Image: keys (Unsplash+/Getty)

$262 million stolen in account takeover fraud schemes this year, FBI says ahead of holiday season

The FBI released a warning on Tuesday about fraud schemes involving financial account takeovers, urging people to be wary of social engineering techniques perpetrated through texts, calls and emails.

The law enforcement agency said it has received more than 5,100 complaints about Account Takeover (ATO) fraud since January and has tallied losses exceeding $262 million.

Cybercriminals have become adept at gaining access to financial institutions, payroll platforms and health savings accounts that they then drain of funds, according to the FBI. 

Agents have seen cases where hackers impersonate a financial institution to get access to accounts or manipulate account owners into handing over login credentials before resetting passwords and gaining full control. 

In other cases, cybercriminals have been seen exploiting fears about fraudulent transactions by sending texts or emails about fake charges. The messages contain spoofed links asking people to sign in to verify the charges — giving criminals account names and passwords that are then used for fraud. 

Over the last few years, the FBI said there has also been an increase in search engine optimization (SEO) poisoning, where cybercriminals place ads on platforms like Google that look like legitimate e-commerce websites but are not. 

“Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore, funds are disbursed quickly and are difficult to trace and recover,” the FBI said.

“In some cases, including nearly all social engineering cases, the cyber criminals change the online account password, locking the owner out of their own financial account(s).”

The warning comes ahead of the holiday season where cybercriminals know billions will be spent online. 

Multiple cybersecurity firms have released warnings this month detailing how artificial intelligence will supercharge cybercriminal campaigns, allowing them to quickly spin up tailored, polished scam sites that can impersonate legitimate brands.

FortiGuard said it found at least 750 malicious, holiday-themed domains registered over the last three months, with many using key terms like “Christmas,” “Black Friday” and “Flash Sale.” 

Attackers also registered more than 2,900 malicious domains mimicking household items that would be easy to miss. 
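The two patterns the article describes, a "verify this charge" message whose link points at a lookalike sign-in page and bulk registration of holiday-themed brand-impersonation domains, can both be screened with the same defender-side check: pull the host out of each link, strip the TLD and separators, and look for holiday keywords combined with an exact or near-match of a protected brand name. The following is an added example written for this page, not code from the FBI, FortiGuard or Red Canary; the brand list, allowlist and sample domains and message are constructed for illustration, and the fuzzy-match threshold of 0.85 is an assumed tuning value.

```python
"""Screen domains and message links for holiday-themed brand lookalikes.

Added example for this article (not from any report quoted in it). Brands,
allowlist, thresholds and all sample inputs below are constructed.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keywords the article quotes from the FortiGuard report, plus two common variants.
HOLIDAY_KEYWORDS = ("christmas", "xmas", "blackfriday", "cybermonday", "flashsale")
# Hypothetical brands an organisation wants to protect, and their real domains.
PROTECTED_BRANDS = ("examplebank", "shopmart")
LEGITIMATE_DOMAINS = {"examplebank.com", "shopmart.com"}


def normalize_label(domain):
    """Drop the TLD and separators so look-alikes compare on letters only.

    'deals.shop-mart-xmas.com' -> 'dealsshopmartxmas' (crude: keeps every
    label except the last, which is good enough for a first-pass screen).
    """
    labels = domain.lower().rstrip(".").split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z0-9]", "", body)


def closest_brand(label):
    """Return (brand, similarity) for the protected brand best embedded in label.

    An exact substring scores 1.0; otherwise a window the brand's length slides
    across the label so 'sh0pmart' still scores close to 'shopmart'.
    """
    best_brand, best_score = None, 0.0
    for brand in PROTECTED_BRANDS:
        if brand in label:
            return brand, 1.0
        n = len(brand)
        for i in range(max(1, len(label) - n + 1)):
            score = SequenceMatcher(None, brand, label[i:i + n]).ratio()
            if score > best_score:
                best_brand, best_score = brand, score
    return best_brand, best_score


def classify_domain(domain, brand_threshold=0.85):
    """Verdict: allowlisted / high (keyword + brand) / medium (one) / low (none)."""
    domain = domain.lower().rstrip(".")
    if domain in LEGITIMATE_DOMAINS:
        return {"domain": domain, "keywords": [], "brand": None,
                "score": 1.0, "verdict": "allowlisted"}
    label = normalize_label(domain)
    keywords = [k for k in HOLIDAY_KEYWORDS if k in label]
    brand, score = closest_brand(label)
    brand = brand if score >= brand_threshold else None
    if keywords and brand:
        verdict = "high"
    elif keywords or brand:
        verdict = "medium"
    else:
        verdict = "low"
    return {"domain": domain, "keywords": keywords, "brand": brand,
            "score": round(score, 2), "verdict": verdict}


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def link_hosts(html):
    """Return the hostnames every link in the message actually points at."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in (urlparse(u).hostname for u in parser.hrefs) if h]


def screen_message(html):
    """Classify each link target in a message; the worst verdict decides."""
    order = {"high": 3, "medium": 2, "low": 1, "allowlisted": 0}
    results = [classify_domain(h) for h in link_hosts(html)]
    worst = max(results, key=lambda r: order[r["verdict"]], default=None)
    return results, (worst["verdict"] if worst else "no-links")


# Constructed sample feed of newly registered domains (not from the report).
SAMPLE_NEW_DOMAINS = [
    "shopmart-blackfriday-deals.shop",
    "sh0pmart-christmas.com",
    "flashsale-today.net",
    "examplebank.com",
    "weather-forecast.org",
]

# Constructed "fake charge" alert of the kind the FBI describes.
SAMPLE_ALERT = (
    "<p>A charge of $499 was made on your account.</p>"
    '<a href="https://examplebank-christmas-verify.com/login">Sign in to verify</a>'
)

if __name__ == "__main__":
    for r in (classify_domain(d) for d in SAMPLE_NEW_DOMAINS):
        print(f"{r['verdict']:<12} {r['domain']:<36} {r['keywords']} {r['brand']}")
    print(screen_message(SAMPLE_ALERT)[1])
```

In practice the domain feed would come from a certificate-transparency or newly-registered-domain source and the message screen would sit in a mail gateway or security-awareness reporting flow; the "high" bucket (holiday keyword plus brand match) is the one worth blocking or alerting on, while "medium" hits are review candidates.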

“With generative AI making deception cheaper and more scalable, adversaries will utilize tactics like poisoned search results and fake CAPTCHA to trick shoppers into executing malicious code, opening the door for scams, extortion, and theft,” said Keith McCammon, co-founder of Red Canary.

“This holiday shopping season, phishing will become a real-time, AI-driven numbers game. Adversaries will flood the market space with personalized, adaptive lures aimed at thousands of eager bargain hunters.”

The FortiGuard report notes that there are troves of account details for sale on the dark web obtained through stealer malware, with more than 1.57 million login accounts tied to major e-commerce sites.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.