The FBI is warning about bad actors impersonating personnel at financial institutions to steal money or information, a social engineering scheme that the agency said has generated more than 5,100 complaints and losses to victims of more than $262 million.
Such account takeover (ATO) scams are part of a larger and aggressive assault on identities and credentials as threat actors look to take advantage of human behavior through such social engineering techniques as texts, calls, and emails, as well as through fraudulent websites, according to the FBI.
They will pretend to be part of a financial institution’s staff or website to obtain access to the accounts.
“The cyber criminals target individuals, businesses, and organizations of varied sizes and across sectors,” the law enforcement agency wrote in the warning. “In ATO fraud, cyber criminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain.”
When impersonating someone from the financial institution – an employee, a customer, or technical support personnel – the hackers try to manipulate account holders into giving out their login credentials, including their multifactor authentication (MFA) code or one-time passcode (OTP).
They’ll then use the credentials to log into the legitimate institution’s website, reset the password, and gain control of the account.
They’ll contact account owners through text messages, calls, or emails, and at times will tell their targets that there are fraudulent transactions on the account, after which they deliver a link to a phishing website the victim believes will fix the problem.
“In some instances, cyber criminals impersonating financial institutions reported to the account owner that their information was used to make fraudulent purchases, including firearms,” the FBI wrote. “The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information.”
The hackers also use phishing websites that mimic a financial institution or payroll site to trick users into giving away their login credentials, or they may use search engine optimization (SEO) poisoning, buying ads that imitate legitimate business ads so that the fraudulent site appears alongside them and looks more credible.
“Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore, funds are disbursed quickly and are difficult to trace and recover,” the FBI wrote. “In some cases, including nearly all social engineering cases, the cyber criminals change the online account password, locking the owner out of their own financial account(s).”
The FBI warning addresses what cybersecurity company Bitdefender found earlier this month in its 2025 Consumer Cybersecurity Survey. Looking at input from 7,000 respondents, Bitdefender found that about 14% of them reported that they’d fallen victim to a scam in the past year, and that the most common scams were delivery, shipping, and mail fraud, at 21%, and credential phishing and ATO, at 19%.
Scammers now reach victims through social media more often than through email, while 25% of scams happen over the phone. In addition, 53% of respondents said credential phishing and ATO were their top security concern, yet too many continue to show risky behavior, such as accepting cookie prompts without reviewing them or not running security software on their systems.
It’s that combination of the growing number of instances of ATO fraud and the risky behavior of consumers that is dangerous, Filip Truță, information security analyst at Bitdefender, wrote in a blog post.
“Scammers know that many users rely heavily on their phones and mobile banking, and use weak credentials for multiple accounts, all while lacking basic protections like password managers or dedicated security apps,” Truță wrote. “This makes impersonation schemes especially effective. A convincing call or text from ‘your bank’s support’ – claiming suspicious activity and urging immediate verification – can lure victims into giving up OTPs or passwords. Once the attackers have access, the damage is often swift and irrecoverable.”
For the consumer, that could mean financial loss, compromised privacy, and a sense of betrayal, given that they believe they were dealing with a legitimate institution, he wrote.
The recommendations Truță made are well known by now but important: use strong, unique passwords and a password manager, don't overshare online, use MFA, and be wary of calls claiming to come from an institution's support or customer service operations.
Users also should monitor their accounts, use an independent security solution and a scam detection tool, and avoid logging in through links from search engines or ads.
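The last piece of advice, not logging in through links from search results, ads, or texts, is the one a defender can turn into a simple automated check. The script below is an added example and is not code from the article, the FBI, or Bitdefender. It assumes a constructed institution domain (`examplebank.com`), a naive two-label notion of a "registrable domain" (no public-suffix list), and a small, constructed table of character substitutions; it scans a constructed SMS modelled on the "suspicious purchase, verify now" lure described above and labels each link as `trusted`, `lookalike`, or `untrusted`.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: the registrable domains the institution
# really uses. A deployment would take these from the institution's own published list.
TRUSTED_DOMAINS = {"examplebank.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Visual substitutions commonly seen in lookalike hostnames (constructed, not exhaustive).
_SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Fold digits and letter pairs that imitate other letters so 'examp1ebank' equals 'examplebank'."""
    label = label.lower()
    for fake, real in _SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a link delivered by text, email or an ad."""
    try:
        host = urlsplit(url).hostname  # drops userinfo, port, path and query
    except ValueError:
        return "untrusted"
    if not host:
        return "untrusted"
    host = host.lower()

    # Exact match or a genuine subdomain of a trusted registrable domain.
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"

    # Anything else that still resembles the brand is the interesting case:
    # a host that merely contains the bank's name, or that spells it with
    # substituted characters, is flagged as a lookalike.
    if "xn--" in host:  # internationalized (punycode) label: homograph risk
        return "lookalike"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalize(brand) in normalize(host):
            return "lookalike"
        if normalize(registrable_domain(host)) == normalize(trusted):
            return "lookalike"
    return "untrusted"


def triage_message(text: str) -> list[tuple[str, str]]:
    """Find every URL in a message and classify it, stripping trailing punctuation."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in urls]


# Constructed sample text, modelled on the lure the FBI describes.
SAMPLE_SMS = (
    "ExampleBank Alert: suspicious purchase flagged. Verify now at "
    "https://examplebank.com.secure-verify.net/login or call support."
)

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

The `hostname` property of `urlsplit` is what defeats the `https://examplebank.com@evil-host/` trick: everything before the `@` is userinfo, not the host, so only the real destination is compared against the allowlist. The check deliberately reports a plain unknown site as `untrusted` rather than `lookalike`; the brand-bearing hosts are the ones worth surfacing to a user or an analyst.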