Cybercrime – Account Take Over (ATO) Scheme

Account takeover fraud (ATO) generally happens when a cybercriminal gains access to the victim’s login credentials to steal funds or information. Fraudsters digitally break into a financial bank account to take control of it and have a variety of techniques at their disposal to achieve this, such as phishing, malware, and man-in-the-middle attacks, among others. ATO is a top threat to financial institutions and their customers due to the financial losses and mitigation efforts. ATO is continually evolving and is a constant threat.[1]

The following scenario is unique. The perpetrators were inside the lender’s network. A client’s firm received short-term financing from a company via the Internet. When the loan term expired, the firm attempted to pay off the balance due. The conversation through emails was regarding the payment of $50,000, and wire transfer instructions to ABC Bank were cordial. The negotiations changed from payment to an extension of the loan and a signature on a new addendum. The client was required to pay off the initial loan, and then the lender would be refunded under revised terms and conditions.

The client’s last email exchange with a valid email address was at 7:00 AM Tuesday. The next day at 7:00 AM, the client received an email from what appeared to be the lender, but it contained a subtle change. The email address had a zero “0” in the place of an “o.” In addition, the email included the following statement:

“Due to the auditing and upgrading going on in our account by our bank as a result of irregular deductions from our company bank account on tax-related issues, Do not make payment to our ABC Bank account yet. Our account department just informed me that the account is undergoing its yearly audition so we won’t be using it for any transaction again. Attached you will find our updated wiring instructions for your remittance. Apologies for any inconvenience.”

In their haste to make the payment, the client’s staff did not notice the change in the email address or the stated reason for the change of bank. They followed the instructions and sent the $50,000. The fraudster continued with the charade over the next few days, asking when the funds were wired and when they could expect payment.

The client contacted their bank and was advised that the funds were wired and it was a scam, so nothing could be done.

The client contacted a Private Investigator who advised them to contact the fraud unit at their bank. The Investigator reviewed the email chain and identified the subtle change in the email address and the misstatements given as the reason for the change in bank and wire instructions. With that information, the client contacted the fraud unit of Wells Fargo Bank, and they were successful in stopping the delivery of the wire transfer.

This type of ATO happens daily in different manners and will continue because we have such quick access to our money through many digital means. Calling back the wired funds is difficult because the fraudster and their accomplices withdraw the money. This scenario is an example of an unsuccessful account takeover scheme. When dealing with your money or access to your accounts, whether bank or software accounts, stop, be skeptical, ask yourself if this email request is logical and always examine the email address. Major companies have their own internet domain and do not use Gmail or Yahoo.

If your law firm requires a private investigator or forensic accountant regarding identity theft or account take over fraud, contact Chief Investigator Edmond Martin of Sage Investigations, LLC at 512-659-3179 as soon as possible, or email him. We offer a free 20-minute consult. Visit our website at www.Sageinvestigations.Com to read about our team and their CVs.