Cybercriminals are mounting sophisticated campaigns to commit Account Takeover (ATO) fraud by impersonating legitimate financial institutions. This activity involves contacting targets—which include individuals, businesses, and organizations of all sizes and sectors—through various social engineering techniques such as texts, calls, and emails. The goal of these deceptive communications is to prey on the users’ fears or concerns, or to trick them into visiting bogus websites. The FBI reports that these fraudulent schemes have been highly successful, resulting in more than $262 million in reported losses and over 5,100 complaints since the beginning of the year, highlighting a significant threat to financial security.
The core of ATO fraud lies in the attacker’s ability to obtain unauthorized access to a victim’s online accounts, which can range from financial institutions and payroll systems to health savings accounts. This access is crucial for siphoning off funds and sensitive data for the criminal’s personal gain. A common tactic is deceiving users into providing their login credentials on a phishing site, often by urging them to click a link to report alleged fraudulent transactions. Once the connection is established, the criminal may manipulate the account owner into providing not just their password, but also critical security components like a multi-factor authentication (MFA) code or One-Time Passcode (OTP) by masquerading as a bank employee, customer support, or technical support personnel.
With the necessary credentials, the cybercriminal swiftly logs into the legitimate financial institution’s website. Their first action is typically to initiate a password reset, effectively locking out the true account owner and gaining full control of the accounts. Other methods employed by threat actors involve contacting account owners, falsely claiming their information was used to make unauthorized, sometimes high-value, purchases like firearms. They then convince the victim to provide their account details to a second criminal who is impersonating law enforcement, creating a two-step deception that maximizes the chances of a successful takeover.
In addition to direct social engineering, the FBI notes that ATO fraud can also be facilitated through technical means like Search Engine Optimization (SEO) poisoning. This method involves manipulating search results so that users looking for businesses are tricked into clicking on phony links. These links redirect them to a lookalike site via malicious search engine ads, essentially phishing for credentials through a search engine. Regardless of whether the access is gained through a deceptive call or a poisoned search result, the ultimate and immediate aim of the criminals is the same: to seize control, swiftly wire funds to accounts they control, and immediately change the passwords.
To cover their tracks and make recovery difficult, the accounts to which the stolen money is transferred are often further linked to cryptocurrency wallets. This conversion into digital assets is done specifically to obscure the money trail, making it extremely challenging for law enforcement to trace and recover the stolen funds. Given the severity of the threat, individuals are strongly advised to take protective measures: be cautious about sharing personal details online that could be used for security questions, regularly monitor all accounts for any irregularities, use unique and complex passwords, verify the URL of banking websites before logging in, and maintain vigilance against suspicious calls or phishing attempts that request account details.
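The takeover sequence described above (a login, then a password reset and a rapid wire to an attacker-controlled account) can be monitored for on the institution's side. The following is an added example, not code from the FBI advisory or any bank; the event types, field names, sample events, and the 30-minute window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and event types are assumptions,
# not any institution's real log schema.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "account": "A1", "type": "login", "known_device": True},
    {"ts": "2025-01-10T09:05:00", "account": "A1", "type": "wire_out", "new_payee": False},
    {"ts": "2025-01-10T14:00:00", "account": "B2", "type": "login", "known_device": False},
    {"ts": "2025-01-10T14:02:00", "account": "B2", "type": "password_reset"},
    {"ts": "2025-01-10T14:06:00", "account": "B2", "type": "wire_out", "new_payee": True},
    {"ts": "2025-01-10T16:00:00", "account": "C3", "type": "login", "known_device": False},
    {"ts": "2025-01-10T16:03:00", "account": "C3", "type": "password_reset"},
    {"ts": "2025-01-11T10:00:00", "account": "C3", "type": "wire_out", "new_payee": True},
]

def flag_takeover_pattern(events, window=timedelta(minutes=30)):
    """Flag accounts where a login from an unrecognized device is followed,
    within `window`, by both a password reset and a wire to a new payee
    (in either order)."""
    alerts, risky = [], {}  # risky: account -> state of its latest risky login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "login":
            # Known-device logins neither open nor clear a risky window.
            if not ev.get("known_device"):
                risky[acct] = {"start": ts, "seen": set()}
            continue
        state = risky.get(acct)
        if state is None:
            continue
        if ts - state["start"] > window:
            del risky[acct]  # too slow to match the rapid takeover pattern
            continue
        if ev["type"] == "password_reset":
            state["seen"].add("password_reset")
        elif ev["type"] == "wire_out" and ev.get("new_payee"):
            state["seen"].add("wire_out")
        if state["seen"] == {"password_reset", "wire_out"}:
            alerts.append({"account": acct, "login": state["start"].isoformat(),
                           "completed": ev["ts"]})
            del risky[acct]
    return alerts

if __name__ == "__main__":
    print(flag_takeover_pattern(EVENTS))
```

In the sample data only account B2 is flagged: A1 uses a known device, and C3's wire comes a day after the reset, outside the window.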