The FBI has warned that since January 2025 account takeover (ATO) fraud schemes have resulted in losses exceeding $262m.
In a public service announcement on November 25, the Bureau warned that cybercriminals are impersonating financial institutions to steal money or information in ATO schemed.
ATO sees cybercriminals gain unauthorized access to the targeted online financial institution, payroll or health savings account, with the goal of stealing money or information for personal gain.
Scammers typically use a combination of social engineering techniques and phishing domains or websites to commit fraudulent activity.
Cybercriminals impersonate financial institution employees, customer support or technical support personnel to manipulate account owners into disclosing login credentials, MFA or one time passcode.
Social Engineering Scams Lead to Account Takeover
Account owners can be contacted via fraudulent text messages, calls or emails to trick the email recipient into providing their login credentials. Some of these messages will state that there is unusual activity on their account with a link to a phishing website that is designed to trick users into believing they are reporting the fraud.
According to the FBI, scammers have also been found to alert the account holder to alleged fraudulent purchases of high-risk items such as firearms.
The cybercriminal convinces the account owner to provide information to a second cybercriminal impersonating law enforcement, who then convinces the account owner to provide account information.
Fraudulent Websites Steal Credentials
Once the account owner has been contacted, they are directed to fraudulent websites that often appear to be the legitimate online financial institution or payroll website.
Believing the phishing website is the legitimate one, users enter their login credentials into the fraudulent site, unknowingly providing them to cybercriminals.
Search engine optimization (SEO) poisoning is also a common tactic used by cybercriminals. This involves hackers purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites by making them appear more authentic to customers who use a search engine to locate the business’ website.
When users click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking users into providing their login information.
Protection Against Account Takeover Scams
In its notification, the FBI outlined a number of steps that can be taken to counter ATO attempts, these include:
- Be cautious about what information you share online. Openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions
- Monitor your financial accounts on a regular basis to detect irregularities
- Enable two-factor authentication or MFA on any account possible and always use complex, unique passwords
- Avoid clicking on Internet search results or advertisements as these can lead to malicious websites. Instead use bookmarks for navigating to login websites and carefully examine any email address, URL, or spelling in unsolicited correspondence
- Stay vigilant against phishing attempts. Be suspicious of unknown “banking” or “company” employees who call you; don’t trust caller ID. Hang up, verify the correct number, and call it yourself. Companies generally do not contact you to ask for your username, password, or OTP
