What is account takeover fraud?
Account takeover fraud (also known as ATO fraud) occurs when a malicious hacker or fraudster compromises and gains control of an account without legitimate authorisation.
Typically the online account might be a bank account, email account, or social media profile that has been accessed after stealing login credentials through phishing, malware, a data breach, or social engineering.
So, why is ATO fraud in the news now?
The FBI has recently issued a public service announcement that warns that since January 2025 there have been more than 5,100 complaints of account takeover fraud, and total reported losses in excess of US $262 million.
$262 million? Sheesh!
Yep. I've done the maths for you. 5,100 complaints and US $262 million lost means an average of over US $50,000 per incident.
Ok, you've got my attention. How do these ATO schemes work?
It is common for fraudsters to steal login credentials, 2FA codes, one-time passwords and the like via social engineering. For instance, they might pretend to work for the customer service department of a bank, and persuade a victim to share sensitive information.
A more technical method is the use of phishing websites, where potential victims are lured (sometimes through poisoned search engine ads) to lookalike fake websites that pose as legitimate banks or online portals, and tricked into entering their details.
In addition, criminals take advantage of credentials exposed through past data breaches and malware campaigns, knowing that many users make the mistake of reusing the same passwords for multiple accounts.
Once the attackers have gained control over an account they will often attempt to wire funds to an account under their own control, frequently converting their ill-gotten gains into cryptocurrency to make recovery more difficult.
So is this just a problem for individuals, or businesses too?
As the FBI explains, attackers have targeted individuals, businesses, and organisations of all sizes across a wide range of industries.
Accounts which are commonly targeted (because of the value of the data they contain and the funds they may have access to) include bank accounts, payroll platforms, and other financial service accounts.
What should I be doing to protect myself and my company?
Harden your defences, both at home and in the workplace. Make sure that you:
- Use strong, unique passwords on all critical accounts and enable multi-factor authentication.
- Use browser bookmarks or navigate directly to the known published URL for financial login pages, rather than relying on search results or ads.
- Keep a close eye on your accounts, looking out for unusual transactions, unusual logins, or unexpected password reset notifications.
- Raise awareness amongst staff through user training. Teach your colleagues and advise your customers on how to spot suspicious phone calls, spoofed emails, and bogus requests that claim to come from "technical support."
- Implement strong IAM policies, credential hygiene, and MFA across enterprise accounts, especially those handling payroll or funds.
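For teams that monitor accounts programmatically, the warning signs listed above (an unusual login, an unexpected password reset, an unusual transaction) can be correlated into a single rule. The following is an added example, not code from the original article or the FBI announcement; the event format, field names, one-hour window and sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, account, event type, detail.
# "detail" holds the device ID for logins and the payee for transfers.
EVENTS = [
    ("2025-11-03T09:00:00", "alice", "login", "dev-A"),
    ("2025-11-03T09:05:00", "alice", "transfer", "landlord"),
    ("2025-11-20T02:14:00", "alice", "login", "dev-X"),
    ("2025-11-20T02:16:00", "alice", "password_reset", ""),
    ("2025-11-20T02:31:00", "alice", "transfer", "exch-7731"),
    ("2025-11-04T10:00:00", "bob", "login", "dev-B"),
    ("2025-11-21T10:00:00", "bob", "login", "dev-B"),
    ("2025-11-21T10:02:00", "bob", "transfer", "new-supplier"),
]

WINDOW = timedelta(hours=1)  # assumed correlation window


def find_takeover_candidates(events, window=WINDOW):
    """Alert on a transfer to a never-seen payee made within `window` of a login
    from a never-seen device; a password reset in between raises severity."""
    known_devices, known_payees, risky = {}, {}, {}
    alerts = []
    for ts, acct, kind, detail in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        devices = known_devices.setdefault(acct, set())
        payees = known_payees.setdefault(acct, set())
        if kind == "login":
            # The first device seen for an account becomes its baseline.
            if devices and detail not in devices:
                risky[acct] = {"since": when, "device": detail, "reset": False}
            else:
                devices.add(detail)
        elif kind == "password_reset" and acct in risky:
            risky[acct]["reset"] = True
        elif kind == "transfer":
            state = risky.get(acct)
            if state and detail not in payees and when - state["since"] <= window:
                alerts.append({"account": acct, "time": ts, "payee": detail,
                               "device": state["device"],
                               "severity": "high" if state["reset"] else "medium"})
            else:
                payees.add(detail)  # only unflagged transfers extend the baseline
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_candidates(EVENTS):
        print(alert)
```

An unfamiliar device is deliberately never added to the baseline here; a production rule would add it only after the account holder confirms the login.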
What should I do if I think someone has attempted to compromise an account?
The FBI's Internet Crime Complaint Center (IC3) offers the following advice:
- If you suspect an account may have been compromised by a fraudster, immediately notify financial institutions, and attempt to reverse any fund transactions to mitigate losses.
- Reset any compromised passwords and login credentials. This also applies to any other accounts which might be using the same login details (remember that the reuse of passwords makes life much easier for cyber-criminals).
- Report the incident to the IC3, including as much detail as possible.
- Notify the impersonated company so they can work towards having any phishing pages removed, and warn their other customers.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.