FBI Warning: Account Takeover Fraud Is Rising. Are You Sure You’re Talking to Your Bank?
At Detect-a-Fraud, we see the same pattern again and again.
Smart business owners.
Trusted employees.
Established banks.
And yet the money still disappears.
The FBI recently issued a warning about a surge in account takeover fraud, where criminals impersonate financial institutions and convince businesses to hand over access to their own accounts.
This is not about weak passwords or sloppy bookkeeping.
It is about social engineering, and it works because it feels legitimate.
What Account Takeover Fraud Really Looks Like
Forget the idea of a hacker breaking into your bank account in the middle of the night.
Most account takeover cases begin with a phone call or email that sounds like this:
“This is the fraud department at your bank. We’ve detected suspicious activity and need to secure your account immediately.”
The caller:
- Uses your bank’s name and logo
- Spoofs the bank’s phone number
- References real transactions or balances
- Creates urgency so you do not stop to think
Once you “verify” information or follow their instructions, the fraudster does not need to hack anything. You have already done the work for them.
From there, credentials are changed, funds are moved, and control is lost.
Why Businesses Fall for This
Here is the uncomfortable truth we explain to clients.
Fraud succeeds not because people are careless, but because they are helpful, responsive, and trusting.
Many businesses assume:
- Caller ID confirms identity
- Banks will catch fraud before damage is done
- Long-standing financial relationships are inherently safe
None of those assumptions are controls.
How Detect-a-Fraud Verifies You’re Actually Talking to Your Bank
When we assess fraud risk, we focus on verification procedures, not intentions. Every business should have the following in place.
1. No Incoming Call Is Trusted
If someone contacts you claiming to be your bank:
- End the call
- Do not click links
- Do not provide information
Then:
- Locate your bank’s phone number independently using a statement, the official website, or the back of your debit card
- Call the bank yourself
This single step prevents a significant number of account takeover attempts.
2. Limit Who Can Communicate With the Bank
Your bank should maintain:
- A documented list of authorized contacts
- Clear restrictions on who can request:
  - Wire transfers
  - ACH changes
  - Credential resets
  - Account updates
If multiple people can call the bank and make changes without oversight, Detect-a-Fraud considers that a high-risk exposure.
3. Require Call-Backs and Passphrases
Ask your bank:
- Can we establish a verbal passphrase?
- Are call-backs required before any account changes?
- Can changes be restricted to in-person requests or a secure portal?
Banks that resist these questions often reveal weaknesses worth addressing.
4. Separate Duties, Even in Small Organizations
One person should not:
- Communicate with the bank
- Approve transactions
- Reconcile accounts
This applies to owners, bookkeepers, CFOs, and long-term employees. Fraud thrives where authority is unchecked.
5. Train for Real-World Fraud Scenarios
Detect-a-Fraud recommends training employees on what fraud actually sounds like, including:
- Urgent calls from “the bank”
- Requests to verify credentials
- Pressure to bypass normal procedures
Clear rules matter more than good instincts.
The Risk Most Businesses Miss
Many business owners assume the bank will make things right.
In account takeover cases, if a business authorizes a transaction, even under deception, reimbursement is not guaranteed.
From a forensic perspective, prevention is the only reliable protection.
The Detect-a-Fraud Bottom Line
Trust is not a control.
Urgency is a red flag.
Verification must be routine, not optional.
If your business cannot clearly explain how it confirms bank communications, there is a vulnerability worth addressing now, before fraud finds it.
At Detect-a-Fraud, we help businesses and nonprofits identify these blind spots early, when the fix is simple and the money is still in the account.
Because the goal is not just catching fraud.
It is preventing it altogether.