A woman in Westchester County, NY learned the hard way that even those who know the tell-tale signs of a cyberattack can be fooled. She fell victim to an account takeover (ATO) of her financial accounts – to the tune of over $30,000 stolen. Know that all types of accounts are vulnerable to ATOs, and not just those that are financial. As a result, looking closer at this ATO may help keep us from personally experiencing how one ends.

Unraveling an ATO

Simply put, an ATO happens when attackers take ownership of an account, effectively stealing it from a victim. Information from countless online sources is available to cybercriminals that provide passwords, usernames, and other PII (personally identifiable information) needed for ATOs. Ultimately, at the heart of every successful ATO is identity theft.

The victim in this story was cybersmart about what online scams can look like, but a very slick and sophisticated fraudster gained her trust and cleaned out her accounts.

While banking online, this person received a message saying her account had been compromised and provided her a phone number to call. The person she spoke with was well-versed in the financial institution’s lingo and sent her authentication codes, including by text. Overall, there was no reason for her to question the validity of this event. Or was there?

Ultimately, she was told to change her password, which she did. Shortly after, she learned her accounts were cleaned out. Three savings accounts for her daughters’ college funds were transferred to her checking account. After that, a transfer from her checking to “Hong Kong Toys LTD” sealed the successful ATO.

Hoping to restore the funds via fraud protection, her plea was rejected by the financial institution. The problem, according to her financial institution, is “...the fraud reported was caused by providing customer account information or authorization for the transactions that were determined to be a scam.” In other words, the victim enabled the ATO by providing information needed for the attack. In the meantime, she’s appealing that decision.

Avoiding ATOs

If there’s one thing to remember for preventing a successful ATO, it’s to verify with the financial institution, retail company, airline, or other ploy by calling them first before providing any information, period. Never use contact information given for the alleged incident or follow any links in emails or texts as they are all under hacker control. Instead, look up the real phone number yourself and call to verify if your account is truly compromised, or log in directly to your accounting using trusted links or apps. If there is a problem, it will be shown in there.

Don’t forget, no matter how much we know, or think we know about what a cybercrime looks like, a sophisticated hacker may still get the best of us.