FBI Warns: Account Takeover Scams Steal $262 Million in 2025; AI Fuels Sophistication

The Federal Bureau of Investigation (FBI) has issued a stern warning regarding the dramatic rise in Account Takeover (ATO) scams, reporting that cybercriminals have already stolen more than $262 million from U.S. individuals, businesses, and organizations so far in 2025. The FBI’s Internet Crime Complaint Center (IC3) has received over 5,100 complaints related to these incidents, which typically involve unauthorized access to financial accounts, payroll systems, or health savings accounts.

The core tactic remains social engineering, where criminals manipulate victims into revealing sensitive login details. The scam is often initiated by an imposter—posing as a trusted entity like a financial institution employee, customer support, or technical support personnel—via fraudulent emails, calls, or texts.

Crucially, cybercriminals are increasingly using advanced methods to acquire not just usernames and passwords, but also Multi-Factor Authentication (MFA) codes or One-Time Passcodes (OTP), which allow them to get past the MFA protection on an account. Once access is gained, the attackers swiftly lock the legitimate owner out, reset passwords, and wire funds to accounts they control, often converting the money into hard-to-trace cryptocurrency.

Cybersecurity researchers note that the sophistication of these scams has been significantly enhanced by the rising use of AI tools. These tools enable even low-skill attackers to craft highly convincing and persuasive phishing campaigns, fake websites, and social media advertisements that closely mimic popular brands like Amazon and Temu.

The holiday season serves as a particularly fertile ground for these criminals. Cybersecurity firms have detected hundreds of malicious, holiday-themed domains designed to exploit urgency-driven messages tied to events like Black Friday and Christmas, maximizing the likelihood of credential theft.

Another growing concern is the rise of mobile phishing campaigns that exploit trusted brand names to trick users into clicking links or downloading malicious updates on their phones. Furthermore, the FBI points out that individuals often inadvertently provide scammers with the necessary information to guess passwords or answer security questions by oversharing personal details online, such as a pet’s name or date of birth.

To combat this rising threat, the FBI urges the public to adopt a robust security posture, emphasizing that consistent implementation of safeguards is critical for all devices and networks:

  • Be Skeptical of Unsolicited Contact: Never trust unverified calls, emails, or texts claiming to be from your bank or support staff, especially if they ask for your username, password, or OTP. If suspicious, hang up, verify the official number, and call back directly.
  • Strengthen Credentials: Use unique, complex passwords for all accounts and enable Multi-Factor Authentication (MFA) wherever possible, but remain wary of unsolicited MFA requests.
  • Monitor and Limit Sharing: Regularly check your financial accounts for any unusual activity and limit the personal information you share online or on social media.
  • Verify URLs: Avoid clicking on links from search results or unsolicited messages. Use bookmarks or type the official URL directly, and always verify the address for typos or inconsistencies before logging in.
  • Deploy Protection: Utilize antivirus software and enable firewalls to block malware and unauthorized access attempts.
