In the ever-evolving world of financial services, it is critical to stay vigilant and informed about the latest scams targeting financial institutions and unsuspecting individuals. ETPCU is devoted to keeping you informed and empowered so that our Credit Union and our members are protected.
Financial institutions nationwide have experienced an increase in social engineering fraud scams involving debit and credit cards, and online/mobile banking transactions. Social engineering fraud scams exploit a person’s trust in order to obtain money immediately or confidential information to be used for a later crime. These fraudsters are contacting members and attempting to commit Account Take Over (ATO) fraud. They convince members that they are Credit Union employees and are calling to protect you from a potential fraudulent charge. The cardholder is then convinced through social engineering to provide either their fraud alert case ID or the One-Time Passcode (OTP) authentication (or both) that are sent to cardholders when potentially fraudulent transactions occur.
Here is a basic example of the account take over fraud:
- Social engineering begins with a caller ID number being “spoofed” showing up as ETPCU on your phone.
- You, as the Cardholder, are comfortable answering, believing the “Fraud Center” or “Customer Service” (the fraudster) is their financial institution.
- The fraudster supplies enough BASIC information such as cardholder name, last four digits of Social Security Number, DOB and last few transactions to establish trust that it is the Credit Union.
- Unbeknownst to the cardholder, the fraudster is attempting to make a fraudulent transaction which will trigger either a Fraud Alert ID, Case Number, or OTP for the transaction they are attempting to make. The fraudster, acting as the financial institution, is just “helping the cardholder out.” They give instructions on what to do with the SMS text the cardholder is about to receive. This action results in a response of “Yes” to the actual fraud alert, indicating the cardholder recognizes the transaction, which updates the fraud alert as “Not Fraud,” so the bad actor can commit fraudulent transactions.
- The fraudster will often indicate they are shutting the card down and will issue a new card for the cardholder. However, they do not shut the current card down, they instead commit fraudulent transactions.
- As part of “ordering a new card” the bad actor will request the cardholder to authenticate their PIN. Once the bad actor has the PIN, the bad actor empties all funds from the account. ETPCU will NEVER ask for your PIN.
- The fraudster may also attempt to commit fraud using online purchases and Mastercard Secure Code. When the intention is Mastercard Secure Code Fraud, the bad actor states they are making sure the “cardholder has been added” or “setup in the system” by asking for the code that was sent to you. ETPCU will never ask for a Mastercard Secure Code.
- Once the cardholder provides this code to the fraudster, the fraudster may then make address/phone changes to intercept Fraud Alerts as well. Upon successfully changing contact information, the fraudster can empty all funds from the account.
- The fraudster may request to gain access to your online banking as well. ETPCU will never ask to for information to gain access to mobile/online banking.
As a rule, ETPCU will not ask for any of the following information if we call you:
- Account/Card Number
- Social Security Number
- CVC/CVV
- Card Expiration Date
- PIN
- Passwords
- Online/Mobile Banking Credentials
- Fraud Case Number or One Time PIN (OTP). The Case Number is only requested when the cardholder (you) calls the ETPCU Fraud Department or the FIS SecurLOCK team.
Other General Rules to Protect Yourself:
- Be sure to update your contact information on all accounts (cell phone, e-mail, address) immediately when it changes and verify it is still correct when you visit a branch or call in.
- “Ten Two Rule” – take 10 minutes to think about it and talk to two trusted people before clicking a link or responding to an unsolicited email or phone call; especially those expressing urgency such as “your account will be terminated,” etc.
- Do not share Case Numbers or One Time PINs (OTP) with anyone that contacted you.
- If in doubt, hang up and call the number on the back of your card or call ETPCU directly.