
A single unsecured connection can give a fraudster everything they need to access your business accounts: login credentials, multi-factor authentication (MFA) approval and an active session. Knowing how to spot an account takeover attack, where a cybercriminal gains access to a protected account and the funds or data it contains, is critical to prevention.

The scenario below shows how a routine payment on public Wi-Fi could open the door to an account takeover attempt. Plus, learn about red flags and practical prevention tips.

Scenario: A payment on public Wi-Fi exposes a company account

A treasury team member stops at a coffee shop late at night for a quick latte and decides to submit a time-sensitive payment.

Without realizing it, they connect to an “evil twin” Wi-Fi hotspot set up by a bad actor. The network name looks legitimate—“CoffeeShop_Free”—and their phone connects automatically.

A polished sign-in page appears with an “accept terms” prompt. The attacker uses it to intercept the connection and display a request to install “security certificates” by approving new device management settings. The employee taps through the prompts.

Joining an evil-twin hotspot doesn’t by itself hand an attacker your passwords. In most cases, the attacker gets passwords only if you give them a way to capture them, typically by tricking you into logging in on a spoofed page (for example, through a look-alike domain).

Moments later, the employee visits their bank’s website to make the payment. Because of the settings they just approved, the attacker can redirect them to a convincing look-alike login page. When the employee enters their username and password, the attacker captures the credentials.

The attacker immediately uses those credentials to sign in to the real account and triggers an MFA push notification to the employee’s phone. Eager to finish, the employee approves the prompt, unintentionally authorizing the attacker’s login.

Soon after, the employee notices warning signs: an unexpected VPN icon, certificate warnings, and a stream of account alerts and password reset emails from unfamiliar locations. With access in hand, the attacker attempts to change profile details, add new beneficiaries and initiate payments.

Warning signs to look out for

Recognizing red flags early can help you stop account takeovers before damage is done—whether they start with an “evil twin” hotspot or a deceptive text, email, call or website.

Unusual prompts asking for sensitive information

It’s normal to enter your login details on our website or app. But if you’re asked to share your password or any token/MFA code by email or text message—or on an unexpected webpage—treat it as suspicious.

For example, if a page looks like our site but your password manager doesn’t auto-fill like it normally does and the site asks you to type your credentials, pause and confirm you’re on the correct website before entering anything.

Unexpected requests to click links, log in or download files

Avoid signing in through links in unknown or unexpected messages. Instead, open our official app or type the web address into your browser. If a webpage asks you to install anything—like “security certificates,” a “security update” or new device settings—stop and confirm the request is legitimate before you continue.

Login alerts, password resets or activity from new locations

Unfamiliar access patterns can indicate unauthorized access and should be escalated quickly.

New device management settings

A device management profile is a setting that can control how your phone or computer works. If your device asks you to add a new “device management” setting or “profile” and you didn’t request it, treat it as a warning sign.

Check your device’s Settings (often under Device Management or Profiles). If you see one you don’t recognize, don’t approve it. Ask for help to review it and remove it.

Copycat websites and emails

Account takeover often uses look-alike domains or spoofed emails. They may closely resemble a real webpage or email from the organization a fraudster is impersonating, but are designed to trick users into sharing credentials or trusting a fake destination.

Five security steps to help protect your accounts

  1. Avoid public Wi‑Fi for sensitive activity
    Instead, use cellular networks or a trusted corporate virtual private network (VPN). Turn off settings allowing your phone to automatically connect to open Wi-Fi networks. If you must use public Wi-Fi—for example, at a coffee shop or other business—verify the exact network name with staff before connecting.
  2. Don’t click—navigate directly
    Avoid logging in via links in emails or messages. Go directly to a trusted website.
  3. Never share passwords or security codes
    We will never ask for your password or for one-time passcodes (MFA/token codes) by email, text or phone. Don’t send personal or account information by email or text, or enter it on unfamiliar websites. To sign in, use our official app or type the website address into your browser (avoid links in unexpected messages). A padlock icon means the connection is encrypted, but it doesn’t confirm the site is legitimate—double-check the web address before entering information.
  4. Use MFA and treat unexpected prompts as a red flag
    If you receive an MFA prompt you didn’t initiate, stop and verify before proceeding.
  5. Watch for look-alike domains and spoofing
    Fraudsters often use look-alike domains and spoofing to make messages and websites appear legitimate. Review URLs, email addresses and domains for anomalies or misspellings.
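
For security teams that want to automate the URL review described in step 5, the following Python sketch is an added example (not J.P. Morgan code) that flags hostnames imitating a trusted sign-in domain. The trusted domain `examplebank.example`, the substitution table, the distance threshold and the sample hostnames are all assumptions made for illustration.

```python
import unicodedata

# Assumption: the organization's real sign-in domain (reserved placeholder name).
TRUSTED = {"examplebank.example"}
# Character swaps common in look-alike names, mapped back to the letter they imitate.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed sample hostnames (not from any real incident).
SAMPLES = ["examp1ebank.example", "exarnplebank.example", "coffeeshop.test"]

def to_unicode(host):
    """Decode punycode (xn--) labels so the form a user sees is what gets compared."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold accents, digit-for-letter swaps, 'rn'/'vv' tricks and hyphens."""
    h = unicodedata.normalize("NFKD", host)
    h = "".join(c for c in h if not unicodedata.combining(c))
    h = h.translate(SWAPS).replace("rn", "m").replace("vv", "w")
    return h.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    h = to_unicode(host)
    if any(h == t or h.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        if t in h:  # trusted name embedded in someone else's domain
            return "lookalike"
        if edit_distance(skeleton(h), skeleton(t)) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Running `classify` over `SAMPLES` marks the first two names as look-alikes and the third as unrelated. The distance threshold is a heuristic, so very short trusted names will produce more false positives.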

What to do if you suspect an account takeover

If you’re worried you may have compromised your J.P. Morgan account credentials or other sensitive information, contact your client service representative.

Forward suspicious emails to abuse@jpmorgan.com, and consider reporting suspicious activity to the U.S. Federal Trade Commission.

© 2026 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Deposits held in non-U.S. branches are not FDIC insured. Non-deposit products are not FDIC insured. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.