Account Takeover Fraud (ATO)
What is ATO?
In Account Takeover Fraud (ATO), cyber criminals deliberately gain unauthorized access to a victim's online bank, payroll, health savings or social media account, with the goal of stealing money or information for personal gain. Cyber criminals may gain access to a victim’s online account through a variety of methods:
- Brute forcing username/password
  - A cybercriminal exploits weak passwords and the lack of multi-factor authentication.
- Phishing emails
  - A cybercriminal sends a deceptive email to trick the victim into giving away their login credentials.
- Phishing domains/websites
  - A cybercriminal uses a phishing website that appears to be a legitimate online banking or payroll website to trick the victim into giving away their login credentials.
- Social engineering
  - A cybercriminal manipulates the victim into giving away their login credentials by impersonating a bank employee, customer support or technical support personnel.
- Data breaches
  - A cybercriminal obtains the victim's login credentials from a past data breach or from criminal forums that sell breached data on dark web marketplaces.
- Malware
  - A cybercriminal obtains the victim's login credentials via malware on the victim's device.
The goal of the cybercriminals is to steal funds, redirect paychecks, or otherwise divert the targeted victim's funds.
Search Engine Optimization (SEO) Poisoning ATO
In one specific type of scam, cyber criminals buy ads that masquerade as legitimate companies to misdirect victims searching for a specific website through popular search engines such as Google, Yahoo, or Bing. The search engine may return a fraudulent website URL that is very similar to the legitimate website's URL or slightly misspelled, or that redirects to another website whose URL appears legitimate.
When victims click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking victims into providing their login information. Cyber criminals then capture victims' credentials as they access the fraudulent site.
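The lookalike URLs described above can be checked mechanically before a login page is trusted. The following Python is an added example written for this page; it is not IC3 tooling or code from the original text. The trusted domains and the URLs fed to it are constructed sample values. It flags a URL as a lookalike when its registrable domain is close to, but not equal to, a known-good domain (typos, transpositions, digit-for-letter substitutions), when the known-good name is merely embedded in a longer label, or when the known-good name appears only as a subdomain of some other domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate login domains (sample values for this example).
TRUSTED_DOMAINS = {"examplebank.com", "examplepayroll.com"}

# Character substitutions commonly used to build lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse common digit/letter swaps so 'examp1ebank' compares as 'examplebank'."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (inlined to avoid a dependency)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Sufficient for the .com-style sample names here;
    a real deployment should consult the public suffix list instead."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a login URL."""
    if "//" not in url:
        url = "https://" + url  # bare hostnames are accepted too
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    cand_label = domain.split(".")[0]
    for good in TRUSTED_DOMAINS:
        good_label = good.split(".")[0]
        # 1) Trusted name used as a subdomain: examplebank.com.secure-portal.net
        if f".{good}." in f".{host}.":
            return "lookalike"
        # 2) Trusted name embedded in a longer registrable label: examplebank-secure.com
        if good_label in cand_label and cand_label != good_label:
            return "lookalike"
        # 3) Close by edit distance once confusable characters are normalized
        if edit_distance(normalize(cand_label), normalize(good_label)) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, one per case the classifier handles.
    for sample in [
        "https://login.examplebank.com/",
        "https://examp1ebank.com/login",
        "https://examplebank.com.secure-portal.net/",
        "https://examplebank-secure.com/",
        "https://unrelated-site.org/",
    ]:
        print(f"{classify(sample):10} {sample}")
```

A browser bookmark is the simplest form of this allowlist; the code only makes explicit what "compare the URL against the one you know" means, and the `edit_distance` threshold of 2 is a judgement call that trades a few false positives for catching single-character typos and transpositions.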
If the account requires multi-factor authentication, cyber criminals may use social engineering to obtain the One-Time Passcode (OTP). For example, a cybercriminal pretends to be a bank employee or technical support personnel and asks the victim to provide their phone number via the fraudulent website's chat box. The cybercriminal then contacts the victim while pretending to be the bank employee or technical support and asks for the OTP.
If the account is a corporate account that requires two individuals to authorize a transaction (dual control), cyber criminals may use social engineering in the same manner as above and insist that the second individual go to the same website, and/or go to the first individual's open browser, to complete the transaction.
Cyber criminals then use the captured credentials to gain full access to the victim’s financial account. If a bank account is compromised, cyber criminals can transfer money from the accounts. If an employer payroll account, health savings account, or retirement account is accessed, the cybercriminal can change the direct deposit information in the real site and redirect funds. If cyber criminals gain access to full personally identifiable information (PII) for victims, they can also create new account relationships, including loans or accounts that defraud victims.
Stay Protected
To remain on guard against ATO, follow the tips below:
- Be careful about the information you share online or on social media. By openly sharing things like a pet's name, schools you've attended, your date of birth, or information about your family members, you can give scammers all the information they need to guess your password or answer your security questions.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Always use unique complex passwords, enable two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Use Bookmarks (Chrome) or Favorites (Edge) for navigating to login websites rather than clicking on Internet search results or advertisements. Multi-factor authentication will not protect you if you land on a fraudulent login page. Carefully examine the email address, URL, and spelling in any correspondence.
- Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Offer to call them back after you look up the phone number yourself. Remember that companies generally do not contact you to ask for your username, password, or OTP.
What To Do In Case Of An ATO Incident
- Contact Your Bank
  Contact the originating Financial Institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
  Requesting a recall and obtaining a Hold Harmless Letter/Indemnification documents as quickly as possible may reduce or eliminate your financial losses. Immediately report fraudulent wire transfers both to your bank and to the Internet Crime Complaint Center (IC3) at ic3.gov.
- Reset or Revoke Compromised Credentials
  Reset all credentials that may have been exposed during the intrusion, including user and service accounts, compromised certificates, or other "secret" credentials.
- File a Complaint
  File a detailed complaint with www.ic3.gov. It is vital the complaint contain all required data in provided fields, including banking information. Be sure to use the key words "account takeover" or "SEO poisoning" in the incident description.
- Stay Informed
  Visit www.ic3.gov for updated Industry Alerts and PSAs regarding ATO trends, as well as other cyber-enabled fraud schemes.