Account Takeover (ATO) fraud happens when criminals gain access to your online financial accounts and take control often without you realizing it right away. Once the scammer is inside, they move quickly, changing passwords, redirecting funds and locking you out of your own account.
According to the FBI Internet Crime Complaint Center (IC3), since January 2025, they have received more than 5,100 complaints reporting ATO fraud, with losses exceeding $262 million.
At Bank Iowa, we remain committed to educating you on what to watch for so that you don’t fall victim. ATO fraud scammers use a mix of fake messages, convincing phone calls and look-alike websites to trick people into handing over their login information.
How These Scams Typically Start
Most account takeovers don’t begin with hacking; they begin with impersonation of bank staff or a company website.
Criminals may:
- Send a text or email that appears to come from a bank or payroll provider.
- Call you and pretend to be customer support or technical help from your bank.
- Direct you to a website that looks legitimate but isn’t.
In some cases, scammers place paid ads in search engines, so their fake website appears above the real one. If you enter your login information on one of these sites, they can capture it instantly.
If multi-factor authentication is enabled, scammers often follow up with a phone call, posing as a bank employee to ask for your passcode.
What Criminals Do Once They’re In
After gaining access, criminals may:
- Transfer money out of your account.
- With Treasury Management, such as positive pay, wires and ACH, criminals have the ability to do a lot more, such as pre-approve a company ID in positive pay or update recipient information in an ACH. It could be very subtle and go unnoticed until money starts leaving your Financial Institution more often.
- Try to redirect paychecks or benefit deposits to a new bank account.
- Change account settings to block you out
- Use stolen personal information to open new accounts or loans in your name.
How You Can Reduce Your Risk
A few simple steps can make a big difference:
- Use strong, unique passwords and keep multi-factor authentication turned on no matter what.
- Bookmark your bank’s website instead of using search results or ads.
- Be careful what information you share online or on social media as criminals may use this information to try and determine passwords or security questions.
- Be cautious about unexpected messages or calls claiming to be from your bank.
- Regularly review your account activity for anything unusual and change your password periodically to keep your account secure.
Bank Iowa will never:
- Have our fraud department call and ask you to supply sensitive information, like account numbers, SSN or online banking login credentials.
- Tell you the only way to protect your account is by sharing your online banking login ID, password or secure access code over the phone.
- Suggest you transfer funds between your accounts for your protection or to help with a fraud investigation.
- Send you a link, an attachment or a QR code that requests your account information.
- Attempt to gain remote access to your computer or mobile device to help with an investigation.
- Threaten you if you fail to take immediate action on a request
If at any time you think your account has been compromised or you have received a suspicious call, email or text, contact Bank Iowa immediately so we can help review the situation and secure your account. Acting quickly can make a meaningful difference in limiting potential losses.
Visit Bank Iowa’s fraud resources page to stay informed to recognize and prevent scams. You can also stop at any one of our locations to get assistance.
