Account Takeover Scams via Bank Transfer
How fraudsters use account takeover to initiate unauthorised bank transfers, and how push payment fraud via stolen credentials differs from card fraud.
Part of: Account Takeover Scams
Last reviewed: 1 June 2026
Account takeover through credential phishing leads directly to authorised push payment (APP) fraud — where the attacker uses genuine online banking credentials to initiate bank transfers from the victim's account to scammer-controlled mule accounts. Because the bank sees an authenticated login and an apparently voluntarily initiated transfer, fraud detection is harder than for card fraud.
The combination of credential phishing, SIM swap for OTP interception, and rapid automated transfers makes account takeover-driven bank transfer fraud one of the hardest fraud types to stop once initiated.
How this scam works on Bank Transfer
An attacker obtains banking credentials through phishing — typically via a convincing bank impersonation email or SMS. If SMS OTP codes protect the account, a concurrent SIM swap or SS7 interception attack provides access to verification codes.
Once authenticated, the attacker initiates one or more bank transfers to pre-staged mule accounts, typically in rapid succession and often in amounts below notification thresholds. Funds are immediately forwarded through further mule accounts before the victim or bank detects the activity.
Some attackers use the compromised account to set up new payees and scheduled transfers, maximising the window of access. Others use the access to gather financial data for follow-on fraud — balance information, direct debit details, and employer payment references.
Common red flags
- Bank email or SMS requesting login credential confirmation via a link
- Unexpected OTP SMS for a banking action you did not initiate
- Notification of a new payee being added to your account that you did not request
- Phone losing service coinciding with banking app login difficulties
- Transaction alerts for transfers you did not authorise
How to protect yourself
- Use an authenticator app rather than SMS for banking two-factor authentication where available
- Enable banking app notifications for all transactions and new payee additions
- Never click links in bank emails or SMS — use the official app directly
- Set daily transfer limits on your online banking to reduce maximum exposure
- Contact your bank immediately if you lose phone service unexpectedly
How to report it
- Contact your bank's fraud team immediately — 24-hour lines are available for most major banks
- Report to your national fraud service with full transaction details
- In the UK, report to Action Fraud and your bank for APP fraud reimbursement consideration
Frequently asked questions
Can I get a refund if my account was taken over and money transferred?
In the UK, the Payment Systems Regulator's APP fraud reimbursement rules require banks to reimburse victims of authorised push payment fraud in most cases. In the US, liability depends on whether the transfer was 'authorised' under Regulation E. Contact your bank immediately — early reporting significantly improves recovery prospects.