
As account takeover fraud surges, credit unions fight back with advanced defenses

Account takeover fraud is emerging as the fastest-growing type of financial crime in the United States, costing consumers $15.6 billion in 2024—a dramatic rise from $12.7 billion the year prior, according to a new report from Javelin Strategy & Research.

Fraud experts and credit union executives say this surge is being driven by the increasing sophistication of cybercriminals, many of whom now use generative artificial intelligence to create convincing phishing emails and spoofed websites that fool even cautious consumers.

Traditional defenses like passwords, one-time passcodes (OTPs), and security questions—once considered sufficient—are quickly becoming obsolete. Despite the evolution of attack methods, many institutions continue to rely on these older tools, leaving them and their members vulnerable.

“Fraud is one of the biggest problems the credit union is having,” said Matt Selke, president and CEO of Georgia Heritage Federal Credit Union in Savannah, Georgia. “We have a lot of layers of security . . . multiple-factor authentication, stronger passwords, better equipment, 24-hour monitored access. But it’s always a race against new scams.”

Selke noted that while his $153 million-asset credit union's fraud losses remain below industry peers, much of the damage is happening to members themselves—particularly older adults. “By far, older boomers and the silent generation are at a much higher risk of getting scammed through their personal emails and texts,” he said, citing the growing prevalence of so-called “toll scam” text messages and voicemails that trick recipients into revealing sensitive financial information.

These scams don’t just pose a risk to individual members. Once a fraudster obtains access credentials—whether via phishing, SIM swaps, or credentials purchased off the dark web—they can hijack accounts, reroute funds, or impersonate members convincingly enough to bypass traditional identity checks.

At Langley Federal Credit Union in Newport News, Virginia, fraud prevention is becoming increasingly high-tech. Jennifer Gray, the $5.6 billion-asset institution’s Bank Secrecy Act officer and fraud mitigation manager, said Langley has turned to behavioral biometrics—a form of AI that tracks users’ typing rhythms, mouse movements, and login patterns—to stay ahead of attackers.

Traditional methods such as passwords, security questions, and device recognition are no longer sufficient, Gray said. “Fraudsters have adapted . . . once they have access to personal information, they can convincingly impersonate a legitimate account holder.”

Langley’s system flags anomalies in user behavior to detect unauthorized access attempts, often before a member realizes their credentials have been compromised. The credit union also monitors dark web activity to detect member information being trafficked among fraudsters.

These tools help, but fraud prevention also depends on awareness, Gray added. Members need to use unique, complex passwords, enable multifactor authentication, and be skeptical of unsolicited links or messages.

“Awareness is key,” she said.

Yet even newer security technologies like voice biometrics—once hailed as the future of authentication—are now at risk. A West Coast credit union CEO, who spoke on condition of anonymity due to security concerns, said their $5 billion-asset institution is actively exploring alternatives.

“Even some of the newer methods, such as voice biometrics, are at risk,” the executive said. “With the increasing sophistication of AI used by fraudsters, it’s imperative we stay ahead of the curve. One concept that needs more attention is ‘phone trust’—authenticating whether a phone really belongs to a member and hasn’t been spoofed.”

Beyond technical threats like SIM swapping—where criminals take control of a user’s phone number by manipulating mobile carriers—a growing number of credit unions are reporting losses from imposter scams. In these schemes, fraudsters pose as legitimate organizations or even relatives, tricking victims into transferring money themselves.

“In many cases, it’s not an account takeover in the traditional sense,” the West Coast CEO said. “It’s the member voluntarily sending money, thinking they’re helping someone. That makes it even harder to detect and prevent.”

While the fraud landscape becomes more treacherous, credit unions continue to balance security with member experience. Advanced fraud prevention systems often carry high upfront costs, but many institutions argue the investment is justified.

“The financial impact of even a handful of successful ATO cases can exceed the cost of these systems,” said Gray. “More importantly, these protections preserve member trust and confidence.”

Despite the arms race between institutions and cybercriminals, the consensus is clear: fraud isn’t going away anytime soon. But with AI being used by both attackers and defenders, the future of account security may hinge on which side adapts faster.

“Fraud is constantly evolving,” Gray said. “But so are we.”

Portland, Oregon-based Tyfone is a leading provider of consumer and commercial digital banking services for community financial institutions. At Tyfone, we responded to the rise in account takeover fraud with an elegant, forward-looking solution: Cryptographic Device Authentication. CDA is a way for users to bind trust to the device itself by deploying advanced cryptography that is seamless for the user and nearly impossible for attackers to replicate.
