It's Easier to Fall for a Bank Fraud Scam Than You Think

The FBI's Internet Crime Complaint Center (IC3) is warning consumers about a type of fraud in which threat actors pretend to be from trusted financial institutions in order to obtain login credentials and gain access to financial and personal data.

The consequences are high: With stolen credentials, scammers can gain full control of your accounts and your money. According to the FBI advisory, criminals will quickly wire funds from your bank to cryptocurrency wallets, making the money nearly impossible to trace and recover, and lock you out of your account in the process.

Here's how account takeover scams work—and how to avoid becoming a victim.

Account takeover scams may impersonate your bank

Most account takeover scams use social engineering: a series of tactics designed to manipulate you into giving up personal information, downloading malware, or paying money to bad actors. Scammers impersonate financial institution employees as well as customer support and technical support staff and reach out to targets via text, call, or email to say that their account has been compromised in some way.

They may tell you that there have been fraudulent charges on your account and send you a link to report the fraud—but this is actually a phishing site designed to harvest your login credentials. They may ask directly for your username, password, or multi-factor authentication (MFA) code over the phone. In some cases, they may even claim that your information was used to buy firearms and pass you off to a second scammer impersonating law enforcement. They're counting on you to feel fear and confusion and act quickly to "resolve" the issue by handing over your information.

The FBI has also identified a version of account takeover using search engine optimization (SEO) poisoning, in which scammers buy ads that appear to be for legitimate businesses but actually allow them to place malicious links to spoofed bank websites higher in search results.

How to avoid falling for account takeover scams

While being targeted for an account takeover may be unavoidable, there are a few red flags that can help you identify the fraud before it goes south.

First, you should always be wary of calls, texts, emails, and other communication (such as social media messages) from someone claiming to be from your bank or creditor, especially if they ask for personal information like your username, password, or time-based one-time password (TOTP). Reputable institutions will not contact you to request your credentials or other sensitive data—so these are almost certainly phishing attempts.

You should also be wary of trusting websites that look like they belong to your financial institution, especially if you click to them from a browser search. Cybercriminals can easily build convincing (but spoofed) websites and place the malicious links at the top of search results. Bookmark the trusted link rather than going through a search engine, or use the verified app on your mobile device. Always avoid clicking directly from unsolicited communication, and check URLs and email addresses carefully, as scammers can also use homographs to hide malicious links.

Finally, protect your personal information. Use complex, unique passwords stored securely (such as in a password manager), enable a stronger form of MFA (and never give away codes), and limit what you share online. Scammers may use what you've posted—like your date of birth, pet's name, or information about family members—to get past your security questions, guess your password, or make an impersonation attempt sound more convincing.

The IC3 also recommends monitoring your financial accounts for irregularities, such as unauthorized withdrawals or transfers, which may be a sign of an account takeover. Consider setting up transaction alerts with your financial institutions to be notified immediately of any suspicious activity.