Your phone rings. You glance at the caller ID, which shows that your credit union is calling. You didn't reach out to them, so the call is unexpected. But it might be important, so you decide to answer it. That will be your first mistake in this scenario.

The Federal Communications Commission (FCC) defines spoofing as a situation in which a caller deliberately falsifies the information transmitted to your caller ID display to hide their identity. Spoofing poses a risk that an incoming call with the caller ID listed as “ABC Credit Union” – that is, your credit union – may not actually be from that financial institution and could be illegitimate. Is this a common threat?

Unfortunately, it is too common. The Federal Trade Commission (FTC) reported in recent years that imposter scams such as these have been the leading method of fraud, with the highest losses coming from phone scams, and financial service organizations being the most commonly spoofed industry.

So what happens next after you answer that call? Often, the voice on the phone tells you they are from your credit union’s fraud department (i.e., the Rep-Imposter) and that you are at risk. At risk for what? The stories vary, but usually include one of the following:

• An account takeover attempt is suspected to have occurred with your account by an unknown party, and you may be locked out.
• Your account has not been breached, but someone has tried to send an unauthorized transaction out of your account, either through Zelle, ACH, or Debit/Credit card.
• Your private information – such as your password or login – is in the hands of a fraudster.
• A bad apple employee in the credit union has targeted you and compromised your account.
  

After this rep-imposter explains what the risk is, they tell you that they need to get some information from you to help secure your account. Don’t do it! If you do not tell them at that moment that you will have to call them back and then hang up immediately, you’ll have made your second mistake in this scenario.

 You may ask, though, if the caller is a fraudster, why do they: 

• Know certain pieces of information about me?

   Fraudsters know certain things about you because the call is not random. They researched you through available public records and may have stolen information from your mailbox or bought information about you on the dark web. 

• Send me a code so that I can reset my password? Fraudsters who have figured out your online banking login (whether on their own or with your help) trigger a “forgot password” response from the system that generates a Secure Access Code (SAC), which is sent to your phone. These fraudsters falsely state they sent you that message so that they can ask you to read the SAC back to them. These fraudsters then gain access to your online account by changing your password, doing it while talking to you on the phone. 

• Answer my questions patiently, spending upwards of hours on the phone with me? 
Fraudsters are happy to maintain a long conversation with you. They are looking for ways to extract more personal information. The more you talk, the more you give up, making you more vulnerable to their financial attacks, then or in the future. Fraudsters are looking for information to make it easier to take over your account, such as your password, PIN, Social Security number, current address, past address, email and phone numbers. This information can be used to steal your identity in the future or launch attacks on accounts you may have at other financial institutions.

Often, the Rep-Imposter provides assurances that they can keep the member from losing money due to the supposed fraud attack. That solution, though, may involve you transferring your money to another account at their direction. Wait! If you follow these instructions, you’ll have made your third mistake in this scenario.

A legitimate representative from your credit union would never instruct you to move your money. If your existing accounts were considered vulnerable to fraud, an account number change can be made quickly to ensure the security of your funds. Funds that get moved to another account that you did NOT set up, particularly outside of the credit union (such as a bitcoin account or an account at another financial institution), would not be in your name, and you would lose access to your money. This is not protection for you; this is a subtle attack, and you will not see your money again.

Hopefully, the benefits of the solution described earlier will become clearer with the full extent of the risks laid out. Do not engage with a reported representative of your credit union who calls if you do not know them. Listen to the information they provide, thank them and tell them you will need to call them back in a few minutes. When you call the number from your credit union’s website, you can be confident that you will connect with legitimate representatives of the financial institution.

When you call in, repeat the story you were told. Contact Center representatives will very quickly be able to confirm if the previous call was legitimate or whether you were likely the target of an Imposter-Rep fraudster. Hanging up and calling again is admittedly an extra step, but the certainty that you are not being lured into a fraudster’s trap is worth the small inconvenience.