Pieter Gunst is a lawyer and CEO in San Francisco who recently tweeted about his ordeal with a new type of phone scammer.
He and many other banking customers and credit union members are experiencing calls that they think are from their financial institution. Unfortunately, these calls are actually from scammers who are phishing for your information in order to get access to your online banking accounts.
Many scammers can fake the caller ID information or the number on a text message to make it appear to come from your financial institution. Even if the number is saved in your contacts, an incoming call isn’t necessarily from the bank or credit union named on your phone.
Scam Step 1: Pretend to be your financial institution
Scammers may know which bank or credit union you’re using. They’ll fake the number they’re calling from to make it look like they’re from your bank. Or they’ll send what looks like a text from your financial institution to confirm whether you made a recent purchase.
They’ll say they’re alerting you to a purchase and ask whether you made that purchase. This is something many financial institutions do, which is why scammers know most people will take it seriously.
Stop the Scammer:
Don’t automatically assume that your bank or credit union is actually calling you, even if their name comes up on the Caller ID or you have their number saved in your phone.
If you pick up the phone, tell them you can’t talk right now; you might try getting their name and number to call them back. Hang up and call your financial institution directly to confirm whether there is a problem with your account.
Look into whether you can use a verbal password at your financial institution: this is a word or phrase you’ll use with the bank or credit union when on the phone. If you have a verbal passcode and they don’t know it or don’t ask for it, this is a giveaway that they’re not who they say they are.
Scam Step 2: Trick you into giving up information
Scammers may ask you for your member number or online banking username.
Gunst was wrong: a member number can also be an online banking username.
Once they have your username, they can click the “Reset password” or “Forgot password” link, which triggers a text message, email, or phone call to you with a verification code in it. They might ask you to read the code to confirm your identity. Then, they’ll use the code to change your password and access your online banking account.
Stop the Scammer:
Scammers take advantage of the fact that you’re already on the phone with them to make it seem like the code is part of how they’re verifying your identity. In reality, they’re triggering a process that will allow them to reset your password and gain access to your online banking account.
Never read back the verification code.
Scam Step 3: Get access to your account
Once they have the verification code, they’ll change your password and get into your account. They might read through a few of your recent transactions to make it seem like you’re really talking to your bank or credit union.
They may also ask for additional information, like your card PINs. In Gunst’s case, they asked for his card PIN in order to block his card.
Stop the Scammer:
Don’t ever share your card PIN with anyone. A financial institution will NEVER ask you for your PIN and does not need it to block your card.
If you receive one of these calls or texts, don’t give them any information. Call your financial institution directly to confirm whether there’s an issue with your account.
The frightening reality is that sophisticated scams like these are becoming more common: in 2018, 26,379 people reported being victimized by scams like this and reported nearly $50 million in losses.
Because you’re giving your credentials to scammers, you could be held liable and your financial institution might not be able to get your money back.
If you are scammed into giving up a verification code or your PINs, call your bank or credit union immediately so they can lock your account and investigate.