What No One Tells You About AI Scams: Protecting Your Finances in 2025


Farhan Yousaf

4 min read

The FBI has issued a critical warning regarding a sharp rise in AI scams and account takeovers, revealing that cybercriminals have already stolen over $262 million from US targets in 2025. This surge in financial fraud is being driven by increasingly sophisticated social engineering attacks, where artificial intelligence is used to craft convincing phishing campaigns that bypass traditional security filters and trick even tech-savvy users.

FBI Warning: $262 Million Lost to Account Takeovers

The scale of the threat is escalating rapidly. According to data released by the Bureau and reported by TechRadar, the $262 million loss figure represents a massive transfer of wealth from victims to threat actors through Account Takeover (ATO) schemes.

ATO attacks occur when a bad actor gains unauthorized access to a user's online account (a bank portal, e-commerce login, or email) and changes the credentials to lock the rightful owner out. Once inside, they drain funds, make fraudulent purchases, or leverage the account to launch further attacks.

The FBI highlights that these aren't just brute-force attacks where hackers guess passwords. Instead, attackers are utilizing social engineering to steal valid credentials. By impersonating trusted entities, they manipulate victims into handing over usernames, passwords, and even Two-Factor Authentication (2FA) codes.

AI Scams Make Phishing Harder to Spot

The driving force behind the increased success rate of these attacks is the integration of generative AI. Cybersecurity experts warn that AI tools allow scammers to generate phishing emails and text messages with perfect grammar, tone, and formatting, indistinguishable from legitimate communications.

This eliminates the tell-tale signs of previous scams, such as typos or awkward phrasing. AI allows attackers to scale their operations, personalizing thousands of messages instantly based on scraped user data.

Fortinet FortiGuard Labs has corroborated this trend, reporting the detection of over 750 malicious domains in recent months. Many of these were specifically designed with holiday themes to exploit seasonal shopping trends. These fake sites mimic popular retailers to harvest login credentials, which are then used to breach the victim’s actual accounts on legitimate platforms.

Major Brands and Platforms Targeted

The scope of these AI-driven phishing campaigns is broad, targeting massive consumer bases and enterprise software users alike. The attackers are not just looking for credit card numbers; they are hunting for established accounts with stored payment methods and history.

Key targets identified in recent waves of attacks include:

  • Consumer Retail: Amazon and Temu

  • Enterprise/Software: Adobe and Oracle

  • E-commerce Infrastructure: WooCommerce and Magento

The inclusion of B2B platforms like Adobe and Oracle suggests a shift toward high-value corporate targets. Compromising a business account often yields a higher payout than a personal one and can provide access to corporate financial systems.

The Mechanics of Modern Account Takeover

Understanding how these financial security breaches happen is the first step in prevention. The modern ATO kill chain typically follows this path:

  • The Lure: The victim receives an AI-crafted email or SMS claiming an urgent issue (e.g., “Suspicious activity detected” or “Package delivery failed”).

  • The Harvest: The link directs to a spoofed login page hosted on one of the hundreds of malicious domains detected by firms like Fortinet.

  • The Capture: The user enters credentials. In sophisticated attacks, the phishing page also prompts for the 2FA code and relays it to the real site before the code expires, so a one-time code offers no protection at this step.

  • The Lockout: An automated bot uses the stolen credentials to log into the real site, changes the password and recovery email immediately, and logs out all other sessions.

This process can happen in seconds. Once the account is taken over, recovering it is often a slow, bureaucratic nightmare, during which the attacker causes maximum financial damage.
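The lockout step above has a recognisable shape in authentication logs: a login from an IP the account has never used, followed within seconds by a password change, a recovery-email change, and a session revocation. The following detection logic is an added example written for this article, not code from the FBI, Fortinet, or any platform named here; the line-oriented JSON event format, the field names, and the sample log lines are all constructed for illustration.

```python
"""Flag the 'lockout' phase of an account takeover in authentication logs.

Added example, not code from the original article. The event format is an
assumption: one JSON object per line with `ts` (Unix seconds), `user`, `ip`
and `event` fields. Real systems name these fields differently.
"""
import json
from collections import defaultdict

# Constructed sample log: alice does a normal login and later changes her
# password; bob's account is hit by an automated takeover that changes the
# password and recovery email and kills other sessions within seconds of a
# login from an IP the account has never used.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "alice", "ip": "203.0.113.10", "event": "login_success"}
{"ts": 1700000050, "user": "alice", "ip": "203.0.113.10", "event": "password_change"}
{"ts": 1700000100, "user": "bob", "ip": "198.51.100.7", "event": "login_success"}
{"ts": 1700003600, "user": "bob", "ip": "192.0.2.44", "event": "login_success"}
{"ts": 1700003604, "user": "bob", "ip": "192.0.2.44", "event": "password_change"}
{"ts": 1700003607, "user": "bob", "ip": "192.0.2.44", "event": "recovery_email_change"}
{"ts": 1700003609, "user": "bob", "ip": "192.0.2.44", "event": "sessions_revoked"}
"""

# Actions that, taken together right after a login, characterise the lockout.
LOCKOUT_EVENTS = {"password_change", "recovery_email_change", "sessions_revoked"}
WINDOW_SECONDS = 60       # faster than a human would plausibly do all of them
MIN_LOCKOUT_ACTIONS = 2   # require at least two distinct actions to cut noise


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_lockouts(events, window=WINDOW_SECONDS, min_actions=MIN_LOCKOUT_ACTIONS):
    """Return one finding per suspicious login.

    A login is suspicious when (a) it comes from an IP that account has not
    logged in from earlier in this log and (b) within `window` seconds the
    same IP performs at least `min_actions` distinct lockout actions.
    """
    known_ips = defaultdict(set)   # user -> IPs seen in earlier logins
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "login_success":
            continue
        user, ip, t0 = ev["user"], ev["ip"], ev["ts"]
        new_ip = ip not in known_ips[user]
        known_ips[user].add(ip)
        if not new_ip:
            continue
        actions = set()
        for later in events[i + 1:]:
            if later["ts"] - t0 > window:
                break   # events are sorted, nothing later can be in the window
            if later["user"] == user and later["ip"] == ip and later["event"] in LOCKOUT_EVENTS:
                actions.add(later["event"])
        if len(actions) >= min_actions:
            findings.append({"user": user, "ip": ip, "login_ts": t0, "actions": sorted(actions)})
    return findings


if __name__ == "__main__":
    for f in detect_lockouts(parse_log(SAMPLE_LOG)):
        print(f"ATO lockout pattern: user={f['user']} ip={f['ip']} actions={f['actions']}")
```

Alice's own password change is not flagged because it is a single action; bob's second login is flagged because three distinct lockout actions follow it within nine seconds from a never-before-seen IP. In production the "new IP" test would consult a longer login history than one log file, and the finding would feed a rule that holds the password and recovery-email changes for out-of-band confirmation rather than merely alerting after the fact.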

How to Fortify Your Accounts

With the FBI emphasizing the severity of this threat, reliance on simple passwords is no longer sufficient. Financial security requires a proactive defense strategy to counter AI capabilities.

Critical defense measures include:

  • Passkeys: Whenever available, switch from passwords to passkeys. These use biometric or PIN verification on your device, and the private key never leaves it; because the signature is bound to the site's real domain, a spoofed login page cannot obtain anything it can replay, so there is no credential string to steal.

  • Hardware Security Keys: For high-value accounts (email, banking), use a physical security key (like a YubiKey). This prevents access even if an attacker has your password.

  • App-Based 2FA: SMS authentication is vulnerable to SIM swapping and interception. Use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator). Note that an app-generated code can still be phished and relayed in real time, as in the capture step above, so treat it as a floor, not a ceiling, and move high-value accounts to passkeys or hardware keys.

  • URL Verification: AI can fake a logo, but it cannot fake a domain. Always inspect the URL bar before entering data, and check the registrable domain itself (the part just before the top-level domain), not whether the brand name appears somewhere in the address: lookalike sites put "amazon" in a subdomain or path while the real domain is something else. If you get an urgent email from Amazon, close it and open the Amazon app directly rather than clicking the link.
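The "check the domain, not the brand name" advice can be turned into a concrete check. The function below is an added example written for this article, not code from any of the vendors or platforms mentioned; the allow-list of trusted domains and the sample links are constructed, and the two-label approximation of a registrable domain is a deliberate simplification noted in the code.

```python
"""Classify a link target as trusted, lookalike, or untrusted.

Added example, not code from the original article. The trusted list below is
an assumption standing in for the set of sites the user actually has
accounts with. The check is done on the registrable domain of the hostname,
because phishing links hide the brand name in subdomains, paths, or the
userinfo part of the URL.
"""
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains the user actually has accounts with.
TRUSTED_DOMAINS = {"amazon.com", "adobe.com", "oracle.com"}


def registrable_domain(hostname):
    """Return the last two labels of the hostname (e.g. 'amazon.com').

    Simplification: real code should consult the Public Suffix List so that
    hosts such as 'shop.amazon.co.uk' resolve to 'amazon.co.uk'; two labels
    is enough to demonstrate the idea for the domains above.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return 'trusted', 'lookalike', or 'untrusted' for a link target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "untrusted"           # javascript:, data:, etc. are never a login page
    host = parts.hostname or ""      # .hostname drops userinfo and port, lowercases
    if host.startswith("xn--") or ".xn--" in host:
        return "lookalike"           # punycode label: possible homoglyph domain
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name appears in the host, the userinfo, or the path, but the
    # registrable domain is not one of ours: the classic phishing lure.
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if name in host or name in (parts.username or "").lower() or name in parts.path.lower():
            return "lookalike"
    return "untrusted"


# Constructed sample links, one per trick the check has to survive.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/css/order-history",          # real site, deep path
    "https://amazon.com.account-verify.example/login",      # brand in a subdomain
    "https://amazon.com@198.51.100.7/login",                # brand in userinfo
    "https://secure-login.example/amazon/signin",           # brand only in the path
    "https://www.xn--amazn-9ta.com/",                       # constructed punycode label
    "https://example.org/",                                 # unrelated site
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_url(link):10s} {link}")
```

Only the first link is trusted; the next four are the kinds of addresses a holiday-themed lure points at, and each passes a naive "does it mention Amazon" test while failing the registrable-domain test. The same logic belongs in a mail gateway or a browser extension, but even done by eye the rule is the one the code encodes: read the domain immediately before the top-level domain, ignore everything to its left and everything after the first slash.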

The surge in cybercrime losses to more than a quarter-billion dollars in just a portion of 2025 serves as a stark reminder: in the age of AI, trust nothing that lands in your inbox by default. Verify the source, lock down your accounts, and treat every login prompt with skepticism.

Author

  • Farhan Yousaf

    Farhan Yousaf, a cheerful cybersecurity student living in Australia, brings his love for tech to life as the hardware editor at TechWafer.