Account Takeover Fraud: Hacking and Scams

In this series of posts we are discussing Account Takeover Fraud

In this series of posts we are discussing Account Takeover Fraud; how it happens and how criminals are winning the war on cybercrime. As criminal hackers continue to seek out vulnerabilities in corporate networks and citizens are lax in their own home networks, account takeover fraud will continue to plague the public.

There are numerous types of account takeover and many ways account takeover can occur.

Here are 10 examples:

  1. Credit Card Fraud
  2. Hacking
  3. Scams
  4. Change of mailing address
  5. Skimming
  6. Phishing
  7. Telephone fraud
  8. Vishing
  9. Mortgage refinance fraud
  10. Check fraud

In a previous post we discussed credit card fraud. In this post we cover:

  • Hacking
  • Scams
  • Change of mailing address
  • Skimming
  • Phishing


Cracking unprotected data or even cracking what’s considered protected data under the Payment Card Industry standards has become the bane of the banking, financial, retail and credit card processing industries. Criminal hackers have found numerous ways to penetrate and sniff out data and quickly turn it into cash.


As criminal hackers get more sophisticated in their online scamming, they are also becoming more proficient at acquiring data in numerous ways and getting consumers to hand over their credit card data using a variety of ruses in the virtual and physical worlds.

Change of mailing address

Thieves may pose as the bank account or credit card account holder and request statements sent to a new mailing address.

The same can be accomplished simply by filling out a change of address card at the post office. Once they obtain these, they can begin to take over the account transactions.


ATMs, gas pumps, teller line debit card readers, point of sale credit card readers—they all have one thing in common: the ability to receive a credit card swipe when the card holder swipes the machine readable credit cards magnetic stripe.

Criminals have perfected the art of manufacturing hardware skimmers that are placed on the face of ATMs or other devices in tandem over or near where a card is swiped. These skimming devices record the data off the magnetic strip and retrieve the user's pin code via tiny cameras placed in approximation to the keypad. Once the data is stolen they can create a functional credit card from the information they retrieved from the magnetic strip.

In some cases it is impossible for the cardholder to detect the fraud at the POS because the entire card reader was replaced or internally hacked. In any case the user needs to be aware of potential red-flags such as 2 sided tape, Velcro, wires sticking out, discoloration of the card reader and the rest of the machine. Also look for secondary devices that may house a camera such as a brochure holder, external mirror, or even a protruding audio speaker. Whenever a skimmer is detected notify the bank branch ASAP and report and have your card number replaced. 


Anyone who uses email has undoubtedly received an email from a criminal posing as their bank, Paypal, AOL, eBay or any other entity that may either allow the criminal direct access to the consumers’ bank account or through 3rd parties where the bank account may be linked.

The users may freely enter the requested data providing usernames, passwords and multifactor forms of authentication allowing the criminal full access to the compromised account.

Once the user begins to click on links in the body of a phishing email they may be re-directed to a spoofed website (one that mimics the identity of a real brand) requesting data, or the clicked links prompt a download of a virus that has a remote control component.

The simple solution to this ruse is to hit delete. Certainly, whenever a user receives an email from what seems to be a trusted entity, he or she ought to make a phone call to confirm its legitimacy; if the user has requested electronic statements, it is always best to click links within the browsers favorites menu or manually type in the address in the address bar.