Our financial fingerprints are scattered all over our computers and devices: banking, credit card and retirement account data; tax returns; travel loyalty clubs; digital payment apps; online accounts for megastores; and much more. What resides on your smartphone alone is like a “candy store” to cybercriminals, warns John Buzzard, the lead fraud and security analyst at Javelin Strategy & Research in Pleasanton, California.
Of growing concern to him and others who battle cybercrime is a scourge known as an account takeover. In this type of attack, a criminal gains access to one of your digital accounts. The crook may not stop at a single account, either. Multiple critical accounts — and hard-earned cash — can eventually be at risk, Buzzard says.
What’s an account takeover?
It’s worse than a cybercrook’s stealing your credit card number and going on a buying binge at a big-box electronics store. In an account takeover, your username, log-on information and the mobile number associated with your account are manipulated or changed in a way that prevents you from accessing your account and receiving notifications about possibly fraudulent activity. Account takeovers reached a six-year high in 2019, striking an estimated 4.4 million adults in the U.S. and causing $6.8 million in losses, Javelin Strategy & Research estimates.
[Graphic by AARP: Account Takeovers in the U.S.]
“There are thousands of organized criminals out there who work hard every day to go directly to the consumer and trick them into giving up their information.” —John Buzzard, cybersecurity professional
Buzzard, who was once the victim of an account takeover himself, remembers the experience as “jarringly invasive.” When it happens, “the creep factor is up 100 percent,” he says. “There’s somebody hard at work; they don’t care if they ruin your life, but they’re certainly chiseling away at your financial freedom and access to things that are important to you. It’s strange. The natural, visceral reaction is, What’s next? Is this it? Is there another shoe to fall?”
Data breaches galore
In light of persistent, troubling data breaches, a trove of sensitive consumer information is already in the hands of bad actors, Buzzard notes. Breaches can expose databases from entire organizations, and, according to Verizon’s 2020 “Data Breach Investigations Report,” there were 3,950 breaches last year.
Mike Stamas, 44, cofounder of GreyCastle Security in Troy, New York, observes that at the same time these crimes are soaring, our digital presence has grown. “Compared to 15 years ago, we have a much larger presence of online assets, whether it’s Facebook, Twitter, online banking, multiple email accounts, [crowdfunding site] GoFundMe and [payment app] Venmo,” he says.
Consider a designated tablet for finances
Stamas, his firm’s vice president of business development, says computer tablets and notebooks are so inexpensive now that consumers should consider buying one exclusively for online banking and other financial accounts. Without email, social media and internet browsing on that designated device, he explains, “you would significantly reduce your risk posture” by decreasing the incidence of phishing emails, spyware and malicious payloads.
Stamas also endorses designating one credit card, with a low credit limit, for use on accounts such as eBay, to more easily track spending.
Different accounts? Different passwords
Buzzard and Stamas, both 20-year cybersecurity veterans, say the smartest first step to thwart crooks from hacking into your accounts is this: Set up different, complex passwords not just for your financial accounts but for every online account. “Many people will use the same password and same log-in for their Yahoo email account and their J.P. Morgan account,” Stamas observes.
He urges people to avoid passwords built from dictionary words, because automated tools, in what are called brute-force credential attacks, can cycle through thousands of words to guess a password or passphrase. Stamas also suggests inserting a special character in the middle of a password, or in the middle of a nickname used as one.
Get a digital password vault or manager if you need one, Buzzard advises, though writing down passwords and storing them in a safe place is an alternative.
Here are 10 more tips to protect your financial accounts
1. Never give a stranger who contacts you remote access to your computer. “There’s absolutely no (legitimate) scenario in the world where someone will call you up on the phone unexpectedly and say, ‘We understand your computer is infected, and we’d like to help you,’ ” Buzzard says. If you suspect that your device has a problem, such as malware (malicious software), contact a trusted technician for service.
2. For another layer of security beyond a password, require two-step authentication to access sensitive accounts; the second step may be a one-time code sent to you by text message or phone call.
3. Ensure that your antivirus and anti-malware software is up to date.
4. Perform software updates as available on your computer, laptop, tablet and mobile device.
5. Set up your smartphone to stay locked until you provide biometric data such as a fingerprint or facial scan.
6. Contact your bank, credit card company and investment firm and ask what additional security measures they recommend for digital accounts; examples include fraud alerts and dollar limits on transactions. “They would love it if their customers took more initiative like that,” Buzzard says.
7. Write down your mobile device sign-on information and store it safely. You will need it to find your phone or, if stolen, to wipe the device.
8. Periodically review the “last log-in” time stamp on websites you frequent. Check if the stated times match your activity.
9. If you need to contact a customer service department, call using a phone number you know is legit, such as one from a billing statement. Stamas says his mother-in-law once ran into trouble by Googling “Amazon tech support” and phoning the first number that popped up. It wasn’t Amazon but a “malicious organization” that induced her to turn over financial information.
10. If you receive an email directing you to log on to a financial account to check out a transaction, ignore it. Instead, bookmark your financial websites and log on through a secure, trusted website. Stamas says an unexpected email “has a high likelihood of being malicious or a phishing scam,” in which a bad actor tries to steal something of value, like a credit card number or account number.
Katherine Skiba covers scams and fraud for AARP. Previously, she was a reporter with the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel. She was a recipient of Harvard University’s Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded with the 101st Airborne in Iraq.