Credential Stuffing and Online Banking Fraud

July 5, 2022 | | Business Insights

Credential stuffing is an attempt by malicious attackers to use credentials that were previously exposed from another account platform against an online banking environment. The frequency of this type attack is growing exponentially, and they’re becoming more and more sophisticated over time.


With this type of fraud, attackers will aggregate lists of username and password combinations found on the dark web. Using these credential lists, the attackers will script an attack in hopes that customers have re-used the same login credentials from another account platform. It’s dangerous because attackers are not blindly guessing.

How do you know if your account has experienced this kind of attack? Most likely, you would have experienced one or multiple of the following situations:

  1. Your account was locked out
  2. You received security notifications regarding failed login attempts or lockouts
  3. You had to change your login username, ID and/or password

What’s the risk?
You are at higher risk of a credential stuffing attack if you use the same username and password combinations across multiple account platforms. Your login credentials will be safer on platforms that require multi-factor authentication, biometric login, password refreshes on a regular basis, and complex password criteria (i.e., use of special characters, 8+ minimum character count, inability to repeat previous passwords, etc.).

Adding layers of protection to your accounts:
Unfortunately, fraudulent attempts (regardless of the type) are not 100% preventable. However, there are steps you can take and preventative measures you can implement to ensure your accounts are protected:

  1. Do not re-use passwords across multiple sites
  2. Change your login name to be different than your email address and other login names
  3. Use longer user names and passwords – these are more difficult for attackers to identify
  4. Use lowercase and uppercase letters within your passwords>
  5. Use special characters and a combination of letters and numbers within your password
  6. NEVER provide a username or password if/when you’re called or sent an email that asks for this information
  7. Change usernames or passwords known to be involved in a data compromise

To learn more about these preventative measures and other ways to protect your accounts, contact us today!