Imagine going to withdraw funds from your savings account only to discover that the balance has mysteriously dwindled from $10,000 to $1,000. You are devastated by the loss and don’t understand how the bank allowed this to happen.
The bank managers are confused, too. There was nothing even remotely suspicious about the transaction. All the necessary safeguards — such as a password, a personal identification number (PIN) and account number — were correct. The withdrawal was completed without incident.
That scenario is an example of the fastest growing type of identity fraud: Account takeover. In this scam, criminals use stolen account numbers, passwords, PINs and Social Security numbers to access existing bank, brokerage, credit card or e-commerce accounts. Once they have wormed their way in, crooks drain bank accounts or go on shopping sprees. That purloined information also can be employed to create new banking or credit card accounts in your name.
Losses from account takeovers hit $5.1 billion last year, a 120 percent increase over 2016, according to Javelin Strategy & Research, an advisory firm specializing in digital finance. General-purpose credit cards and checking and savings accounts are the most frequent targets for account takeover, according to Javelin, with 1.2 million victims in each of the three categories in 2017 alone.
It’s costly for consumers to recover from account takeovers, with victims spending an average of 16 hours and $290 to resolve the issue, according to Javelin. “Account takeovers are on the rise because they are very lucrative and very easy to execute,” says Brian Lapidus, practice leader of the identity theft and breach notification group at global risk mitigation firm Kroll. “Most of what is needed is for sale on the dark web.”
Dossiers of consumer information routinely change hands among criminals, and the data they have harvested goes beyond bank account and Social Security number. They also may know details such as your birthday, mother’s maiden name and alma mater — snippets that people often use for their passwords and answers to security questions. That fuller picture of you makes it easier for criminals to assume your identity.
The data scoop
Those personal details are amassed through a variety of sources. Some come via major data security breaches, such as those that occurred at Equifax and Hyatt Hotels last year. Millions of Social Security numbers, credit card numbers, birthdays and addresses were stolen. Spyware and malware insinuated onto individual computers can record the user names and passwords people use to bank, shop or pay bills online. Phony emails designed to look like they came from banks or stores, or phishing, can trick people into disclosing sensitive material. People also unwittingly hand over their most personal data to scammers who call posing as representatives of banks, companies or government agencies.
Criminal sophistication isn’t solely responsible for the rise in account takeovers. Banks and brokerage houses don't always inform consumers of unusual activity on their accounts. Customers should set up alerts to notify them about withdrawals over an established amount, low balances and other account activity that might be signs of fraud, says Nessa Feddis, senior vice president and deputy chief of consumer protection at the American Bankers Association.
But a lack of red flags can make it difficult to know a crime has been committed. “In account takeovers, it can be hard for banks to figure out who they are dealing with,” says Al Pascual, Javelin’s senior vice president, research director and head of fraud and security. “It’s hard for consumers to prove they weren’t the one who withdrew the money.”
Federal regulations require banks to reimburse customers for funds withdrawn without their approval, though they must report the theft as soon as they notice the problem. The bank has 10 business days to give consumers a provisional credit and between 45 and 90 days to conduct an investigation, according to Feddis.
She added that consumers should be especially careful about disclosing PINs and passwords to family members, friends or employees. If you give a friend your PIN so he or she can withdraw $100 and the individual takes out $1,000, for example, that counts as an authorized transaction and the bank is not responsible for the loss.
Additionally, victims should quickly file a police report about the theft. Local law enforcement may not be the appropriate agency to investigate the crime, but financial institutions often expect victims to submit a report as part of the fraud-resolution process.
And if you are using the password and PIN for the compromised account to access other accounts, change them immediately.
AARP’s Fraud Watch Network can provide more tips and advice on how to protect your privacy and avoid becoming a victim of a scam.