Since January 2025, scammers have stolen nearly $262 million from American bank accounts. The FBI’s Internet Crime Complaint Center received over 5,100 complaints from victims who lost an average of $51,000 each. This fraud scheme targets a security feature designed to protect us: two-factor authentication, also known as 2FA.
Here’s how the scam works. Scammers call or text pretending to be your bank’s fraud department or police. They make the caller ID look real and use a professional, urgent tone. They inform you that criminals are attempting to access your account and require you to verify your identity to “freeze” the funds. But here’s the trap: when you provide that verification code, you actually give criminals permission to reset your password or transfer your money. You never realize you handed over the very security code meant to protect you.
Two-factor authentication used to seem bulletproof. Banks told customers that even if hackers stole their passwords, they couldn’t access accounts without the verification code sent to their phone. That protection no longer works against these criminals. The FBI confirmed on November 25, 2025, that scammers are now exploiting this security system through simple social engineering, tricking people into handing over their codes.
Your Phone Type Doesn’t Matter—Neither Does Your Experience Level
The threat affects everyone equally. iPhone users, Android users, businesses, and individual people all face the same risk. The vulnerability doesn’t reside in the phone itself—it resides in the code that scammers intercept through basic phishing tricks. Cases occur from Miami to Seattle, proving that criminals target Americans everywhere.
The scammers are frighteningly good at impersonation. One credit union member received a call from someone who had access to details about her recent transactions. A retired police officer—someone trained to spot deception—almost fell for the exact same scheme. These criminals fool doctors, lawyers, teachers, and regular people alike. Your background or experience doesn’t protect you because the attack relies on social pressure and urgency, not technical vulnerability.
Once criminals access your account, they work fast. They wire your money to accounts they control, then convert it into cryptocurrency like Bitcoin or Monero. This conversion makes recovery impossible. When banks catch fraudulent credit card charges, they reverse them. But cryptocurrency transfers are permanent. Your savings are transferred onto the blockchain, beyond U.S. jurisdiction and recovery. By the time you notice the theft, your money is gone forever.
The exploitation often doesn’t end there. Scammers contact victims again, now posing as police or private investigators who claim they can recover the stolen funds—for a fee. Victims, already devastated and desperate, often fall for this second scam. The criminals already have your personal data from the initial attack, so establishing fake credibility as a “recovery agent” becomes relatively easy. Criminals exploit desperation twice over.
Better Security Is Coming, But Change Stays Slow
Technology companies are finally admitting that passwords plus SMS codes are no longer effective. Microsoft announced that “the password era is ending.” Google and Amazon are pushing passkeys instead—a technology that replaces passwords with codes that hackers cannot phish. Google reports that over 800 million accounts now use passkeys. Amazon has 175 million users on passkeys. The National Institute of Standards and Technology updated its 2025 guidelines, requiring federal agencies to use phishing-resistant authentication.
But millions of people still use old security systems. Security experts urge everyone to abandon SMS two-factor authentication immediately, yet the switch is happening slowly. Cifas, a fraud prevention group, reports that SIM swap attacks—a related scam—jumped 1,055 percent year-over-year in 2024. Criminals are accelerating their attacks as better security becomes more widespread.
The FBI’s warning sends one clear message: verify everything in the digital world. Never trust a caller just because the caller ID looks legitimate or the voice sounds professional. Criminals now utilize AI voice cloning, which makes impersonation almost perfect. Banks will never call asking for your verification codes. You now shoulder the security burden. Every smartphone owner faces one question: Can you hang up on someone claiming to be your bank?
Sources
Ezetech, 29 Jan 2025
Keepnet Labs, 22 Jul 2025
Authsignal, 14 May 2025
FIDO Alliance, 13 Oct 2025
Forbes, 18 Jun 2025
IronVest, 26 Oct 2025