How to Protect Yourself Against Account Takeover Fraud

Learn about account takeover fraud and safety tips to protect yourself.

Security continues to be a top priority at Patriot Bank, especially with fraud rates on the rise. Reports have shown a recent uptick in account takeover schemes. These sophisticated attacks take two main forms: phone calls to cardholders from criminals claiming to be from fraud alert contact centers, and cybercriminals taking ownership of online accounts using stolen usernames and passwords. Those credentials are then used to commit fraud. Cardholders' Personally Identifiable Information (PII) is purchased by criminals on the dark web, and this information provides the credentials a fraudster needs to pose as the cardholder.

With this information, fraudsters can contact the cardholder’s financial organization posing as the cardholder and make changes to account or card-level settings that assist in the commission of fraud. These include demographic changes (phone numbers, email addresses, passcodes, etc.), PIN changes, requests for increased limits, and travel exemptions that suppress normal fraud monitoring.

Schemes that Contribute to Account Takeover

Skimming and Malware

Skimming and the deployment of POS terminal malware continue to be widespread methods for stealing card data. Smaller, local merchants are now more likely to be compromised than in years past. Data stolen by POS malware is passed to criminal networks through remote, wireless technologies with increasing speed. By reacting to fraud events quickly, your organization can significantly mitigate losses.

Phishing

The prevalence of phishing (tricking cardholders into revealing confidential information) and its variants continues to rise. Phishing schemes are becoming more targeted (such as “spear-phishing”) and more difficult to identify than in the past. Instead of relying on suspicious links in poorly designed emails, phishing emails now mimic legitimate websites and appear more polished and credible. The use of web address shortening tools, such as TinyURL, makes detection of suspicious links more difficult, even for savvy users. It is important to remind cardholders to safeguard their financial data and online banking credentials against criminals trying to harvest them.

Vishing and Smishing

Smishing and vishing schemes use sophisticated methods combined with social engineering to deceive cardholders into revealing critical information and disregarding legitimate fraud warnings. Smishing is the fraudulent practice of sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers. Vishing is the fraudulent practice of making phone calls or leaving voice messages claiming to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. Cardholders may receive a voice or text message containing transaction details and asking them to confirm the transaction. When they respond, they may be questioned for account details, or they may be asked to call back a number and provide account information. In some instances, the cardholder is sent a one-time passcode (OTP), and the caller or text message then instructs the cardholder to reply “No Fraud” to the text or voice message.

It is important to be on the lookout for these kinds of fraudulent messages that disguise themselves as legitimate fraud notifications. Additional red flags include embedded hyperlinks and grammatical and punctuation mistakes.

Malicious Software

Malicious software, including software that compromises account-holder computers locally via Man-in-the-Browser (MitB) attacks, is a significant threat to the security of financial data. Man-in-the-Browser attacks install malicious software in the background via “drive-by download,” often deploying automatically when a user visits a compromised website. This malware is then able to monitor and hijack user web sessions to transfer funds or harvest payment card details and online banking credentials, while redirecting the legitimate cardholder to a fictitious error page.

Maintaining a secure, up-to-date operating system along with robust security and anti-malware software is a critical first step in preventing this type of fraud. The availability and deployment of automation and crimeware is increasing in the card fraud world. Both all-in-one malware packages designed to compromise computer systems (e.g., Zeus, Citadel, Tilon) and individual tools able to crack passwords and automatically carry out brute-force attacks are available for purchase on underground websites and criminal forums. Heavy reliance on a single type of security tool, or on older tools, could lead to greater fraud losses. We recommend a dynamic, multi-layered detection and prevention strategy.

Here’s how you can prevent account takeovers and keep your accounts safe:

  • Continue to monitor your accounts regularly
  • Never provide your full Social Security number, PINs, or one-time passcodes (OTPs)
  • Be aware of the information you share online and never readily provide personal information
  • If you sense an automated message is suspicious, do not respond to the call, text, or email. Contact the company in question using its official customer service number.
  • Keep two-factor authentication codes private

If you think you have become a victim of account takeover fraud, contact Patriot Bank at 1.888.PATRIOT. To learn more about protecting yourself from scams, tap into all of our financial education resources or financial security resources.

Information provided by Fiserv Inc.