Customer Account Takeovers: What They Are and How to Protect Yourself
Brokerage firm customer account takeover incidents are on the rise, according to FINRA, which has seen a notable increase in this type of fraud. As this threat grows more sophisticated and frequent, understanding how these cybercrimes occur and taking proactive steps to secure your accounts has never been more important.
What’s a Customer Account Takeover?
A customer account takeover occurs when criminals steal customer information—such as usernames, passwords, or other security information such as multi-factor authentication (MFA) codes—or engage in cyber-enabled fraud to gain unauthorized access to personal accounts, including online financial accounts.
How Do Account Takeovers Happen?
Customer account takeovers might start in a number of ways, including the following:
- Phishing Emails and Smishing Texts – You might receive a phishing email or a text message ("smishing," the SMS form of phishing) that appears to come from a legitimate firm or a financial regulator and asks for information these entities would never request by email or text, such as an account number, password, credit card information or Social Security number.
- Fake Websites – Cybercriminals might create phishing websites in an effort to steal your login and account credentials—such as websites mimicking a financial institution’s account login page or support center. They might try to lure you to these malicious sites by including links in emails or texts or via online search engine results for terms related to the financial institution.
- Social Engineering – Other times, cybercriminals might engage in sophisticated social engineering attempts, perhaps calling and pretending to be a representative from your financial institution as a ruse to obtain your personal information or account details.
- Stolen Credentials – Account takeover attempts can also start from data breaches or from stolen customer login credentials bought on the "dark web." Some identity thieves send text messages, emails or free software infected with malware that captures your keystrokes to steal usernames and passwords. Others still rely on the old-fashioned method of "dumpster diving" to recover discarded account statements or other records that weren't properly shredded.
What Are Some Signs of an Account Takeover?
Signs there might be a problem with your account include:
- unfamiliar or unauthorized transactions, money movements or deposits;
- missing funds or securities;
- incorrect or unauthorized updates to account information, such as a change of address, email or phone number;
- unexpected notifications indicating a change to your account that you didn’t request;
- a sudden flood of spam text messages or emails, especially around the time you log in to your account (attackers sometimes use this to bury the legitimate alerts your institution sends about account changes);
- unexpected loss of your mobile phone service, especially if you use SMS codes as MFA for your account (a tactic known as SIM swapping, in which the attacker has your number moved to a phone they control);
- missing account statements, confirmations or other financial documents;
- unfamiliar accounts or creditors on your credit report; and/or
- funds that have been frozen by your financial institution.
Most financial institutions offer optional text or email alerts, or app notifications, whenever a change is made to your account, when a purchase meets certain criteria (such as being made in a different state or over a set amount), or for any online transaction. Turning these on and paying attention to them can help you spot unusual or unauthorized activity as it occurs.
If your financial institution has identified a potential takeover of your account, they may freeze the account to help protect you against any further losses.
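The warning signs above are also what a firm's fraud-monitoring side looks for. As an added example (not part of the FINRA article and not any firm's actual tooling), the script below turns two of them into detection rules over a per-customer stream of account events: a burst of failed logins followed by a successful login from an unrecognized device, and a contact-information change followed within a short window by money leaving the account. The event stream, customer IDs, device names, IP addresses and thresholds are all constructed for the illustration.

```python
"""Toy account-takeover signal detector (added example, not FINRA's own code).

Two rules drawn from the warning signs in the article:
  1. several failed logins, then a successful login from a device the
     customer has never used before (credential stuffing / stolen password);
  2. a change of email, phone or address followed within 48 hours by an
     outbound wire (contact details changed to hide alerts, then cash-out).
All events, thresholds and "known device" data below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (customer_id, ISO timestamp, event_type, details)
SAMPLE_EVENTS = [
    ("C1001", "2024-03-01T09:00:00", "login_failed", {"ip": "203.0.113.7", "device": "new-android"}),
    ("C1001", "2024-03-01T09:00:20", "login_failed", {"ip": "203.0.113.7", "device": "new-android"}),
    ("C1001", "2024-03-01T09:00:45", "login_failed", {"ip": "203.0.113.7", "device": "new-android"}),
    ("C1001", "2024-03-01T09:01:10", "login_failed", {"ip": "203.0.113.7", "device": "new-android"}),
    ("C1001", "2024-03-01T09:01:30", "login_ok",     {"ip": "203.0.113.7", "device": "new-android"}),
    ("C1001", "2024-03-01T09:05:00", "contact_change", {"field": "phone"}),
    ("C1001", "2024-03-01T09:06:00", "contact_change", {"field": "email"}),
    ("C1001", "2024-03-01T11:30:00", "wire_out", {"amount": 25000, "dest": "new-external-account"}),
    # A benign customer: one address change, then a small wire four days later.
    ("C2002", "2024-03-01T10:00:00", "login_ok", {"ip": "198.51.100.4", "device": "known-laptop"}),
    ("C2002", "2024-03-01T10:10:00", "contact_change", {"field": "address"}),
    ("C2002", "2024-03-05T15:00:00", "wire_out", {"amount": 500, "dest": "known-bank"}),
]

# Constructed thresholds; a real system would tune these per institution.
FAILED_LOGIN_BURST = 3                        # failures needed within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)          # lookback before the successful login
CHANGE_TO_MOVE_WINDOW = timedelta(hours=48)   # contact change -> money out window

# Constructed "devices previously seen for this customer" table.
KNOWN_DEVICES = {"C1001": {"known-iphone"}, "C2002": {"known-laptop"}}


def detect(events, known_devices=KNOWN_DEVICES):
    """Return a list of (customer_id, rule_name, detail) alerts in time order."""
    by_customer = defaultdict(list)
    for cid, ts, etype, details in sorted(events, key=lambda e: e[1]):
        by_customer[cid].append((datetime.fromisoformat(ts), etype, details))

    alerts = []
    for cid, evs in by_customer.items():
        failures = []   # timestamps of failed logins since the last success
        changes = []    # (timestamp, field) for every contact-info change
        for ts, etype, d in evs:
            if etype == "login_failed":
                failures.append(ts)
            elif etype == "login_ok":
                recent = [f for f in failures if ts - f <= BURST_WINDOW]
                new_device = d.get("device") not in known_devices.get(cid, set())
                if len(recent) >= FAILED_LOGIN_BURST and new_device:
                    alerts.append((cid, "burst_then_new_device_login",
                                   f"{len(recent)} failed logins then success from "
                                   f"{d['device']} at {d['ip']}"))
                failures = []   # a success closes the burst window
            elif etype == "contact_change":
                changes.append((ts, d["field"]))
            elif etype == "wire_out":
                fields = sorted({f for t, f in changes if ts - t <= CHANGE_TO_MOVE_WINDOW})
                if fields:
                    alerts.append((cid, "contact_change_then_money_out",
                                   f"{fields} changed within {CHANGE_TO_MOVE_WINDOW} "
                                   f"before ${d['amount']:,} sent to {d['dest']}"))
    return alerts


if __name__ == "__main__":
    for cid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{cid}: {rule}: {detail}")
```

Run stand-alone, the script flags only customer C1001, once for each rule; the benign customer's address change is outside the 48-hour window and raises nothing. The rules are deliberately simple: a real system would also weigh the destination account's age, the wire amount against the customer's history, and whether the new contact details match ones seen in other fraud cases.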
How Can I Safeguard My Accounts?
To help protect yourself and deter cybercriminals from accessing your personal financial information, be proactive. Take the following steps to secure your accounts.
1. Watch What You Click. The best way to protect yourself from a malicious link is to not click on it. Even if you feel confident that a link is valid, the only way to be sure you’re safe is to not engage. Instead of clicking on a link, responding to a suspicious email, or downloading an attachment from an unknown source, go directly to your financial institution’s website or use their app to confirm the financial institution sent the information. Any interaction with fraudulent communications increases your risk of compromise and exposing your personal information.
2. Use Strong Passwords. Don't share your passwords or leave them unprotected. Use a different password for each of your accounts, and change a password promptly if you suspect it has been exposed, for example in a data breach. To keep track of and protect your passwords, consider using a password manager, an app that generates and stores a unique, strong password for each account. Password managers are built into major browsers and mobile operating systems and are also available as stand-alone apps.
3. Enable Multifactor Authentication. Enabling multifactor authentication (MFA) can significantly reduce the likelihood of a cybercriminal taking over your account. Unlike single-factor authentication (e.g., a password alone), MFA requires two or more different types of factors, such as a password plus a code from an authenticator app, a physical security key, or a biometric such as a fingerprint or facial recognition. A code sent by text message is better than nothing, but it is the weakest option because it can be defeated by SIM swapping; where your institution offers an authenticator app or a security key, prefer it.
4. Maintain Device Security. Security software with antivirus, anti-spam and spyware detection is a must if you engage in online financial transactions. Keep it up to date and configure it for automatic updates and patching. On every device, install operating system and app security updates promptly. Check your hardware and software providers' websites for tips on checking and improving the security of your system. If you're considering storing personal financial information in the cloud, research the provider and its security policies thoroughly: verify that it supports MFA and encrypts your data, and be sure you understand the terms of service, including all costs, before you sign an agreement.
5. Use Your Own Device. If possible, avoid using public computers or devices that aren't yours to access your financial accounts. A public computer might run software that captures passwords and PINs for someone else to collect later. If you must use another computer, use a private browsing window if one is available, and after you log out delete the browser's cached files ("Temporary Internet Files" or "Cache") and clear its history. Use strong passwords, passphrases or biometrics to protect not only your mobile devices but also any financial apps you use.
6. Browse Carefully. When you access your financial accounts online, make sure you're on the right site and that the connection is secure. A secure connection uses an address that starts with "https" rather than "http" and shows a closed padlock in the browser's address bar. Note that the padlock only means the connection is encrypted; phishing sites use https too, so also check that the domain name is exactly your institution's. Avoid browsing other sites while logged in to your accounts; if you must, use a separate browser or a private window so a malicious page has less chance to hijack your session. When you're done, always click the "log out" button to end the session. If you simply close the browser or type in a new web address, your session may remain active and another user of that computer might be able to reopen the site and view your financial information.
7. Be Cyber Safe When Using Wi-Fi. Many public hotspots, such as wireless networks in airports, hotels and restaurants, lower their security settings so that anyone can connect easily. That also makes it easier for someone on the same network to intercept your traffic. Some attackers even set up their own networks with familiar-sounding names to lure unsuspecting users. Possible red flags include slow connections or networks that don't ask you to agree to any terms of service; when in doubt, confirm the exact network name with staff. Wait until you can connect to a trusted, encrypted network to access your financial accounts. At home, secure your Wi-Fi with the strongest encryption your router supports (WPA3, or WPA2 if WPA3 isn't available) and a strong password.
8. Review All Correspondence From Your Financial Institutions. Review your account activity and monthly account statements thoroughly as soon as they’re available. Be sure your financial institution has your current contact information and that you regularly receive statements. If you see a mistake or unauthorized activity in your account, contact your financial institution immediately.
Additional Actions
If any of your accounts are breached, even non-financial accounts, be sure to change your username and password for the breached account and any other account that used the same login information. You might also want to place a fraud alert or security freeze on your credit report with each of the credit bureaus.
If you suspect your identity has been stolen or want additional resources on identity theft, visit the Federal Trade Commission's IdentityTheft.gov resource. You can also report concerns about your investment accounts to FINRA, the U.S. Securities and Exchange Commission (SEC), and your state securities regulator.