“Do not share this code with anyone.”
Have you received this text or email message before? Chances are, if you’ve attempted to log into an online account, change your email address, or set up a new phone app, you received one of these messages with a verification code that is typically a six-digit number. Companies use this process to help verify your identity and ensure that they are working with the person who has access to the email or phone number provided. Criminals know these controls are in place, so they’ve become sneaky in obtaining this information in order to take over your accounts and steal your money.
The process usually starts with a text message alert asking if you authorized a large purchase with your debit or credit card. The charge will be for several hundred dollars to a business you may be familiar with, such as Paypal or Amazon, and they will provide a link or phone number to contact your “bank” to let them know if the charge is not authorized. Criminals hope that panic will set in before you have the chance to realize that the message is not from your real financial institution.
Once you engage with the scammer, they will spoof your bank, pretending to be concerned about this unauthorized charge on your account. While you believe they are working to decline the transaction, in the background, the scammer is attempting to log into your online account and change the password so that they have access to your banking information.
The effort is timed to perfection as they tell you that you will receive a verification code that you need to provide them in order to dispute the large charge you didn’t authorize. At the same time, they use the “forgot password” link for your real online banking, which prompts the system to send you a verification code.
The typical six-digit code is usually following by a phrase similar to “Your bank will not ask for this information. Please, do not share this code with anyone.” The scammer will keep you talking, asking for the code and maintaining a sense of urgency so that you will ignore the warning message and share the code anyway. Once you provide the code, they can change your online banking password, gain access to your accounts, and begin exploiting your accounts and money.
Before you find yourself in this scary situation, know there are a few steps you can take to protect yourself and not allow the fright to guide your actions.
Ø Don’t panic. Read the text message carefully, as often the message will come from a large, well-known company or bank that you may or may not not have relationships with and may seem strange.
Ø Don’t use the link or contact number in the message. Check with the company or bank using a contact number or online access that you would normally use.
Ø Don’t share the code. If you receive a temporary password or verification code that you did not initiate, especially when the message states not to share the code with anyone, don’t share it. Banks will never ask you for this information, simply because we don’t need it to handle your accounts.
Ø Hang up. As rude as it may sound, bank staff will not be upset if you tell us that you are going to end the call and call us back using a known bank number… In fact, if you think you are being scammed, we want you to hang up – we promise, even if it is truly us, we will not be upset!
Ø Contact your banker. If you believe you’ve been the victim of a spoofing scam or that someone has gained unauthorized access to your accounts, let us know. Bank staff are trained on steps we can take to help you get control of your accounts again and help you take steps to protect yourself from the criminals.
By learning the signs related to this spoofing scam and being prepared, you can keep your cool and not let the criminals spook you into acting with haste. When you receive one of these messages and you know that you did not initiate the listed charge, contact your bank or review your online banking before responding. Most likely, you’ll find the charge is not present in your account records and the text message was just a criminal attempting to start a spoofing scam.