Account Takeover Fraud Causes $262 Million In Losses, FBI Reports

11

Account takeover fraud caused $262 million in losses in 2025, the FBI reports. Criminals are escalating techniques to seize bank, email, and financial accounts.

The bureau urges consumers and businesses to strengthen authentication, monitor transactions, and report incidents quickly at IC3.gov.

Security teams should reassess identity controls as phishing, social engineering, malware, and MFA bypass tools fuel account takeover fraud at scale.

Account Takeover Fraud: What You Need to Know

• FBI attributes $262 million fraud losses in 2025 to Account Takeover Fraud; deploy phishing resistant MFA, monitor accounts, and report fast to IC3.

---

Understanding Account Takeover Fraud

The FBI’s latest alert highlights a costly surge in account takeover fraud, with reported losses reaching $262 million in 2025. In these schemes, criminals gain unauthorized access to bank, brokerage, ecommerce, email, or social media accounts.

They then drain funds, change passwords, and lock out legitimate owners. Because account takeover fraud often begins with a single exposed credential, the blast radius can spread across multiple linked services.

According to the FBI, account takeover fraud typically starts with phishing emails, fake login pages, or text messages that harvest usernames, passwords, or one-time passcodes.

Threat actors deploy malware and info stealers that log keystrokes, exfiltrate cookies, and capture saved credentials, which accelerates account takeover fraud at scale. For a recent example of scaled phishing that feeds takeovers, see this analysis of a PayPal phishing campaign tied to account takeovers.

How criminals pull it off

Threat actors blend social engineering and technical methods to execute account takeover fraud. Common techniques include:

• Credential stuffing with data from prior breaches
• SIM swapping to intercept SMS one-time codes
• Adversary in the middle pages that capture MFA tokens in real time

Once account takeover fraud succeeds, actors add new payees, set forwarding rules in email, and move money quickly through mules and cryptocurrency channels. AI-driven password guessing is compounding the problem; learn more about how AI can crack your passwords.

Who is being targeted

Both individuals and organizations are regular victims of account takeover fraud. Consumers are hit via financial apps, digital wallets, and bank accounts.

Businesses see takeovers of email and finance systems that enable invoice fraud, payroll redirects, and downstream compromise.

The FBI cybercrime report 2025 indicates continued blending of phishing and social engineering behind $262 million fraud losses tied to account takeover fraud.

What the FBI recommends now

To reduce the risk and impact of account takeover fraud, the FBI advises immediate reporting to the Internet Crime Complaint Center at IC3.gov, along with prompt contact with financial institutions to freeze or reverse transactions. The agency also recommends:

• Enable phishing resistant MFA, such as hardware security keys or app based codes, instead of SMS.
• Use a password manager to generate unique, strong passwords for every account.
• Turn on transaction alerts and review account and email activity daily.
• Update operating systems and browsers quickly to limit token and cookie theft.
• Avoid unsolicited links and login prompts; navigate directly to known sites.

For additional guidance, see the FBI’s resources on identity protection and reporting and CISA’s multi factor authentication best practices.

References: FBI: Identity Theft and Online Scams and CISA: Implementing MFA. Also review how kits bypass MFA in this primer on 2FA phishing-as-a-service.

Following the money in $262 million fraud losses

After account takeover fraud, criminals monetize access quickly. They initiate Zelle or wire transfers, change direct deposits, redeem rewards, and alter contact details to retain control.

Businesses often face modified invoices or payroll instructions, with emails altered to mask changes. These patterns contributed to the $262 million fraud losses tracked so far in 2025 by the FBI Cybercrime Report 2025.

Rapid detection and response improve outcomes. The faster victims notify banks and IC3, the greater the odds of freezing funds and limiting the downstream damage of account takeover fraud.

What This Means for Consumers and Businesses

Advantages: The FBI warning gives organizations a clear basis to prioritize defenses against account takeover fraud. Alignment on phishing-resistant MFA, password managers, and continuous monitoring can shrink exposure.

Clear reporting channels through IC3 improve recovery chances and support disruption of fraud operations.

Disadvantages: Attackers are improving MFA evasion and exploiting vast breach data, so baseline controls may be insufficient.

Smaller organizations and families may struggle with layered defenses as account takeover fraud tactics evolve and phishing becomes more convincing.

Conclusion

The FBI’s advisory is clear. Account takeover fraud is accelerating and expensive. With $262 million fraud losses already documented in 2025, prevention and speed matter.

Start with phishing resistant MFA, unique passwords managed in a reputable vault, and tight monitoring of financial and email accounts. These steps make account takeover fraud harder and reduce impact.

If you suspect an incident, contact your bank immediately and file a report with IC3.gov. Early action can help freeze funds, restore access, and support law enforcement efforts to dismantle account takeover fraud operations.

Questions Worth Answering

What is account takeover fraud?

It occurs when criminals gain unauthorized access to online accounts such as banking or email to steal money, change settings, and lock out the owner.

How do attackers bypass MFA?

They use SIM swaps, adversary in the middle phishing pages, malware that steals session cookies, and social engineering to capture one time codes.

What should I do if my account is compromised?

Contact your bank or provider immediately, reset passwords, revoke active sessions, enable stronger MFA, and file a complaint at IC3.gov.

Which accounts are most targeted?

Financial apps, bank accounts, email, and corporate systems tied to payroll or invoicing are frequent targets for rapid monetization.

How can I prevent account takeover fraud?

Use a password manager, enable phishing resistant MFA, monitor transactions, patch devices and browsers, and avoid clicking login links in unsolicited messages.

Does reporting to IC3 help?

Yes. Prompt reporting improves fund recovery odds and helps the FBI identify patterns to disrupt criminal activity.

Are businesses facing unique risks?

Yes. Takeovers of email and finance systems enable payroll redirects, fraudulent invoices, data theft, and deeper compromise across the organization.

About the Federal Bureau of Investigation (FBI)

The Federal Bureau of Investigation is the United States’ premier federal law enforcement agency with mandates that include cybercrime, fraud, and national security.

Through the Internet Crime Complaint Center, the FBI collects complaints, coordinates investigations, and issues public advisories for victims and organizations.

The bureau partners with international, federal, state, and local agencies to disrupt criminal networks and protect the public from online and financial crime.