Inside the ATO Scam Wave

By Greg Collier

The FBI is warning the public about a significant rise in Account Takeover (ATO) fraud, a scheme in which cybercriminals impersonate financial institution personnel or websites to gain unauthorized access to customer accounts. Since January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received more than 5,100 complaints tied to ATO incidents, with reported losses exceeding $262 million.

ATO schemes affect individuals, businesses, and organizations of all sizes. The tactics used are increasingly sophisticated, blending social engineering, impersonation, and phishing-based website spoofing to convince victims to voluntarily provide sensitive login information.

This post summarizes the latest FBI guidance, outlines how the scam operates, and identifies steps consumers can take to mitigate their risk.

How It Works

Cybercriminals target online financial accounts—including banking, payroll, and health savings accounts—by posing as legitimate employees or support staff. Their contact typically begins through:

  • Text messages
  • Phone calls
  • Emails
  • Fraudulent “fraud alert” notifications
  • Search-engine ads that direct users to spoofed financial websites

Victims are persuaded that urgent action is required to prevent financial loss, identity theft, or an ongoing fraudulent transaction.

Once criminals secure login information or a one-time passcode, they can reset the account password, gain full control, and immediately begin transferring funds, often to accounts linked to cryptocurrency wallets. Transfers typically settle very quickly, which complicates recovery efforts.

Scam Breakdown

1. The Initial Fraud Alert

Victims receive a notification claiming suspicious account activity or fraudulent purchases. In some cases, scammers claim the victim’s information was used to purchase a firearm, increasing the sense of urgency.

2. Impersonation of Law Enforcement

After establishing initial contact, scammers may transfer the victim to another individual posing as a law-enforcement officer. This person requests further verification, often including account details, to “address the fraud.”

3. Credential Harvesting

The scammer requests login information, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals may also guide victims to phishing sites designed to look identical to legitimate banking portals. Some phishing sites appear at the top of search engine results through SEO poisoning, where criminals purchase ads mimicking real institutions.

4. Password Reset and Account Lockout

With access obtained, scammers initiate a password reset to lock the true account holder out. Victims lose the ability to intervene as criminals quickly initiate transfers.

5. Rapid Funds Transfer

Funds are wired from the compromised account to one or more criminal-controlled accounts. Because many of these accounts are connected to cryptocurrency services, transactions are difficult to trace and reverse.
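The reset-then-transfer sequence in steps 4 and 5 is something an institution can look for in its account event logs. The following is an added example, not part of the FBI guidance or the original post; the event names, log fields and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed window: an outbound transfer this soon after a password reset is flagged.
WINDOW = timedelta(minutes=30)

# Constructed sample events: (account, ISO timestamp, event type, amount).
SAMPLE_EVENTS = [
    ("acct-1001", "2025-03-04T14:02:10", "otp_verified", ""),
    ("acct-1001", "2025-03-04T14:03:45", "password_reset", ""),
    ("acct-1001", "2025-03-04T14:09:30", "wire_out", "9500.00"),
    ("acct-1001", "2025-03-04T14:11:02", "wire_out", "4800.00"),
    ("acct-2002", "2025-03-04T09:00:00", "password_reset", ""),
    ("acct-2002", "2025-03-06T16:20:00", "wire_out", "120.00"),   # days later: not flagged
    ("acct-3003", "2025-03-04T11:15:00", "wire_out", "300.00"),   # no reset: not flagged
]

def find_reset_then_transfer(events, window=WINDOW):
    """Return one alert per account whose outbound transfers follow a
    password reset within `window`. Events may arrive out of order."""
    parsed = sorted(
        (datetime.fromisoformat(ts), acct, kind, amount)
        for acct, ts, kind, amount in events
    )
    last_reset = {}  # account -> time of its most recent password reset
    alerts = {}      # account -> alert record
    for ts, acct, kind, amount in parsed:
        if kind == "password_reset":
            last_reset[acct] = ts
        elif kind == "wire_out" and acct in last_reset:
            reset_ts = last_reset[acct]
            if ts - reset_ts <= window:
                alert = alerts.setdefault(acct, {
                    "account": acct,
                    "reset_at": reset_ts.isoformat(),
                    "transfers": 0,
                    "total": Decimal("0"),
                })
                alert["transfers"] += 1
                alert["total"] += Decimal(amount)
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_reset_then_transfer(SAMPLE_EVENTS):
        print(alert)
```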

Red Flags

  • Unexpected calls or messages claiming to be from your bank or financial institution
  • Requests for login credentials, MFA codes, or verification numbers
  • Caller ID that appears legitimate but cannot be verified
  • Pressure to act immediately to prevent supposed financial loss
  • Search-engine results that lead to unfamiliar URLs or sponsored ads for financial institutions
  • Websites that appear correct but have slight variations in address or formatting

Consumers should be cautious whenever they receive unsolicited contact about financial accounts.
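One way to automate the address-variation red flag in the list above is to compare a link's host against the official pages you have bookmarked. This is an added example, not from the FBI guidance or the original post; the bank hostnames are hypothetical, the distance threshold is an assumption, and treating the last two labels as the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts bookmarked as official (hypothetical names).
OFFICIAL_HOSTS = {"examplebank.com", "examplecredit.org"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url, official=OFFICIAL_HOSTS, max_distance=2):
    """Return 'official', 'lookalike' or 'unknown' for the URL's host."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less input
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Only an exact match or a true subdomain of a bookmarked host is official.
    for good in official:
        if host == good or host.endswith("." + good):
            return "official"
    labels = host.split(".")
    base = ".".join(labels[-2:])  # naive registrable domain (assumption)
    for good in official:
        name = good.split(".")[0]
        # Official name reused as a subdomain or inside another domain's label
        if good in host or any(name in label for label in labels):
            return "lookalike"
        # Slight spelling variation of the official domain
        if edit_distance(base, good) <= max_distance:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://www.examplebank.com/login", "https://examp1ebank.com/login"):
        print(u, "->", classify_url(u))
```

A result of "unknown" means only that the host resembles nothing on the allowlist; it is not a sign that the site is safe.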

What You Can Do

The FBI recommends several preventative steps:

  • Use strong, unique passwords for every account.
  • Enable multi-factor authentication on all possible accounts, but never provide MFA codes to anyone.
  • Bookmark official login pages and avoid accessing financial sites through search-engine results or online ads.
  • Monitor financial accounts regularly for unauthorized transactions or missing deposits.
  • Limit personal information shared online, as details such as birthdays, schools, and pet names can be used to bypass security questions.
  • Verify phone calls independently by hanging up and calling the number on the back of your card or listed on your institution’s website.

If You’ve Been Targeted

Should you suspect an ATO incident:

1. Contact Your Financial Institution Immediately

Request a recall or reversal of fraudulent transactions. Ask for indemnity documentation such as a Hold Harmless Letter or Letter of Indemnity.

2. Reset All Potentially Compromised Credentials

Update passwords and security information across all accounts, especially if passwords are reused.

3. File a Detailed Report at IC3.gov

Include:

  • Impersonated institution
  • Phone numbers, emails, names, and websites used
  • Accounts involved
  • Any software or URLs the scammers directed you to
  • Notes on SEO poisoning if applicable

Use the terms “Account Takeover” or “SEO poisoning” in the incident description.

4. Notify the Impersonated Company

This can help institutions take down phishing sites and warn other customers.

Final Thoughts

Account Takeover fraud is a rapidly escalating threat that leverages impersonation, psychological pressure, and increasingly realistic digital deception. While financial institutions continue to strengthen security measures, criminals are adapting just as quickly.

Consumers can significantly reduce their risk by remaining cautious, verifying all unsolicited contact, and restricting the amount of personal information shared online. Swift action is critical when responding to a potential compromise.
