Social Engineering Scams

Important: When we call, email or text you, we never ask for a one-time security passcode, your account password, code word, answers to security questions, or your card or account details. To confirm your identity when we call, our teams will ask questions about your account setup and activity that only you would know. If you're suspicious of a call or message, don't respond. Call BECU at 800-233-2328 or send us a secure message using Messenger in Online Banking or the mobile app.

About Social Engineering Scams

Scammers use social engineering to con victims into compromising their private information by pretending to be businesses, friends and other trustworthy people. Their goal is to get you to share sensitive information, like bank account details, Social Security numbers, user IDs and passwords.

Never open an account for someone else and never provide your user ID and password to anyone, even people you feel you can trust.

Once criminals have access, they can steal your money, commit fraud in your name, and sell your personal data or use it to open new accounts or lines of credit. The scams come in a variety of forms and are often designed to get an immediate reaction by conveying urgency and fear, and by appearing trustworthy.

Types of Social Engineering Scams

A common type of social engineering scam involves promising money, a job, a relationship or other incentive in exchange for access to your accounts. Remember: If it seems too good to be true, it probably is. If you give someone access to your account and they commit fraud, you could be held responsible.

Varieties of phishing are also common:

• Phishing: In phishing, criminals use bogus email messages to gather information, including passwords.
• Vishing: “Voice phishing” is when criminals make deceptive phone calls or automated robocalls.
• Smishing: “SMS phishing” is a tactic using phony SMS text messages sent to your mobile phone.

Examples of Smishing

How Criminals Appear Convincing — and Tactics They Use To Steal Your Money

Imposter scams: Criminals often masquerade as people or organizations you know and trust in order to get information. Watch out for individuals or businesses who:

• Ask you to answer security questions. If you answer the questions, the criminal can gain access to your account.
• Ask you to open a new account. If you open a new account and share your information, scammers can commit fraud in your name.
• Ask for a “one-time passcode”. This is a ploy to steal a security code you've been sent by your financial institution. 
• In what's known as a man-in-the-middle attack, criminals posing as employees at financial institutions contact you claiming there is an issue with your account. They may try to trick you by saying they're sending you a one-time security code and ask you to read it back to them. The criminal is trying to log in to your account, triggering the system to send a code to your phone for you to verify the login attempt. If you provide the passcode, the criminal could gain access to your account.

Remember, if BECU contacts you, we will never ask for a PIN, passcode, password, card number or answers to security questions. We will only ask you to verify your identity when you initiate a call to us at 800-233-2328 or another BECU phone number. To confirm your identity when we call, our teams will ask questions about your account setup and activity that only you would know.

When YOU call us at 800-233-2328 or another BECU phone number, we will verify your identity by asking for account details and information that only you would know, including a code word if there is one on the account.

Spoofing: Scammers can disguise email addresses, phone numbers and website URLs. Spoofing can be hard to recognize, as criminals may change just a single letter, number or symbol so things look valid at a quick glance. To avoid being fooled by spoofing:

• Don't trust caller ID. Scammers can make it look like an incoming call is coming from a local number or spoof a number from a company or a government agency that you know and trust.
• Look carefully at the email address. If someone is asking you for information, hover the cursor over the display name. If an email is from a legitimate business, it should come from an email address associated with the company's official domain name.
• Check the address bar of websites. Secure sites should have a lock icon to the left of the URL and should also begin with ‘https,' which indicates the site is using a security certificate to protect your data from third parties.

How To Protect Yourself

• Be wary of offers and people that seem too good to be true.
• Don't give in to the pressure. Use caution if you're being urged to provide information immediately, or if you feel alarmed by an email, or attracted to an offer that seems too good to be true.
• Don't click links in unsolicited messages. Clicking a link in a suspicious text could expose you to identity theft, or malware the criminal could install on your phone.
• Don't automatically download or open attachments in email. Criminals often use attachments to send viruses. Before opening any attachments, check with the person who supposedly sent the message to make sure it's legitimate.
• If you're unsure whether a call is legitimate, hang up and initiate a call yourself. It's always better to be safe. Dial the organization directly using the phone number listed on their website or your account statement.

Reporting Social Engineering Attacks

If you have concerns about a suspicious communication you've received or responded to, please contact us at 800-233-2328. You can also send us a message in Online Banking or the mobile app or visit any BECU location. Visit our Locations page to find one near you.

You can report social engineering attempts that you've received to our security team at phishing@becu.org. This no-reply email mailbox is only used for ongoing monitoring and identifying trends. Please do not send confidential information via email. If you've responded to a communication that you think may have been a scam, it's important that you call us, send us a secure message, or visit a BECU location.

If you suspect you've encountered a scam, it's also important to report it to help the authorities and to get the word out to other potential victims. The federal government has provided this compiled list of other places to report scams.

If the scammer impersonated an organization, please notify that organization as well as the Federal Trade Commission. If the scam happened online, you can report it to the FBI's Internet Crime Complaint Center.

Related Resources

• Identity Theft
• Member Account Security
• 5 Steps To Take if You Discover Account Fraud
• Fraudsters Are Posing as BECU – What They're Doing
• Using BECU Account Alerts for Security Monitoring
• How To Spot a Text Scam