You’ve likely heard of someone having an email address or social media account hacked. Or maybe you’ve had it happen to you. Friends may see spam posts from your social media account or report strange emails coming from your address. Unfortunately, while these scams are a pain to deal with, they’ve been happening regularly for a long time.
More recently, criminals have stepped up their attempts at account takeovers. Now they’re coming after your financial accounts, which can cause even more issues than having an email address or social media account hacked. And these account takeovers can come at a steep financial cost.
Below we cover exactly what an account takeover scam is, examples of how it can happen, and ways to detect and prevent it.
What is an Account Takeover Scam?
An account takeover scam occurs when a fraudster gains access to your financial account and changes the contact information on your account. This allows them to divert your account information, such as statements or notifications, and make unauthorized transactions without you knowing.
How Does an Account Takeover Scam Happen?
Most account takeover scams occur as a result of an individual being tricked into providing their digital banking login credentials to a fraudster. This happens most often over the phone but can occur at any time when you provide someone with your login information.
Account Takeover Examples
Below are examples of how this can play out with your account at PSECU or another financial institution. It’s important to note that this list is not all-inclusive, as scammers are constantly coming up with new ways to trick you into providing them with your account information (for example, there’s a recent trend in which fraudsters ask for your full debit or credit card number rather than digital banking credentials).
Account Takeover Via Phone
- A fraudster calls you, posing as an employee of PSECU’s fraud department. Unfortunately, it is very easy for scammers to access apps that can make it appear that the call is coming from PSECU’s actual phone number.
- The scammer tells you that they’re calling you regarding suspicious transactions on your account. The transactions they reference are completely made up so the scammer can be sure that you say you haven’t made them. For example, if you live in Harrisburg, PA, they may say that someone attempted to make a purchase at a store in San Antonio, TX.
- You state that you did not authorize these transactions.
- The fraudster, posing as PSECU’s fraud department, tells you that to secure your account, they need your digital banking credentials (the username and password you use to log into your PSECU account online or via the mobile app).
- The scammer logs into your account. Because they’re logging in from a new device or location, they may be asked to provide a code that is texted or emailed to you via two-factor authentication. They ask you for the code, claiming they need it to verify your identity. (Please note that this code is likely a legitimate message from PSECU, which is a security measure put in place to prevent others from accessing your account. As noted in the text you receive with the code, you should not share it with anyone.)
- You end the call believing you’ve resolved the (fake) issue on your account. However, this is when the real trouble begins because the criminal now has access to your account and, after ending the call, changes important information such as the mailing address, phone number, email address, and password. They can fully control your account.
Account Takeover Via Internet Pop-Up
- You’re surfing the web when you suddenly see an ad on your screen. This pop-up says that your computer has been compromised, and you must call the number on the screen to secure it.
- In a panic, you call the number. You believe you’re talking to Microsoft or another computer company that is going to help you.
- This pop-up was a scam, so when you call the number, you’re actually calling a criminal who is trying to gain access to your financial accounts.
- To “help” you, the fraudster says they need to remotely access your computer. For payment, they ask you to direct them to your online banking login page and provide them with your username and password. Or, they may instruct you to install software that they claim is anti-virus software, but in reality, it’s spyware that allows them to see everything you do on your computer, including your online banking activity.
- The fraudster pretends they’ve fixed your problem, but really, it’s only just begun. Once you end the call, they now have access to all of your account information and can take it over.
Account Takeover Via Email
- You’re checking your email and open a message without first making sure you know the sender. Or you get an email from someone posing as a friend or family member.
- Once you open the email, you click on a link inside. It could be to look at pictures from a trip, get a good sale on an item you typically buy, or something else entirely.
- Unknowingly, when you click on the link, it causes malware to be installed on your computer.
- Via this malware, fraudsters can now monitor your actions on your computer. This includes logging any keystrokes you make.
- Because you don’t know someone is tracking your activity and the keys you push, when you need to make a financial transaction, you go to your online banking page like always. The fraudster is then able to record the username and password you enter. Without even knowing it, you’ve handed your login credentials to a criminal who will change the contact information on the account and/or make unauthorized transactions.
Consequences of Account Takeover Scams
The impact of an account takeover scam can be quite severe. To begin, the fraudsters can change the contact information listed on the account so that you’re no longer contacted about account activity (e.g., changing the phone number that account alerts are texted to, or changing the email or mailing address for statements).
Most often, criminals will also complete unauthorized transactions on the account such as making purchases, wiring money, or transferring funds to another account. In more sophisticated versions of this scam, fraudsters will take things a step further by ordering duplicate credit or debit cards, posing as you in communication with your financial institution, or even attempting to redirect your phone calls to them.
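One way a financial institution could look for the sequence described above (a login from a new device, then contact-information changes, then money leaving the account). This is an added example, not PSECU's code; the event schema, field names, 24-hour window and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Contact and credential fields the article says fraudsters change after getting in.
SENSITIVE_FIELDS = {"mailing_address", "phone", "email", "password"}
WINDOW = timedelta(hours=24)  # assumed correlation window, tune per institution

# Constructed sample events (hypothetical schema): time, account, type, detail.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "acct-1", "login", {"new_device": False}),
    ("2024-05-01T09:05:00", "acct-1", "contact_change", {"field": "email"}),
    ("2024-05-02T14:00:00", "acct-2", "login", {"new_device": True}),
    ("2024-05-02T14:03:00", "acct-2", "contact_change", {"field": "phone"}),
    ("2024-05-02T14:04:00", "acct-2", "contact_change", {"field": "email"}),
    ("2024-05-02T14:10:00", "acct-2", "transfer", {"amount": 2500.00}),
    ("2024-05-03T08:00:00", "acct-3", "login", {"new_device": True}),
    ("2024-05-03T08:02:00", "acct-3", "transfer", {"amount": 40.00}),
]


def detect_takeover_sequences(events, window=WINDOW):
    """Flag accounts where a new-device login is followed, within `window`,
    by sensitive contact changes; escalate if money then leaves the account."""
    state = {}   # account -> sequence opened by the latest new-device login
    alerts = {}  # account -> {"severity", "fields", optional "amount"}
    for ts, account, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        seq = state.get(account)
        if seq and when - seq["login_at"] > window:
            del state[account]  # too long after the login to correlate
            seq = None
        if kind == "login" and detail.get("new_device"):
            state[account] = {"login_at": when, "fields": set()}
        elif seq and kind == "contact_change" and detail.get("field") in SENSITIVE_FIELDS:
            seq["fields"].add(detail["field"])
            alert = alerts.setdefault(account, {"severity": "review"})
            alert["fields"] = sorted(seq["fields"])
        elif seq and kind == "transfer" and seq["fields"]:
            alerts[account].update(severity="high", amount=detail["amount"])
    return alerts


if __name__ == "__main__":
    for account, alert in detect_takeover_sequences(SAMPLE_EVENTS).items():
        print(account, alert)
```

A contact change from a known device (acct-1) and a transfer with no contact change (acct-3) are left alone; only the full sequence on acct-2 is escalated.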
How to Detect and Prevent Account Takeover Scams
Account takeover scams are scary. Fortunately, you have the power to prevent them.
- Never share your digital banking username and password. Most account takeover scams occur because someone is tricked into providing their digital banking username and password to a fraudster. What’s the safest way to avoid it? Keep your login information to yourself.
- Know your financial institution’s policies and practices. PSECU will NEVER ask you for your digital banking credentials, account number, credit and debit card numbers, or PIN in a call, email, or text that you don’t initiate. If you don’t contact us first, we’re not going to ask for these items.
- Don’t share two-factor authentication codes. PSECU will NEVER ask you for a two-factor authentication code in a call or text that we initiate.
- Be cautious when clicking links or opening files. Before you click on a link or open a file in a text message or email, stop and think. Do you know the person? Is the email address or phone number correct? Are you expecting them to send this? (Pro tip: hover over the button or link to see the real URL of the site it is taking you to and verify it is correct.)
- Hang up and call PSECU directly. If you get a strange call, text, or email claiming to be from PSECU and asking for personal or financial information, hang up and call us directly. We can confirm what legitimate communication was sent regarding your account and help you determine the best next steps if needed.
Avoid Account Takeover Troubles with PSECU
Fraudsters are always coming up with new ways to steal your hard-earned cash, and when it comes to keeping yourself safe, knowledge is power. Stay informed by checking out the fraud section of our Resource Center to help you learn tips and tools for protecting yourself and your finances.