When Nicole Brandes, 54, did a routine check of her three linked Bank of America accounts online recently, she noticed something alarming: $10,000 was missing.
The Washington, D.C., art teacher looked closer to find that $9,300 from her business account and $700 from her personal checking account had first been transferred to a fourth account in her name that she’d never opened. It was then promptly withdrawn by the cybercriminal.
“I’m worried, I don’t have any explanations,” Brandes said a week before the bank compensated her for the loss. “It’s totally confusing and disorienting.”
And it’s all too common.
There was a 90 percent increase in account takeover fraud and a 109 percent increase in new account fraud — when a criminal opens an account in a victim’s name — in 2021, according to a report from Javelin Strategy & Research. Combined losses from traditional identity fraud and scams related to identity fraud totaled $52 billion, and the fraud affected 42 million consumers in the United States.
“These kinds of account takeovers have been increasing over the last number of years,” says Mark Solomon, vice president of the International Association of Financial Crimes Investigators, who notes that chip technology has made it more difficult to make counterfeit credit cards, so criminals will “steal the person,” meaning their identity, “instead of the card.” They’ll then use that stolen identity to, among other crimes, access or open bank accounts and steal money.
And because they generally have built up more savings than their younger counterparts, older people are often the target.
How criminals can access your account
There’s a reason that choosing smart passwords — and using a different one for each of your accounts — is one of the top rules (if not the top rule) for protecting yourself from identity theft and fraud.
Websites are frequently hacked, compromising sometimes millions of passwords, as occurred with LinkedIn last year in a data breach that compromised the personal information of 700 million users. Once stolen, usernames and passwords are often sold on underground markets to cybercriminals, who can then test them on bank login pages.
Criminals know that many people use the same or similar passwords across dozens of accounts. “Every time I talk to people, I hear the same story when I ask, ‘Is your pet store account password the same as your Citi account, the same as your coffee shop account?’ ” says Mike Steinbach, a former federal law enforcement officer and head of Citi’s fraud prevention unit. “You hear, ‘Well, yeah.’ Or people will say, ‘For the coffee shop I have Fido123, but for Citi I have Fido321.’ Modern tools can hack through that in a matter of seconds.”
Criminals will also send phishing emails — advertising a product, telling you you’ve won a prize, you name it — with a link that, when clicked, can infect your computer with credential-stealing malware, says Laurie Iacono, an associate managing director at the business services and cyber risk firm Kroll. This allows them to harvest all of your saved login credentials. Or they might try to obtain identifying information through a survey or quiz. The more personal information they have, the easier it is for them to impersonate you and access your accounts without the bank flagging their transactions as suspicious.
These criminals are incredibly adept at using the latest technology to achieve their ends — more so than the general public, says Steinbach, “because they’re not constrained by laws or morality, so therefore fraud is occurring at a speed and scale that we’ve never seen before.”
How to prevent account theft
“Unfortunately, there are a lot of different ways to commit fraud,” Solomon says, “and nothing’s 100 percent foolproof to be able to lock down your information and prevent fraud completely.”