What Is Account Takeover Fraud and How Can You Prevent It?

Concerned young couple looking at the papers while using the laptop in the living room

Account takeover fraud—in which bad actors use stolen credentials to commandeer real credit card, shopping or even government benefit accounts—is one of the most common forms of identity theft. In fact, a 2020 study by Aite Group found that 38% of consumers surveyed had recently experienced account takeover fraud in the prior two years. It's pervasive and difficult to detect, and it can cost you money, wreak havoc with your finances and consume your valuable time while you try to undo the damage and secure your accounts. Here's what you need to know about account takeover fraud and how to protect yourself.

What Is Account Takeover Fraud?

Account takeover fraud occurs when cybercriminals gain access to your online accounts and use them to withdraw money, make purchases or extract information they can sell or use to access your other accounts. Potential targets of account takeover fraud include social media and email accounts, as well as those you use to shop or handle bank and credit card transactions. During the pandemic, there's been an uptick in government benefits, such as unemployment payments, involved in account takeover fraud—a good example of the opportunistic thinking that drives this trend.

How Do Criminals Get Your Account Information?

Fraudsters can buy stolen credentials off the dark web and use them to access your accounts. Where does data on the dark web come from? Data breaches are a prime source. The Identity Theft Resource Center (ITRC) reports that just over 300 million individuals were impacted by publicly reported data breaches in 2020. As massive as that sounds, it was a 66% decrease since 2019. Since its inception in 2005, the ITRC has tracked more than 12,250 data breaches involving billions of individual records. The first half of 2021 saw 846 publicly recorded data breaches, putting this year on pace to break a record for the number of breaches in a single year.

Additionally, criminals may use malware, phishing or other methods of identity theft to obtain your login and password information. Once they have credentials, they may attempt credential stuffing, where the login and password from one site is used to try to log in to others. Alternatively, they may execute a brute force attack, which uses bots to try multiple passwords on a single site.

What Do Fraudsters Do With Stolen Accounts?

Once they gain access to your account, criminals may do any number of things to cause trouble. They may, for example:

  • Order a new card from your credit card company and use it to make purchases.
  • Buy a new smartphone from your mobile phone carrier.
  • Access and redeem your account credits or rewards points for their own benefit.
  • Make a payment to a fraudulent company from your bank account.
  • Open a new bank account in your name.
  • Place orders on a shopping or restaurant delivery site.
  • Redirect unemployment benefits.
  • Access and steal personally identifiable information.
  • Change account information, including your phone number, email, home address or login and passwords.
  • Use the information they obtain to access other accounts.
  • Sell the account information on the dark web.

For all the problems account takeover can create, it can be difficult to detect. Often, criminals take the extra step of changing your account preferences so you don't receive notifications that might otherwise tip you off that something is amiss. Play defense: Pay attention to password change notifications and other account alerts as they come in before fraudsters have the chance to disable them. If you're notified of activity you don't recognize, look into it right away.

How Can You Protect Yourself From Account Takeover?

What else can you do to reduce your risk of account takeover fraud? Following general best practices for reducing the risk of identity theft is a good place to start. Some factors may be out of your control. For example, your information may be leaked in a data breach without your knowledge or the opportunity to secure your information. You can, however, take steps to limit the ways bad actors can use your data.

Be meticulous with passwords. Hackers will be more successful with their attacks if you tend to use the same logins and passwords on multiple sites. Ideally, you should have a unique, secure password for every online account. Using a secure password manager to generate and store these passwords across devices could be a great help.

Use multifactor authentication. Simply setting up security on your accounts to send a one-time passcode by email or text can help thwart an account takeover. Adding biometrics like face recognition or fingerprints can also be effective. Multifactor authentication isn't available on all accounts, but it is available on many critical ones. Activate it wherever you can.

Safeguard your credit. Even before you fall victim to account takeover, you might want to consider placing a credit report fraud alert or credit freeze with all three credit bureaus. With a fraud alert, credit bureaus will ask creditors to take steps to verify your identity before issuing credit in your name. A credit freeze prevents potential creditors (and others) from viewing your credit report and scores unless you deliberately "thaw" your credit information.

Consider identity theft protection. You can get help tracking your identity, accounts and credit file with an Experian Premium membership. With Experian's credit monitoring services, you can keep close tabs on your credit report and scores, receive alerts when changes are made to your financial accounts, scan the dark web and get help if your identity is compromised.

What to Do if Your Account Has Been Hacked

If you discover your account has been hacked, follow these basic steps for dealing with account fraud and identity theft:

  • Report the fraud to the company or agency involved. You may need to close your account or upgrade your account security.
  • Check your accounts. Assess whether your other accounts have been affected, especially those that use the same password.
  • Change your passwords. Update account information for the affected account and any others that share passwords with it. Better yet, you may want to take this opportunity to change and upgrade your passwords across the board.
  • Consider your credit. If you haven't already, you may want to freeze your credit or add a fraud alert to your credit reports and activate credit monitoring. Experian can help you start the recovery process.

Taking Account of Identity Fraud

Account takeover fraud is potentially damaging to your finances—and your sense of well-being—and there is no failsafe protection against it. Yet, you can take steps to limit your vulnerabilities and stop account takeover fraud when it happens. Maintaining strong account security and remaining vigilant are both critical. If you need help monitoring activity related to your identity and credit, consider identity theft monitoring and protection, available through an Experian Premium membership.