Online systems have never been more secure, providing multiple ways to protect your personal information. Because these systems are so safe, fraudsters have to look for new ways to access this sensitive information.
In the early 2020s, a technique called account takeover fraud (ATO) pushed its way to the front of the line—and has persisted ever since. Because online security systems like SELCO’s digital banking—with its layered and robust security options, featuring multi-factor identification and fingerprint/face ID—are so difficult to penetrate now, ATO goes straight to the source—you. Fraudsters attempt to entice you to reveal your information—whether it be through fraudulent links or codes via email, text, or over the phone. These attacks have become so rampant that they’re now considered a routine enterprise threat to organizations that included financial institutions.
Thankfully, as with all online fraud, there are ways to prevent—or at least slow down—these attacks.
The following is an overview of Account Takeover Fraud, describes what trends we’re seeing, and provides tips for turning away social engineering.
What is an ‘account takeover’?
Unfortunately, an “account takeover” is as alarming as it sounds—fraudsters access a user’s login credentials to take control of legitimate accounts. From phishing attempts to social engineering attacks, bad actors initiate fraudulent transactions via ACH transfers, wire transfers, bill payments, etc. These types of scams can take over checking accounts, savings accounts, credit cards, and more.
The fallout from one of these attacks can be severe. Not only can ATO fraudsters make unauthorized purchases with stolen accounts, they can also steal the victim’s personal information, which can have ramifications well beyond financials.
What has SELCO been seeing?
Like other financial institutions, SELCO members started receiving an increasing number of emails and texts claiming to be from SELCO, mentioning fraudulent charges or a supposedly locked account. Members were then prompted to click on a fraudulent link that tricks them into thinking they’re logging in to SELCO’s digital banking. In turn, fraudsters are then able to access the member’s digital banking and generate fraudulent transactions.
Members also received calls from someone claiming to be with SELCO or SELCO fraud prevention. In this example, the impersonator sends a code to the member’s phone to verify their identity. In reality, the fraudster is trying to access the member’s digital banking. And once the member “verifies their identity” by sharing the code, the fraudster can use it to log in as them.
SELCO will never ask members for their digital banking password or security code.
“Fraudsters aren’t going anywhere, so it’s essential to practice caution in scenarios like these,” said Stephanie Ziegler, Director of Financial Investigations at SELCO. “If an email or text doesn’t sit well with you—or if it comes as a surprise—call SELCO first and verify that the communication is legitimate. If you receive a suspicious phone call, hang up and call us at a verified SELCO number to confirm we were trying to reach you.”
What can you do to prevent ATO?
A great place to start is by making it extra difficult for fraudsters to access your information. Establishing strong passwords and usernames and opting in to push authentication or an authenticator app help build your personal firewall.
But in the event that you do receive questionable requests, follow these tips to keep the scammers at bay:
- Be skeptical. If you receive an unexpected text message, email, or phone call from someone claiming to be your financial institution, use caution. Don’t click links and contact SELCO directly using a known number to confirm that the message is legitimate.
- Don’t rush. Fraudsters use urgency to keep victims from thinking through a situation. Take a moment to step back and carefully review the communication:
- Are there typos? Is the grammar unusual for business correspondence? Either is a big red flag.
- Does the sender have a legitimate SELCO phone number or email address? If not, delete the communication and report it. With that said, spoofing can still occur even if the caller ID or sender's name appear to be legitimate, so don't rely solely on these factors for verification.
Another red flag occurs when someone claiming to be from SELCO has an aggressive attitude and tries to rush or threaten you into taking action on your account.
“We pride ourselves on quality member service, and a legitimate SELCO representative will never try to pressure you into providing information,” Ziegler said.
- Contact SELCO immediately. If you feel like you may have received a fraudulent communication, the sooner we can look into your account and put precautions in place, the better.
Account takeover attempts aren't going away, so be sure to fortify your personal firewall, monitor your accounts, and look for red flags. If you do receive questionable communications, be very skeptical. Awareness and vigilance will help put a lock on your accounts and sensitive information.
“It can be tricky to navigate all the new tactics the fraudsters are rolling out, so don’t be afraid to ask for help,” Ziegler said. “Our representatives can share tips on password safety, setting up alerts, and other ways that you can keep your accounts safe. That’s why we’re here.”
