6 min read
Account takeover fraud puts cybercriminals in control of your bank account and funds. Unlike schemes that unfold over time and target individual payments—such as business email compromise—account takeover gives bad actors broad access and the ability to drain funds faster than many businesses can react.
“The impact can be devastating. The velocity with which they can execute transactions is as fast as a bot can get payments through,” said John Geronimo, Managing Director, Client Fraud Prevention and Recoveries at J.P. Morgan.
Over the first 11 months of 2025, the FBI Internet Crime Complaint Center received more than 5,100 complaints reporting account takeover fraud, with losses exceeding $262 million.
Geronimo explained how these attacks work and shared best practices for account takeover prevention.
In an account takeover scheme, a fraudster gains unauthorized access to a protected account and the funds or data it contains.
Fraudsters seize control as well as funds, changing the account’s password and contact information. That leaves legitimate users locked out and unable to halt the attack without help from their bank.
Cybercriminals often gain access by impersonating the target’s bank, using techniques that include:
Social engineering: A fraudster employs psychological manipulation—often through deceptive calls, texts or emails—to trick the recipient into sharing login credentials such as a password or multifactor authentication code. For example, the bad actor might offer to help the recipient solve a problem, such as reversing a fraudulent transaction.
Spoofing and look-alike domains: Cybercriminals use these techniques to make fraudulent communications appear to come from a legitimate source. With spoofing, a fraudster disguises their phone number so a call or text appears to come from your bank. With a look-alike domain, subtle character swaps make a fake email or web address appear nearly identical to the authentic one.
Phishing websites and SEO poisoning: A fraudster creates a website that closely resembles a bank’s authentic website to trick targets into entering their login credentials. With SEO poisoning, fraudsters manipulate search engine rankings so the fake website appears at the top of search results.
Fraudsters may also use malware or exploit data breaches to harvest login credentials.
These four strategies can help your team prevent account takeover fraud.
Train employees—particularly those authorized to move funds—to question any unsolicited contact, regardless of how familiar or urgent the message seems.
“Unsolicited outreach is the common denominator in fraud attacks,” Geronimo said. “It can appear as if it’s from an institution you trust, which gives a sense of comfort. It often creates alarm or a sense of urgency. That’s the start of social engineering.”
Distinguishing authentic messages from fraudulent ones can be challenging. Train employees to check emails, texts and URLs for signs of spoofing before sharing information. Better yet: don’t rely on inbound messages or links sent by text or email. Instead, call back using a verified phone number or go directly to your bank’s website.
To recognize a fraudster impersonating your bank, employees need to know how your bank typically communicates and verifies your identity.
When a J.P. Morgan employee contacts you or a member of your team, they will never ask for your full account number, password or full token code. They also won’t ask you to click a link and enter your credentials.
Another red flag: a call or message from a purported bank employee alerting you to fraud rather than verifying a transaction.
“We call to validate account activity, we don’t come from the position that it’s fraud,” Geronimo said. “There’s not that sense of urgency—‘This is bad, now to help, you need to do this.’”
Regular training helps employees instinctively spot suspicious requests, even while multitasking or at the end of a long day.
Strong authentication technology—ideally passkeys—keeps fraudsters from taking over your account with a phished or stolen password alone.
Options include:
If passkeys, tokens or OTP aren’t an option, a password manager can strengthen your defenses.
“It allows you to have a unique password for every application, so if a password is compromised, it will only affect that application,” Geronimo said. “And if you come across SEO poisoning or a spoofed site, a password manager will recognize it’s not authentic.”
Technology | How it works | Pros | Cons |
|---|---|---|---|
Password + MFA/OTP | You log in with a password, then verify your identity with a one-time code sent to your phone or email. | Widely available and easy to set up; stronger than a password alone. | Codes can be intercepted or obtained through social engineering or entered on a spoofed site. |
Tokens | A device or app generates a time-sensitive code locally—no network transmission required. | Codes can’t be intercepted in transit or redirected to a fraudster’s device. | Requires a physical device or separate app. |
Passkeys | Uses cryptographic key pairs—your device holds a private key, the site holds a public key—to authenticate you without a password. | There’s no password to phish; only works with the legitimate domain. | Requires compatible devices and platform support. |
Supplement cyber fraud education with simulated phishing tests that train employees to spot threats in real time. Effective programs steadily increase in difficulty, shifting from messages with obvious red flags to ones that closely mimic authentic communications. Use test results to inform targeted follow-up training.
“To bring employees up the curve, your testing needs to evolve,” Geronimo said.
Account takeover often leaves signals both before and after a fraudster gains access. Watch for:
If you believe your company has experienced account takeover fraud, act immediately.
“The response from law enforcement can vary depending on the value stolen and circumstances at that office that day,” Geronimo said. “But we have seen cases where engaging law enforcement made a significant difference in the outcome. It has been the reason there was any recovery at all.”
Behind the scenes, J.P. Morgan Payments combines behavioral analytics, payment-pattern analysis and cybersecurity intelligence to help identify and stop suspicious activity.
We’re continually enhancing our fraud prevention solutions to help you protect your business and operate with confidence as threats evolve. Whether you’re looking to strengthen authentication technology, safeguard payments or train your team on prevention strategies, J.P. Morgan bankers and industry specialists can help you get there.
JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/commercial-banking/legal-disclaimer for disclosures and disclaimers related to this content.