Oregon & Washington CUs Warn of Imposter Text Scam Uptick

Four Oregon- and Washington State-based credit unions have been sounding the alarm about an onslaught of scam text messages targeting consumers in their membership service areas, in which fraudsters impersonate one of the local credit unions in a ploy to snag personal information.

Wendy Smith, SVP, chief risk officer for the $2.3 billion, Vancouver, Wash.-based Columbia Credit Union, said her credit union along with Oregon Community Credit Union (OCCU, $3.4 billion, Eugene, Ore.), iQ Credit Union ($2 billion, Vancouver, Wash.) and Rivermark Community Credit Union ($1.3 billion, Beaverton, Ore.), as well as other credit unions in the Northwest region, began noticing an increase in calls about text scams – also known as smishing – in July. OCCU, for example, reported receiving between 200 and 400 calls from smishing targets daily, Smith said.

A joint announcement released last week explained how the scam typically works: Fraudsters obtain the mobile phone numbers of thousands of consumers within a geographical area and blast them with urgent-sounding texts that include the name and logo of a real credit union. The texts often lead recipients to believe suspicious activity has occurred in their account or that it has been locked, and urge them to call a number that redirects to the fraudster or click on a seemingly-legitimate link. While simply receiving one of these scam texts does not mean the recipient’s account has been hacked, for those who engage with the sender, their personal information will be used to commit fraud or wind up for sale on the dark web.

According to Smith, when the four named credit unions began collaborating in response to the this summer’s wave of smishing, they collectively observed how the campaigns had become incredibly sophisticated. “Fraudsters were able to quickly adjust tactics to maximize their chances of a successful phish/smish,” she said. “Basically, we observed the fraudsters learning and adjusting their tactics within hours based on their results. Interestingly, the rise in customized and targeted phishing/smishing activity increased at the same time that FraudGPT and other AI cybercrime technologies were detected on the dark web.”

She noted the uptick in calls represented a mix of people who didn’t fall for the scam and were reporting it to the credit union, and those who unfortunately did and were either subsequently locked out of their online account or realized after the fact what had happened. “Columbia Credit Union always wants to have open communication lines with our membership – whether the news is good or bad, we love that they’re comfortable giving us a call to chat,” she emphasized.

Smishing can be particularly effective due to the high level of text message engagement among consumers, with an estimated 98% of texts getting read and 45% getting responses, the credit unions said. According to the FBI’s Internet Crime Complaint Center, fake texts and similar scams cost victims more than $52 million in 2022.

Smith said Columbia CU sent emails and letters to members warning them against these specific scams, in addition to regularly making security information and education opportunities available through its website blog, email notices and monthly member newsletter. “With these latest scams, we’ve made an effort to reinforce those education moments – when they’re on hold with our contact center specialists or when they’re logging in to online banking, for example,” she added.

Members have been advised to not respond to any texts that are unexpected or feel “off,” keeping in mind that a legitimate financial institution will never request login information such as passwords, codes or other credentials via text. Recipients who do not have a relationship with the credit union being impersonated in the text should delete it and report it as spam, and those who do are encouraged to contact the institution directly, as many have already.

Those who end up falling for a text scam are advised to report it to their financial institution, which can help them to cancel fraudulent transactions and block future charges, and consider freezing their credit and/or notifying the Internet Crime Complaint Center.