Summary
- Phishing, vishing, and smishing scams are on the rise, targeting victims by impersonating financial representatives to steal login credentials and other sensitive information.
- Scammers use fake emails with convincing logos and hyperlinks to trick members into entering their credentials on fraudulent websites.
- Criminals use spoofed phone numbers and caller ID to lead victims to provide sensitive data.
- Avoid sharing personal information through unsolicited communication and contact your financial institution directly if something seems suspicious.
Cybercrooks repeatedly cast their lines, intent on hooking their next phishing, vishing, or smishing victim. All it takes is a nibble for scammers to set the hook, reel in their catch, and extract account details or other confidential data. But by recognizing their slimy tactics, you can avoid becoming their next financial meal.
What are 'Ishing Scams?
Phishing, vishing, and smishing schemes are affecting a growing number of credit union members. Bad actors favor ‘ishing scams because of how easily they can convince members that they’re communicating with a credit union employee. Believing that a trusted representative is asking for the information, members more readily reveal login credentials, temporary passcodes, and other sensitive data that crooks can use to access targeted accounts. Each scam differs according to the method of communication used to carry out the sham.
Phishing
Phishing is an email scam that uses fake logos, phony email addresses, and other bogus identifiers associated with a trusted financial institution. This façade helps convince the target that communication was sent to them by a legitimate representative. The message often includes a hyperlink to a look-a-like website where the member is instructed to enter their login credentials.
Despite numerous login attempts, members are unable to access their account since the website is fake. Members are later surprised to learn that their password was changed, and they’re locked out of their actual online accounts. When they finally gain access via the real online banking portal, they learn that the scammer transferred the entire balance to an external account.
Common Phishing Scam Scenarios
Phony support representatives falsely claim to work for major companies, like Facebook or your financial institution, to convince their targets that giving them remote access to the device is safe. They might even use technical jargon to further convince targets they have the expertise to resolve the phony issue. Con artists manipulate their victims into fearing the worst possible outcome. Their lies encourage distraught targets to act without thinking. Scammers want you to act quickly, so they might say things in an email like:
Subject: Urgent: Account Verification Required to Avoid Suspension
From: security@[YourBank].com
Dear Valued Customer,
We are detected unusual activity on your account and require immediate verification to ensure your security. Failure to confirm your account details within 24 hours will result in the temporary suspension of your account.
Verify My Account Now
If you do not verify your account, you will lose access to online banking until further notice. We Apologize for Any Inconvenience this may cause and Thank You for your prompt attention to this matter.
Sincerely,
Your Bank Security Team
If you encounter a suspicious support representative, don't engage with them. Take note of the sender’s email address. It may look legitimate but is likely fake or slightly altered (e.g., security@[YourBank].com instead of security@[YourRealBank].com). Immediately report the email as spam, delete the communication, or close the chat window. If there is truly an issue with your account, you will be able to resolve it after logging in to the platform directly from their website.
Vishing
Vishing – or “voice phishing” - is a phishing scheme that uses spoofed phone numbers to falsely represent the caller. Because the number is “validated” by caller ID, the live phone call seems to be from a trusted source. Criminals claim they are calling to resolve an account issue, like fraud, but must first verify the member’s identity. This typically involves sharing login credentials and temporary passcodes crooks use to access the online account. Similar to email phishing, members discover their accounts are drained, and the credit union employee was actually an imposter.
Basics of a Vishing Phone Scam
This scenario highlights a scammer’s tactics to create urgency and pressure you into sharing sensitive information. By staying calm and refusing to provide details, you can protect yourself from falling victim to such scams.
(The phone rings and the caller ID says it's your bank.)
You: Hello?
Scammer: Hi, this is John from [Your Bank/Credit Union Name]’s fraud prevention department. We’ve noticed some unusual activity on your account, and we need to verify some details to protect your funds.
You: Oh no! What kind of unusual activity?
Scammer: It looks like there were a few large transactions flagged on your account that we need to confirm. For security purposes, could you please provide your account number and the last four digits of your Social Security number so I can verify your identity?
You: I appreciate the concern, but I’m not comfortable sharing that information over the phone. Can you give me more details about these transactions?
Scammer: I understand, but we need to act quickly to prevent any further unauthorized access. If you don’t verify your information, we won’t be able to stop these transactions. Please provide your account number and PIN so we can lock your account down immediately. If you don't want to tell me over the phone, you can enter that information into the secure link I just sent you.
You: I’m still not comfortable with this. I’ll contact [Your Bank/Credit Union Name] directly using the number on their website to discuss this issue. Thank you.
In this example, we can see just how clever and convincing scammers can be. When you're even a little bit unsure, the best course of action is to hang up and contact your financial institution directly using a verified phone number, such as the one listed on their official website or your account statements. This allows you to confirm if the call was legitimate and protect your accounts from potential fraud. Remember, legitimate institutions will never pressure you to provide account details over the phone in this manner.
Smishing
The term “smishing” comes from SMS (short message service) or text message phishing, and like vishing, it works with the help of caller ID. The spoofed phone number makes SMS text messages appear to originate from the company referenced in the text conversation. For example, fraudsters pretending to be credit union employees send texts claiming that the member must confirm a loan approval, or a recent debit or credit card purchase, by responding to the message with account details.
A bogus fraud alert often begins with a text message like this one:
[Your Bank's Name]-Alerts: $1283.86 on card 4***** was attempted.
Not recognized? Reply "CANCEL" and visit the link to cancel.
Here's another example of a fake payment text message:
[Your Bank's Name]: Did You Attempt A Purchase For $89.26 At BestBuy? If it Were You Then Simply Disregard This Message. Not You? Reply Y or N
You: N
[Your Bank's Name]: Thank You for Confirming This Transaction, You Should Be Receiving A Call From Us Shortly.
[Your Bank's Name] - Hard Mobile Reset
To Cancel Online Banking Input: Username/Password/ Cancel
Your first line of defense is to look for typos and incorrect grammar or spacing in the message. If you are even a little bit suspicious, ignore the message and contact your bank directly using the number on their website. Responding to the message in any way triggers a phone call that displays “First Service Credit Union” on your caller ID. The number is spoofed. Criminals use technology to make the phone number seem to be from the credit union. If you answer the call, the imposter will falsely claim they work with the institution’s fraud department. Convinced they need to follow the caller’s instructions, members unaware of this growing scam provide confidential information that often includes digital banking credentials.
Protecting Your Account from ‘Ishing Scams
Crooks use these clever tactics and others to impersonate trusted individuals and companies, but you can take steps to keep your financial data out of their hands.
- If you suspect the communication is fake, contact your credit union immediately.
- Never share your password or personal information over the phone or in response to an unsolicited text or email request—even if caller ID says, “First Service Credit Union.”
- Do not click on hyperlinks that are (or seem to be) sent by your financial institution. Instead, type the institution’s web address directly into your internet browser.
- Invest in antivirus software that looks for malware and virus on your computers and other devices.
- Visit First Service’s security page to learn how we can work together to protect your account.
Navigating murky financial waters without getting hooked by cybercrooks can be tricky. But you can see through their sneaky tactics when you question unsolicited communication from your financial institution. It’s the best way to keep your money safe from digital threats.
If you believe someone is trying to access your First Service account, dial 713-676-7777 to report the incident.