FBI says cybercriminals stole $262 million in account-takeover schemes since January

The FBI warned of a surge in account takeover fraud this year, saying cybercriminals impersonating financial institutions have stolen more than $262 million since January. The bureau’s Internet Crime Complaint Center (IC3) has received over 5,100 complaints involving individuals, businesses and organizations across multiple industry sectors.

According to the IC3, criminals gain unauthorized access to online bank, payroll or health savings accounts through social engineering techniques and fraudulent websites. After gaining control of accounts, attackers frequently wire funds to cryptocurrency wallets and often change account passwords, locking legitimate owners out. The agency warned in an IC3 public service announcement issued yesterday that funds are disbursed quickly and are difficult to trace and recover.

Fraudsters typically impersonate bank staff or customer support personnel via text messages, phone calls or email to obtain login credentials and one-time authentication codes. Stolen credentials are then used to log in to financial websites and initiate password resets to seize control of victims’ accounts.

Victim reports cited by the IC3 indicate some attackers have falsely claimed victims’ information was used in fraudulent transactions, including fabricated firearm purchases, to persuade targets to visit phishing sites or hand over sensitive data to second-stage impersonators. The FBI also said some phishing sites are promoted through ads and other tactics that can push fraudulent pages to the top of search results.

The FBI advised account holders to monitor financial activity, use unique complex passwords, enable multi-factor authentication and use bookmarks rather than search results to reach banking sites. Victims should immediately contact their financial institution to request a recall and obtain hold-harmless or indemnification documents, and are encouraged to file complaints with IC3 including detailed information about criminal financial accounts and impersonated companies.