bank impersonators fuel $262M surge in account takeover fraud

FBI: bank impersonators fuel $262M surge in account takeover fraud

Pierluigi Paganini
November 25, 2025

Cybercriminals posing as banks drove a major spike in account takeover fraud this year, stealing over $262 million, the FBI warned.

The FBI warns of a surge in account takeover fraud, with criminals posing as financial institutions and stealing over $262M since January 2025. Cybercriminals breach online financial, payroll, or health-savings accounts to steal money or sensitive data.

The Internet Crime Complaint Center (IC3) has logged more than 5,100 complaints, affecting individuals, businesses, and organizations across all sectors.

“The FBI warns of cyber criminals impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. The cyber criminals target individuals, businesses, and organizations of varied sizes and across sectors.” reads the alert published by the FBI. “In ATO fraud, cyber criminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain.”

Cybercriminals impersonate financial institutions to hijack accounts using social engineering via texts, calls, and emails. Crooks trick victims into providing credentials, MFA codes, or OTPs by posing as bank staff, support agents, or fraud departments. Attackers often claim there are fraudulent transactions and direct victims to phishing sites to “report” or stop the activity. In some cases, scammers allege fraud such as firearm purchases and bring in a second impersonator posing as law enforcement to extract additional account details.

“In some instances, cyber criminals impersonating financial institutions reported to the account owner that their information was used to make fraudulent purchases, including firearms.” continues the alert. “The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information.”

According to the FBI, cybercriminals deploy phishing sites mimicking financial or payroll portals to steal login credentials. They lure victims via fraudulent links or ads (SEO poisoning) that push fake sites to the top of search results. Once users enter their credentials on these convincing phishing pages, attackers capture them and gain unauthorized access to the real accounts.

“Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore, funds are disbursed quickly and are difficult to trace and recover.” continues the report. “In some cases, including nearly all social engineering cases, the cyber criminals change the online account password, locking the owner out of their own financial account(s).”

The FBI recommends that victims of an Account Takeover (ATO) incident immediately contact their financial institution as soon as fraud is detected. This allows them to request a recall or reversal of unauthorized transfers and obtain a Hold Harmless Letter or Letter of Indemnity, steps that can reduce or prevent financial losses. The Bureau also advises reporting fraudulent wire transfers both to the financial institution and to the FBI’s Internet Crime Complaint Center (IC3).

The FBI further urges victims to reset any passwords or credentials that may have been exposed, including those reused across multiple accounts, and to revoke compromised certificates or service accounts. It also recommends filing a detailed complaint at IC3.gov, including all relevant information about the attackers, impersonated institutions, phishing domains, and financial accounts involved, and using terms such as “Account Takeover” or “SEO poisoning” in the incident description.

Additionally, the Bureau advises notifying the company that was impersonated so it can warn other customers and request takedowns of phishing pages. Finally, the FBI encourages the public to stay informed by checking IC3.gov for updated alerts and announcements on ATO trends and other cyber fraud schemes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon