Blog

Credit unions reported that 2024 featured a dramatic increase in members suffering financial losses from fraudsters. What’s perhaps the most important element of that trend is that most consumers make the choice to willingly engage in interactions with fraudsters. Credit unions also reported that there are limited steps they can take to stop members from becoming victims. As such, consumers are in the best position to stop fraud aimed at them before it starts.

This is the first of a two-part article discussing how consumers interact directly with fraudsters. In this part, the focus is on consumers who respond to what they believe are urgent calls from their credit union.

Lured in

People are being contacted by calls, emails and text messages by scammers claiming to be the member’s credit union.

Such calls appear to be for the benefit and safety of the member. The messages always convey an urgent threat, such as, “a suspect transaction has been identified on your credit card or account” or, “there is a risk that your account access has been compromised.”

The call will appear on caller ID as coming from the member’s credit union. The caller will identify a suspicious transaction that has been supposedly attempted or will warn the member that their online banking credentials have been compromised. The point of the call is to present this as an urgent threat to the member that must be responded to immediately.

The scammer will use this situation as a basis for having the member provide confidential information, which will allow the fraudster to take over the member’s account. Once the fraudster is in control of the account, they will initiate illegitimate transactions and also possibly block the member’s access from their own account.

The ability of fraudsters to execute such scams starts with the fact that they can spoof (fake) a credit union’s phone number or email address. How can a member know the difference between a legitimate call from their financial institution and a fraudster? There are observable differences:

• Your credit union will not ask for your login or password for online banking.
• Your credit union will not send a link that will require you to input information it already has, specifically your account number, member number, or full social security number. The financial institution will only ask for sufficient information to verify your existence as the owner of the account.
• The URL for your credit union cannot be duplicated exactly. If it is not the same URL as the one for credit union’s web page (for example, www.mycreditunion.com vs. www.mycreditunions.net), it's a fake.

First Best Defense

There are simple ways for consumers to protect themselves from these threats.

Do not answer a phone call coming from a number you do not recognize. Let the call go to voicemail. Listen to the voice mail (if one was left) and assess whether it sounds legitimate. If the caller claims they are from your credit union, do not call them back from the number they provide in the message. Go to your credit union’s website and use the number provided to call back.

When you reach the credit union’s service center, explain, “I received a call from (John Doe) at the credit union and he left me a message saying there is a problem with my account.” The service center representative will quickly confirm whether John Doe is a real employee.

This guidance still applies if you find yourself taking a call directly. Once the caller has stated their name and laid out why they called, tell them you cannot finish the call at that moment but will call them back in a few minutes. Do not provide any account information (such as login information, account numbers, member number, account activity) or personally identifying information (such as address, age, social security number, mother’s maiden name) during that call.

After hanging up, go reference the phone number on that credit union’s website and call it. Repeat the process described above with the service center.

Digital Danger

If an email is received from your credit union, confirm that the URL matches the URL on the credit union’s website before responding to it (hover your pointer over the URL). Any response should still not include account information or personally identifiable information. If that’s asked for, again, call into the service center of the credit union and explain, “I received this email that said I was at risk…”

You may receive a link that asks you to confirm the legitimacy of a pending credit or debit transaction. That is a common security feature most financial institutions offer. The response to such a message should be a simple “yes” or “no” as to whether you initiated that transaction. Any information sought beyond affirmation or denial of the transaction, or even an effort to redirect you to a website to provide account information or personally identifiable information should be disregarded. In response to receiving such a message or a link to follow, you should again reach out to your credit union’s service center and explain the situation you encountered.

Responses described here, such as ignoring a call and letting it go to voice mail or cutting off a caller in mid-call is counter to the general courtesy most consumers are used to conveying. Plus, having to look for a phone number from a website and making a new call instead of just completing a call that is made to you feels inefficient and time consuming. However, protecting your financial assets is not discourteous, it is an act of safety. Any caller you deal with from a legitimate credit union will understand your need for maintaining that safety. A fraudster will argue that you are wasting time. However, shutting down a scam attempt is time well spent.