On November 25, 2025, the Federal Bureau of Investigation (FBI) published a Public Service Announcement warning that cyber criminals are “impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes.” These schemes target individuals and businesses of all sizes across all sectors. According to the announcement, “Since January 2025, the FBI Internet Crime Complaint Center (IC3) received more than 5,100 complaints reporting ATO fraud, with losses exceeding $262 million.”
To successfully launch the scheme, the cyber criminals impersonate a financial institution’s staff or website to attempt to obtain access to the account. They do so through social engineering techniques or by standing up fraudulent websites. Social engineering techniques used include “fraudulent text messages, calls, or emails to trick the email recipient into providing their login credentials. In some instances, the cyber criminal states fraudulent transactions appear on the financial account and may provide a link to a phishing website that the account owner believes will report the fraud or prevent additional fraudulent transactions.” In one elaborate example, cyber criminals tell the account owner that fraudulent purchases have been made, including for firearms. “The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information.”
If the cyber criminal, by impersonating the bank’s staff, gets an email account user to hand over their credentials, including a one-time passcode, the criminal then uses those credentials to log in as the user and initiate a password reset. This allows the threat actor to gain control of the financial account.
Cyber criminals are also standing up fraudulent websites that look like “a legitimate online financial institution or payroll website to trick the account owner into giving away their login credentials.” They also use Search Engine Optimization, purchasing ads to push their fake websites higher in search engine results and make them look authentic. “When users click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking users into providing their login information.”
After gaining access to financial accounts, cyber criminals wire funds to accounts they control, often cryptocurrency wallets, which makes recovery difficult. They then change the account password, locking out the real account holder.
The announcement offers these tips:
- Be careful about the information you share online or on social media.
- Regularly monitor your financial accounts.
- Always use unique, complex passwords.
- Use bookmarks or favorites for navigating to login websites.
- Stay vigilant against phishing attempts.
If you become a victim of an ATO incident:
- Contact your financial institution.
- Reset or revoke compromised credentials.
- File a detailed complaint with www.ic3.gov.
- Notify the impersonated company.
- Visit www.ic3.gov for updated industry alerts and public service announcements regarding ATO trends, as well as other cyber-enabled fraud schemes.