
Don’t Fall for an Account Takeover Scam


Imagine your surprise: You grab your morning coffee, settle in at your desk, log in to your credit union account, and… Wait, what? Someone, not you, has cleaned it out.

A scam known as “account takeover” fraud is on the rise, and there are a few things you can watch out for to try to keep it from happening to you.

What it is. The account takeover scam involves theft of your login usernames and passwords with the intent to access, and then take over, your account. By impersonating you online, the scammers can use your account as they wish, which usually means taking the money out for themselves.

(This scam is also used to take over a person’s email and social media accounts, usually as a preliminary step to later get control of their financial accounts.)

How it works. This scam usually begins with the fraudster calling, texting, or emailing you and claiming to be an employee of your credit union, bank, or other business where you have an account. The caller may already have certain personal details about you, such as the last four digits of a card number, the names of others on your account, a partial Social Security number, or your phone number or address.

The information they have can make them seem like a legitimate representative, but don’t be fooled.

The scammer’s next step is to ask you about questionable transactions on your account. When you say the transactions aren’t yours, they say they need to verify some details in order to freeze the card or account and prevent a theft.

They may ask you for your online banking user ID to “verify your identity.” Once they have your user ID, they’ll enter it and use the “forgot password” option to reset your password, usually while they still have you on the phone. If you have two-factor authentication set up, your bank will send you an automatic verification code; the caller will ask for that code, implying that they sent it to you.

That’s all it takes. Now the scammer has your user ID, a new password that you don’t know, and full access to your account. Your money won’t stay in that account for long. What’s worse is that the cybercriminals may also attempt “credential stuffing,” where the login and password from one site are used to try to log in to accounts elsewhere.

Protect yourself. Some risk factors for account takeover and other types of identity theft are out of your control. For example, you may be the victim of a data breach, or your information might have been posted to the dark web. But there are some steps you can take to decrease the risk:

  • Don’t use the same online user ID and password for multiple sites. Try to use a unique, secure password for every online account. Look into secure password managers to generate and store unique passwords so you don’t have to remember every single one.
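  • Use multifactor authentication when it’s available. You’ll receive a one-time passcode by text or email each time you log in to your account. Don’t share this code with anyone you don’t know and trust. A caller who asks you to read the code back to them, as in the scam described above, is not someone to trust, even if they claim to be from your credit union.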
  • Check your financial accounts often. If you catch errors or unfamiliar transactions quickly, you have a better chance at success in working with the institution to protect your money.
