Ask the Expert: Account Takeover Artists Can Steal Your Identity—and Redirect Your Money

Q: What exactly is account takeover? What can consumers do to stop it?

A: Account takeover is a sophisticated form of identity theft. Essentially, it’s the unauthorized takeover by a third party of one or more accounts, such as those with credit issuers, banks and credit unions, utilities, and phone and cable companies.

Here’s how it works: Let’s say a criminal wants to steal your money by requesting a fraudulent wire transfer from one of your bank accounts.

To complete this transaction, financial institutions usually call their customers to confirm the amount and account numbers. To circumvent this security measure, the criminal would take over your phone number. He’d call your phone company and tell them a story. (These guys are great storytellers.) A common one is that you’re leaving town for a day and want your home number routed to a cell phone number—the criminal’s cell phone. Then the crook hacks the account and requests the transfer. When the bank calls your home number to confirm the money transfer, it rings the criminal’s cell phone instead.

But it’s not always a telephone line that is taken over. We see con artists calling credit reporting agencies such as Equifax and doing the same thing. By assuming the identity of their victims, they can request credit reports, which contain personal and account information. From there, they can contact your creditors to change your mailing address, request credit cards, or request money transfers out of your accounts.

Account takeover is a complicated kind of identity theft. It takes a lot of planning on the criminal’s part. But when the score is big, they’ll put in the work. Recently we’ve seen lot of account takeover cases associated with home equity lines of credit—claims ranging from $40,000 to $1 million that can be taken out against a home. When a fraudster has an opportunity for a big payday, they put in more effort.

But you can put some protections in place:

• Put passwords on your accounts. Banks and credit card companies will ask for your mother’s maiden name or last four of your social, but you can ask them to use a different password that’s harder for thieves to figure out. With Facebook it’s not hard to find out anyone’s mother’s maiden name.

• Be cautious about to whom you divulge information. These crooks can pretend to be your bank or even trick a caller ID system. If a financial institution calls to ask you for personal information, ask for a publicly available call-back number.

• Monitor your accounts and financial information. It’s not always enough to just look at a monthly statement. A fraudulent transaction could be 30 days old by the time you see it. Check your accounts periodically throughout the month with online banking services. 

• Report anything out of the ordinary. Timing is important. Contact your insurance provider and financial institution and ask if they offer any type of assistance. Many provide identity theft protection services.

Raul Vargas is a manager in the CyberScout Fraud Resolution Center.