FBI Reports $262 Million in ATO Fraud as Researchers Point to an Increase in AI Phishing and Holiday Scams
The Federal Bureau of Investigation (FBI) in the United States has issued a warning about cybercriminals posing as financial institutions to steal money or sensitive data in support of account takeover (ATO) fraud operations.
According to the agency, the activity targets people, companies, and organizations of all sizes and in all industries. Since the beginning of the year, the fraudulent schemes have resulted in losses of over $262 million. Over 5,100 complaints have been filed, according to the FBI.

ATO fraud refers to attacks in which threat actors gain unauthorized access to an online financial institution account, payroll system, or health savings account in order to steal information and money for their own benefit. The access is frequently obtained by contacting targets through phony websites or social engineering tactics, including SMS messages, calls, and emails that prey on users’ concerns.
By using these techniques, attackers can trick users into entering their login information on a phishing website and, in certain cases, encourage them to click on a link to report allegedly fraudulent transactions that have been recorded against their accounts.
“A cybercriminal tricks the account holder into handing away their login credentials, especially multi-factor authentication (MFA) code or One-Time Passcode (OTP), by imitating a financial institution employee, customer support, or technical support personnel,” according to the FBI.
“The cybercriminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.”
In other instances, account owners are contacted by threat actors posing as financial institutions, claiming that their information was used to make fraudulent purchases, including firearms, and then persuaded to give their account information to another cybercriminal posing as law enforcement.
According to the FBI, ATO fraud can also involve Search Engine Optimization (SEO) poisoning, in which malicious search engine ads fool people searching for a business into clicking fake links that lead to a lookalike website.
Regardless of the technique employed, the attacks all aim to take over the accounts, quickly transfer money to other accounts under the attackers’ control, and change the passwords, thereby locking out the account owner. The receiving accounts are in turn linked to cryptocurrency wallets so the funds can be converted into digital assets and the money trail obscured.
To protect themselves, users are advised to be cautious when disclosing personal information online or on social media, to regularly check accounts for financial irregularities, to use strong, unique passwords, to confirm the URL of a banking website before logging in, and to be on the lookout for phishing scams and suspicious callers.

“By openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions,” according to the FBI.
According to a statement from Jim Routh, chief trust officer at Saviynt, “the vast majority of ATO accounts mentioned in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions.”
“Manual controls (phone calls for verification and SMS messages for permission) are the most effective ways to stop these attacks. Despite the availability of passwordless methods, the accepted use of credentials for cloud accounts remains the primary problem.”
The development coincides with the major cybersecurity threats that Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted ahead of the holiday season. These threats include gift card depletion, Black Friday scams, QR code fraud, and high-volume phishing campaigns that imitate well-known brands like Temu and Amazon.
Many of these operations use artificial intelligence (AI) tools to create highly convincing phishing emails, phony websites, and social media advertisements. This allows even inexperienced attackers to produce lures that look legitimate and to boost the success rate of their campaigns.
“Over the last three months, more than 1.57 million login accounts tied to major e-commerce sites, available through stealer logs, were collected across underground markets,” Fortinet FortiGuard Labs reported, noting that it had found at least 750 malicious, holiday-themed domains registered over the previous three months, many of which used keywords like “Christmas,” “Black Friday,” and “Flash Sale.”
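Fortinet’s keyword observation and the FBI’s advice to confirm a banking site’s URL suggest a simple defensive triage for newly seen domains. The script below is an added illustration, not code from the article or from any vendor it names: it folds look-alike character sequences (such as “rn” for “m”) and flags domains that carry a watched brand, a one-character typosquat of it, or a holiday keyword. The brand list, keyword list, confusable table and the two-label notion of a registrable domain are constructed assumptions.

```python
import re

# Constructed watchlists built from the brands and holiday keywords the
# article names; a real deployment would load the organisation's own lists.
BRANDS = ["amazon", "temu", "microsoft"]
HOLIDAY_KEYWORDS = ["christmas", "blackfriday", "flashsale"]
# Character sequences that read as another letter at a glance, folded to the
# letter they imitate before any comparison ("rn" reads as "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable_label(hostname: str) -> str:
    """Return the label left of the TLD (assumption: no public-suffix list)."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Strip separators and fold confusables: 'arnazon-support' -> 'amazonsupport'."""
    s = re.sub(r"[-_]", "", label)
    for seq, letter in CONFUSABLES:
        s = s.replace(seq, letter)
    return s

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_domain(hostname: str) -> list[str]:
    """Return the reasons a domain deserves a closer look; empty means none."""
    label = registrable_label(hostname)
    norm = normalize(label)
    reasons = []
    for brand in BRANDS:
        if label == brand:
            continue  # the genuine registrable name is not a lookalike
        if brand in norm:
            reasons.append(f"brand-lookalike:{brand}")
        elif edit_distance(norm, brand) == 1:
            reasons.append(f"typosquat:{brand}")
    for kw in HOLIDAY_KEYWORDS:
        if kw in norm:
            reasons.append(f"holiday-keyword:{kw}")
    return reasons
```

Feeding a feed of newly registered domains through `flag_domain` and routing any non-empty result to a human reviewer is the intended use; the folding step is what makes “rnicrosoft” and “arnazon” surface.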
Additionally, security flaws in Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other popular e-commerce platforms have been aggressively exploited by attackers. CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569 are a few of the exploited vulnerabilities.
Mobile phishing (also known as mishing) websites have increased fourfold, according to Zimperium zLabs. Attackers exploit reputable brand names to generate a sense of urgency and trick users into clicking, logging in, or downloading dangerous updates.
Additionally, Recorded Future has drawn attention to purchase scams in which threat actors utilize phony e-commerce sites to get victim information and approve fraudulent payments for items and services that don’t exist. The schemes were referred to as a “major emerging fraud threat.”
According to the cybersecurity company, the scam operations work as multi-stage attack funnels aimed at specific victims. A traffic distribution system (TDS) first decides whether a visitor is a suitable target and then starts a redirect chain that leads them to the final stage, where the victim-authorized transaction takes place.
The primary benefit of this scam is that it offers operators instant financial payouts because the victims themselves authorize payments. In comparison, other fraud attack routes need a major investment of time and resources to cash out stolen data. It has also been discovered that certain purchasing scams try two consecutive fraudulent purchases using transaction recovery services, which double-monetize the card information.
“A sophisticated dark web ecosystem allows threat actors to quickly establish new purchase scam infrastructure and amplify their impact,” the business stated. “Promotional activities mirroring traditional marketing – including an offer to sell stolen card data on the dark web carding shop PP24 – are widespread in this underground.”
“In order to propagate purchase schemes, threat actors use stolen credit cards to finance advertising campaigns. This compromises additional credit card information, creating an ongoing fraud cycle.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.