Overview
- Since early 2025 the FBI’s Internet Crime Complaint Center has logged more than 5,100 ATO complaints with reported losses exceeding $262 million.
- Criminals impersonate bank staff or clone financial websites to steal passwords and MFA/OTP codes, then seize accounts, change credentials, and route funds to crypto‑linked destinations.
- Targets include consumers as well as businesses, with payroll and savings accounts at risk during December’s spike in online purchases and payments.
- Cybersecurity bodies highlight related holiday schemes such as ghost‑delivery texts, fake e‑commerce and travel sites, and WhatsApp takeovers used to solicit money.
- Authorities advise verifying senders and URLs, using strong unique passwords and two‑step checks, avoiding public Wi‑Fi for sensitive transactions, monitoring accounts, preserving evidence, and note that the EU is reinforcing PSD2 rules that can shift reimbursement liability when protections fail.