Banks face new risks as account takeover fraud spikes 250%

  • Supporting data: Since January 2025, the FBI has logged over 5,100 complaints of account takeover fraud, resulting in losses exceeding $262 million.
  • What's at stake: A recent court ruling against Citibank challenges industry norms, potentially making banks liable for unauthorized wire transfers under the EFTA.
  • Key insight: Regulators are urging banks to abandon single-point defenses in favor of "Protect, Detect, Respond" frameworks and rigorous employee training.

Overview bullets generated by AI with editorial review

The FBI has issued a warning about a surge in account takeover fraud schemes where criminals impersonate financial institution support staff to harvest credentials, a trend that is rapidly increasing fraud losses and liability exposure for the banking sector.

Since January 2025, the FBI's Internet Crime Complaint Center, or IC3, has received more than 5,100 complaints regarding account takeover fraud, with losses exceeding $262 million, according to a Nov. 25 public service announcement from the bureau.

For financial institutions, the threat is twofold: Criminals are leveraging the trusted brand reputation of banks to deceive consumers, and legal developments this year suggest banks may increasingly bear the cost of the resulting unauthorized transfers.

The FBI alert details sophisticated social engineering techniques where cybercriminals manipulate account owners into divulging login credentials, multifactor authentication codes, or one-time passcodes. Perpetrators often pose as bank employees, customer support or technical support personnel.

In a particularly aggressive tactic known as search engine optimization poisoning, criminals purchase advertisements that mimic legitimate business ads. These ads direct customers searching for a bank's website to sophisticated phishing sites designed to harvest login information.

Once inside, theft is effectively immediate.

"Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts," according to the FBI alert.
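The takeover-then-drain sequence described above (credentials harvested, attacker logs in, funds wired out within minutes) is also a detection opportunity for the bank. The following Python is an added illustration, not code from the FBI alert or from any institution the article cites; the event format, the baseline of known devices and payees, and the 10-minute/$1,000 thresholds are all assumptions made here to show the idea. It flags an outbound wire to a never-before-paid beneficiary that follows closely after a login from a device the account has not used before.

```python
"""Detect the takeover-then-drain pattern: a login from an unseen device
followed, within a short window, by a wire to a payee the account has
never paid. Added example; log format and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs).
# Format: <ISO timestamp> <event> key=value ...
SAMPLE_EVENTS = """\
2025-11-20T09:01:05Z login acct=1001 device=dev-A
2025-11-20T09:03:40Z wire acct=1001 payee=P-77 amount=1500.00
2025-11-20T10:15:00Z login acct=2002 device=dev-Z
2025-11-20T10:18:30Z wire acct=2002 payee=P-999 amount=48000.00
2025-11-20T11:00:00Z login acct=1001 device=dev-A
2025-11-20T11:02:00Z wire acct=1001 payee=P-77 amount=200.00
"""

# Constructed baseline: devices and payees each account has used before.
KNOWN_DEVICES = {"1001": {"dev-A"}, "2002": {"dev-B"}}
KNOWN_PAYEES = {"1001": {"P-77"}, "2002": {"P-12"}}


def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp and event type."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def find_drain_alerts(text, known_devices, known_payees,
                      window=timedelta(minutes=10), min_amount=1000.0):
    """Return one alert per wire that matches the new-device -> new-payee
    pattern inside `window`. A later login from a known device clears the
    suspicion so routine activity is not flagged."""
    last_new_device_login = {}   # acct -> timestamp of most recent unseen-device login
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        acct = ev["acct"]
        if ev["event"] == "login":
            if ev["device"] not in known_devices.get(acct, set()):
                last_new_device_login[acct] = ev["ts"]
            else:
                last_new_device_login.pop(acct, None)
        elif ev["event"] == "wire":
            amount = float(ev["amount"])
            new_payee = ev["payee"] not in known_payees.get(acct, set())
            t0 = last_new_device_login.get(acct)
            if (t0 is not None and new_payee and amount >= min_amount
                    and ev["ts"] - t0 <= window):
                alerts.append({
                    "acct": acct,
                    "payee": ev["payee"],
                    "amount": amount,
                    "minutes_after_login": (ev["ts"] - t0).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_drain_alerts(SAMPLE_EVENTS, KNOWN_DEVICES, KNOWN_PAYEES):
        print("HOLD for review:", alert)
```

On the constructed sample, only account 2002 is flagged: the login from `dev-Z` is unseen for that account and the $48,000 wire to a new payee follows three and a half minutes later. Account 1001's wires go to a payee it has paid before from a device it has used before, so they pass. In production the natural response to such a hit is to hold the wire and confirm with the customer over a known phone number, which is the out-of-band verification the article's later recommendations call for.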

Rising costs and operational strain

In 2024, account takeover (often shortened to ATO) incidents surged by 250%, according to a report from security firm Kasada. The company attributed the spike to strategic credential stuffing campaigns and seasonal traffic spikes.

The financial sector is in the crosshairs. Attacks on fintech and finance organizations increased 122% year over year, according to a third-quarter report from fraud prevention company Sift.

Beyond direct financial loss, businesses face "operational strain" as they must allocate resources to customer support, incident management and legal repercussions, according to the Kasada report.

Furthermore, a recent survey of business leaders conducted by Transunion found that 7.7% of annual revenue was lost to fraud in the last year, with nearly a quarter of respondents citing scam or authorized fraud as the leading source of loss.

Potential liability shift and a legal wake-up call

While the reputational damage of having one's brand impersonated is significant, the direct liability for these losses is becoming a pressing legal concern.

Historically, banks have relied on the distinction between consumer negligence and bank error.

However, under the Electronic Fund Transfer Act, or EFTA, and Regulation E, if a consumer is fraudulently induced into sharing access information, the resulting transfer is often considered an "unauthorized electronic fund transfer," according to guidance the Consumer Financial Protection Bureau issued in November 2021.

This distinction caps consumer liability significantly, according to the bureau.

"Negligence by the consumer in these situations … cannot be used as a basis for imposing greater liability on the consumer than allowed under Regulation E," according to the bureau's 2021 guidance.

As the Trump administration neutralizes the CFPB, other institutions are filling the gaps it has left, and a recent court decision in the Southern District of New York has challenged long-held industry assumptions regarding wire transfers.

In January, the court ruled in favor of New York Attorney General Letitia James in a lawsuit against Citibank, determining that the EFTA does apply to consumer wire transfers.

"The ruling would make Citibank, and banks generally, liable under the EFTA for unauthorized consumer wire transfers, even if the bank otherwise followed UCC Article 4A," according to a February 2025 analysis from law firm Dickinson, Bradshaw, Fowler & Hagen.

Citi has since appealed the decision. The most recently available public information indicates the deadline for final briefs on the matter is March 13, 2026.

What banks can do to reduce account takeover losses

Regardless of whether the liability landscape for unauthorized transfers changes, banks have a variety of incentives to prevent account takeovers, including reducing the reputational damage of scams and fraud against bank customers.

Industry experts and regulators have urged financial institutions to abandon single-point defenses in favor of dynamic, layered security strategies.

Financial institutions must accept that "single-factor authentication, either alone or in combination with layered security, is inadequate" for high-risk transactions, according to 2021 guidance on authentication from the Federal Financial Institutions Examination Council.

The council recommended implementing multifactor authentication that utilizes distinct factors — such as "something you know, something you have, and something you are" — to mitigate the risk of compromised credentials.

Beyond technology, banks must enforce rigorous internal controls, particularly regarding wire transfers and administrative changes.

"Any change to vendor banking details, password reset, or wire transfer should require a second confirmation through a known phone number or an in-person conversation," according to a 2024 report from accounting firm Purk & Associates.

The Conference of State Bank Supervisors and the Texas Bankers Electronic Crimes Task Force advise banks to adhere to a "Protect, Detect, Respond" framework. This includes:

  • Recommend that corporate clients transmit wire and ACH instructions via a dedicated, isolated device to minimize malware exposure.
  • Enforce dual customer authorization through different access devices for high-risk transactions.
  • Verify transactions via a different communication channel than the one used to initiate the request.
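The controls above, together with the Purk & Associates recommendation that vendor banking changes, password resets and wires get a second confirmation through a known channel, can be expressed as a release gate that a payment system runs before a high-risk instruction is executed. The Python below is an added example written for this article; it is not code from the Conference of State Bank Supervisors, the Texas Bankers Electronic Crimes Task Force or any bank, and its data model, the $10,000 high-risk threshold and the channel names are assumptions. It checks three things: two distinct approvers, approvals from different access devices, and a confirmation over a channel other than the one used to initiate.

```python
"""Release gate for high-risk payment instructions: dual authorization from
different access devices plus out-of-band confirmation. Added example; the
data model, threshold and channel names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

HIGH_RISK_THRESHOLD = 10_000.00   # assumed; a real value comes from the bank's risk policy


@dataclass
class Approval:
    user: str         # who approved
    device_id: str    # the access device the approval came from


@dataclass
class Instruction:
    kind: str                     # "wire", "ach" or "beneficiary_change"
    amount: float
    initiator: str
    init_device: str
    init_channel: str             # e.g. "online_banking"
    approvals: List[Approval] = field(default_factory=list)
    confirmation_channel: Optional[str] = None   # e.g. "callback_known_phone"


def is_high_risk(instr: Instruction) -> bool:
    """Beneficiary/vendor detail changes are always high risk; money
    movement is high risk above the threshold."""
    return instr.kind == "beneficiary_change" or instr.amount >= HIGH_RISK_THRESHOLD


def evaluate(instr: Instruction):
    """Return (allowed, reasons). Every failed control is listed so an
    operator sees all gaps at once rather than fixing them one by one."""
    if not is_high_risk(instr):
        return True, []
    reasons = []
    # The initiator counts as one party; a second, different person must approve.
    approvers = {a.user for a in instr.approvals} | {instr.initiator}
    # Approvals must not all come from the device used to initiate
    # (a compromised device could otherwise supply both sides).
    devices = {a.device_id for a in instr.approvals} | {instr.init_device}
    if len(approvers) < 2:
        reasons.append("dual authorization: needs a second, distinct approver")
    if len(devices) < 2:
        reasons.append("dual authorization: approvals must come from different access devices")
    if instr.confirmation_channel is None or instr.confirmation_channel == instr.init_channel:
        reasons.append("out-of-band: confirm via a channel other than the initiating one")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed instruction that satisfies every control.
    ok_wire = Instruction("wire", 48000.0, "alice", "dev-1", "online_banking",
                          [Approval("bob", "dev-2")], "callback_known_phone")
    # Constructed instruction where the same person approved from a second device.
    self_approved = Instruction("wire", 48000.0, "alice", "dev-1", "online_banking",
                                [Approval("alice", "dev-2")], "callback_known_phone")
    for name, instr in [("ok_wire", ok_wire), ("self_approved", self_approved)]:
        print(name, evaluate(instr))
```

The gate treats a beneficiary change as high risk regardless of amount, because the article's point is that the fraud often starts with an administrative change before any money moves. Note that a session-bound "confirm" button inside online banking does not satisfy the out-of-band check: an attacker who holds the session can click it too, which is why the confirmation channel must differ from the initiating one.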

Because social engineering often targets human vulnerabilities, employee training remains a critical defense layer. Tellers and call center staff must be trained to identify the specific red flags of ATO, such as an account holder who appears to be under duress or coaching during a transaction.

"Your employees play a powerful role in fraud detection and prevention," but without proper training, they can inadvertently increase risk, according to a June 2023 blog post from SQN Banking Systems.

The firm advises banks to customize training based on roles; for example, call center representatives should be specifically versed in the signs of identity theft and account takeover, as fraud often originates before money physically changes hands.

Finally, speed is essential when prevention fails. The FBI advises institutions to contact the originating financial institution immediately upon recognizing fraud to request a recall or reversal and a "hold harmless letter."

Banks should also have a plan to "immediately attempt to reverse all suspected fraudulent transactions," keeping in mind that recovery capability diminishes in minutes, not hours, according to the guidance from the Conference of State Bank Supervisors.

This includes maintaining readiness to send a "Fraudulent File Alert" through the Federal Reserve's FedLine system to halt funds before they are withdrawn by criminals.
