
The FBI just issued a stark warning: account takeover fraud is surging, and the numbers are alarming. Since January 2025, the FBI's Internet Crime Complaint Center has received more than 5,100 complaints about this type of fraud, with losses exceeding $262 million. Being aware of this trend can help you feel more in control and prepared.
This isn't just targeting wealthy individuals or large corporations. Criminals are going after everyone — individuals, small businesses, organizations of all sizes. If you have an online bank account, payroll system, or health savings account, you're a potential target. Understanding that anyone with online accounts can be targeted helps prevent false security assumptions and encourages proactive protection.
How Account Takeover Fraud Works
Account takeover (ATO) fraud is exactly what it sounds like: criminals gain unauthorized access to your online financial accounts, then drain the funds before you realize what's happened. Recent scams have involved fake emails claiming to be from your bank, or fake websites mimicking legitimate banking sites. These real-world examples highlight how quickly and easily these scams can occur, emphasizing the need for vigilance.
There are two primary methods these criminals use to get access.
Social Engineering
This is the human manipulation approach. A criminal contacts you — via text, phone call, or email — pretending to be from your bank or financial institution. They tell you there's been suspicious activity on your account. Fraudulent transactions. They need to verify your identity to help protect you.
In that moment of panic, victims hand over login credentials and even two-factor authentication codes. The criminal logs in, changes the password, and locks the real account owner out.
One particularly devious variation: criminals tell victims their information was used to purchase firearms. That's designed to trigger maximum alarm. They then hand the victim off to a second criminal impersonating law enforcement, who extracts even more account details under the guise of an "investigation."
Phishing Websites and SEO Poisoning
The second method is more technical but equally effective. Criminals create pixel-perfect copies of legitimate banking websites. When you enter your credentials, you're actually handing them directly to the criminals.
What makes this especially dangerous is a technique called SEO poisoning. Criminals purchase search engine ads that mimic legitimate bank advertisements. When you Google your bank's name, their fraudulent ad appears at the top of the results. Click it, and you land on their fake site without ever realizing something is wrong.
Here's the critical point: multi-factor authentication won't save you if you're entering your codes on a fake website. The criminals capture those codes in real-time and use them immediately.
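However convincing the copy, a fake site has to live at a different hostname than the real one. The Python below is an added example, not part of the FBI announcement or the original article: it compares a link's hostname against a set of saved known-good hostnames and flags near-miss spellings and the real name embedded in another site's address. The hostnames, sample links, and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed known-good hostnames, standing in for a user's saved bank links.
KNOWN_GOOD_HOSTS = {"www.bank.example", "login.bank.example"}
NEAR_MISS_RATIO = 0.85  # assumed threshold; tune against real data


def classify_link(url, known_good=KNOWN_GOOD_HOSTS):
    """Return (verdict, reason) for a link before any credentials are typed."""
    parts = urlsplit(url)
    # .hostname ignores any "user@" prefix and port, and is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return ("block", "not HTTPS")
    if not host:
        return ("block", "no hostname")
    if host in known_good:
        return ("allow", "exact match with a saved hostname")
    for good in sorted(known_good):
        # The real name followed by more labels belongs to a different site.
        if host.startswith(good + "."):
            return ("block", "saved name embedded in another site's hostname")
        # One or two changed characters still score very close to 1.0.
        if SequenceMatcher(None, host, good).ratio() >= NEAR_MISS_RATIO:
            return ("block", "near-miss spelling of " + good)
    return ("unknown", "hostname is not one of the saved ones")


if __name__ == "__main__":
    # Constructed sample links, e.g. landing pages reached from search results.
    samples = [
        "https://www.bank.example/login",
        "https://www.bannk.example/login",
        "https://www.bank.example.account-verify.test/login",
        "http://www.bank.example/login",
        "https://news.site.test/",
    ]
    for link in samples:
        verdict, reason = classify_link(link)
        print(f"{verdict:8} {link}  ({reason})")
```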
How to Protect Yourself

The FBI recommends several protective measures, and they're worth implementing today.
Bookmark your financial websites. This is the simplest and most effective defense against SEO poisoning. Don't Google your bank every time you need to log in. Save the legitimate URL as a bookmark and use that instead. This completely bypasses any fraudulent search ads.
Be suspicious of incoming calls. If someone calls claiming to be from your bank, don't trust caller ID — it can be spoofed. Instead, hang up, then independently find your bank's real phone number on the back of your card or recent statement, and call back. Remember, legitimate financial institutions will never ask for your passwords or verification codes over the phone or email. Calling back on a number you found yourself is how you tell a genuine contact from a scam.
Use unique, complex passwords. Yes, it's inconvenient. Yes, it's necessary. A password manager can help. Enable two-factor authentication on every account that offers it, and never let anyone convince you to disable it.
Monitor your accounts regularly. Set up transaction alerts if your bank offers them. Watch for anything unusual — missing deposits, unauthorized withdrawals, or wire transfers you didn't initiate. Catching fraud early dramatically improves your chances of recovery.
Be careful what you share online. Your pet's name, schools you attended, your birthday, your mother's maiden name — all of this information can be used to guess passwords or answer security questions. Those "fun" social media quizzes asking about your first car or favorite teacher? They're often data harvesting operations.
What to Do If You're a Victim
If you discover you've been hit by account takeover fraud, act immediately.
Contact your financial institution first. Ask them to recall or reverse any fraudulent transfers. Request a Hold Harmless Letter or Letter of Indemnity. The faster you act, the better your chances of limiting or eliminating losses.
Reset all compromised passwords. If you used that same password on any other accounts, change it everywhere.
File a complaint with the FBI's IC3 at [www.ic3.gov](https://www.ic3.gov). Include as much detail as possible: phone numbers that contacted you, websites you were directed to, and any account information the criminals provided. Include the words "Account Takeover" or "SEO poisoning" in your incident description.
Report the scam to the company that was impersonated. They may be able to take down phishing sites and warn other customers.
The Bottom Line
Account takeover fraud is a coordinated, sophisticated operation — but it relies on victims acting quickly under pressure without thinking clearly. Understanding how these scams work is your best defense.
Bookmark your bank. Never give out verification codes to incoming callers. Monitor your accounts. These simple steps can save you from becoming part of next quarter's statistics.
Source: FBI Internet Crime Complaint Center (IC3), Public Service Announcement PSA251125, November 2025