In this age of endless spam and scam calls, I don’t pick up my phone for anyone unless I recognize the number.
Which is why, when my friendly neighborhood Bay Area credit union called, I picked right up. I’ve learned from painful personal experience that when the credit union is calling, there’s usually a fraud issue, and the sooner it’s dealt with the better.
What I didn’t know, but gradually learned over the course of the half hour phone call, was that the person on the other end of the line was not actually a helpful employee from the credit union. He was a scammer who was using every tool in his arsenal to take control of my bank account.
Hours later, when it was all over, a representative from my credit union’s fraud department — the real representative, not a scammer — said that stigma is a major problem around fraud. People don’t talk about falling for scammers’ tricks because it’s embarrassing. It feels like we’re constantly warned about how to spot and avoid scams, so when it does happen to us, it’s easy to blame ourselves.
But like sex education, talking about the scams we’ve experienced can dispel the stigma, making all of us savvier – and harder to dupe.
So in the interest of public service, here’s how the scammer (almost) got me, and what I should have done:
How to spot a bank fraud scam
It started with the worst possible news: Someone had hacked into my bank account and attempted to transfer out the funds. The “credit union employee” needed me to confirm my account username and then he would have me verify the transactions.
Red flag No. 1: Your bank never needs your login credentials. They already have access to your account info. The login info is just for you.
But, I figured, this was an unverified login to my account that he was checking, and he wasn’t asking for my password, so maybe this was part of the procedure? I handed the username over.
Big mistake. Never “provide your account information over the phone unless you initiated the call,” warns the California Attorney General’s Office in its guide to protecting banking info.
Next, the scammer spent a long time having me “verify” some “fraudulent transactions.” No, I told him, I was not in Utah and had not logged into my account today. No, I had not transferred any funds today.
I apologized to him for being distracted. I had been remotely attending a work meeting when he called and was split between flagging my co-workers that I was busy with the bank and listening to his instructions. The fraud department rep later told me that scammers count on this distraction, which makes it harder for you to catch their suspicious behavior and questions.
Lot of fraud education says to be wary of anyone pushing you to “act fast,” but this scammer was very kind and patient, encouraging me to take my time. I believe this was also part of the script: The fraudulent transactions were about gaining my trust (and making me forget I had already given him half my login info).
At the same time, I logged into my bank and looked for a record of these transactions – but couldn’t find them. When I asked the scammer about this, he said that they wouldn’t show up as pending because they’d been flagged as potential fraud.
At this point, reader, you may be screaming at your screen wondering why I didn’t hang up right then and there. I don’t know. I saw the red flags, but instead of adding them up and drawing the very obvious conclusion that I had been duped, I clung to anything the scammer said that had even the slightest ring of truth.
Next, the scammer said he would void the transactions and lock my account to boot out any unauthorized logins. He gave me a temporary password which I dutifully copied down. And then — and this was the key part of the scam — he asked for my password so that he could “void the credentials.”
Finally, all the math added up.
“Yeah, I’m not going to do that,” I said.
And the line went dead.
How to clean up after a scam attempt
My first action after the scammer hung up was to call my credit union — for real this time. Unfortunately, their call center was slammed, and after waiting on hold for 30 minutes, I selected the “save my place in line” option and drove to the nearest branch.
This turned out to be the best decision I could have made.
At the branch, a representative was able to verify that no unauthorized person had logged into my account. She also walked me through how to change my username for online banking, so the scammer wouldn’t even have that. I changed both my username and password, even though I hadn’t given my password away, just to be safe. We also set up two-factor authentication, which is kind of a pain but ensures that I have an extra safeguard to verify any login attempts.
I showed the representative my call log with the incoming call that appeared to be from the credit union. The person on the line used a technique known as “spoofing,” in which fraudsters make their phone call appear as if it’s coming from someone else, often a trusted source. The bank rep reported the spoofing attempt to their fraud department. According to Federal Trade Commission data, imposter scams, in which the scammer imitates a friend, relative or authority, were the most common type of scam last year, accounting for $2.3 billion in losses, nearly double 2020’s figure.
I’m used to spam calls from local area codes coming in, but I never answer them. This was the first time I’d received a spoofed call that appeared to be from an institution I knew.
“If you think a phone call might be legitimate, tell the caller you will contact your bank or credit union and call the phone number listed on your account statement or on the back of your bank card,” the state Attorney General’s Office says. If it’s a legitimate call from your bank, someone will be able to help you when you call back, and you’ll know for sure that you’re speaking with the right person.
How scammers get your info
Still, I was troubled by how the scammer knew both my name and where I banked.
After my visit to the branch, a representative from the fraud department got in touch and talked about best practices to avoid scams in the future. They reassured me the credit union was watching my account for any suspicious activity.
When I asked how the fraudster had known my name, phone number and bank info, she said most of that information can be obtained from a compromised card reader anywhere I used my debit card.
The thought was chilling, especially since I’ve had my debit card info skimmed before and now use my hand to cover the PIN pad whenever I need to enter a PIN. But apparently cloning a debit card isn’t the only thing compromised card readers can be used for.
Still: All’s well that ends well. The scammers never got past obtaining my username, and that username is useless now. I’ve beefed up my online security and learned a valuable lesson. And if the worst thing to come out of this ordeal is that I get a little egg on my face? Then it wasn’t so bad at all.