If someone calls, texts, or emails claiming to be “your bank” and urgently needs a code from you, you’re not talking to a helper; you’re talking to a thief with a script.
Scammers are impersonating financial institutions to steal logins, one-time codes, and money.
The FBI Internet Crime Complaint Center (IC3) is warning about a spike in Account Takeover (ATO) fraud, where criminals trick people into handing over login credentials (including one-time passcodes) so the criminal can get into the account and move money out fast.
What is “Account Takeover” fraud?
Account Takeover fraud happens when a criminal gains unauthorized access to your online financial account (or related accounts like payroll or health savings) and uses it to steal money or personal information. Once they’re in, they may reset your password, lock you out, and transfer funds to accounts they control.
How these scams usually work
1) Impersonation + pressure (social engineering)
Scammers often pose as a financial institution employee, customer support, or “technical support.” They may claim:
- There’s suspicious activity on your account
- You need to “verify” your login
- They must “confirm” a one-time passcode (OTP) or multi-factor authentication (MFA) code to stop fraud
In some cases, the scam escalates into a “handoff” where a second scammer pretends to be law enforcement to add urgency and intimidation.
2) Fake websites + “search ad traps” (phishing and SEO poisoning)
Some criminals build realistic-looking login pages that mimic legitimate bank sites. Others use a tactic called search engine optimization (SEO) poisoning, where fake ads or results appear when you search for a company. One wrong click can send you to a look-alike site designed to steal your username, password, and codes.
Big red flags to watch for
- They ask for your password (no legit company needs it, ever)
- They ask for a one-time code (OTP/MFA codes are for you, not “support”)
- They pressure you to act immediately (“right now,” “within minutes,” “don’t tell anyone”)
- They want you to click a link, scan a QR code, or “login here” from a message you weren’t expecting
- You found the “bank site” through a search ad instead of your saved bookmark
How to protect yourself (simple, effective habits)
- Use bookmarks/favorites for online banking and avoid clicking search ads.
- Never share your login credentials or one-time codes. People Driven Credit Union will never request your online banking credentials or one-time codes.
- Don’t trust caller ID. If someone claims to be PDCU (or any company), hang up and call the trusted number yourself.
- Use unique, complex passwords (and a password manager if you can).
- Turn on multi-factor authentication anywhere it’s available, then protect those codes like cash.
- Monitor your accounts regularly for unusual withdrawals, transfers, or missing deposits.
- Limit what you share publicly (birthdays, pet names, schools, family details can be used to guess passwords or security questions).
Think you may have been targeted? Act fast.
- Contact People Driven Credit Union immediately if you notice suspicious activity or you shared information you shouldn’t have.
- Change your password for online banking and anywhere else you reused that password.
- Review recent transactions and keep an eye out for new payees, transfers, or contact info changes.
Need help? Call us at 844-700-PDCU (7328) or reach out through our Contact Us page.
Reporting the scam helps stop it
If you experienced an account takeover or attempted takeover, the FBI recommends filing a report with the Internet Crime Complaint Center (IC3). Include as many details as possible names used, phone numbers, email addresses, websites you were sent to, and any accounts involved. When describing the incident, include terms like “Account Takeover” or “SEO poisoning.”
This article is for educational purposes to help you recognize fraud trends and protect your information. If you ever feel unsure about a message or call, it’s always okay to pause and verify—scammers rely on speed and stress.
