
FBI warns criminals are now bypassing MFA


The FBI has issued a nationwide warning that cybercriminals are impersonating financial institutions to steal money and personal information, fueling a surge in account takeover (ATO) fraud that has resulted in more than $262 million in losses this year.


What happened

The U.S. Federal Bureau of Investigation (FBI) announced that cybercriminals are increasingly impersonating financial institutions using calls, texts, emails, and fraudulent websites to trick victims into handing over login credentials, multifactor authentication (MFA) codes, or one-time passcodes.

Threat actors commonly use phishing websites, social engineering, and search engine optimization (SEO) poisoning to mimic legitimate institutions. Once they get access, attackers reset passwords, move funds into mule accounts, and launder the money through cryptocurrency wallets to obscure the financial trail.

The FBI warns that criminals often work in teams, with one impersonating a bank representative and another pretending to be law enforcement, pressuring victims into revealing their information.


Going deeper

Phishing and social engineering:

Attackers send emails and SMS messages, and place phone calls, claiming to alert victims to “fraudulent activity,” “unauthorized transfers,” or “security holds” on their accounts.

For example, attackers can use caller-ID manipulation to appear legitimate. Social engineers then script “urgent” conversations, so victims feel they must act immediately to prevent account closure.

MFA interception:

Attackers guide victims through fake “identity verification” steps where they tell victims to read back one-time MFA codes. Some groups use reverse-proxy phishing kits that capture MFA tokens, allowing account takeover.
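To show why a relayed one-time code is accepted while an origin-bound credential is not, here is a small Python model added as an example (it is not code from the FBI notice or from Paubox). The origins, the TOTP seed and the device secret are constructed, and an HMAC stands in for the WebAuthn signature so the script runs offline.

```python
import hashlib
import hmac
import struct
import time

# Constructed values: the bank's real origin, a look-alike proxy origin,
# a TOTP seed, and a device secret standing in for a WebAuthn private key.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"
TOTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-device-secret"

def totp(secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238 six-digit code: HMAC-SHA1 over the 30-second counter."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"

def bank_verify_totp(code: str, t: int) -> bool:
    """The code says nothing about where it was typed, so a relayed code passes."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))

def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """The browser records the origin it actually connected to and the
    authenticator signs it together with the challenge (WebAuthn clientData)."""
    client_data = f"{browser_origin}|{challenge.hex()}".encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def bank_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """The relying party rejects any assertion whose signed origin is not its own."""
    origin, _, chal_hex = assertion["client_data"].decode().partition("|")
    expected = hmac.new(DEVICE_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return (origin == REAL_ORIGIN and chal_hex == challenge.hex()
            and hmac.compare_digest(expected, assertion["sig"]))

def simulate_relay(now: int = 0) -> dict:
    """Victim logs in through the proxy, which forwards everything to the bank."""
    now = now or int(time.time())
    relayed_code = totp(TOTP_SECRET, now)          # victim reads the code to the phishing page
    challenge = b"\x01" * 16                       # constructed bank challenge, forwarded by the proxy
    relayed = authenticator_sign(challenge, PHISH_ORIGIN)  # the browser saw the proxy's origin
    direct = authenticator_sign(challenge, REAL_ORIGIN)    # genuine visit, for comparison
    return {"totp_relay_accepted": bank_verify_totp(relayed_code, now),
            "bound_relay_accepted": bank_verify_assertion(relayed, challenge),
            "bound_direct_accepted": bank_verify_assertion(direct, challenge)}
```

The relayed TOTP code is accepted because the bank cannot tell where it was entered; the relayed origin-bound assertion is rejected because the signed origin is the proxy's, not the bank's.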

SEO poisoning:

This happens when threat actors buy ads or manipulate search results so fake banking sites appear above the legitimate ones. For example, if someone searches for “Bank login,” “customer support,” or “fraud hotline,” they could click the fraudulent link, where they are prompted to enter credentials that connect them to the attackers.
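A defender's first step against poisoned results is to spot look-alike domains before users do. The following triage script is an added example (not from the article or the FBI notice); the brand domain, the candidate list and the confusable-character table are constructed, and the script assumes a single-label TLD.

```python
import unicodedata

# Constructed sample data (not real indicators): one legitimate bank domain and
# domains of the kind that surface in sponsored results or new-registration feeds.
BRAND_DOMAINS = {"examplebank.com"}
CANDIDATES = ["examplebank.com", "examp1ebank.com", "exampIebank.com",
              "ex\u0430mplebank.com", "examplebank-login.com",
              "customer-support-examplebank.net", "bank-login-help.com"]

# Digits, capital I and Cyrillic letters that render like Latin letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "I": "l",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def skeleton(label: str) -> str:
    """Reduce a label so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKC", label).translate(CONFUSABLES).lower()
    return s.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> str:
    """Label one domain relative to the brand list (assumes a single-label TLD)."""
    label = skeleton(domain.rsplit(".", 1)[0])
    for brand in BRAND_DOMAINS:
        brand_label = skeleton(brand.rsplit(".", 1)[0])
        if domain.lower() == brand:
            return "legitimate"
        if label == brand_label:
            return "lookalike:confusable"
        if levenshtein(label, brand_label) <= 2:
            return "lookalike:typo"
        if brand_label in label:
            return "lookalike:brand-embedded"
    return "no-brand-match"

def triage(domains=CANDIDATES) -> dict:
    """Map each candidate to its classification for review or blocklisting."""
    return {d: classify(d) for d in domains}
```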

What was said

The FBI’s warning states, “By openly sharing information like a pet's name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions.”

“Watch for irregularities, such as missing deposits or unauthorized withdrawals, wire transfers, or expenditures.”

Lastly, “Enable two-factor authentication or MFA on any account possible. Never disable it.”

According to Jim Routh, chief trust officer at Saviynt, “The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions.”

“The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval. The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.”


By the numbers

  • $262 million in reported ATO losses this year
  • 5,100+ complaints submitted to the FBI
  • 750+ malicious holiday-themed domains registered in the past 3 months (Fortinet)
  • 1.57 million stolen login accounts connected to major e-commerce sites are circulating underground (Fortinet)
  • 4× increase in mobile phishing sites (Zimperium)

Why it matters

ATO fraud is rising across financial services and healthcare, and its techniques mirror those seen in email compromise, spoofed healthcare portals, and insurance login fraud, affecting HIPAA-regulated industries.


The bottom line

Since attackers are weaponizing AI, spoofed caller IDs, and SEO-poisoned search results, healthcare organizations need stronger identity protections and to improve their vigilance.

Moreover, organizations must use a HIPAA-compliant email solution, like Paubox, that offers advanced encryption, MFA, and other security measures to mitigate the risk of potential breaches.

Learn more: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

How do scammers make their messages look legitimate?

They spoof caller ID, mimic real bank email domains, copy official logos, and use urgent language to make the message feel authentic and time-sensitive.


What is MFA interception?

Multifactor authentication (MFA) interception happens when attackers deceive you into revealing your one-time passcodes through fake “verification” steps that allow them to access your account.

Can scammers bypass strong passwords?

Yes. If an attacker gets someone’s MFA code or tricks them into approving a login request, they can get into their account even if the password is long and complex.
