
The US Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with the aim of stealing money and confidential information to facilitate account takeover (ATO) fraud schemes.
The agency said the campaign targets individuals, businesses and organizations of various sizes and sectors, adding that the fraudulent scheme has caused more than $262 million in losses since the beginning of the year. The FBI announced it had received more than 5,100 complaints.
ATO fraud typically refers to attacks that allow threat actors to gain unauthorized access to online financial institutions, payroll systems, and health savings accounts and siphon data and funds for personal gain. Access is often gained by approaching targets through social engineering techniques such as text messages, phone calls, emails, and fake websites that prey on users’ insecurities.
These methods allow attackers to trick users into providing login credentials to a phishing site and, in some cases, to click a link to report alleged fraudulent transactions logged against the user’s account.
“Cybercriminals are impersonating financial institution employees, customer support, or technical support personnel to manipulate account holders into divulging login credentials, including multi-factor authentication (MFA) codes and one-time passcodes (OTPs),” the FBI said.
“Cybercriminals then use the login credentials to log into legitimate financial institution websites, begin resetting passwords, and ultimately take full control of the account.”
In other cases, attackers posing as financial institutions contact account holders, claiming that the information was used to make fraudulent purchases involving firearms, and convincing them to provide the account information to a second cybercriminal impersonating a law enforcement agency.

The FBI said ATO fraud can also include the use of search engine optimization (SEO) poisoning to trick users searching for businesses on search engines into clicking on fake links that redirect them to similar sites through malicious search engine ads.
Regardless of the method used, the attack has one goal: seize control of the account, quickly transfer funds to other accounts under the attackers' control, and change the password, effectively locking out the account owner. The receiving account is in turn linked to a cryptocurrency wallet, converting the money into digital assets and obscuring the trail of the funds.
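The takeover sequence described above (login with stolen credentials, password reset, transfer to a new account) leaves a recognisable pattern in a bank's account audit log. The following is an added detection example, not code from the FBI announcement or any vendor named on this page; the event names, field layout and the 30-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, account, event type, detail).
# Event and detail names are hypothetical; a real audit log would differ.
SAMPLE_EVENTS = [
    ("2025-11-20T09:00:00", "acct-1", "login", "device=known"),
    ("2025-11-20T09:05:00", "acct-1", "transfer", "payee=known"),
    # acct-2 matches the full ATO chain inside the window.
    ("2025-11-21T14:00:00", "acct-2", "login", "device=new"),
    ("2025-11-21T14:03:00", "acct-2", "password_reset", ""),
    ("2025-11-21T14:10:00", "acct-2", "add_payee", "payee=new"),
    ("2025-11-21T14:12:00", "acct-2", "transfer", "payee=new"),
    # acct-3: legitimate user on a new phone who only resets a password.
    ("2025-11-21T16:00:00", "acct-3", "login", "device=new"),
    ("2025-11-21T16:02:00", "acct-3", "password_reset", ""),
]

WINDOW = timedelta(minutes=30)


def detect_ato(events, window=WINDOW):
    """Flag accounts where a login from a new device is followed, within
    `window`, by a password reset, a newly added payee and a transfer to
    that payee. Returns {account: timestamp of the triggering login}."""
    by_account = {}
    for ts, acct, etype, detail in events:
        by_account.setdefault(acct, []).append(
            (datetime.fromisoformat(ts), etype, detail))
    flagged = {}
    for acct, evs in by_account.items():
        evs.sort()
        for i, (t0, etype, detail) in enumerate(evs):
            if etype != "login" or detail != "device=new":
                continue
            seen = set()
            for t, e2, d2 in evs[i + 1:]:
                if t - t0 > window:
                    break  # later events fall outside the correlation window
                if e2 == "password_reset":
                    seen.add("reset")
                elif e2 == "add_payee":
                    seen.add("new_payee")
                elif e2 == "transfer" and d2 == "payee=new" and "new_payee" in seen:
                    seen.add("transfer")
            if {"reset", "new_payee", "transfer"} <= seen:
                flagged[acct] = t0.isoformat()
    return flagged


if __name__ == "__main__":
    print(detect_ato(SAMPLE_EVENTS))  # {'acct-2': '2025-11-21T14:00:00'}
```

A password reset from a new device alone (acct-3) is not flagged; it is the combination with a new payee and an immediate transfer that distinguishes the takeover from ordinary customer behaviour.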
To protect against this threat, users are advised to be careful when sharing information about themselves online and on social media, regularly monitor their accounts for financial fraud, use unique and complex passwords, check banking website URLs before signing in, and remain vigilant against phishing attacks and suspicious callers.
“Sharing information openly, such as your pet’s name, school attended, date of birth, and information about your family, can provide scammers with the information they need to guess passwords or answer security questions,” the FBI said.

“The majority of the ATO accounts mentioned in the FBI announcement originated through compromised credentials used by attackers who were familiar with the internal processes and workflows of funds transfer within financial institutions,” Jim Routh, chief trust officer at Saviynt, said in a statement.
“The most effective controls to prevent these attacks are manual (confirmation phone calls) and SMS messages for authorization. The root cause is that the use of cloud account credentials is still accepted even though passwordless options are available.”
The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium highlight major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code scams, gift card leaks, and large-scale phishing campaigns copying popular brands like Amazon and Temu.
Many of these operations utilize artificial intelligence (AI) tools to create highly convincing phishing emails, fake websites, and social media ads, allowing even less skilled attackers to perform attacks that appear believable and increase the success rate of their campaigns.

Fortinet FortiGuard Labs said it has registered at least 750 malicious holiday-themed domains in the past three months, many using keywords such as “Christmas,” “Black Friday,” and “flash sales.” “Over the past three months, more than 1.57 million login accounts tied to major e-commerce sites have been made available through stealer logs and collected across underground markets,” the company said.
Attackers have also been found to be actively exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other popular e-commerce platforms. The exploited vulnerabilities include CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569.

According to Zimperium zLabs, mobile phishing (aka mishing) sites have quadrupled, with attackers leveraging trusted brand names to create urgency and trick users into clicking, logging in, or downloading malicious updates.
Recorded Future also calls attention to purchase fraud, where attackers use fake e-commerce stores to steal victims’ data and authorize fraudulent payments for non-existent goods or services. The company described these scams as a “significant emerging fraud threat.”
“The sophisticated dark web ecosystem allows attackers to quickly establish new purchase fraud infrastructure and expand their impact,” the company said. “Promotional campaigns that mirror traditional marketing are rampant in this underground, such as offers to sell stolen card data from dark web card shop PP24.”
“To spread purchase fraud, attackers are using stolen payment cards to fund advertising campaigns, resulting in even more payment card data being compromised and further accelerating the chain of fraud.”
