Account Takeover Scams

How to protect your online accounts

Welcome to The Safety Net, a newsletter that profiles scams and helps you protect your family from them. If you like this issue, please share it with anyone who might like it. Thanks!

“Account Takeovers” are one of the most dangerous forms of scam, but most people don’t know what they are or how to prevent them. Today we’re going to break it down and cover how to protect yourself and your family.

An Account Takeover (ATO in the industry jargon) starts when a scammer gets the password to one of your accounts. They log in as you, change your password, change your contact information, and lock you out of your account.

At that point the scammer can do pretty much whatever they want - take money, scam your friends, rack up credit card bills, etc. Because they changed your password and contact information, you don’t have a way to regain control of your account.

Security.org estimates that 24 million Americans have been the victim of Account Takeovers, with average losses of almost $12,000. Social media accounts are the most common target (51%), followed by bank accounts (32%).

So how do you stop them? The easiest way is to set up “2-factor authentication” (2FA) for all your important accounts. It’s called “2-factor” because logging in requires two things: your password and a second confirmation, usually from another device. So if you log in to your bank account on your laptop, your bank will send you a notification on your phone. Once you approve the notification on your phone, you’ll get access on your laptop.

You can probably see how this will stop most attacks. Almost all scammers are working in remote locations, so they can’t get physical access to your phone. By requiring both the password and approval on your phone, you’ve made it virtually impossible for scammers to get into your account.

There’s an important caveat: you’ll often see options to use your phone number or email address for 2-factor authentication. Both of these are weaker forms of security. The problem with email is that it can be accessed from anywhere. So if that scammer on the other side of the world also figured out your email password, they can just log in to your email and approve their own account access. And as we discussed in the article on SIM swapping, scammers can actually get access to your phone number and intercept your text messages or phone calls.

The strongest form of 2-factor authentication is through an app. If the account you’re protecting also has a phone app, that’s the easiest option. If not, you can use something called an “Authenticator app.” (Some of the more popular ones are linked below.) When you enable 2-factor authentication, choose the Authenticator app option, then follow the instructions to enable it.

Even though an app is the strongest form, something is better than nothing. So if setting up an app is too difficult, or your account only offers the phone number or email address option, that will still keep you safer than not having any form of 2-factor authentication.

The Safety Net is a free newsletter. Subscribe to get tips like this in your inbox every week!

Quick Tip of the Week: Authenticator Apps

Authenticator apps make it easy to enable 2-factor authentication and keep your accounts secure. In addition to the standalone apps below, password managers like 1Password can also be used as your 2-factor device.

  • 2FAS

  • Google Authenticator

  • Microsoft Authenticator

Have you come across a scam recently? Received some weird messages that you think might be a scam? Forward them to [email protected] and we’re happy to help! We’ll take a look and let you know what we think, and if it is a scam we’ll profile it in future issues of The Safety Net to protect others.