Financial institutions have an obligation to safeguard your personal financial information, but you have an important role to play as well. While even the best procedures can’t prevent all instances of cybercrime, understanding how customer account takeover incidents and theft of personal financial information might occur and taking steps to minimize your risk can make a difference.
What’s a Customer Account Takeover?
A customer account takeover occurs when criminals steal customer information, such as usernames and passwords, to gain unauthorized access to personal accounts, including online financial accounts. Some attackers use synthetic identities, combining real and fake information to create a new identity. The real information is often stolen and then used to open a fake account benefiting the fraudster.
How Do Account Takeovers Happen?
Sometimes an account takeover starts with a phishing email that appears to come from a legitimate firm or a financial regulator and asks for information these entities would never request through email—such as an account number, password, credit card information or Social Security number. Other times, cybercriminals engage in sophisticated social engineering attempts, perhaps calling and pretending to be a representative from your financial institution as a ruse to obtain your personal information or account details. Account takeover attempts can also result from data breaches or the sale of stolen customer login credentials on the "dark web."
Some identity thieves send text messages, emails or freeware infected with malicious software that captures your keystrokes to steal your usernames and passwords. And others still rely on the old-fashioned method of "dumpster-diving" to recover your discarded account statements or other records that haven't been properly shredded.
Signs there might be a problem with your account include:
- unfamiliar or unauthorized transactions, money movement or deposits;
- missing funds or securities;
- incorrect or unauthorized updates to account information, such as a change of address, email or phone number;
- unexpected notifications indicating a change to your account that you didn’t request;
- missing account statements, confirmations or other financial documents; or
- unfamiliar accounts or creditors on your credit report.
If you access your accounts online or through apps, most financial institutions offer optional text and email alerts or device notifications whenever a change is made to your account, if a purchase meets certain criteria (such as being made in a different state or over a set amount), or for any online transaction.
Be Proactive: Safeguard Your Accounts
To protect yourself and deter cybercriminals from accessing your personal financial information, take the following steps to secure your accounts.
1. Watch What You Click. The best way to protect yourself from a malicious link is to make sure you don't click on any. Even if you feel confident the link in question is valid, the only way to be 100 percent sure you’re safe is to not engage. Instead of clicking, responding to a suspicious email, or downloading an attachment from an unknown source, go straight to your financial firm's website or use their app to confirm they sent the information. Any interaction with fraudulent communications increases your risk of loading malware onto your device and exposing your personal information.
2. Use Strong Passwords. Don’t share your passwords with others or leave them unprotected. Use a different password for each of your accounts, and change your passwords regularly. To keep track of and protect your multiple passwords, consider using a password manager—an app that protects online accounts by suggesting and saving individual, strong passwords for each account. Password managers are offered by well-known mobile devices and storage providers.
3. Enable Multifactor Authentication. Enabling multifactor authentication (MFA) can significantly reduce the likelihood of a cybercriminal taking over your account. Unlike single-factor authentication (e.g., a password), MFA offers added protection by using two or more different types of factors—such as a password and a code sent by text message or a physical identifier or biometric, such as a fingerprint, voice or facial recognition.
4. Maintain Device Security. Security software packages with antivirus, anti-spam, and spyware detection features are a must if you engage in online financial transactions. Use up-to-date computer security software, and configure the software for automatic updates and patching. For all devices, install security updates as soon you receive an update notification. Check your computer hardware and software provider's websites for tips to check and improve the security of your system. And if you’re considering storing your personal financial information in the cloud, research the provider and its security policies thoroughly. Verify that they use MFA and data encryption, and be sure you understand the terms of service, including all costs, before you sign an agreement.
5. Use Your Own Device. If possible, avoid using public computers or devices that aren’t yours to access your financial accounts. Public computers might contain software that captures passwords and PINs, which others can then access. If you do use another computer, be sure to delete your "Temporary Internet Files," or "Cache," and clear your "History" after you log out of your account. And use strong passwords, passphrases or biometrics to protect not only your mobile devices but also any financial apps you use.
6. Browse Carefully. When you access your financial accounts online, make sure that you’re on a secure site. A secure website address starts with "https" instead of just "http" and has a key or closed padlock in the status bar. Avoid multitasking on multiple webpages when logged into your accounts; if you must visit another site, use a different browser. Otherwise, you potentially expose yourself to “session stealing.” And when you’re done, always click the "log out" button to terminate access to your account. If you simply close your browser or type in a new web address, other users might be able to reenter the site and view your financial information.
7. Be Cyber Safe When Using Wi-Fi. Many public hotspots, such as wireless networks in airports, hotels and restaurants, reduce their security settings so it’s easier for individuals to access these networks. However, this also increases the possibility that someone could intercept your information. Some hackers will even create their own public networks with familiar-sounding names to lure in unsuspecting internet-seekers. Red flags include slow connections or networks that don't ask for you to agree to their terms of service. Wait until you can access a trusted, encrypted network to access your financial accounts. And when using Wi-Fi at home, secure your network with the strongest available encryption and a strong password.
8. Review All Correspondence From Your Financial Institutions. Review your account activity and monthly account statements thoroughly as soon as they’re available. Be sure your financial institution has your current contact information and that you regularly receive statements. If you see a mistake or unauthorized activity in your account, contact your financial institution immediately.
Additional Actions
If any of your accounts are breached, even non-financial accounts, be sure to change your username and password for the breached account and any other account that used the same login information. You may also want to place a fraud alert on your file with each of the credit bureaus.
If you suspect your identity has been stolen or want additional resources on identity theft, visit the Federal Trade Commission's IdentityTheft.gov resource. You can also report concerns about your investment accounts to FINRA, the SEC, and your state securities regulator.