It can happen to anyone, it seems. Even those who work in the finance industry.
A former Mastercard executive told Business Insider she nearly lost $100,000 to an account takeover scam last year.
Catherine Woneis, former vice president of CipherTrace, a service owned by Mastercard that helps secure crypto transactions, says she almost lost most of her life savings after scammers accessed her real-estate agent’s email.
Account takeover fraud is when scammers gain access to your social media, email, banking, or other personal accounts. Criminals usually gain access to accounts with stolen credentials that they purchase through the dark web or social engineering tactics that trick you into sharing your password, Woneis said. They then use these accounts to siphon away your hard-earned cash.
The number of known account takeover scams grew by 354% year over year in 2023, resulting in $13 billion in losses, according to AI fraud detection service Sift Science.
In Woneis’s case, scammers accessed her real-estate agent’s email using “credential stuffing,” a tactic that uses AI bots to try every possible username and password until they land on the correct answer.
The fraudsters used information found in emails about Woneis’s transactions to impersonate the title company for her home. The fake title company then emailed Woneis, asking for an “accelerated” payment.
“This is a very typical thing that criminals use in frauds: They try to implement some time piece,” Woneis said.
Woneis said she checked to see if the email address was real and noticed it was appended with another address, but she assumed it was part of the company’s automated email system.
“They sent me wire instructions that perfectly mimicked the wire instructions from the title company. They had an example of what that looked like,” Woneis said. “It was the exact same typography, the exact same letterhead, and everything else.”
The only differences from the real wire instructions were a fake phone number and email, along with incorrect bank information. Woneis said that, thankfully, she called the phone number she had originally received from the title company, which informed her that the bank account information on the form was incorrect.
“Had I been in a rush and called the phone number on the form, that would have been them, and they would have pretended to be the real estate company saying, ‘Yes this is authentic, and it’s come from us,'” she said. “We could have potentially been caught in wire fraud.”
Woneis said she would have lost about $100,000 if the transaction had gone through.
Woneis now works for a cybersecurity company called Fingerprint, which she says is developing tools to combat the rise of account takeovers. Some of the keys to fighting this kind of fraud are algorithms that can determine where a website visitor is located (if they’re using a VPN) and systems to identify when bots are trying to access a website through brute force, Woneis said.
If you think any of your accounts may be compromised, Woneis says to quickly change all of your usernames and passwords, set up two-factor authentication for any sensitive accounts, and report any fraud to the FTC fraud reporting website.