The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes.
The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 million in losses since the start of the year. The FBI said it has received over 5,100 complaints.
ATO fraud typically refers to attacks that enable threat actors to obtain unauthorized access to an online financial institution, payroll system, or health savings account to siphon data and funds for personal gain. The access is often obtained by approaching targets through social engineering techniques, such as texts, calls, and emails that prey on users’ fears, or via bogus websites.
These methods make it possible for attackers to deceive users into providing their login credentials on a phishing site, in some instances, urging them to click on a link to report purported fraudulent transactions recorded against their accounts.
“A cybercriminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel,” the FBI said.
“The cybercriminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.”
Other cases involve threat actors masquerading as financial institutions contacting account owners, claiming their information was used to make fraudulent purchases, including firearms, and then convincing them to provide their account information to a second cybercriminal impersonating law enforcement.
The FBI said ATO fraud can also involve the use of Search Engine Optimization (SEO) poisoning to trick users looking for businesses on search engines into clicking on phony links that redirect to a lookalike site by means of malicious search engine ads.
Regardless of the method used, the attacks have one aim: to seize control of the accounts and swiftly wire funds to other accounts under their control, and change the passwords, effectively locking out the account owner. The accounts to which the money is transferred are further linked to cryptocurrency wallets to convert them into digital assets and obscure the money trail.
To stay protected against the threat, users are advised to be careful when sharing about themselves online or on social media, regularly monitor accounts for any financial irregularities, use unique, complex passwords, ensure the URL of the banking websites before signing in, and stay vigilant against phishing attacks or suspicious callers.
“By openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions,” the FBI said.
“The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions,” Jim Routh, chief trust officer at Saviynt, said in a statement.
“The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval. The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.”
The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted the major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code fraud, gift card draining, and high-volume phishing campaigns that mimic popular brands like Amazon and Temu.
Many of these activities leverage artificial intelligence (AI) tools to produce highly persuasive phishing emails, fake websites, and social media ads, allowing even low-skill attackers to pull off attacks that appear trustworthy and increase the success rate of their campaigns.
Fortinet FortiGuard Labs said it detected at least 750 malicious, holiday-themed domains registered over the last three months, with many using key terms like “Christmas,” “Black Friday,” and “Flash Sale.” “Over the last three months, more than 1.57 million login accounts tied to major e-commerce sites, available through stealer logs, were collected across underground markets,” the company said.
Attackers have also been found actively exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms. Some of the exploited vulnerabilities include CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569.
According to Zimperium zLabs, there has been a 4x increase in mobile phishing (aka mishing) sites, with attackers leveraging trusted brand names to create urgency and deceive users into clicking, logging in, or downloading malicious updates.”
What’s more, Recorded Future has called attention to purchase scams where threat actors use fake e-commerce stores to steal victim data and authorize fraudulent payments for non-existent goods and services. It described the scams as a “major emerging fraud threat.”
“A sophisticated dark web ecosystem allows threat actors to quickly establish new purchase scam infrastructure and amplify their impact,” the company said. “Promotional activities mirroring traditional marketing – including an offer to sell stolen card data on the dark web carding shop PP24 – are widespread in this underground.”
“Threat actors fund ad campaigns with stolen payment cards to spread purchase scams, which in turn compromise more payment card data, fueling a continuing cycle of fraud.
