3 people using a desktop computer

6 min read

Key takeaways

  • Account takeover fraud occurs when cybercriminals seize control of your bank account and its funds, often by impersonating your bank’s employees or website.
  • Prevention starts with skepticism. Train employees to question unsolicited calls, texts and emails—even those that appear to come from familiar people or institutions. Verify requests through a known contact before acting.
  • Use the strongest authentication method available. Passkeys currently offer the greatest protection, while multifactor authentication (MFA), tokens and password managers are stronger than passwords alone.

Account takeover fraud puts cybercriminals in control of your bank account and funds. Unlike schemes that unfold over time and target individual payments—such as business email compromise—account takeover gives bad actors broad access and the ability to drain funds faster than many businesses can react.

“The impact can be devastating. The velocity with which they can execute transactions is as fast as a bot can get payments through,” said John Geronimo, Managing Director, Client Fraud Prevention and Recoveries at J.P. Morgan.

Over the first 11 months of 2025, the FBI Internet Crime Complaint Center received more than 5,100 complaints reporting account takeover fraud, with losses exceeding $262 million.

Geronimo explained how these attacks work and shared best practices for account takeover prevention.

What is account takeover fraud?

In an account takeover scheme, a fraudster gains unauthorized access to a protected account and the funds or data it contains.

Fraudsters seize control as well as funds, changing the account’s password and contact information. That leaves legitimate users locked out and unable to halt the attack without help from their bank.

Cybercriminals often gain access by impersonating the target’s bank, using techniques that include: 

  • masks icon

    Social engineering: A fraudster employs psychological manipulation—often through deceptive calls, texts or emails—to trick the recipient into sharing login credentials such as a password or multifactor authentication code. For example, the bad actor might offer to help the recipient solve a problem, such as reversing a fraudulent transaction.

  • id badge icon

    Spoofing and look-alike domains: Cybercriminals use these techniques to make fraudulent communications appear to come from a legitimate source. With spoofing, a fraudster disguises their phone number so a call or text appears to come from your bank. With a look-alike domain, subtle character swaps make a fake email or web address appear nearly identical to the authentic one.      

  • website warning

    Phishing websites and SEO poisoning: A fraudster creates a website that closely resembles a bank’s authentic website to trick targets into entering their login credentials. With SEO poisoning, fraudsters manipulate search engine rankings so the fake website appears at the top of search results.

Fraudsters may also use malware or exploit data breaches to harvest login credentials. 

     

Our team can help you protect your business from fraud. 

Contact a banker

     

Account takeover prevention

These four strategies can help your team prevent account takeover fraud.

Build a culture of skepticism

Train employees—particularly those authorized to move funds—to question any unsolicited contact, regardless of how familiar or urgent the message seems.

“Unsolicited outreach is the common denominator in fraud attacks,” Geronimo said. “It can appear as if it’s from an institution you trust, which gives a sense of comfort. It often creates alarm or a sense of urgency. That’s the start of social engineering.”  

Distinguishing authentic messages from fraudulent ones can be challenging. Train employees to check emails, texts and URLs for signs of spoofing before sharing information. Better yet: don’t rely on inbound messages or links sent by text or email. Instead, call back using a verified phone number or go directly to your bank’s website.

Know what your bank will and won’t ask for

To recognize a fraudster impersonating your bank, employees need to know how your bank typically communicates and verifies your identity.

When a J.P. Morgan employee contacts you or a member of your team, they will never ask for your full account number, password or full token code. They also won’t ask you to click a link and enter your credentials.

Another red flag: a call or message from a purported bank employee alerting you to fraud rather than verifying a transaction.

“We call to validate account activity, we don’t come from the position that it’s fraud,” Geronimo said. “There’s not that sense of urgency—‘This is bad, now to help, you need to do this.’”

Regular training helps employees instinctively spot suspicious requests, even while multitasking or at the end of a long day.

Use the strongest available authentication method

Strong authentication technology—ideally passkeys—keeps fraudsters from taking over your account with a phished or stolen password alone.

Options include:

  • Multifactor authentication (MFA) with a one-time passcode (OTP) requires a time-sensitive code—often delivered via email or text—in addition to a password. “MFA and OTP are table stakes,” Geronimo said. If a fraudster tricks an employee into revealing a password or obtains one in a data breach, they won’t gain access without the passcode. But codes can be intercepted or obtained through social engineering.
  • Tokens combine passwords with time-sensitive codes generated on a physical security key or authenticator app you own. Unlike passcodes delivered via text or email, token codes can’t be intercepted in transit. But a fraudster can still manipulate an employee into sharing a token code.  
  • Passkeys eliminate passwords altogether, which makes them resistant to phishing. When you use a passkey to protect an account, your device generates a pair of keys: a private key stored securely on that device and a public key shared with the website or application hosting the account. To log in, you confirm your identity on your device, often using a face scan or fingerprint. Your device then proves it has the private key—without ever sharing the key itself. Passkeys only work with the specific platform they were created for, so a fake site can’t trick your device into sharing its private key. You can also sync passkeys to the cloud for use across multiple devices.

If passkeys, tokens or OTP aren’t an option, a password manager can strengthen your defenses.

“It allows you to have a unique password for every application, so if a password is compromised, it will only affect that application,” Geronimo said. “And if you come across SEO poisoning or a spoofed site, a password manager will recognize it’s not authentic.”

Technology

How it works

Pros

Cons

Password + MFA/OTP

You log in with a password, then verify your identity with a one-time code sent to your phone or email.

Widely available and easy to set up; stronger than a password alone.

Codes can be intercepted or obtained through social engineering or entered on a spoofed site.

Tokens

A device or app generates a time-sensitive code locally—no network transmission required.

Codes can’t be intercepted in transit or redirected to a fraudster’s device.

Requires a physical device or separate app.

Passkeys

Uses cryptographic key pairs—your device holds a private key, the site holds a public key—to authenticate you without a password.

There’s no password to phish; only works with the legitimate domain.

Requires compatible devices and platform support.

Test and train continuously

Supplement cyber fraud education with simulated phishing tests that train employees to spot threats in real time. Effective programs steadily increase in difficulty, shifting from messages with obvious red flags to ones that closely mimic authentic communications. Use test results to inform targeted follow-up training.

“To bring employees up the curve, your testing needs to evolve,” Geronimo said.

How to recognize account takeover fraud

Account takeover often leaves signals both before and after a fraudster gains access. Watch for:

  • Unsolicited outreach: Don’t assume an unexpected call, text or email is legitimate—even if it appears to come from an institution or person you trust. Messages that create alarm or urgency deserve extra caution. End the conversation and verify with a known contact before sharing any sensitive information.
  • Unfamiliar account activity: Watch for unexpected login notifications, password reset requests, changes to contact information on file or sign-ins from unknown devices or unusual locations. These can all indicate a fraudster has gained access.   

What to do if you suspect account takeover fraud

If you believe your company has experienced account takeover fraud, act immediately.

  1. Contact your bank. Report that your credentials may have been compromised. Your bank can suspend access to halt the damage and share information on fraudulent transactions that occurred after you lost control of the account.
  2. Notify law enforcement. File a report with the FBI’s Internet Crime Complaint Center (IC3). Then contact your local FBI office and local law enforcement, referencing your IC3 report.

“The response from law enforcement can vary depending on the value stolen and circumstances at that office that day,” Geronimo said. “But we have seen cases where engaging law enforcement made a significant difference in the outcome. It has been the reason there was any recovery at all.”

We’re here to help

Behind the scenes, J.P. Morgan Payments combines behavioral analytics, payment-pattern analysis and cybersecurity intelligence to help identify and stop suspicious activity.

We’re continually enhancing our fraud prevention solutions to help you protect your business and operate with confidence as threats evolve. Whether you’re looking to strengthen authentication technology, safeguard payments or train your team on prevention strategies, J.P. Morgan bankers and industry specialists can help you get there.

JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/commercial-banking/legal-disclaimer for disclosures and disclaimers related to this content.

Contact us

This field is required.

This field is required.

This field is required.

This field is required.

This field is required.

Please enter a valid business email. This field is required.

Please enter a valid business email. This field is required.

Please enter a valid business email. This field is required.

By checking the box below I consent to JPMorganChase using the information I have provided to send me:

Learn more about our data practices in our privacy policy.