
Ask the expert: How to prevent account takeover fraud

It can be distressing to learn that a criminal has taken over your bank account, but a few tips from the experts can help you avoid becoming a victim.


You log on to your online bank account and realize someone booked a trip to Mexico using one of your cards, but it wasn’t you.

You receive your bank statement in the mail and notice a handful of wire transfers overseas, but you don’t remember sending money to Thailand.

You pull a copy of your credit report and notice that you’ve applied for three credit cards over the last six months, but you haven’t.

Scenarios like these are more common than you think: fraudsters targeted almost 3 in 4 Canadians in 2020, a CPA Canada survey reveals. It can be distressing to find that your bank account has been taken over by someone else, and they’re spending your money, using your personal information, or taking advantage of your credit score.

BMO’s Head of Fraud, Ash Khan, addresses some of the concerns you might have about account takeover, how you can avoid it and what you should do if you think you’re a victim.

Q: What is account takeover fraud?

Account takeover fraud occurs when a criminal gains access to your banking profile to either commit theft of your personal information or execute unauthorized transactions, explains Khan.

“Criminals take advantage of online resources and social media to guess your basic information, accurately answer your security questions and then gain control of your accounts. They often use their short-term access to drain your savings or request a new credit card. Alternatively, some criminals will sell your login information to the highest bidder. This is especially true for high balance accounts, as it allows the criminal to still make money but minimize risk to themselves.”

“Multifactor authentication is the strongest way to prevent online account takeover.”

Q: Is account takeover something that only happens online?

Account takeover can happen in person at a branch, over the phone through a call centre, through a written request via email, and through mobile and online banking platforms.

As Khan describes, “One of the more common schemes we’ve experienced in Fraud is when someone walks into a branch and requests an urgent wire transfer to another province. They typically claim to be travelling; they’ll have a very elaborate explanation for why they don’t have their bank card with them. In this scenario, what we’re really seeing is a criminal impersonating an existing BMO customer, using fake identification created based on information they likely found on social media or via other public sources, and trying to transfer money from that customer into their own account.”

Although this can seem a bit far-fetched, Khan offers this context: “These criminals are professionals; they know how to make a fake ID, build or imitate a persona, socially manipulate people they meet, and move money as quickly and discreetly as possible.”

Khan is no stranger to protecting customers; before his career at BMO, he spent decades working in roles in technology, cybersecurity and cyber financial crimes.

Khan is very passionate about his team’s work: “We do everything possible to detect and prevent fraud so that you can focus on the things that really matter, like achieving your financial goals.”

Q: What can I do to prevent an account takeover at a branch or call centre?

As Khan says, a little caution goes a long way. “Never share your card or PIN with anyone, even family members. Grandparents, children and teenagers can be particularly vulnerable to social engineering and may share this type of sensitive information inadvertently. Even your bank will never ask you to share your PIN out loud, in an email, text or call.”

When deciding on your PIN, avoid:

  • Repeating patterns, such as couplets and straights e.g. 0202 and 3333
  • Years, birthdays and anniversaries
  • References to popular culture or historic events e.g. 1984 and 2001
  • Keyboard patterns like 2580
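
The list above can be turned into a check that a PIN-change form runs before accepting a new PIN. The following is an added example, not BMO code: it assumes 4-digit PINs, treats ascending or descending runs as weak as well, and uses its own date ranges (years 1900 to 2099, MMDD or DDMM pairs); all function names are illustrative.

```python
import re

# Key positions (row, column) on a standard PIN pad: 1-9 in three rows, 0 under the 8.
POS = {d: divmod(int(d) - 1, 3) for d in "123456789"}
POS["0"] = (3, 1)


def is_date_like(pin: str) -> bool:
    """Plausible year, or a month/day pair in either order (assumed ranges)."""
    if 1900 <= int(pin) <= 2099:  # also covers year-style references like 1984, 2001
        return True
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def is_keypad_walk(pin: str) -> bool:
    """Every digit sits next to the previous one on the pad (2580 is the middle column)."""
    return all(
        max(abs(POS[a][0] - POS[b][0]), abs(POS[a][1] - POS[b][1])) == 1
        for a, b in zip(pin, pin[1:])
    )


def weak_pin_reasons(pin: str) -> list[str]:
    """Return the reasons a 4-digit PIN matches the 'avoid' list; empty means none matched."""
    if not re.fullmatch(r"\d{4}", pin):
        raise ValueError("expected a 4-digit PIN")
    reasons = []
    if pin[:2] == pin[2:]:  # repeated pair or single digit: 0202, 3333
        reasons.append("repeating")
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):  # assumption: runs such as 1234 or 4321 count too
        reasons.append("sequence")
    if is_date_like(pin):
        reasons.append("date")
    if is_keypad_walk(pin):
        reasons.append("keypad")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs: the four from the list above plus two others.
    for sample in ("0202", "3333", "1984", "2580", "1234", "7294"):
        print(sample, weak_pin_reasons(sample) or "no listed pattern")
```

An empty result only means none of the listed patterns matched; pop-culture references that are not year-like cannot be enumerated this way.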

“I always tell my friends and family: keep your bank card in sight and in hand. Don’t loan it to a friend, don’t add it to someone else’s digital wallet, and don’t let someone take it out of your hand to conduct a transaction on your behalf. Just as a magician can seemingly make playing cards appear out of thin air, so too can a fraudster disappear or switch out your bank card without you ever noticing.”

Q: What about online account takeover fraud?

“Multifactor authentication is currently one of the strongest ways to prevent online account takeover,” explains Khan.

Multifactor authentication uses more than one piece of information to confirm a customer’s identity. A combination of factors can be used, for example, something the customer knows (like a password), with something they have (like a hardware token), or something they are (like a fingerprint, facial pattern or voice, also known as biometrics).

Khan recommends also signing up for BMO Alerts. He explains, “Let us tell you if something is different or unusual with your account, such as an email address change or a large transaction—and then you can tell us if the change or transaction was made by you or someone else. Alerts are more than just keeping track of your spending and bills; they can empower you to own your security.”

BMO Alerts are available through BMO Digital Banking (online or in the mobile app) and include options to be notified of suspicious account activity, as well as changes to your contact information, large transactions and account overdrafts.

Khan’s most important piece of advice: “Be vigilant with personal information.”

For example, when you are resetting your login credentials for mobile or online banking, BMO may send you a one-time password. As Khan elaborates, “Although a one-time password can help you get back into your account as quickly as possible, it can also be used by criminals to manipulate you into sharing your login information. BMO will never send you a one-time password, and then later call and ask you to share that password back with us. If this happens to you, there’s a good chance someone is trying to take over your account.”

Q: How do I make sure that criminals don’t guess my password or security questions?

“A lot of security questions are easier to guess than you might think,” says Khan.

As Khan explains, for ‘What was your first car?’, a safe guess might be Chevrolet. For ‘What’s your favourite pizza topping?’, that Instagram picture of your pineapple pizza would easily give it away. For ‘What’s your favourite childhood cartoon character?’, Mickey Mouse might be a good starting point.

If your password or the answers to your security questions are easy enough for a close friend to guess, they are probably obvious enough for a criminal to figure out. Khan also emphasizes the importance of building unique and complex passwords in the first place. These are his top tips for creating strong passwords:

  1. Create passwords that are at least 8 characters long, using numbers, upper- and lower-case letters and special characters. The more characters, the better!
  2. Use passphrases. An example is: I love to ski downhill like a star, which becomes 1l0VEtsdhla*.
  3. Never use birthdays, anniversaries, pet’s or children’s names, seasons or common phrases like password, 123456 or qwerty.
  4. Never reuse old passwords or share the same password across multiple sensitive profiles.

Q: If I don’t have online or mobile banking, will that help to protect me from account takeover?

“In fact, quite the opposite,” says Khan.

Not being signed up for online and mobile banking makes you more vulnerable to account takeover fraud. By signing up, you’re making it much harder for someone else to create an online account on your behalf using your credentials.

Khan adds this context: “Even if you don’t think you're likely to use them often, online and mobile banking make it easy to update your address and contact details, give you access to BMO Alerts, and allow you to keep a closer eye on your recent transactions and bank statements.”

Q: This is a lot of information; how do I remember all of it?

We have put together a one-pager to summarize all these recommendations. Share it with your family and colleagues; or print it out and post it somewhere you’ll see it often.

Q: What should I do if I think I might be the victim of an account takeover?

If you notice unusual activity on your accounts that could indicate account takeover, don’t panic. As Khan explains, “There are lots of reasons you might not recognize a transaction or get locked out of your account. The first thing you should do is call your bank and validate your suspicions.”
