
Fraudulent Account Takeovers Increase in the UK


Account takeover cases in the UK are on the rise. An account takeover is a form of identity theft where criminals illegally access bank accounts, credit cards, or online e-commerce accounts with the use of bots or other techniques. Once they have access, they can illegally shop and carry out fraudulent transactions from the compromised accounts.

During the first half of 2019, the value of alleged fraud was down 7.5% compared with the same period of the previous year, but the number of account takeovers grew an alarming 57%. This is a huge cause for concern.

Understanding Account Takeovers

Data was analysed from 217 cases of alleged fraud from the first half of 2019 to identify trends in the illegal activity. The most alarming takeaway is that four cases involved repeat offenders totaling £2.6m in new charges, indicating that cybercrime is becoming more commercialised.

Account takeovers can be accomplished in a variety of sneaky ways, including email, text messages, and smartphone apps, all in pursuit of the personal data that will give criminals access to your accounts.

Some scammers even run involved schemes where they pose as a legitimate company until they have access to your bank details. This often happens when a business believes its computers have already been compromised and is looking for help removing viruses or upgrading security features.

Sometimes, account information is obtained simply from credential cracking. This is when fraudsters use the information they know about you or commonly used passwords to gain access to your accounts.

Once your account has been taken over, scammers will often sell your information on the dark web. Other scammers then purchase these account details in bulk and automatically try them on several different websites to see whether the same account information was reused elsewhere.

How to Minimise Account Takeover Risk

While it may seem obvious, being cautious with your account details can sometimes be taken for granted, especially when the scammers are the ones offering the “solution”. Sometimes, it’s not even a matter of whether or not you freely give out your information.

To help protect yourself against cybercrime, you should have a unique password for every account that you have. Your passwords should include lowercase and capital letters, numbers, and special characters such as asterisks and hashtag symbols. Your password should not have anything to do with you personally, such as children's or pets' names, birth dates, or where you live.
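The password guidance above can be turned into an automated check of a password list. This is an added example, not part of the original article; the function names, the character-substitution table and the sample values used to exercise it are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Common character swaps ("R3x" for "Rex") undone before matching personal words.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def date_fragments(d):
    """Digit strings a birth date commonly appears as inside a password."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm + yyyy, dd + mm + yy, mm + dd + yyyy, yyyy + mm + dd}

def check_password(password, personal_words=(), birth_dates=()):
    """Return the list of rules from the guidance that this password breaks."""
    problems = []
    classes = {
        "lowercase letter": r"[a-z]",
        "capital letter": r"[A-Z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    for word in personal_words:
        w = word.lower()
        # Very short words are skipped to avoid matching by accident.
        if len(w) >= 3 and (w in lowered or w in normalised):
            problems.append(f"contains personal detail '{word}'")
    # Separators are dropped so "14/03/2012" and "14032012" match alike.
    digits = re.sub(r"\D", "", password)
    for d in birth_dates:
        if any(frag in digits for frag in date_fragments(d)):
            problems.append(f"contains birth date {d.isoformat()}")
    return problems

def find_reuse(vault):
    """Map each password used on more than one account to those accounts."""
    seen = defaultdict(list)
    for account, password in vault.items():
        seen[password].append(account)
    return {pw: sorted(accts) for pw, accts in seen.items() if len(accts) > 1}
```

Run it only against passwords held locally, for example an export from a password manager, and delete the export afterwards.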

You should also always research companies before providing any account details and never provide passwords. Any security company you use should have a website, legitimate online reviews, and preferably a BBB page. If you are approached by a company, there is a possibility that they are scammers and you should seek other options for your security concerns.

While most account takeovers come from outside sources, you should still follow due diligence when hiring employees, especially if they are filling a financial role.

In Summary

The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956), enforced in June, require banks to repay customers the funds stolen as a result of account takeover. While this is a step in the right direction, you should still be vigilant about protecting your account information.

Account scammers are only becoming more creative with their methods for accessing your account, so each business needs to be more cautious in turn whenever it is asked for any account information.