The FBI has revealed that cybercriminals have stolen more than $262 million from US victims through account takeover scams in 2025 so far.
According to the agency, more than 5,100 complaints have already been filed this year, affecting individuals, businesses, and organizations across multiple industries. These incidents typically involve attackers gaining unauthorized access to financial accounts, payroll systems, or health savings accounts, then transferring funds out before victims realize anything is wrong.
Once control is established, criminals often move stolen money into cryptocurrency to obscure transaction trails and complicate recovery efforts.
Social engineering remains the primary attack vector
The FBI says most account takeover incidents rely on social engineering rather than technical exploits. Victims are manipulated into handing over login credentials, multi-factor authentication codes, or one-time passcodes.
“A cybercriminal manipulates the account owner into giving away their login credentials by impersonating a financial institution employee, customer support, or technical support personnel,” the FBI explained.
After obtaining access, attackers reset passwords, lock out the legitimate user, and initiate unauthorized transfers through the platform's own, legitimate workflows, which makes the fraud harder to detect immediately because nothing in the transaction itself looks technically anomalous.
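The sequence the FBI describes (new session, credential or contact-detail reset, then a transfer to a freshly added payee) is detectable as a pattern even when each individual step is a legitimate platform action. The following is an added example, not code from the FBI notice or from any named platform: it correlates events per user inside a time window and flags the takeover pattern. The log format and the sample events are constructed for illustration; the event names (`login`, `password_reset`, `contact_change`, `new_payee`, `transfer`) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ISO time> <user> <action> [key=value ...]").
# bob shows the full takeover chain inside one hour; carol's transfer comes a day later.
SAMPLE_LOG = """\
2025-11-14T09:02:11Z alice login device=known
2025-11-14T09:15:40Z alice transfer amount=120.00 payee=utility-co
2025-11-14T13:01:05Z bob login device=new
2025-11-14T13:03:22Z bob password_reset
2025-11-14T13:04:10Z bob contact_change field=email
2025-11-14T13:09:48Z bob new_payee payee=crypto-exchange
2025-11-14T13:11:02Z bob transfer amount=9800.00 payee=crypto-exchange
2025-11-14T18:30:00Z carol login device=new
2025-11-14T18:31:15Z carol password_reset
2025-11-15T10:00:00Z carol transfer amount=50.00 payee=grocer
"""

WINDOW = timedelta(minutes=60)
# Actions that an attacker typically performs to lock out the real owner (assumed names).
TAKEOVER_STEPS = {"password_reset", "mfa_reset", "contact_change", "new_payee"}


def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, attrs) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *kv = line.split()
        attrs = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, attrs))
    return events


def find_takeover_sequences(events, window=WINDOW):
    """Flag users where a new-device login is followed, within `window`,
    by at least one lockout step and then a transfer."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, action, attrs) in enumerate(evs):
            if action != "login" or attrs.get("device") != "new":
                continue  # only sessions from an unrecognised device start a window
            steps, transfer = set(), None
            for t, _, act, at in evs[i + 1:]:
                if t - t0 > window:
                    break  # outside the correlation window; stop scanning
                if act in TAKEOVER_STEPS:
                    steps.add(act)
                elif act == "transfer" and steps:
                    transfer = at  # first transfer after a lockout step
                    break
            if transfer:
                alerts.append({
                    "user": user,
                    "login_at": t0,
                    "steps": sorted(steps),
                    "amount": float(transfer["amount"]),
                    "payee": transfer["payee"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['user']}: {alert['steps']} then "
              f"{alert['amount']:.2f} to {alert['payee']} after login at {alert['login_at']}")
```

Only `bob` is flagged: the chain from new-device login to transfer completes in ten minutes. `carol` also resets her password after a new-device login, but her transfer falls outside the window, so the rule stays quiet; tightening or loosening `WINDOW` is the main tuning knob, and a real deployment would also weight the transfer amount and whether the payee was created inside the same window.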
AI is making phishing more convincing
Cybersecurity researchers warn that generative AI is significantly increasing the effectiveness of phishing campaigns.
Fortinet FortiGuard Labs recently reported identifying more than 750 malicious holiday-themed domains, many designed to exploit urgency around events such as Black Friday and Christmas. These campaigns often imitate well-known brands, including Amazon and Temu, lowering victims’ skepticism.
AI tools allow even low-skill attackers to produce realistic emails, websites, and advertisements that closely resemble legitimate services. This has expanded the scale and speed of account takeover operations.
Mobile and purchase scams drive direct financial loss
The FBI says mobile phishing has grown rapidly, with attackers using text messages and fake app updates to lure users into entering credentials or payment details.
Purchase scams are also becoming more prevalent. Victims are redirected to fraudulent e-commerce stores where they unknowingly authorize payments for goods that do not exist. Because the victim approves the transaction, it looks like an ordinary authorized purchase to the bank, which is often slower to flag it as fraudulent.
Some campaigns use multi-stage traffic filtering systems to identify vulnerable targets before sending them to final scam pages, increasing success rates and financial impact.
Exploited platforms and stolen data fuel repeat attacks
Threat actors continue to abuse vulnerabilities and misconfigurations in widely used platforms, including Adobe services, Oracle E-Business Suite, WooCommerce, and Magento.
Stolen payment card details are frequently sold on underground marketplaces, funding further attacks and enabling criminals to chain multiple fraud campaigns together. In some cases, attackers attempt repeated transactions against the same account to maximize losses before detection.
Why prevention still matters
The FBI emphasizes that account takeover scams succeed because victims unknowingly authorize access or payments.
While no defense is foolproof, layered security practices can significantly reduce risk. The agency stresses that protection depends on consistent implementation across all devices and accounts.
How to stay safe
- Limit the personal information you share online
- Monitor financial and account activity regularly
- Use unique, complex passwords for every service
- Verify website addresses before entering login details
- Be cautious of unsolicited messages claiming to be from banks or support teams
- Install and maintain reputable antivirus software
- Enable firewalls on all devices
- Use identity theft protection services where available
- Remain alert to AI-driven phishing techniques and evolving scam tactics
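The holiday-domain campaigns described above imitate brands such as Amazon and Temu, and the advice to verify website addresses before entering credentials is only useful if you know what to look for. The following is an added example, not code from the FBI, Fortinet or any brand owner: it normalizes a hostname (punycode, accents, digit-for-letter substitutions) and checks it against a short list of known brand domains for the common lookalike tricks. The brand list and the test hostnames are constructed for illustration.

```python
import unicodedata

# Constructed brand list: brand keyword -> the one registrable domain it legitimately uses.
BRANDS = {"amazon": "amazon.com", "temu": "temu.com"}

# Digits and symbols attackers substitute for letters (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats such as amazn."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_label(label):
    """Strip accents (NFKD) and map common homoglyphs so 'amaz0n' and 'ámazon' become 'amazon'."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", label)
                       if not unicodedata.combining(c))
    return stripped.translate(HOMOGLYPHS).replace("rn", "m")


def check_domain(host):
    """Return (verdict, reason, brand) for a hostname.

    verdict is 'legitimate', 'suspicious' or 'unknown'; reason names the lookalike trick."""
    host = host.lower().strip().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    try:
        host = host.encode("ascii").decode("idna")  # decode xn-- punycode labels
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; check the raw string instead

    # Exact brand domain or a subdomain of it is the real thing.
    for brand, legit in BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return ("legitimate", None, brand)

    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # naive registrable label
    norm = normalize_label(sld)
    subdomain_labels = {normalize_label(l) for l in labels[:-2]}

    for brand in BRANDS:
        if norm == brand:
            # Registrable label spells the brand after normalization but is not the real domain.
            return ("suspicious", "homoglyph" if sld != brand else "wrong_tld", brand)
        if brand in norm:
            return ("suspicious", "brand_embedded", brand)      # amazon-blackfriday-deals.shop
        if levenshtein(norm, brand) <= 1:
            return ("suspicious", "typosquat", brand)           # amazn.com
        if brand in subdomain_labels:
            return ("suspicious", "brand_in_subdomain", brand)  # amazon.com.order-verify.net
    return ("unknown", None, None)


if __name__ == "__main__":
    for h in ["www.amazon.com", "amaz0n.com", "amazon.shop", "amazon-blackfriday-deals.shop",
              "amazn.com", "amazon.com.order-verify.net", "temu-gift.top", "example.org"]:
        print(f"{h:35} -> {check_domain(h)}")
```

The check is deliberately conservative: `unknown` means only that no tracked brand was matched, not that the site is safe, and the homoglyph table will never be complete. What it does show is that a domain can look right to a human at a glance (`amaz0n.com`, `amazon.com.order-verify.net`) and still be nowhere near the brand's real registrable domain, which is the part of the address worth reading before typing a password.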