People who fall for this simple scam lose over $50K: beware of bank impersonators


Cybercriminals are impersonating financial institutions, creating malicious websites, and manipulating them to appear at the top of search results, ultimately compromising user accounts and causing devastating financial losses to victims.

Since the start of the year, crooks using this type of fraud have already pilfered $262 million, according to the Federal Bureau of Investigation (FBI).

The FBI has received more than 5,100 complaints reporting account takeover fraud, with an average loss of $51,400 per victim.


“The cybercriminals target individuals, businesses, and organizations of varied sizes and across sectors,” the FBI said in a public service announcement.

“Cybercriminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain.”


No sophisticated hacking is used to steal the massive amounts of money – attackers rely on psychological influence to trick people into compromising their own security, a tactic known as social engineering.

Cybercriminals send text messages, call their victims, and send fraudulent emails. The lures are often targeted and personalized. The criminals also create fraudulent websites that imitate legitimate login pages, and they pretend to be bank employees, customer support agents, technical support specialists, and so on.

“Cybercriminals impersonate the financial institution’s staff or website to obtain access to the account,” the FBI explains.

“They manipulate the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP).”


In many reported cases, attackers convinced victims that fraudulent transactions had been detected in their accounts, or that their information had been used to make fraudulent purchases, including firearms.

In some cases, fraudsters tricked victims into “reporting the fraud” through a phishing link the fraudsters themselves provided. The crooks also persuaded users to give their account details to another conspirator posing as a law enforcement officer.

Phishing sites are nearly indistinguishable from legitimate online financial institutions or payroll websites, and in many cases, unaware account owners give away their login credentials.

Fraudsters also manipulate search results by buying ads that imitate legitimate banks or other businesses, targeting customers who use search engines to locate websites. These visitors are likewise tricked into providing their login details.


“Once the impersonators have access and control of the accounts, the cybercriminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets,” the FBI said.

Once the funds are lost, they’re quickly disbursed, making them very difficult to trace and recover.

In nearly all cases, cybercriminals lock the legitimate owners out of their accounts by changing passwords.

How to protect yourself?

The FBI shares five tips to recognize account takeover fraud attempts, as follows:

  • Always use unique and complex passwords with multi-factor authentication enabled, and never disable it.
  • Do not click on links; navigate to websites directly instead – use Bookmarks, or Favorites, or enter the website address yourself. Carefully examine email addresses, URL links, and spelling in solicited correspondence.
  • Monitor financial accounts regularly for any irregularities, such as missing deposits, unauthorized withdrawals, transfers, or expenditures.
  • Be careful about what you share online – your pet’s name on social media, schools you’ve attended, date of birth, and information about your family members may help scammers guess passwords or answer security questions.
  • Do not trust the caller ID and be suspicious of any unknown calls – hang up, verify the correct number, and call the company yourself. If the caller asks for a username, password, or one-time password, it's a major red flag.

If you’ve become a victim, immediately contact your financial institution to request a recall or reversal, as well as a Hold Harmless Letter or Letter of Indemnity. These documents may reduce the financial losses. Reset all compromised passwords, file a detailed complaint at www.ic3.gov, and notify the impersonated company.

