Morning Overview

Scammers are using AI to clone real bank login pages and grab your session cookie, Google warns

Federal authorities are sounding the alarm about criminals who build convincing replicas of bank and payroll login pages to steal session cookies, a technique that lets attackers slip past multifactor authentication entirely. The FBI’s Atlanta Field Office published a warning that criminals are capturing “Remember-Me” cookies to access victim accounts without needing usernames, passwords, or any additional verification step. A separate FBI alert documents how the same approach has expanded beyond traditional bank fraud into employee self-service portals, where attackers reroute paychecks and drain benefits accounts.

How stolen session cookies defeat multifactor authentication

Multifactor authentication has been the standard advice for protecting online accounts for years. But the cookie-theft technique sidesteps it completely. When a user logs in and checks a “Remember Me” box, the website stores a small file, a session cookie, in the browser. That cookie tells the site the user has already passed all authentication checks. If an attacker captures that cookie, they can load it into their own browser and gain full access to the account without ever seeing a password prompt or a one-time code.

The FBI’s Atlanta Field Office described exactly this sequence in a public notice, confirming that criminals steal Remember-Me cookies to bypass every layer of login security. The cookies stay valid for extended periods, sometimes weeks, which gives attackers a wide window to operate inside a victim’s account. A single successful phishing page can hand over persistent access that outlasts any password reset the victim performs, because the session token itself remains active on the attacker’s machine.

For everyday users, this means that enabling multifactor authentication, while still a good practice, is not a complete shield. The real danger is the fake login page that harvests the cookie in the first place. Attackers craft these pages to look identical to a bank’s or employer’s real portal, and once a victim enters credentials on the clone, the cookie is captured before the victim even realizes anything is wrong.

Because the cookie represents an already-approved session, even hardware security keys or app-based codes do not help once the attacker has the token. In many cases, the victim may continue using the account normally, unaware that a second, invisible session is active elsewhere. That parallel access lets criminals quietly explore account settings, set up new payees, or prepare fraudulent transfers while avoiding obvious red flags such as password-reset emails.
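A site operator can look for the parallel session described above in its own request logs. The following Python example is added here and is not code from the FBI notices or from this article; the log format, the field names and the 15-minute window are assumptions, and the log lines are constructed. It flags a session ID that is used from two different client contexts (IP address plus user agent) within a short time of each other, and ignores a slow network change on a single device.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Assumed format: ISO timestamp | hashed session id | client IP | user agent
SAMPLE_LOG = """\
2025-01-06T09:00:12 | sess_a1 | 198.51.100.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/131
2025-01-06T09:04:40 | sess_a1 | 198.51.100.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/131
2025-01-06T09:05:02 | sess_a1 | 203.0.113.44 | Mozilla/5.0 (X11; Linux x86_64) Firefox/133
2025-01-06T09:06:30 | sess_a1 | 198.51.100.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/131
2025-01-06T09:10:00 | sess_b2 | 192.0.2.10 | Mozilla/5.0 (Macintosh) Safari/17
2025-01-06T18:30:00 | sess_b2 | 192.0.2.99 | Mozilla/5.0 (Macintosh) Safari/17
"""

WINDOW = timedelta(minutes=15)  # assumed threshold; tune per site


def parse(line):
    """Split one log line into (timestamp, session id, client context)."""
    ts, sid, ip, ua = (field.strip() for field in line.split("|", 3))
    return datetime.fromisoformat(ts), sid, (ip, ua)


def find_parallel_sessions(log_text, window=WINDOW):
    """Return {session_id: [(earlier_ip, later_ip, gap), ...]} for sessions
    seen from two different (IP, user agent) contexts within `window`.
    Assumes the log is already sorted by time."""
    last_seen = defaultdict(dict)   # session id -> {context: last timestamp}
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, ctx = parse(line)
        for other_ctx, other_ts in last_seen[sid].items():
            if other_ctx != ctx and ts - other_ts <= window:
                findings[sid].append((other_ctx[0], ctx[0], ts - other_ts))
        last_seen[sid][ctx] = ts
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_parallel_sessions(SAMPLE_LOG).items():
        for earlier_ip, later_ip, gap in hits:
            print(f"{sid}: {earlier_ip} and {later_ip} active within {gap}")
```

A hit is a reason to expire the session server-side and require a fresh login, since a password reset alone leaves the stolen token valid.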

Fake employee portals and the shift from bank accounts to payroll

The threat has grown beyond traditional bank account takeover. A separate FBI alert details how criminals now impersonate employee self-service websites to steal both personal information and funds. These portals, the kind workers use to view pay stubs, update direct deposit details, or manage benefits, have become prime targets because they offer direct access to payroll streams.

According to the bureau, attackers who gain control of an employee portal account can change direct deposit routing numbers, redirect entire paychecks, and siphon benefits funds before the victim notices. The FBI documented this evolution from classic bank fraud toward broader payroll and benefits abuse, where the financial damage can be just as severe but often goes undetected longer because employees may not check their portal settings as frequently as their bank balance.

This shift matters for employers too. A compromised self-service portal does not just hurt one worker. It can expose an entire organization’s payroll system, and the reputational and legal fallout from a breach of employee financial data can be significant. Small and mid-size businesses that rely on third-party payroll platforms are especially exposed, because their employees may not recognize a cloned version of a portal they only visit once or twice a month.

Once attackers have access, they can also harvest personal details such as Social Security numbers, home addresses, and benefit elections. That information can feed follow-on schemes, including tax-refund fraud or targeted phishing that appears to come from HR. In some cases, criminals may wait through one or two normal pay cycles to build trust before silently changing deposit information, increasing the odds that the theft will not be caught immediately.

What the FBI warnings leave unanswered about AI-generated clones

The FBI’s alerts confirm the cookie-theft technique and the expansion into payroll fraud, but they stop short of quantifying how often artificial intelligence tools are used to generate the cloned pages. No case numbers, dollar-loss totals, or specific AI toolkits are named in either notice. The headline claim that scammers are using AI to clone login pages reflects a widely reported trend in the security industry, yet the bureau’s own published warnings do not break out AI-assisted cloning as a distinct category in their complaint data.

That gap matters for anyone trying to measure the scale of the problem. Without granular FBI statistics on AI-generated phishing pages versus manually coded ones, it is difficult to know whether new browser-level defenses, such as anti-cloning detection rules from major vendors, are actually reducing the volume of these attacks or simply pushing criminals toward more sophisticated AI tools. A testable question emerges from this gap: will cookie-theft incidents reported to the FBI show a measurable increase in the months after a major browser vendor ships new anti-cloning protections, regardless of overall phishing trends? If so, it would suggest that defensive measures are triggering an arms race rather than suppressing the threat.

The FBI’s alerts also contain no direct statements or data from Google about detection of these campaigns, despite the search giant’s name appearing in broader industry discussions of the problem. The evidence chain for the MFA-bypass technique rests on the bureau’s own complaint intake and field office observations, not on vendor-supplied telemetry. That leaves open questions about how widely the attacks are distributed, what proportion rely on paid search ads or compromised websites for traffic, and how often browser-level warnings actually prevent a successful cookie theft.

For now, the most reliable visibility comes from victims who report suspicious activity. The FBI encourages organizations and individuals to share details of suspected phishing and account-takeover incidents, and users can sign up for email alerts from the bureau to track new advisories as techniques evolve.

Practical steps before your next login

Given the confirmed risks, anyone who uses online banking or an employer self-service portal should take a few concrete steps immediately. First, check the URL in the browser bar before entering credentials on any login page, especially if the page was reached through an email link or a search engine ad. Type the address manually or use a trusted bookmark whenever possible, and be wary of lookalike domains that swap or add characters.

Second, treat unexpected login prompts as suspicious, even if they appear after you click a link that references a real transaction or HR notice. If an email claims that your direct deposit failed or your account has been locked, navigate to the site independently rather than following the embedded link. Legitimate institutions rarely require urgent action through a single clickable path.

Third, review your account settings regularly. For bank accounts, that means scanning recent transactions and payee lists; for payroll portals, it includes verifying direct deposit routing and mailing addresses before and after each pay cycle. Many employers allow workers to set up alerts for changes to deposit information or contact details; turning on those notifications can dramatically shorten the window in which an attacker can operate undetected.

Finally, remember that multifactor authentication is still worth enabling, even if it is not foolproof. App-based codes or hardware keys remain strong defenses against many common attacks. But the FBI’s warnings underscore that security now depends just as much on recognizing cloned pages and guarding session cookies as it does on choosing strong passwords. Treat every login as an opportunity to pause, verify, and confirm you are on the site you intend to trust with your money and your data.

*This article was researched with the help of AI, with human editors creating the final content.