Criminals have long sought ways to steal consumers’ personal financial information. Before online transactions became commonplace, crooks would sometimes steal checks out of the mail or trash, which is still a real threat. Some of today’s extremely sophisticated criminals even try to steal consumers’ personal information and money by impersonating individuals, businesses, and organizations in what are called account takeover (“ATO”) fraud schemes.
Here's how it works. Once the cyber criminals gain access to a customer’s payroll, health savings, or other type of online account, they can co-opt the personal profiles and change passwords, add new contact information, initiate transfers, make purchases, or open new accounts in their names. ATO gives criminals complete control over an existing account and all information found on the online profile (either for their immediate misuse or down the line). This makes it harder to spot quickly, so the damage can spread to other accounts before someone even knows it’s taken place. But there are ways to help protect yourself and your finances.
Common methods of attack
ATO fraud is the direct effect of scams, which rely on urgency, trust, and human behavior. Criminals are able to exploit everyday digital habits and do a lot of harm at full tilt through manipulation and stolen information schemes, such as:
- Social engineering. Scammers send emails, texts, or phone calls that appear to come from technical support, customer service representatives, or other employees of trusted organizations, like banks, credit cards, retailers, or government agencies. These seemingly urgent messages may report fraudulent transactions and ask you to “verify” your account or click a link, tricking you into sharing passwords or one‑time codes. The criminal then logs in as you to gain full control of your accounts, locking you out and making purchases or syphoning your funds.
- Fake (phishing) websites. Lookalike web pages can deceive you into unknowingly releasing usernames and passwords to fraudsters instead of legitimate authorities. If login information is used for multiple accounts, criminals can move speedily, before you know what’s happened.
- Search engine optimization (SEO) poisoning. Criminals can buy ads that mimic lawful businesses and lead you to a fraudulent online presence. If you’re innocently searching for a company you do business with using Google or another search engine, you could easily be fooled by the authentic appearance of the sponsored ad, typically prominently featured at the top of the search results. Once you log in, criminals act quickly and can wire funds to their own accounts.
- Malware and spyware. Malicious software installed through infected downloads or fake apps can capture keystrokes, record login credentials, or monitor activity on your device.
Real-life ATO scenarios
Understanding how ATO actually unfolds makes it easier to recognize warning signs and avoid becoming a victim. Be on the lookout for:
1. Phishing attempts
Once criminals gain access to a consumer’s email account, they monitor messages, delete security alerts, and intercept password reset emails from the bank. In control of the email account, they can reset banking passwords and take over the financial account without triggering immediate suspicion. Additionally, criminals often set up email rules, such as auto-forwards, that send your messages to the fraudster’s personal email. This allows them continued access to your email, even after you have changed your password.
Key lesson: Securing your email account is critical—email access often enables takeover of multiple financial accounts.
2. Bank text messages
Consumers may receive a text claiming to be from their bank, warning of “suspicious activity” and urging them to click a link immediately. The link leads to a convincing replica of the bank’s website, where the consumer enters their username, password, and one‑time verification code. Within minutes, the criminal logs into the real account, changes the password, updates the contact information, and transfers funds to an external account. By the time the consumer realizes something is wrong, they are locked out of their account.
Key lesson: Legitimate banks do not contact customers to ask for passwords or security codes over the phone.
3. Phone scams that target seniors
Criminals may single out older adults, posing as their bank’s fraud department. The caller claims unauthorized transactions were detected and pressures them to “verify” their account by providing login details and verification codes. Within hours, the account is taken over and funds are transferred. The victim feels embarrassed and delays reporting the fraud, increasing the financial loss.
Key lesson: Legitimate banks do not typically ask for passwords or security codes over the phone.
4. Debit card ATO
After a retailer suffers a large data breach, criminals can access consumers’ email addresses and passwords. Because consumers often reuse the same password for multiple financial accounts, criminals can log in using automated tools. Fraudsters use these tools to determine which other websites (and banks) the customer may be using the same password for. This can lead not only to traditional ATO; criminals also often use the breached credentials to log in and initiate small test transfers before draining a large portion of the balance overnight.
Key lesson: Reusing passwords across sites dramatically increases vulnerability after data breaches.
5. Mobile app malware
Consumers may download what appears to be a legitimate budgeting or rewards app from an unofficial website, but the app contains malware that records keystrokes and captures login credentials when they sign in to their banking app. Fraudsters later use those credentials to log in from a different device and initiate unauthorized payments.
Key lesson: Only download apps from official app stores and keep mobile devices updated.
Warning sign checklist
Don’t wait to act if you see red flags that your account may have been compromised:
- Do you have trouble logging in because your password has changed?
- Have you received unexpected password reset emails, security alerts, notification of transactions you don’t recognize, or alerts about logins from unfamiliar locations or devices?
- Have new contact details or payment methods been added to your account?
Take the following steps to guard against ATO
ATO can lead to financial loss, credit damage, stress, frustration, and many hours spent contacting banks, credit bureaus, and merchants. While no method is foolproof, taking these steps dramatically lowers your risk.
- Use strong, unique passwords. Create a different password for every financial account. Passwords should be long, complex, and unrelated to personal details. A reputable password manager can help you store them securely.
- Enable multi‑factor authentication (MFA). MFA adds an extra layer of security, such as a one‑time code sent to your phone or generated by an authenticator app. Even if a criminal has your password, MFA can stop them from logging in.
- Be skeptical of messages. Banks and credit card companies typically don’t ask for passwords or full security codes. Don’t click links or respond to unexpected messages—contact the company directly using official contact information.
- Monitor accounts regularly. Check bank and credit card activity frequently. Set up account alerts for logins, password changes, and transactions so you’re notified quickly if something changes.
- Keep devices secure. Install updates for your devices and apps promptly. Use antivirus software, avoid public Wi‑Fi for financial transactions, and download apps only from trusted app stores.
What to do if your account is taken over
If you suspect you have been the victim of ATO:
- Contact your financial institution immediately to freeze or secure the account; M&T customers should call 1-800-724-2440 (Mon.–Fri., 6am–9pm ET; Sat.–Sun., 9am–5pm ET)
- Change passwords on affected accounts and any others using the same credentials
- Review transactions and report unauthorized activity
- Monitor your credit and consider placing a fraud alert or credit freeze if personal information is compromised
- File a report with the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov
Always stay one step ahead
Criminals are continually trying to up their game. You can do the same and significantly reduce your exposure to financial fraud by staying vigilant, being informed, practicing good digital habits, and reacting quickly to warning signs. Your accounts are valuable—not just for money, but for your identity and peace of mind. Treat online security as an essential part of financial health.
Why do we ask so many questions?
When you call M&T, you may be asked questions that seem to go beyond the standard name and address. If it feels frustrating or intrusive, please understand: Criminals call us trying to impersonate legitimate customers, so we’re just seeking to protect your accounts. Your safety is our top priority.