What is Bank Account Takeover and How to Protect Yourself

The nightmare begins when you wake up and realize someone has gained access to your bank accounts and drained them overnight. It may sound like a fantasy, but bank account takeover is a real problem for many Americans, and in 2017, U.S. citizens lost more than $5.1 billion to this type of scheme.

What is Bank Account Fraud?

Bank account fraud, also called account takeover (ATO), is when an identity thief gains access to a bank account that is not their own. They use stolen credentials to access the account(s) and initiate unauthorized transactions. The scariest part about this is when the hackers gain access, they change the login information and security questions, so the rightful owner is essentially locked out of their own bank accounts. When the victim calls the bank to find out what is going on, they appear to be the ones pulling a fast one.

How Does Bank Account Fraud Occur

Unlike credit card fraud that is usually discovered and contained within a few days, bank account takeover is much more serious. It can go on for weeks and even months without the user knowing anything has gone wrong. The damage is also more substantial. Some of the ways account fraud occurs are through:

Phishing emails - you receive an email that looks like it came from your bank. It alerts you to some problem and says you have to verify your login credentials. Without thinking, you click the link, and it takes you to what appears to be the normal bank login, you enter your username and password, and nothing happens. You have handed your login over to criminals who faked the email and the website. Now, these fraudsters have control of your bank account and all your money

Data breaches - there have been dozens of data breaches in recent years. Most of us have had at least some of our personal data stolen or compromised in this way. Even the tiny thread of email addresses, usernames, and passwords can lead a cybercriminal on the path to more of your private information. A lot of this stolen data shows up on the dark web for purchase or up for grabs. Hackers could use your breached data in credential stuffing schemes and might get lucky if you used the same username/password combination on multiple websites.

Phone scams - sometimes criminals who have a small amount of information about you will call pretending to be the IRS, Social Security Administration, or some other figure who you might feel comfortable giving information to. They use scare tactics and threats to get you to provide your social security number, credit and debit card numbers, and even banking information to use in identity theft schemes or fraud.

Malware - another very profitable way that fraudsters get a hold of your banking information is through malware which can be through mobile apps or emails. A lot of this could be avoided. Malware gets on your computer when you click a link in an email, download attachments from someone you don’t know, or visit an infected website. It may appear as a free download of software or a Flash update.

Once you install it, however, the hacker can gain access to all areas of your computer, including bank account logins. Some of these malicious programs called “keyloggers” will copy your keystrokes when you go to log in, and the damage may be unlimited.

Sometimes malware will redirect you to other malicious websites instead of your intended destination. A serious threat facing mobile device users is Mobile Banking Trojans via texts, which overlays the mobile device when the bank app is opened, so you essentially enter your credentials into a false front, and now the hackers have it. These programs are so sophisticated they can even intercept wire transfers from your mobile device.

Man-in-the-middle attacks - this type of account takeover is perpetrated by infecting public Wi-Fi spots so that when you connect your mobile device to it, the hacker can spy on your activities and even take over, copying your bank login and accessing your accounts. Basically, he or she stands between you and your financial institution, hence the name man-in-the-middle.

How to Prevent Bank Accounts Fraud

Unfortunately, the bad guys keep coming up with inventive new ways to steal your information and get at your money. However, as the old adage goes, “An ounce of prevention is worth a pound of cure.” That statement is appropriate with bank account fraud. It’s much easier to prevent account takeover from ever happening than to recover from it after the fact. Some of the ways you can protect yourself are:

Don’t Be Lazy with Your Passwords

Always use complex, strong passwords for all your accounts, especially bank and credit card logins. Every website with a checkout section demands a username, password, PIN, and the name of our childhood pet. It’s easy to get lazy and start using the same login combination for every website.

Creating unique passwords is only part of the solution. A password must be unique AND complex to be effective. This means including a combination of letters, numbers, and special characters. If the website recognizes case-sensitive letters, you should include at least one of each.

Additionally, your passwords should NEVER include your personal information. Keywords, including your name, birthday, address, and the names of close friends or your kids, are off-limits. This restriction makes any pet names off-limits as well. Using this type of information makes it easy for criminals to brute force (guess) your credentials with just a little research on your social media accounts.

You might be intimidated by the idea of remembering dozens of password combinations. Some people choose to write their passwords in a notebook or save them on a Word document. However, this creates a severe security risk. Using a password manager gets around this by automatically filling in login credentials and synchronizing your passwords across multiple devices.

For protection, they use industrial-grade encryptions and are undesirable targets to advanced hackers.

Use Two-Factor Authentication Whenever Possible

Two-factor authentication is a tested security feature that makes a stolen or leaked password less threatening. It requires users to create a form of verification outside of their username and password. Typically, the second security factor involves a unique code sent to your mobile device or a third-party security key.

There is also the option of using MFA, or multi-factor authentication. This option uses a variety of multiple different authentication methods to ensure that the person logging into the device or account is actually you. Some options include username and password plus answering personal questions, using a handheld token to provide a code, using authentication apps, and even biometric authentication. 

With this level of protection, it doesn’t matter if a criminal guesses your password, steals it from malware, or buys it on the dark web. Unless they also steal or hack into your phone, they won’t be able to access your accounts.

Immediately Update Vital Programs

Things like web management services, operating systems, and mobile applications must be updated as soon as the notification pops up.

Updating vital programs on each device is crucial to online safety. These updates initiate bug fixes that improve performance and enhance the program’s stability and efficiency. They often include security patches that address known vulnerabilities and give criminals less time to capitalize on them and steal your information.

Additionally, it may be harder for support teams to help you if you’re using an outdated program, and the service provider’s safety tips may not apply to you.

Install Antivirus Software with Scheduled Scans

Antivirus software is critical in protecting the information stored on your computer. It serves the dual purpose of prevention and detection through browser warnings and in-depth scans. Updating your antivirus shuts down viruses, worms, Trojans, ransomware, and spyware. Many services even come with built-in password managers to add another layer of security to your browsing.

Users with solid security habits might get away with using the many available free antivirus versions. However, investing in more substantial options is highly recommended for individuals with public-facing or business accounts.

Paid antivirus goes the extra step and incorporates artificial intelligence (AI) when detecting suspicious behavior. This real-time monitoring of your system scans links, emails, downloads, and web pages to remove the dangers of human error, which is the leading cause of successful malware attacks.

Use a Virtual Private Network (VPN)

VPNs do a lot to create a more comfortable web experience. They let you stream movies and shows only available in other countries and get around various censorship restrictions.

However, it’s their least flashy features that should be the most appreciated. All your data is filtered through one of the VPN provider’s dedicated servers, which encrypts your internet traffic and creates a safer connection for your device.

This encryption prevents hackers, government agencies, and other malicious third parties from intercepting your sensitive information. This protects you while logging into your bank accounts, credit statements, or any other online wallets, even if you’re on a dangerous public network.

Don’t choose the first VPN that gives you their number. Many providers offer free trials so you can assess their user interface and check internet speeds. You must also not view a VPN as a “fix-all” and use it alongside the other security measures mentioned in this post.

Monitor Your Bank Accounts

Most people don’t need or want to comb through their bank statements every day. However, doing so at least once a week would be best. Just choose a day and look through your recent purchases. This habit lets you quickly identify suspicious activity and paints you a detailed view of your spending habits—two birds, as they say.

The problem with the “monitor your accounts” advice is that a hacker can completely lock you out for a while. This threat stops you from viewing your spending history and even regaining access through the bank’s support line. That’s why it’s crucial to set up preventative measures ahead of time.

Many banks offer alert services that ping you when there’s suspicious activity on your account. You can choose between any combination of email, text messages, or automated calls to warn you. Above-average purchases, transfers, withdrawals, and login attempts usually prompt these alerts.

All the alerts in the world are useless if you never see them. Events in the past few years have caused many people and businesses to move to new states. The problem is that many people don’t think about updating their bank’s contact information. Keeping your phone number, email address, and physical address up to date ensures that your bank can reach out to you quickly in case of an emergency.

Sign up for credit monitoring with a company like IDStrong.com to alert you of data breaches that you may be included in, and your information showing up on the dark web.

Additionally, never trust an email even if it looks legitimate. Fraudsters are very skilled at making emails and websites that look real but are fake. Do not click links or download attachments from inside it. Always open a new browser window and log onto your bank or credit card company from there. Use common sense and if you notice anything out of place, take quick action to secure your accounts safely