FBI Issues Alert on $262 Million Account Takeover Fraud Wave as Experts Warn of AI-Enhanced Phishing and Holiday Shopping Scams
FBI warns of $262M in account takeover fraud losses. Learn how cybercriminals use AI-powered phishing, holiday scams & fake sites to steal credentials.
Federal authorities warned of cyber thieves impersonating legitimate banking institutions in attempts to steal money and personal information by running account takeover scams. According to the United States Federal Bureau of Investigation, more than $262 million in financial losses have been attributed to these sophisticated attacks so far this year, with over 5,100 victim complaints filed.
Account takeover fraud covers attacks in which bad actors illicitly gain access to digital banking platforms, payroll management systems, or health savings accounts in order to siphon sensitive information and money from the account holder. These breaches commonly start with social engineering: fraudulent text messages, phone calls, and emails that exploit users' trust, along with sham websites built to harvest credentials.
These tactics let bad actors trick victims into entering their authentication credentials on fake sites, commonly by fabricating urgency around supposedly unauthorized transactions on their accounts.
The FBI reports that criminals manipulate account holders into handing over their login credentials by posing as bank representatives, customer service agents, or IT support staff and requesting multi-factor authentication codes and/or one-time passcodes. Once received, the stolen credentials are used to log in to the real financial institution's portal, change the password, and take full control of the account.
Other schemes include fraudsters masquerading as banks, reaching out to account holders and telling them their accounts have been used for illicit purchases of items such as firearms, then convincing them to reveal their account credentials to a second fraudster pretending to be police.
The agency points out that account takeover operations may also use search engine optimization manipulation to deceive users looking online for legitimate businesses into clicking on malicious ads that redirect to imitation sites.
Whatever the particular approach, all such attacks share the same basic aim: commandeering the account, quickly transferring money to criminal-controlled accounts, and changing the password to lock out the legitimate owner. The receiving accounts are linked to cryptocurrency wallets for quick conversion to digital currency, which obscures the trail of the transaction.
Protection strategies include being cautious with personal information shared online or through social media, periodic account reviews to look for financial anomalies, using unique and complex passwords, validating banking website URLs before authenticating any transactions, and being on the lookout for phishing attempts and suspicious communications.
The FBI indicates that publicly releasing specific information about pet names, schools attended, birth dates, or family members often allows hackers to access the information necessary to guess passwords or respond accurately to security questions.
Jim Routh, chief trust officer at Saviynt, said that nearly all of the account takeovers in the FBI notice result from compromised credentials used by bad actors with great familiarity with financial institutions' money movement processes and internal work procedures. According to him, the best preventive controls are manual verification by way of phone calls or SMS approval messages; the root issue is that cloud account credentials are still in use where passwordless options exist.
This announcement comes amid several cybersecurity companies, including Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium, having issued warnings of serious security risks created during the time of holiday shopping. Among these are fake Black Friday offers, QR code scams, gift card theft schemes, and widespread phishing campaigns posing as some of the most popular retailers, including Amazon and Temu.
Many of the recent attacks use AI to produce plausible phishing emails, fake websites, and social media ads, which lets even less experienced attackers run convincing operations with higher success rates.
Fortinet's FortiGuard Labs identified more than 750 malicious holiday-themed domains, registered in the last three months, many of which included terms like "Christmas," "Black Friday," and "Flash Sale." The company also reported collecting over 1.57 million login credentials for major e-commerce platforms from stealer logs circulating in underground marketplaces during this period.
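The lure terms FortiGuard reported ("Christmas," "Black Friday," "Flash Sale") and the brand names the article cites (Amazon, Temu) are exactly what a defender can triage newly registered domains against. The following is an added example, not FortiGuard's tooling or data: a small Python heuristic that flags domains carrying holiday terms, embedding a brand outside its known-good domain, or using a near-miss spelling of a brand. The allowlist and the sample domain list are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Lure terms and brands named in the article; the allowlist is an assumed example.
HOLIDAY_TERMS = ("christmas", "blackfriday", "flashsale", "cybermonday")
BRANDS = ("amazon", "temu")
LEGIT_DOMAINS = {"amazon.com", "temu.com"}  # hypothetical allowlist of known-good domains

def registrable(domain: str) -> str:
    """Last two labels of the name (naive: ignores multi-label suffixes like co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def lure_reasons(domain: str) -> list:
    """Return heuristic reasons a domain looks like a holiday/brand lure; [] if clean."""
    domain = domain.lower()
    if registrable(domain) in LEGIT_DOMAINS:
        return []  # the real brand domain is never flagged
    compact = re.sub(r"[^a-z]", "", domain)  # 'black-friday-2025' -> 'blackfriday'
    tokens = [t for t in re.split(r"[^a-z]+", domain) if t]
    reasons = [f"holiday-term:{t}" for t in HOLIDAY_TERMS if t in compact]
    for brand in BRANDS:
        if brand in compact:
            reasons.append(f"brand-in-domain:{brand}")
            continue
        # Near-miss spellings (e.g. a dropped letter) compared token by token.
        for tok in tokens:
            if len(tok) >= 4 and SequenceMatcher(None, brand, tok).ratio() >= 0.8:
                reasons.append(f"brand-lookalike:{brand}")
                break
    return reasons

def triage(domains):
    """Keep only the domains that produced at least one reason, for analyst review."""
    flagged = {}
    for d in domains:
        why = lure_reasons(d)
        if why:
            flagged[d] = why
    return flagged

# Constructed sample of newly registered domains (not from any vendor's data set).
SAMPLE = [
    "amazon-blackfriday-deals.shop",
    "temu.com",
    "amazn-login.net",
    "christmas-flash-sale-2025.top",
    "example.org",
]

if __name__ == "__main__":
    for d, why in triage(SAMPLE).items():
        print(d, why)
```

A production version would use a public-suffix list for `registrable` and a broader brand list, but the shape of the check is the same.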
Vulnerabilities in Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other popular e-commerce platforms are being actively exploited by various criminal actors. Among the vulnerabilities under exploitation are CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569.
Research from Zimperium zLabs shows a fourfold increase in mobile phishing sites, in which attackers use recognizable brand identities to create a sense of urgency and trick users into clicking links, entering credentials, and downloading malicious updates.
Similarly, Recorded Future has highlighted purchase fraud schemes in which criminals set up sham e-commerce sites through which they collect victim information and handle payments for products and services that do not exist. It labels such scams as one of the top emerging fraud threats.
According to the cybersecurity firm, these fraud operations work through multi-stage attack chains: traffic distribution systems first assess whether a visitor is a suitable target, then start a redirect chain that ultimately lands the victim on the final stage, where the victim authorizes a transaction.
The biggest advantage of this class of fraud is that the customers themselves approve the payments, giving operators immediate financial gain. By contrast, other forms of fraud need considerable investment of time and resources to monetize stolen data. In some cases, purchase scams also rely on so-called transaction recovery services to trigger a second transaction, thereby doubling the monetization of the same payment card information.
The company said a sophisticated dark web infrastructure allows threat actors to quickly set up new purchase scam sites and scale their operations. Aggressive promotional tactics, reminiscent of traditional marketing methods, abound within the underground economy, where compromised card data is offered for sale on dark web marketplaces like PP24.
With stolen payment cards, criminals finance advertising campaigns to proliferate purchase scams, thereby compromising additional payment card data, in an ongoing cycle of fraud.