Account fraud is when cybercriminals use another person’s stolen personal information – obtained either from a data breach or through password cracking – together with that person’s good credit rating to open a fake account and borrow money using fake credentials. The attacker will typically borrow as much as they can in one go.
The fraudster often obtains information illegally in order to purchase products online using the stolen account. They can then resell the products on third-party sites or black markets at a reduced price.
Types of account fraud
There are many different types of account fraud, including:
- Loan or credit card application fraud – where the victim has their identity stolen and used to apply for loans or lines of credit.
- Employment offer-letter scam – a company receives an email from a prospective employee who offers them work. The fraudster then sends a fake employment contract and asks for money upfront before they start working.
- Phishing scams – where fraudulent emails are sent out pretending to be from official sources such as banks, social media platforms, retailers, etc. in order to pick up personal information like passwords, bank account number and password details, or usernames. Once this data is obtained, it can be used to open new fraudulent accounts using the victim’s credentials; to access existing accounts by changing passwords or asking for alerts or updates to be sent on their behalf; or to send messages to all contacts who are connected with the victim’s account, pretending they have been hacked and urging them to change their password.
What is new account fraud
According to the IRS, new account fraud is when someone uses your personal information – such as a Social Security number or bank account number – to open a fraudulent account in your name. This type of account fraud can be much more damaging because it doesn’t just affect you financially; it could lead to issues with identity theft and other serious consequences that may take years to sort out.
Types of new account fraud
New account creation fraud can take many forms, including:
- Opening a new fraudulent account in your name and running up debt without paying it back.
- Applying for loans or credit cards in your name that you never agreed to.
- Using false personal information when filling out a loan application on behalf of someone else.
It is common practice amongst cybercriminals to use social engineering tactics, such as pretending to be representatives of a popular company who are calling because money was detected being taken from the victim’s bank account by one of the company’s employees, all with the intention of getting personal details so they can apply for new fake accounts at banks and stores.
The impact of new account fraud
Fraudulent accounts can have a serious impact on businesses, with the potential for significant revenue lost to chargebacks and lost sales as merchandise finds its way onto the dark web. The organization can even incur fines and damage to its brand reputation.
New account fraud prevention
How to protect your assets from fake account creation fraud?
- Monitor your credit report.
- Check bank statements regularly, to look for any unauthorized transactions or the opening of new fraudulent accounts in your name.
- If you think someone has accessed an account using personal information without permission, contact the police and alert your financial institution immediately. If it’s after hours, contact them through their customer helpline. Your financial institution will send confirmation that they have taken action once they have investigated the fake account creation report further.
What is account takeover fraud
Account takeover fraud is when someone uses your password to access an online account.
How to protect yourself from account fraud
To avoid fake account fraud, follow these steps:
- Use a strong password that is unique and difficult to guess. This means using at least eight characters of different types such as letters, numbers or symbols in your passwords. Never use the same password for more than one site.
- Be cautious when clicking on links in emails from people you don’t know – especially if they’re asking for personal information like credit card details or bank logins. Hover over the hyperlinked text with your mouse cursor before clicking it to check where it will take you.
- Never respond to emails from people you don’t recognize asking for your account details. The email address may be a fake one, designed to look like that of the company they are claiming to represent. If in doubt, contact the organization through an official channel (e.g., their customer service phone number or webchat) and ask if there is anything you need to do about this request.
- Enroll in two-factor authentication on websites where it is available, and protect all devices with anti-virus software.
- Check bank statements regularly by logging into internet banking on your PC at home – avoid public wi-fi networks.
How to protect your business from account fraud
- Conduct a risk assessment of your company’s online accounts to find out where you are most vulnerable. For example, what software does your business use? What security features, such as two-factor authentication or password resets, does it offer? Check with service providers whether their site is safe and not experiencing data breaches.
- Encourage your employees not to part with their passwords and usernames. If you have to share them, be sure to do that using a trusted password manager, such as LastPass or 1Password.
- Enable two-factor authentication for all employees who have access to sensitive information on computers or mobile devices – this will help stop hackers accessing your account from outside by requiring verification, such as an SMS code sent to the user’s phone number, every time someone tries to log into it. The code can arrive in a text message (SMS) notification or come from some other form of security device that generates codes, such as a hardware token.
What to do if you fall victim to account fraud
- Report the fraud to your bank.
- Contact your credit card company and ask for a new card.
- Call the police if you believe that someone has stolen money from you.
- Change all of your passwords, as well as those of any other accounts that were accessed during this time period.
- Monitor your account activity closely in order to prevent further theft.
- If you live in the US, file an identity theft report with the Federal Trade Commission (FTC) and Identity Theft Resource Center (ITRC) so they can help monitor any future fraudulent activities on your behalf.
Frequently asked questions about account creation fraud
Why is it important to report account fraud when it happens to one of your customers?
Reporting suspicious or wrongful activity on an account helps businesses maintain good public relations, builds trust with customers and maintains customer loyalty. The collective effect of these efforts yields a better bottom line for everyone involved in financial transactions, which then benefits society. Finally, reporting any potential criminal activity helps law enforcement officials to track down either individuals who violated laws or networks used to perpetrate illegal activities like money laundering.
How to report bank account fraud?
The answer to this question can be found on the websites of financial institutions or on other websites.
The Internal Revenue Service (IRS) has a detailed and very informative guide that covers many reporting requirements for financial transactions, including detecting possible refund fraud and protecting against fraud schemes. Stolen Identity Refund Fraud is a specific type of tax-related identity theft where someone files a return with your personal financial information to get a refund from the IRS in order to withdraw their money or damage your credit record further.
This guide includes what steps to take if you suspect someone has filed under your identity, how you can protect yourself against this type of theft, and what documentation is necessary for proof of withholding following fraudulent return filings. If more information is needed about these steps, consult the IRS guide.
Why do people commit account fraud?
The motivation behind account fraud varies. Cybercriminals are often looking to make quick money, and will use the stolen account number, credit card or identity of an unsuspecting victim for their own personal needs. In other cases, it may be more malicious — they might want to ruin your good name in order to blackmail you into paying them money, steal sensitive information from you that could lead to further crimes, or even post slanderous content on social media sites under your username.
A recent study by IBM Security found that about half of all cyber-attacks are motivated by financial gain — either stealing data (such as intellectual property) with intent to carry out subsequent attacks against competitors’ networks, or using employees’ credentials obtained through phishing campaigns to access payment systems and steal funds.
The loss of intellectual property can have a devastating impact on the company concerned, but it’s important to note that cybercriminals don’t always go after high-value targets — they’ll attack small to medium websites or less protected government databases if there are people with access privileges willing to share their credentials.
What are some signs of fraudulent activity on your accounts?
- You receive an email or text message from your bank that they need you to verify information.
- Your phone number and email address have been changed without permission on a website where those are required fields for login.
- A new account is opened in your name that has no credit history attached to it but has access to significant balances.
Once fraudsters open these accounts, they can use the stolen personal data to purchase goods online using stolen card or account numbers and have them shipped directly to their home, which is much more difficult for law enforcement agencies to deal with than intercepting packages at the post office. If this occurs, it is important to notify the police and credit card company.