It’s Easier to Fall for Bank Fraud Than You Think.
The FBI’s Internet Crime Complaint Center (IC3)is warning consumers about a scam in which criminals impersonate employees of trusted financial institutions to obtain login credentials and access financial and personal information.
The consequences will be severe: stolen credentials will allow fraudsters to gain complete control over your accounts and your money. According to FBI recommendations, criminals will quickly transfer funds from your bank to cryptocurrency wallets, making it virtually impossible to trace and recover these funds, and also depriving you of access to your account.
Here’s how account theft scams work and how to avoid becoming a victim.
Account theft scammers may impersonate your bank.
Most account theft scams use social engineering : a series of tricks designed to trick you into providing personal information, downloading malware, or paying the scammers. Fraudsters impersonate financial institution employees, as well as customer support and technical support specialists, and contact victims via text messages, phone calls, or emails to inform them that their account has been compromised.
They may inform you of fraudulent charges on your account and send you a link to report the fraud, but in reality, it’s a phishing site designed to harvest your credentials. They may directly ask you for your username, password, or multi-factor authentication (MFA) code over the phone. In some cases, they may even claim your information was used to purchase a firearm and pass you on to another scammer posing as a law enforcement officer. They’re counting on you to feel fear and confusion, and quickly “resolve” the issue by providing your information.
The FBI also identified an account takeover variant using SEO poisoning, in which scammers purchase ads that appear to be from legitimate companies but actually allow them to place malicious links to fake banking sites higher in search results.
How to avoid becoming a victim of account hacking scams
While it may be impossible to avoid account takeover, there are a few warning signs that can help you spot a scam before it gets serious.
First, you should always be wary of calls, texts, emails, and other messages (such as social media posts) from people claiming to be from your bank or lender, especially if they ask for personal information like your username, password, or time-based one-time password (TOTP). Trustworthy organizations won’t contact you to request your login credentials or other sensitive information, so such messages are almost certainly phishing attempts.
You should also be cautious and distrustful of websites that appear to be from your financial institution, especially if you access them through a browser search. Cybercriminals can easily create convincing (but fake) websites and place malicious links at the top of search results. Bookmark a trusted link rather than using a search engine, or use a trusted app on your mobile device. Always avoid clicking links from unsolicited messages, and carefully check URLs and email addresses, as scammers can also use homographs to disguise malicious links .
Finally, protect your personal information. Use complex, unique passwords stored securely (for example, in a password manager ), enable a stronger form of multi-factor authentication (MFA ) (and never share your codes), and limit the amount of information you share online. Scammers can use what you share—such as your birthday, pet’s name, or information about family members—to bypass your security questions, guess your password, or create a more convincing illusion of impersonation.
IC3 also recommends monitoring your financial accounts for irregularities, such as unauthorized withdrawals or transfers, which could indicate a breach. Consider setting up transaction alerts with your financial institutions to receive immediate notifications of any suspicious activity.