Understanding Account Takeover Scams
No reputable financial institution — INCLUDING Synovus — will ever call, email, or text you to ask for personal information.
It starts seemingly innocuously enough. You receive a phone call from a person claiming to represent a bank you do business with. The caller says they are reaching out because they've detected fraudulent activity on your account, like maybe a suspicious wire transfer.
They may ask you to verify some information — and even read them a series of numbers that gets texted to your cell phone. You hang up, thinking fraud has been averted, only to discover later that your bank account has been taken over and your hard-earned money is gone!
This is known as an account takeover scam, and it's a growing problem that everyone with a bank account needs to know about.
What Is Account Takeover?
Account takeover is when a scammer fraudulently gains direct access to one or more of your financial accounts. Once they do this, they can change your password and other information, depriving you of access to your account.
Even worse, they can transfer money out of your account and into another one, from where they make a series of transfers from account to account. This makes it almost impossible to trace where your money went, let alone reclaim it.
How Does Account Takeover Happen?
In order to protect yourself from account takeover, you first need to understand how it happens — and what the fraudster is doing behind the scenes.
"The fraudster has done their homework," said Ryan Blackwell, a Senior Financial Crimes Investigator at Synovus. "They know your name, who you bank with and other personal information about you. More often than not, the fraudster has already compromised your email account. They have spent days, weeks, or even months acquiring this information."
Don't ever share an access code that you get by phone or email with anyone. Synovus will never call or email asking for one.
That's when they finally call you. Once they've got you on the phone, they lead you to believe they're an employee of a trusted financial institution trying to help you prevent fraud. Only then do they walk you through the final part of the scam — getting the last bits of information they need to take over your account.
They may ask you to confirm your username (if they don't already have it). Now they just need your password (if they haven't been able to hack that yet) and the final access code that gets texted to you before you can gain access to your account.
Let's say they don't have your password. While they have you on the phone, they may tell you that they will need a code from you in order to proceed. Sure enough, a code will appear on your phone. So, you read them that code. Problem is, that code was just generated because the scammer tried to sign into your bank account — and selected the "forgot password" option. Now they have the first code they need to get access to your account.
Once they do this — or if they already had your bank account password — the last step is getting past the financial institution's two-factor authentication process. Once again, they'll tell you that you need to read them a code off your phone, perhaps to "verify" your identity. But really, the scammer just tried to log into your account — and that code was the last thing needed to gain access to your account!
What Can You Do To Protect Yourself From Account Takeover?
Calvin Collins, a Financial Crimes Investigator at Synovus, stresses that "While the fraudsters already have pieces of information about you and your accounts, they wouldn't be reaching out to you if they already had everything they needed to take over your account."
This means that you can protect yourself by not giving them the additional information they need to complete the scam. Here are some key things to remember:
Don't ever "verify" or otherwise give out personal information to someone who calls you. This is true even if the caller says they are from a bank, even if the name they give is a bank you do business with. If your bank calls you, they'll know who you are, and they'll already have the information they need.
Remember to Stop, Drop and Call. If you get a call from your bank asking you for any information, you should STOP to ask yourself why they would be asking you for personal information they should already have. Then you should DROP the call by hanging up. Finally, CALL your bank directly using a number you have on a bank statement or find their phone number on a trusted website.
Don't ever share an access code that you get by phone with anyone. There is literally no one (besides you) who should ever need this number. Not your bank. Not even if someone is telling you that potential fraud has been detected on your account. Want to know more? Check out the article "Shhh! Don’t Tell Anyone That Access Code!"
Set up secure passwords on your email and financial accounts. The easier it is for a scammer to get into your email account or guess the password for your financial account, the easier it will be for them to ultimately take over your account. Follow these steps to set up a secure password for all of your sensitive accounts.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.