emailed and the thief now has access to the bank account,"

I don't think any bank would allow you to email them new password in email and would just accept it like that. You'd have to specify old bank password on bank website first. Even if you ask bank to reset the password, would not they first verify you in other ways before just giving you new password or allowing you to set new password online?
Anon
Anon   |     |   Comment #19
To reset the password, would not theif also need to know your banking user name and other identification information for bank website (SSN, secret questions, etc)?
Anon
Anon   |     |   Comment #20
Yes but because of various data breaches e.g. OPM hack most of this info is out there
Martin
Martin   |     |   Comment #22
If a hacker has access to your e-mail and you are not aware of it, lots of bad things can happen to you.
Most of the banks, investment firms and credit cards send monthly statements, where a hacker can get your account number, address, SS#, phone and the bank branch.
Most banks allow you to reset the user ID and password if you know the account number, SS# and associate that info with your e-mail, where a temporary password and or user ID will be sent. Since you are not aware that a hacker can read your e-mails, after receiving the new log in info, he/she will delete that e-mail and all of the traces.
Now you are shut down from your account for a day or two and that is all the time a hacker needs to empty all of your money from that bank. No crime exists in the eyes of the bank and no authority is called, because you will be investigated first and asked to whom you gave the rights to your account and why, I'm innocent defense will not work in this case.
Police do not investigate private bank accounts and you will not be allowed to file a police report, unless you know who did it, when and how.
LuvCD
LuvCD   |     |   Comment #23
Minimal $s in accounts with no overdraft!
Martin
Martin   |     |   Comment #24
LuvCD #23, Unless you close the account, you are still exposed to fraud. You think a hacker can not remove the overdraft opt out, it takes one click on the web site to do opt in. A new credit card can be issued or line of credit applied for. How about cash advances from your credit cards sent to your account without your approval but accessible to the hacker. How about your external accounts linked for ACH are summoned by the hacker to pull all of your money from the other banks and to pile them up in the hacked account?
The limit to fraud is only the imagination of the hacker.
LuvCD
LuvCD   |     |   Comment #25
Should have added ...do not use ebanking
LuvCD
LuvCD   |     |   Comment #26
PS
And, by US letter to institution that esignatures are not applicable to any accounts
Martin
Martin   |     |   Comment #27
LuvCD, you are correct in your observation, here is an insert from SunTrust bank about losses in the account and what to do in such case.
" Bank’s Stipulations
We may at any time in our discretion, refuse to open an Account,
refuse any deposit, limit the amount which may be deposited,
return all or any part of a deposit or close the Account without
advance notice to the Depositor. We may at anytime in our
discretion, rely on existing Account documents or through
transactions you perform on the Account, including checks you
have signed, deposited items you have endorsed, and debit
card transactions, to determine ownership of an Account and/
or record your ownership of an Account on which your name
appears. In addition, SunTrust may discontinue or refuse to offer
you any account, service or product at any time.

If there are any unauthorized transactions or suspicious activity
on your Account, including unauthorized checks or debits on
your account or lost, stolen or missing checks, we strongly
recommend that you close your current Account and open a new
one. If you do not do so, you agree that the Bank is not liable to
you for any subsequent debits, unauthorized transactions, losses
or damages that occur on your Account. "

Please pay attention to the second part, if you do not close the account on time as soon as you notice something is not right, the bank washes the hands off of you and you eat the loss.
Anon
Anon   |     |   Comment #29
Hi Martin, this is Anon #18 and #19.

I understand that my name, address and phone are likely easy to find and bank branch is not even relevant for internet banks / credit unions. However, **none** of my banking or any other statements contain my SSN# and I think most don't even list my account number in full. None of them list my security question passwords either (that I keep separate and unrelated to real life).

So, I still don't get what hackers can do with my email address that my bank has.

Also, I do NOT have estatements sent to my email address for most banks. Mostly I use paper statements, but even those few cases of estatements that I do get will just send email saying that the statement is ready to view and I have to login to the bank site to see the statement itself.
Martin
Martin   |     |   Comment #30
Anon #29, We were talking about someone having access to your e-mail account without you knowing about it.
Like I said many bad things can happen to you. The hacker can attached key logger to your e-mail corespondent files and the moment you click on it your key strokes are send or recorded in a hidden file accessible to the hacker only. Furthermore, he can replace an official e-mail from the bank to direct you to a phishing side where you will enter the log in info for that particular bank and voluntary give your password and user ID to the hacker.
Again, you have no idea what just happen. Like you said the bank send you a notice that the estatement is ready to view and you always click on it to access it and expose yourself again to other tricks of the hacker who already prepared a mirror image of your bank web site for you to visit.
You may get an urgent notice "from the bank" prepared by the hacker and innocently you click on it and get scammed.
You get happy birthday notices from friends and even the banks send you congratulations that is exposing you to ID theft. You apply for new bank account and the new bank send you temporary password and other instructions on how to log in, again exposed to theft when the hacker direct you to create new password and or new ID.
I believe you can see how easy it is to be scammed if a hacker can read your e-mails without you knowing about.
The above is just a small example, but the imaginations of the hacker go much deeper than that.
Anon
Anon   |     |   Comment #32
Martin, all your examples involve me clicking some link in an email. First, they don't need access to my email to do all these: they can just email me phishing attempts like these without hacking into my email. How would that be different?

Second, I never click on links in emails and I download and scan all attachments before opening if I expect someone to send me attachment. This includes estatement emails and all others.

My question was about statement in the article saying

"If a hacker has access to someone's email account, all they need to do is go to different banks and ask for a password change for that email address. The request will get emailed and the thief now has access to the bank account,".

I still don't understand how hacker would get access to my bank account if they have access to my email. They would need more information about my SSN and other pieces first it seems. And that info is not available on email.

Sorry, I don't mean to be argumentative - just trying to understand if I am missing some sequence of events here.
LuvCD
LuvCD   |     |   Comment #33
Again, suggest everyone from time to time google their name, address, etc....and see what comes up, e.g. Soc Sec, income, etc.
And bank checks have account info and ACH...and the basis to challenge an ACH request is...? Dream on...see also the PenFed main website...what is the basis to challenge an improper ACH transfer? Isn't that something the banks/CUs should be telling their customers???
Martin
Martin   |     |   Comment #35
LuvCD comment#33, Bad idea, never ever google your name, unless you want to tell google who you really are. They connect your IP number with your name and then they can pull everything about you from the Internet service provider, including your present location, address, credit card given to your ISP, SS# ran by your ISP when the account was open, they can even put trace on all of your web sites visits, purchases you made, e-mail addresses and so on and so on in infinity back to your first Online presence, social media accounts, present income from the credit bureaus and........well there is no end, including mortgages, banks, CUs, associations with political parties....I can go on for a long long list, but my advise is to hide your Internet foot print as much as you can and never expose yourself by bragging about yourself Online, google is part of NSA and I will stop with that statement.
If we do not have privacy, we do not exist as individuals, we just become a number in an evil system.
Bogie
Bogie   |     |   Comment #36
I immediately thought the same thing when I first read comment #33. Very bad advice. Not just Google, but any site that says enter your own name and see what information appears. Never, never, never.
LuvCD
LuvCD   |     |   Comment #37
Ignorance is bliss!
Bogie
Bogie   |     |   Comment #40
#37, Who's, yours?

Why Google your own name? Don't you know all your own personal information? Hackers can find it too, but why hand it to them or make yourself a conspicuous target when you could have been bypassed. It only brings unwanted attention to yourself even on a public computer.
LuvCD
LuvCD   |     |   Comment #41
Bogie, "Knowledge/awareness" of what's out there
LuvCD
LuvCD   |     |   Comment #39
Google from a public computer only your name. Another time/place your address....
Martin
Martin   |     |   Comment #34
Anon #32, You said: "Second, I never click on links in emails and I download and scan all attachments before opening", you answered the question yourself, the e-mail itself can be a land mine just by opening it and second land mine will be the download of the attachment itself. Scanning for viruses is after the fact, I believe you can see that. The hacker sent you an e-mail that looks like is from the bank, opening it can be fatal, the attachment can be double fatal mistake just by running a virus scan on it, it will activate the virus before it will alert you of an existing virus.
SMARTGUY
SMARTGUY   |     |   Comment #38
WHY DO I GET THE FEELING THAT THIS WHOLE BLOG, SITE OR WHATEVER IT'S CALLED IS NOTHING MORE THAN PUBLIC RELATIONS FLACKERY, CHEERLEADING AND RAVE REVIEWS WITH POINTLESS CLUTTER DUMP LISTS FOR A MISERABLE DIRTY ROTTEN BUSINESS THAT BANKING AND CREDIT UNIONS HAVE BECOME SINCE JAN 2001.
TRUTHMOUTH
TRUTHMOUTH   |     |   Comment #43
has anyone ever read a hard hitting SMASHMOUTH article critical of the banking and credit union industry and their product schemes???......." A FORTIORI" NOTHING EVER CRITICAL OF THE BLOOD SUCKING PARASITES AT THE FED AND OUR D.C. GOVT OF ANY STRIPE.
TRUTHLIEST
TRUTHLIEST   |     |   Comment #45
OBVIOUSLY NOT.
#51 - This comment has been removed for violating our comment policy.
#52 - This comment has been removed for violating our comment policy.