There’s no need to get paranoid, but there’s more bad news about bank accounts. Thieves are having greater success in stealing folks’ information and accessing their bank accounts. According to Javelin Strategy & Research, account-takeover fraud was up 31% from the previous year. The price tag soared too. Losses due to that fraud eclipsed $2.3 billion, a 61% increase over 2015.
It’s enough to keep you up at night, but don’t let it. Here’s what you need to know.
How tricksters work
There is no shortage of creative ways to do serious mischief. “A common way a thief gets access to a consumer's account is their email account gets compromised. If a hacker has access to someone's email account, all they need to do is go to different banks and ask for a password change for that email address. The request will get emailed and the thief now has access to the bank account,” explains Richard Lowe, a security expert and author of Safe Computing is Like Safe Sex.
Another strategy is phishing. The thief sends out emails to a list of tens of thousands of people. This email says something alarming like, "your account has been compromised, log in to reenable service. You will not have access to your money until you do." Lowe says, “A percentage of people will click on the link in the email which supposedly goes to the bank but really goes to a fake bank site. They log in, and the thief now has their username and password.”
Then there are the robocalls. Fraudsters will use the phone channel to socially engineer people to reveal personal information. Fraudsters and scammers will impersonate the IRS, FBI, law enforcement, or even known relatives to attempt to get unsuspecting victims to reveal information like passwords, PIN numbers, or account details, says Tim Prugar, director of customer success for Next Caller, a phone fraud identification and prevention firm.
Spoofing is the intentional manipulation of the Caller ID display to obscure the caller's identity. “Once fraudsters have obtained personal information, they will often spoof the victim's number to impersonate the victim to their bank, cell phone provider, or any number of other companies to take over their accounts and make changes or financial transactions,” says Prugar.
What kind of damage can be done?
Once accounts are taken over, the hackers can extract value in several ways, such as making fraudulent purchases. “The hacker will purchase goods or services using saved payment preferences on file within the account they have just taken over and sell the goods on the black market,” says Daniel Desko, senior manager, IT Risk Advisory Services with Schneider Downs.
Furthermore, they could sell the accounts. “Genuine hacked accounts for certain sites (with saved payment preferences) sell for more on the dark web than do credit card numbers themselves,” he says. They can also change payment or beneficiary settings to point to themselves or their criminal fronts. Hacked email accounts can also be used to carry out further fraud.
Crafty as crooks can be, you are not defenseless. Phishing and spear phishing are two of the largest contributors to account takeover. That can occur when keystroke-logging malware is downloaded onto the victim's computer, smartphone or other portable electronic device after the victim has been lured into clicking on a link or downloading an attachment to an email or a text message. “Trust me, you can't trust anyone. Never click on links or download attachments unless you have absolutely confirmed that they are legitimate,” warns Steven Weisman, attorney and a college professor at Bentley University, where he teaches white collar crime prevention.
Be vigilant when opening and reading emails
If it’s an email that sounds too good to be true or something you weren’t expecting, be extra careful before clicking any links or opening attachments. “Always hover your mouse over a link before clicking; hackers will often mask the true destination of the URL in phishing schemes,” says Desko.
Go for a belt and suspenders
Set up two-factor authentication on the really important accounts like banking and investments. “This means logging into a site requires a PIN number, which is texted to your cell phone. Also, using strong passwords, which are a mixture of upper and lower case, numbers and symbols, and at least 20 characters long, can help keep the account secure,” says Lowe.
Know, too, that you can set up account alerts for when changes are made to your account settings or passwords.
“You know those challenge questions, ‘What city were you born in?’ Don’t choose the challenge questions that can be answered by a quick look at your Facebook profile! Choose challenge questions and provide responses that only you would know,” says Desko.
Keep track of your mail, especially bank and credit card statements. “If a statement or bill does not arrive, it may have been stolen, and criminals could then be in possession of your account number and other important security data. E-statements offer a potential solution for some people who could be vulnerable to mail theft. Always monitor statements to ensure that all activity is appropriate,” says Evalina Robinson, Fraud Loss Prevention Manager for Teachers Federal Credit Union.
Use a password manager
“We're always told to use a unique password on every website we've signed up on, but that can become unreasonable if we're signed up to a large number of websites. This is where a password manager comes in,” says Andrew Swindlehurst, an outreach executive with PPC Protect. A password manager allows you to create as many unique, uncrackable passwords as you require while you only need to remember one. “There are many free password manager programs you can find online, but we would recommend you use one that stores your passwords on your hard drive (make sure you do back it up though),” says Swindlehurst.
Fake them out
Says Swindlehurst, “If you're like me, you can be very skeptical of what people will do with the information required from you when you sign up to a website. In these situations, you can use a throwaway email address, of which you'll find many online, and fake or alter details about yourself so any information you give away cannot be used against you in any way.”
Editor's Note: Regulation E helps to protect consumer bank accounts. For more details, please refer to the article, Safety of Your Money at Banks - Fraudulent Transfers.