The first sign of trouble was a call from Brooke Frizzell's bank: Had her husband, Craig, just called in claiming to have forgotten his account password?
Frizzell quickly confirmed the bank's suspicions of fraud. Craig was in a Milwaukee hospital recovering from emergency brain surgery. "Maybe he really did forget his password," she said —but he definitely wasn't calling from Miami to do a little light banking.
The warning wasn't fast enough.
"Within the next half hour, this person [impersonating Craig] called the bank again, spoke to someone else and initiated a $3,500 wire transfer out of my savings account," she said.
That kind of nasty surprise is one that more consumers can expect to encounter. So-called account-takeover fraud — which entails thieves using stolen information to access a consumer's accounts and transfer money — was up 31 percent in 2016 from 2015, according to a Javelin Strategy & Research report from earlier this year. Losses due to such fraud topped $2.3 billion, a 61 percent increase over the same period.
Thieves are looking for easy money, said T.J. Horan, vice president of fraud for FICO, the credit scoring company. The speed of wire and electronic transfers makes bank and brokerage accounts a more appealing target, especially as security advances in other areas — like chip and pin technology on debit and credit cards.
"Fraudsters tend to move to points where it's easier to get access to funds," he said.
In a 2013 white paper, Guardian Analytics noted there is an "endless" number of ways transfer fraud can be perpetrated due to various schemes and points of compromise — including not just you, but also the bank's systems and employees. Generally, thieves are looking for information that lets them impersonate someone authorized to initiate a transfer, said Guardian CEO Laurent Pacalin.
Frizzell suspects that her account information was compromised at some point during the weeks she spent camped out at the hospital.
"We had so many things going on that we forgot the basic, 'don't use unsecured Wi-Fi' rule, " she said.
Her story has a happy ending: The bank posted a credit to the Frizzells' account within 48 hours and refunded the wire transfer fee — and helped the couple put in place a few extra security precautions to prevent the thief from gaining access again.
With account takeover fraud on the rise, it's smart for consumers to be prepared.
"You can take steps to protect yourself, and you also need to be vigilant, just in case," said Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security.
Phishing schemes to collect your data are one of the most prevalent tactics, O'Leary said. The usual hook: Your account has already been compromised and you need to take action, fast.
If you get a text, call or email purportedly from your bank, don't click on any links and don't offer any info about your account, he said. Reach back out through channels you know to be legit.
"If you're unsure if it's real or not, call your bank," said O'Leary. "Don't call the number in the email. Call the number on the back of your card."
Before you hand over account numbers or log-in details to a legitimate third party, such as a financial advisor or a budgeting app, ask a few questions, said Horan. You should know why that information is needed (and if you can opt out of providing it), and how it will be protected.
Secure each bank account with a complex password. Don't reuse passwords across accounts, said O'Leary — thieves often check username and password combinations compromised in one breach against other sites.
"Turn on what's called two-factor authentication," O'Leary said.
When that's enabled, logging in requires not just a password, but a secondary point of ID – usually in the form of an emailed or texted code, he said. To access your account, a hacker would need to compromise more than your bank login details.
"I would make use of any of the bank's alerting capabilities," Horan said — the faster you spot a potential problem, the more quickly you can cut off the thief's access.
Depending on your bank, you may be able to
Unauthorized electronic transfers from your account are covered under the Federal Reserve's Regulation E, said Doug Johnson, senior vice president and senior advisor of risk management policy for the American Bankers Association. Provided you spot and report the fraud quickly, you would be liable for at most $50, and most banks will waive even that, he said.
"Internet banking is your friend," he said. "Don't wait patiently for your monthly statement to show up before you try to determine if transactions are legitimate or not."
More from Your Money, Your Future