Tis the Season To Get Hosed
According To the F.B.I.
The Holiday Season always brings out every kind of crook highly
motivated to separate shoppers from their money.
In today's digital world, one part of robbing people of their cash often
means compromising their online security too. So, just in time
for the Holidays, the F.B.I. has issued Public Service Announcement
(PSA) warning and advising citizens about innovative new techniques
cybercrooks are using to steal Consumers' money and personal
information. Most relevant to holiday shoppers is the PSA of
November 25, 2025.
Alert Number: I-112525-PSA, dated November 25, 2025, titled, "Account Takeover Fraud via Impersonation of Financial Institution Support," discusses methods cybercrooks now employ to facilitate Account Takeovers (ATO). Victims of this new scam have targeted "individuals, businesses, and organizations of varied sizes and across sectors." The crooks aim to gain access to Consumers' financial institutions, payroll accounts, and health savings accounts. In 2025, according to the F.B.I. PSA, the Bureau "received more than 5,100 complaints reporting ATO fraud, with losses exceeding $262 million."
The purpose of the scam is too allow cybercrooks access to accounts using different social engineering techniques to pry that account information from their potential victims. Not only are texts, emails, and texts used in the ATO attempts, but also fraudulent websites that mimic legitimate sites are created to trick their victims into giving up access to their accounts.
The first step in an ATO scam is to trick the victimized "account owner into giving away their login credentials." This access can be had by a fraudster impersonating an employee of a financial institution, or a customer support person, or technical support personnel. After gaining access to the account, the cybercrooks change the password to the account. Thus, locking the actual account holder out of their own account, while the crooks gain total control over the account.
A common technique the crooks use is to inform the victim that suspected transactions have been noticed by the institution. This communication may happen via a telephone call, an email, or by a text message. No longer are these spams calls made by people with little to no mastery of the English language. With voice cloning, generative Artificial Intelligence (gen AI) can fake anyone's voice and turn that spam caller into a silver-tongued orator with an eloquent voice. Moreover, a gen AI voice clone can be natural sounding in tone and can also engage in very convincing conversations. No more must the hapless victim be subjected to the staccato and disjointed voice of a robot, or the sound of a poor recording. According to a report published July 25, 2025 by security vendor, Moonlock, in 2025, AI impersonation scams have increased by 148%. In the report cited, quoting Fergal Glynn, Chief Marketing Officer and AI Security Advocate of Mindgard, "AI tools today can mimic voices, faces, and even writing styles within minutes, making fake emails, texts, and calls feel almost real." Mindgard specializes in countering the many abuses of AI technology.
Once trust is established between the crook and victim, a link to a fake website is provided to fool the victim into reporting the fraud or to prevent further fraudulent transactions. From there, a second group of cybercrooks will impersonate law enforcement. Once this greater trust is established, the fraudsters will fool the victim into divulging even more of their personal information. Often wire transfers of victims' fund are immediately instigated.
The use of fake websites to capture Consumers' credentials is not a new technique. In fact, the F.B.I.'s own FBI Internet Crime Complaint Center (IC3) government website was spoofed, as was reported in an earlier PSA, dated September 19, 2025. In simpler times, like with old school spam calls and emails, these bogus websites were riddled with bad grammar and misspelled words. Now Artificial Intelligence has made the creation of realistic, but otherwise phony, websites of well-known companies too easy. A report titled, "How Cybercriminals Use AI to Build Fake Websites That Fool You," and dated, September 16, 2025, was published in Analytics Insight. The report described how AI makes very official looking websites. AI makes it quick and simple to generate elements of the actual copied website. As the article explained it, "cybercriminals can replicate the color schemes, logos, and layout of a brand in such a way that the cloned sites look almost 100% genuine."
Another F.B.I. publication that was a joint effort between the Bureau
and The Americans Banker Association (ABA) produced an orographic that
both summarizes the problem of AI generated deep fakes, and also offers
succinct advice about how to spot them. The infographic is in pdf
format. The article and link to the original pdf file can be had
here. The images below are png files snipped
from the original pdf.
 |
 |
Contributing to the growing problem of fake websites generated by AI is ever more sophisticated forms of typosquatting. Microsoft defined typosquatting thusly.
Typosquatting is what we call it when people - often criminals -
register a common misspelling of another organization's domain as their
own. For example: tailspintoy.com instead of tailspintoys.com
(note the missing "s").
If you mistype or misspell the legitimate site
you'll get the typosquatter's site instead and it may not always be
obvious that you're not where you intended to go.
A new and innovative typosquatting technique is the "rn" attack. The "rn" attack method is known as a "homoglyph attack." Security vendor, MalwareBytes, defines a homoglyph attack as "a method of deception wherein a threat actor leverages on the similarities of character scripts to create and register phony domains of existing ones to fool users and lure them into visiting." One example often offered as an example of a homoglyph attack is where the illegitimate URL amaz0n[.]com is substituted for legitimate amazon[.]com.
The "rn" method of attack is particularly cunning, and apparently successful. The Cyber Security News reported on the "rn" attack on November 24, 2025. The article's title, "Hackers Replace rn Microsoft(.)com to Steal Users Login Credentials," offers insight on how even mighty Microsoft can be a victim of typosquatting. So, rnicrosoft[.]com is not really microsoft[.]com.
The rn attack relies on how our eyes play tricks on us. Using certain fonts, when the letter "r" is placed before the letter "n" we may see the letter "m". Observe how using a font Lucida with condensed spacing makes morphing the two characters, "rn", into the single character, "m", too easy. See the example below.
bankofrnerica[.]com is NOT bankofamerica[.]com
Imagine you receive a phone call or text that claims to be from your bank telling you that the bank suspects that fraudulent transactions have been detected on your account. You are then advised to click on the link in a text or email to log on to the bank to verify these transactions. A certain amount of panic may set in, causing you to not carefully examine the URL that you were sent by the fraudster(s). And that is how victims typosquatting attacks come to be.
Not only can any link in an email not be trusted, but as the F.B.I. also advises, even search engine results are not to be trusted anymore. Search Engine Optimization (SEO) poisoning is also mentioned as an attack vector in the F.B.I. PSA. SEO poisoning has become one more tool in the cybercrooks toolbox that cybercrooks can use to harvest the credentials of these unsuspecting victims. Here is how the F.B.I. PSA explains SEO poisoning:
SEO poisoning refers to cyber criminals purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites by making them appear more authentic to customers who use a search engine to locate the business' website. When users click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking users into providing their login information.
We can no longer trust those search engine results that appear at the top of the list and labeled "Ad." The F.B.I. PSA offers from very cogent advice to avoid falling prey to these various techniques of subterfuge. If you are being told to call the institution, do not do so. Call the institution at the number that is one the back of your debit or credit card. To avoid S.E.O. poisoning, never use a search engine to verify the veracity of a website that supposedly belongs to a financial institution to which your are a customer. Bookmark or add to website favorites the known URL to any financial institution. If you are not familiar with adding Bookmarks, this page here will help you setup Bookmarks in Google Chrome. For users of the Microsoft Edge browser, check out this page to learn about Favorites in MS Edge.
The F.B.I. PSA offers an infographic that summarizes the F.B.I. recommendations to stay safe online. The PSA says to "Stay vigilant against ATO fraud attempts by following these tips."
Also in the PSA, the F.B.I. advises that if you are a victim of one of these attacks, immediately do the following:
Reset all credentials and passwords that may have been exposed during the intrusion, including user and service accounts, compromised certificates, or other "secret" credentials. If you use the compromised password for other online accounts, change your password on those sites too.
So follow Smokey's advice for the 21st century.
And never forget this very old maxim that dates back to 16th
England:
To be forewarned is to be
forearmed.
Gerald Reiff
| Back to Top | ← previous post | next post TBA → |
| If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal | ||