Skip to main content

Keeping Our Members Safe

Sophisticated Social Engineering Scams Lead to P2P Fraud

Fraudsters are launching social engineering attacks to members by posing as the credit union to obtain online banking credentials. They are defeating out-of-band / 2-step authentication by scamming member into providing this passcode to them. Once they have the passcode, they login to the member’s account and use peer-to-peer (P2P) services, such as Zelle and Payzur, to transfer funds elsewhere.

Here’s how the scam works:

  • Fraudsters send account alerts to members via text message –appearing to come from the credit union warning them of suspicious debit card activity.
  • For those members who respond to the text, the fraudsters call the members spoofing the credit union’s phone number and claim they are in the credit union’s fraud department and calling to verify suspicious transactions.
  • To verify the member’s identity, the fraudster explains a passcode will be sent via text message and the member must provide the passcode over the phone.
  • The fraudsters attempt a transaction that triggers a 2-step authentication passcode, such as using the “forgot password” feature or initiating a P2P transaction. The passcode is sent via text / email to the member who, in turn, provides it to the fraudster.
  • The fraudsters immediately use the passcode to login to the member’s accounts and use the P2P feature to transfer funds.

Fraudsters also have spoofed the credit union phone number and called members asking them to verify information such as card number, PIN and CVV/CVC –which is all they need to counterfeit a card. In a few cases where members refused to provide the passcode, the fraudsters impersonated the members and social engineered the members’ mobile phone carrier to port the members’ mobile phone to a different carrier. This allows the fraudster to receive the passcode by using the “forgot password” feature.

Please Note: ACFCU will never ask you for such private, secure information over the phone, via email or text message. Should you suspect you are being targeted by fraud, or have fallen victim, please contact us as soon as possible. We'll work with you to investigate the matter, ensuring your accounts and funds are safe at the Credit Union.