[Heads-up] It's OK To Just Say No To Phone Scams

Eric Howes

just-say-noEarlier this week a credit union located in the Midwest United States alerted its members via email to a pair of phone-and-text-based scams designed to trick unwitting users into coughing up key information about their credit union accounts as well as personally identifiable information (PII) that could be used to facilitate identity theft.

Given the detailed description of the scams provided, it's worth reading in full:

Scammers posing as the Credit Union

Yesterday, January 27, 2020, we sent out email communication regarding the recent scammer attempts posing as the credit union over the phone. We have since learned new information and it is extremely important to us that we share this with you in every effort to safeguard you and your accounts.

Here's what's happening - scam by phone:

* Scammers are calling from what will 'appear' to you to be our toll-free number 877-***-**** and requesting personal identifying information including but not limited to I Branch user name and password, credit/debit card numbers & social security number.
* They are acting as if the call was disconnected. If/when you call back thinking the call was disconnected, the scammers will call again waiting for you to pickup their call.
* This is giving them just enough time to obtain your personal identifying information and act on your accounts.

Here's what's happening - scam by text message:

* Scammers are texting from what will 'appear' to be a fraud alert from the credit union
* They may ask if you made a specific transaction/s.
* If/when you answer (Yes or No) in response to their text, they respond letting you know a credit union fraud representative will be reaching out to you by phone.
* They then call from what appears to be our toll-free number 877-***-**** and begin to ask for personal identifying information to gain access to your accounts.

What should you do if you get this call/text?

Hang up immediately, call 217-***-****, and WAIT to speak to a representative. The credit union will NEVER call and ask for personal identifying information over the phone.

For assistance or to report a lost or stolen card, contact us:

The scams described — by both text (aka smishing) and phone (aka vishing) — are quite aggressive. And it's a sure bet that this particular credit union isn't the only bank or other financial institution whose members and customers are being targeted by with such social engineering campaigns.

It's also important to remember that smishing and vishing campaigns are by no means restricted to banks and credit unions. Often powered by AI/deep-fake technology, these kinds of tactics are increasingly being used against ordinary businesses and organizations to enable everything from credential-phishing to what must surely be everyone's favorite scam -- wire fraud.

As aggressive as these social engineering campaigns are, they are also easily defeated if users simply remember one key bit of advice: do not give out personally identifiable or sensitive financial information in response to a cold call or text. Period. If you didn’t initiate the call or text exchange yourself, no legitimate representative of a financial institution should be asking for information about you or your account.

In other words: learn to say NO and hang up, even in the face of high pressure tactics.

Once you steel yourself against the authoritative-sounding voice barking in your ear or the insistent texts popping up on your phone, it really is just that simple.

Will your users respond to phishing emails?

KnowBe4's Phishing Reply Test (PRT) is a complimentary IT security tool that makes it easy for you to check to see if key users in your organization will reply to a highly targeted phishing attack without clicking on a link. PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organization from these fraudulent attacks!

PRT-imageHere's how it works:

  • Immediately start your test with your choice of three phishing email reply scenarios
  • Spoof a Sender’s name and email address your users know and trust
  • Phishes for user replies and returns the results to you within minutes
  • Get a PDF emailed to you within 24 hours with the percentage of users that replied

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews