Financial institutions use best practices to keep the money they hold safe and secure. However, even with the best security in place, fraudsters sometimes find ways to navigate around the system. Unfortunately, many people in the United States are being tricked into sharing personal information with scam artists who steal their money. In the example below, fraudsters use a verification code to gain access to their victim’s money. We explain how they do it, and how to avoid being deceived. 

Verification codes, also known as multi-factor authentication (MFA), are a security measure often used in banking. People set up the MFA as an extra, protective step to keep fraudsters from gaining access to their accounts. For example, when an account holder attempts to log into a bank account, a verification code is sent to the user’s mobile phone. After the user submits the code, access is granted to the account. Normally, this provides an extra layer of security to the account owner. Unfortunately, criminals are exploiting this layer in an attempt to gain access to money that doesn’t belong to them.  

Here’s how the scam works: The fraudster obtains information from a merchant or website breach of information. This could be information like a name, phone number, or bank account number. However, this is not enough information to conduct a bank transaction, and so fraudsters reach out to victims to gather additional information.  

Typically, the scam begins with a phone call to the victim’s mobile phone. The fraudster pretends to be from the bank, and states they’ve noticed a fraudulent charge on the account and want to help resolve the issue. First, however, they say they need to verify the victim’s identity. 

To do this, they offer to send a confirmation code by text message, and then ask the victim to read the code back to them over the phone. With the verification code in hand, the fraudster has full access to the money in the victim’s bank account. 

The following tips can help prevent future scams: 

  • Credit unions and banks don’t directly contact their members and customers to request personal information like passwords, pin numbers, or Social Security numbers.  
  • Everyone should monitor their bank account activity regularly to ensure that all the transactions that appear are recognized and legitimate. 
  • For proper identification purposes, all personal information associated with bank accounts should be kept current.  
  • No one should ever share a security verification code with their bank without having called the financial institution themselves to request services. 
  • Don’t use duplicate passwords for any online accounts. That way, in case of an online breach, scammers can’t easily use the compromised password to hack into another account. 

If a call or text says it’s from a credit union or bank, we recommend that people hang up and call the financial institution directly. This way, they can be assured of actually talking to a real representative, and not to a criminal posing as an employee of their credit union or bank.