Hackers pose as bank employees in new "account takeover" attack, FBI warns


The FBI’s Internet Crime Complaint Center (IC3) is warning of a surge in “Account Takeover” (ATO) attacks in which cybercriminals, impersonating support staff from financial institutions, try to gain access to a victim's account using various social engineering techniques.

The FBI says that since January it has received more than 5,000 reports of such attacks targeting individuals, businesses, and organizations, from ‘mom and pop’ outfits to large corporations, across all industry sectors.

And, according to the FBI Public Service Announcement released on Tuesday, those 5,100 complaints alone have already led to a whopping $262 million in losses.


How does it work?

The scheme itself involves the bad actors pretending to be from a financial institution already affiliated with the victim – including banks, investment firms, payroll providers, or those holding health savings accounts, the FBI said.

The hackers will take on a variety of personas, posing as a financial institution's support staff, customer service representative, or IT help desk support.

The impostors will then use social engineering techniques, such as smishing (text), vishing (voice), or phishing (email), to “manipulate the account owner into giving away their login credentials.”

Besides the traditional username and password, login credentials can include multi-factor authentication (MFA) codes or One-Time Passcodes (OTP), the FBI said.

Jim Routh, Chief Trust Officer at cybersecurity firm Saviynt, says most of the consumer accounts targeted in this particular ATO scheme are found by threat actors using already-compromised credentials, which can be easily bought off the dark web or in hacker forums.


These threat actors are “intimately familiar with the internal processes and workflows for money movement within financial institutions,” Routh states.

Routh says one of the root causes leading to ATO attacks “continues to be the accepted use of credentials for cloud accounts despite having passwordless options available,” adding that the most effective controls are “manual phone calls for verification and SMS messages for approval.”
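The FBI's point that MFA codes and OTPs count as phishable credentials, and Routh's point about passwordless options, come down to one property: whether the secret the victim hands over is bound to the site they are actually talking to. The following is an added example, not code from the FBI PSA or from Saviynt. The TOTP part follows RFC 6238 (SHA-1, 30-second step, 6 digits); the "origin-bound" part is a deliberate simplification of WebAuthn, using an HMAC over the challenge and origin where a real authenticator produces a signature over client data that includes the origin the browser connected to. The secret, device key and origins are constructed for the demo.

```python
# Added example (not from the FBI PSA or from Saviynt): a phished OTP can be relayed
# to the real bank within the validity window, while an origin-bound assertion
# signed on a phishing page is rejected by the real bank.
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `skew` steps."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), submitted)
        for k in range(-skew, skew + 1)
    )


def otp_relay_attack(secret: bytes, victim_time: int, relay_delay: int = 10) -> bool:
    """The victim types the OTP into the phishing page (or reads it to the 'support
    agent'); the attacker submits it to the real bank seconds later.
    Returns True if the bank accepts it."""
    code_given_to_phisher = totp(secret, victim_time)
    return verify_totp(secret, code_given_to_phisher, victim_time + relay_delay)


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator side (simplified WebAuthn): the signature covers the origin
    the browser actually saw, which the user cannot override."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes, expected_origin: str, signature: bytes) -> bool:
    """Relying-party side: recompute over the origin it expects and compare."""
    expected = sign_assertion(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def origin_bound_relay_attack(device_key: bytes, real_origin: str, phish_origin: str) -> bool:
    """Same relay with an origin-bound credential: the phishing page forwards the
    bank's challenge, the authenticator signs it together with the phishing origin,
    and the bank's verification fails. Returns True only if the bank accepts it."""
    challenge = secrets.token_bytes(32)          # issued by the real bank, relayed by the attacker
    assertion = sign_assertion(device_key, challenge, phish_origin)
    return verify_assertion(device_key, challenge, real_origin, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test-vector secret, not a real key
    print("phished OTP accepted by the bank:", otp_relay_attack(seed, 1_700_000_000))
    key = secrets.token_bytes(32)                # constructed device key for the demo
    print("relayed origin-bound assertion accepted:",
          origin_bound_relay_attack(key, "https://bank.example", "https://bank-secure-login.example"))
```

The OTP relay succeeds whenever the attacker submits within the server's acceptance window, which is why "never read a code to a caller" is the practical rule for OTP-based MFA; the origin-bound variant fails without any user judgement involved, which is the property passwordless and FIDO2-style logins add.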

Attackers can transfer funds out of your account within minutes

In an account takeover attack, once the victim’s credentials are handed over, the bad actors will log in, initiate a password reset, and ultimately gain complete control of the account – and the money in it.

“The cybercriminals quickly wire funds to other criminal-controlled accounts, many linked to cryptocurrency wallets; therefore, funds are disbursed quickly and are difficult to trace and recover,” the FBI explains.


In some versions of the ruse, the cybercriminals alert the victim to “fraudulent transactions” made on their account that need to be reported.

The fraudsters then provide a malicious link that leads the victim to a phishing website mimicking the legitimate financial institution, supposedly to report the discrepancies; the site captures the victim's credentials as they “log in” to the fake page.

The FBI also warns the public that once the scammer has obtained a victim's login information, in almost all of these social engineering attacks they will immediately change the password, locking the victim out of their account.
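The sequence the FBI describes (a login from a device the account has never seen, a password reset, then an outbound transfer, all within minutes) is also a usable detection rule on the institution's side. The following is an added example, not part of the FBI advisory; the event schema, field names and sample log lines are constructed for the demonstration, and a real deployment would read from the bank's own authentication and payment logs.

```python
# Added example, not from the FBI PSA: flag the login -> password reset -> transfer
# sequence on a new device within a short window. Event schema and log lines are
# constructed; field names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str                  # "login", "password_reset" or "transfer"
    device_known: bool = True  # False = device fingerprint never seen on this account
    amount: float = 0.0        # only meaningful for "transfer"


def find_ato_sequences(events: List[Event],
                       window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, datetime, datetime, float]]:
    """Return (account, login_ts, transfer_ts, amount) for every unknown-device login
    that is followed within `window` by a password reset and then an outbound transfer."""
    by_account: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, login in enumerate(evs):
            if login.kind != "login" or login.device_known:
                continue
            reset_seen = False
            for later in evs[i + 1:]:
                if later.ts - login.ts > window:
                    break                        # outside the window, stop scanning
                if later.kind == "password_reset":
                    reset_seen = True
                elif later.kind == "transfer" and reset_seen:
                    alerts.append((account, login.ts, later.ts, later.amount))
                    break                        # one alert per suspicious login
    return alerts


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <account> <kind> device=<known|new> [amount=<n>]'."""
    ts, account, kind, *rest = line.split()
    fields = dict(f.split("=", 1) for f in rest)
    return Event(datetime.fromisoformat(ts), account, kind,
                 device_known=fields.get("device", "known") == "known",
                 amount=float(fields.get("amount", 0)))


# Constructed sample log: acct-1 matches the sequence in the advisory; acct-2 is a
# normal customer on a known device; acct-3 is a new device with no credential change.
SAMPLE_LOG = """\
2025-10-07T10:00:05 acct-1 login device=new
2025-10-07T10:02:40 acct-1 password_reset device=new
2025-10-07T10:07:12 acct-1 transfer device=new amount=24500
2025-10-07T10:01:00 acct-2 login device=known
2025-10-07T10:03:00 acct-2 transfer device=known amount=120
2025-10-07T10:04:00 acct-3 login device=new
2025-10-07T10:05:00 acct-3 transfer device=new amount=900
"""


def run_sample() -> List[Tuple[str, datetime, datetime, float]]:
    """Run the rule over the constructed log above."""
    return find_ato_sequences([parse_line(line) for line in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for account, login_ts, transfer_ts, amount in run_sample():
        minutes = (transfer_ts - login_ts).total_seconds() / 60
        print(f"ALERT {account}: new-device login -> password reset -> {amount:.2f} out in {minutes:.1f} min")
```

Requiring the password-reset step keeps ordinary new-device logins followed by a payment (acct-3) out of the alert, at the cost of missing a takeover where the criminal never changes the password; tuning that trade-off, and holding the flagged transfer for an out-of-band callback, is where the institution's own fraud controls come in.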

What to do and how to protect yourself


The FBI urges all financial account holders to “always be suspicious of unknown ‘banking’ or ‘company’ employees who call you.” And if you’re unsure of a caller's legitimacy, the IC3 says to “hang up, verify the correct number, and call it yourself.”

Cybercriminals are known to use caller ID spoofing in vishing and smishing attacks, which makes the call appear to be from a known or trusted number. Companies generally do not contact you over fraudulent account charges or transactions, much less ask for your username, password, or OTP, the agency said.

In fact, the FBI has previously warned about an ongoing campaign in which scammers are impersonating FBI 'IC3' employees and offering to help recover lost funds to steal sensitive personal information.


“Some individuals received an email or a phone call, while others were approached via social media or forums,” the PSA said.

If you do fall victim to an ATO incident, the FBI says to immediately contact your financial institution and reset or revoke any compromised credentials.

In addition, the account holder should file a complaint and notify the impersonated company of the scam.

When reporting online fraud, the FBI advises gathering as much information as possible about the individual or company that contacted you, including the methods of communication used and a detailed description of the interaction, and providing this information to the IC3.


Additionally, information about the account and any financial transactions can also be important, such as “the date, type of payment, amount, account numbers involved, the name and address of the receiving financial institution,” the FBI said.

The FBI further reminds the public to stay cybersafe by providing the following tips:

  • Be careful about the information you share online or on social media.
  • Monitor your financial accounts on a regular basis.
  • Always use unique, complex passwords and use MFA when available.
  • Use bookmarks or favorites for navigating to login websites.
  • Stay vigilant against phishing attempts.

To make an online fraud complaint or report other suspicious activity, you can contact the FBI’s Internet Crime Complaint Center at www.ic3.gov.
