NYSDA Publications

NYSDOS Issues Alert on Account Takeovers

Aug 14, 2025

Per the notice below, the New York State Department of State (NYSDOS) has issued an alert on account takeovers and how to prevent such scams.

New York Department of State’s Division of Consumer Protection Addresses Rise in Account Takeover Incidents and Shares Tips to Help Prevent Fraud

New Yorkers Should Take Steps to Secure Their Digital Lives and Accounts

Secretary Mosley: “Once a hacker gets into your banking, social media or email accounts, it can be a nightmare to recoup the losses.  That’s why prevention is the first and best line of defense for consumers against these kinds of fraud.”

The New York Department of State’s Division of Consumer Protection is providing tips on how to recognize and avoid account takeover fraud, a type of identity theft where scammers gain access to an individual’s online account by stealing login credentials.  According to a June 2025 report from the Identity Theft Resource Center, account takeover incidents are on the rise.  Additionally, as technology becomes more advanced, cyber-enabled fraud has become more prevalent and was involved in almost 83% of all financial losses reported to the FBI in 2024.

“Cyber-enabled fraud, including account takeovers, continues to evolve and target unsuspecting consumers, often with devastating financial consequences,” said Secretary of State Walter T. Mosley.  “Once a hacker gets into your banking, social media or email accounts, it can be a nightmare to recoup the losses.  That’s why prevention is the first and best line of defense for consumers against these kinds of fraud.  I’m urging all New Yorkers to follow our tips so they can recognize scams, protect their accounts and take action quickly if fraud does occur.”

What is Account Takeover Fraud?

Account takeover fraud is a type of identity theft where a scammer gains access to someone’s online account by obtaining their login credentials and using those credentials to impersonate the account holder for fraudulent purposes.  Account takeover can impact multiple types of accounts, including e-mail accounts, bank accounts, credit card accounts, social media accounts, payment apps, or any other online account.  Once scammers gain access to an account, they can withdraw money, make purchases, transfer or redirect money, or open fraudulent lines of credit to access more money.  Scammers use various methods to trick consumers so they can gain access to their accounts.  Some of the common tactics include:

  • Phishing: Scammers often impersonate organizations via e-mail, calls, text, or fake websites to trick individuals into revealing sensitive information.  Scammers may call, impersonating a bank representative, customer service professional, or tech support personnel, and ask for account login credentials.  If a password has been exposed, but two-factor authentication is in place, the impersonator will ask the victim to provide the one-time passcode in order to access the account.
  • SIM Swapping: SIM swapping occurs when a scammer transfers a phone number to a SIM card that they control.  This gives the scammer access to calls, texts, and the victim’s security codes.
  • Unusual links sent via e-mail or text: Scammers often send deceptive links and offers of free downloads that hide malicious software created to steal passwords and record the keystrokes on devices, exposing personal information.
  • Data breaches: Data breaches give scammers information that can allow them to access accounts belonging to others.  In 2024, data breaches led to over $1.8 billion in losses.
  • Password guessing: Scammers use automated tools to guess weak passwords, especially if they are common or easy to guess.

Immediate Action Steps If Your Online Account Has Been Taken Over

Account takeover fraud can have devastating consequences for everyone involved, but there are immediate steps you should take if you believe your online account has been compromised.

  • Change your password as soon as you become aware of unauthorized activity or a data breach: If you still have access, update the credentials for the affected account.  Update credentials for any other accounts that use similar information.  If your e-mail access is impacted, contact your e-mail provider so they can issue a temporary password.  Depending on the severity, you may consider closing and starting a new account.
  • Assess all online accounts: Check if your other online accounts have been affected, especially those with the same password.  According to Experian, criminals can attempt to access other accounts by “credential stuffing,” where the exposed login credentials are used to log in to other accounts.
  • Update security questions: Change your security questions and answers to prevent further unauthorized access.
  • If your bank account was compromised, notify your financial institution right away: Report the fraud and initiate preventative measures.
  • If your e-mail or social media account was compromised, notify your contacts: Inform your contacts about the account takeover and advise them to be cautious of any suspicious e-mails or social media messages.  That caution extends to answering personal questions, clicking on links, or downloading software.
  • Report the fraud: You can report scams and suspicious communications to the Federal Trade Commission.  You can also report confirmed cases of identity theft to identitytheft.gov.  The information you report allows law enforcement to track trends and investigate threats.
  • Monitor your accounts and credit reports:
    • You can get a copy of your credit report every week for free from the three major credit bureaus: Experian, Equifax and TransUnion.  Go to annualcreditreport.com or call 877-322-8228 to check all three credit bureaus for free.
    • Regularly check your bank and credit card billing statements for fraudulent charges.  If you spot something suspicious or unusual, report it to your credit card or financial company immediately.
  • Consider placing a fraud alert or security freeze on your credit:
    • A fraud alert will notify lenders processing a credit application in your name that they need to conduct additional identity verification.  It is free to do, and you only need to contact one of the three credit bureaus.  A fraud alert will stay on your credit for 1 year but can be renewed.  If you are the victim of identity theft, you qualify for an extended fraud alert which lasts for 7 years.
    • A security freeze blocks all access to your credit report.  To place a free security freeze on your credit report, you will need to contact each of the three credit bureaus.  A security freeze lasts indefinitely or until you choose to unfreeze it.  You can also unfreeze, or “thaw,” your credit report temporarily to allow a lender, insurance company or other entity access to your credit report for only a set period of time, after which your credit report automatically refreezes.

Proactive Tips to Help Prevent Account Takeover Fraud

There are also proactive steps you can take to protect yourself from account takeover incidents and alert yourself to potential fraudulent activity on your accounts.

  • Secure your accounts:
    • Review account settings: Verify that your account settings, such as recovery e-mail and phone number, are secure and up to date.
    • Check for forwarding rules: Ensure that no forwarding rules have been set up to redirect your e-mails to an unknown address.
    • Review the last log-in time: AARP recommends periodically reviewing the “last log-in” time stamp on sites you visit to ensure the time matches your activity.  Don’t ignore password change notifications.  Lastly, contact your financial institutions to implement security measures such as automated SMS messages about transactions.
  • Protect your devices: Don’t click on free downloads from pop-up ads, don’t auto-save passwords on your computer, and don’t click on links from unverified sources.  In addition, call back any business or agency that unexpectedly calls by dialing their official number.
  • Bookmark or save verified sites: Avoid using search engines to find frequently used websites.
  • Protect your accounts:
    • Create a different password for each account, or use a password manager, to prevent one account takeover incident from compromising several accounts.
    • Create unique, complex passwords that have a combination of uppercase and lowercase letters, numbers, and special characters to make them harder to guess.
    • Change passwords regularly.
    • Add additional security measures including enabling biometric authentication methods such as facial recognition or fingerprint scanning.

About the New York State Division of Consumer Protection

Follow the New York Department of State on Facebook, X, and Instagram and check in every Tuesday for more practical tips that educate and empower New York consumers on a variety of topics.  Sign up to receive consumer alerts directly to your e-mail or phone here.  The New York State Division of Consumer Protection provides voluntary mediation between a consumer and a business when a consumer has been unsuccessful at reaching a resolution on their own.  The Consumer Assistance Helpline 1-800-697-1220 is available Monday to Friday from 8:30am to 4:30pm, excluding State Holidays, and consumer complaints can be filed at any time at: www.dos.ny.gov/consumerprotection.  The Division can also be reached via X at: @NYSConsumer or Facebook.