An FBI/IC3 advisory highlighted more than $262 million in reported account‑takeover (ATO) losses in 2025 with over 5,100 complaints to date. The bureau cautioned that criminals increasingly use social engineering, smishing/vishing and holiday-themed phishing pages to seize credentials, MFA codes and rapidly move funds into crypto wallets.

The FBI’s Internet Crime Complaint Center (IC3) advisory and subsequent reporting documented a steep rise in account‑takeover fraud through 2025, accounting for more than $262 million in reported victim losses and upwards of 5,100 complaints so far. Attackers impersonate bank or payroll support, contact centers and internal IT teams, leveraging tailored social engineering and real-time voice/text fraud to obtain passwords and multi‑factor authentication codes. The advisory noted a growing trend: threat actors use holiday promotion lures and phishing sites to accelerate credential collection and then funnel proceeds into cryptocurrency wallets to obfuscate trails and launder funds. The bureau urged rapid reporting to IC3 and financial institutions, adoption of phishing‑resistant MFA (hardware tokens or app-based authenticators), and implementation of improved transaction monitoring by banks. Public guidance emphasized never sharing one‑time codes, verifying communications through established phone numbers, and using dedicated devices or verifiers for sensitive financial actions to reduce the ATO attack surface during peak shopping seasons.