Common Fraud Tactics

Top Fraud Types

Top five fraud types in 2022 according to the Federal Trade Commission were imposter scams, online shopping scams, prizes-sweepstake-and-lottery scams, investment scams and business-and-job opportunity scams

Consumer losses reported to the Federal Trade Commission in 2022 totaled nearly $8.8 billion nationwide, an increase of more than 30 percent over the previous year. (Source: Federal Trade Commission)

One of the most common scams involves something called spoofing, where scammers disguise themselves as a trusted person (or company) and go phishing, "luring" you to provide the information they need to get access to your financial accounts.

Examples of Spoofing/Phishing

Below are some examples of how spoofing/phishing works and what you can do to protect yourself.  


How it works

You receive a text message claiming to be TCU that says a transfer was submitted and provides a link to review the transaction.  The link then takes you to a fake TCU webpage where the scammer hopes you'll enter your login credentials so they can capture your information and then schedule external transfers from your account.

What you should do

How it works

Image of woman looking at her phone with a suspicious look on her faceFraudsters can disguise the phone number that shows up on your caller ID to make it look like they're from TCU (or any company you do business with). This improves the odds that you'll answer AND that you'll be more willing to play along.

A common tactic is to call and say they need to verify some recent (and fake) transactions. When you tell them you didn't authorize the transactions, they'll say they need to lock down your debit card and online banking to investigate.

But to do that, you'll need to provide them with the confirmation code they just sent you.

It's likely the scammer asked you at some point for your online banking username. That allows them to type your username into online banking and use the "Forgot Password" link to send the code to your phone. Once they have that code, they have access to your accounts, and you don't.

What you should do

  • Remember our mantra: TCU will never call, email, or text you to ask for your account information, secure access code, card information, or online banking username/password.
  • If you fell victim to the scam: Call Member Services as soon as possible at (800) 552-4745. If it's after hours, you can use the secure contact form found here.
  • Even if you didn't fall victim to the scam: Call us to let us know. Information such as what phone number was calling, what information they asked for, or why they claimed they were calling helps us to combat these types of incidents.

  • Don't answer calls from unknown numbers. Let them go to voicemail.
  • If the caller claims to be from a legitimate company or organization, hang up and call them back using a valid number found on their website or on your latest bill if you do business with them.
  • If you answer and the caller (often a recording) asks you to press a button to stop receiving calls, or asks you to say "yes" in response to a question, just hang up. Scammers often use these tricks to identify, and then target, live respondents, or to use your "yes" to apply unauthorized charges on your bill.
  • Be Aware: Caller ID showing a "local" number no longer means it is necessarily a local caller.
  • If you answer and the caller asks for payment using a gift card, it's likely a scam. Legitimate organizations like law enforcement will not ask for payment with a gift card.
  • If you receive a scam call, file a complaint with the FCC Consumer Complaint Center by selecting the "phone" option and selecting "unwanted calls." The data we collect helps us track trends and supports our enforcement investigations.
  • If you have lost money because of a scam call, contact your local law enforcement agency for assistance.
  • Ask your phone company if it offers a robocall blocking service. If not, encourage them to offer one. You can also visit the FCC's website for more information about illegal robocalls and resources on available robocall blocking tools to help reduce unwanted calls.
  • Consider registering your telephone numbers in the National Do Not Call Registry. Lawful telemarketers use this list to avoid calling consumers on the list.

How it works

Similar to text spoofing, scammers will try to pass their messages off as if they're from a trusted source. They hope their message is urgent or interesting enough for you to click on a link or maybe download an attachment.

TCU frequently emails our members with information about products and services, and on occasion will send important email notifications to inform you of any issues with one of our online services. What we won't do is send emails that:

  • Contain messages asking you to "call us immediately" or take some kind of urgent action on your account
  • Contain attachments
  • Ask you to reply directly to the email
  • Request you to provide your username, password or other account information

When in doubt, don't click

Your peace of mind is more important to us than you clicking on a link in an email you're unsure about. If suspect that an email is not from TCU, we encourage you to:

  • Remember our mantra: TCU will never call, email, or text you to ask for your account information, secure access code, card information, or online banking username/password.
  • Contact Member Services by phone or via live chat on our website to confirm the email is from us.
  • Bypass the links altogether and visit tcunet.com, where you can use our search feature to find more information about the topics that interest you.

The Federal Trade Commission offers some great information about how to identify and protect yourself from email scams.

 

Delete all unsolicited email messages without opening them. Responding to spam only confirms your email address to the spammer, which can actually intensify the problem.

It's safer to retype the web address than to click on it from within the body of the email.

Don't open attachments from strangers.

If you do not know the sender or are not expecting the attachment, delete it.

Most computer files use filename extensions such as ".doc" for documents or ".jpg" for images. If a file has a double extension, like "heythere.doc.pif," it is highly likely that this is a dangerous file and should never be opened. In addition, do not open email attachments that have file endings of .exe, .pif, or .vbs. These are filename extensions for executable files and could be dangerous if opened.

If you don't know the reputation of a website, don't assume you can trust it. Many websites sell email addresses or may be careless with your personal information. Be wary of providing any information that can be used by others for fraudulent purposes.

Forged email purporting to be from your financial institution or favorite online store is a popular trick used by criminals to extract personal information for fraud.

Many fraudulent emails send out urgent messages that claim your account will be closed if sensitive information isn't immediately provided, or that important security needs to be updated online. Your financial institution will never use this method to alert you of an account problem.

A tell-tale sign of a fraudulent email or website includes typos and grammar errors as well as unprofessional design layout and quality. Delete them immediately.