Security Center

Imagine this: You receive a text message from your bank alerting you to suspicious transactions on your account. You respond "No" to confirm they aren’t yours. Moments later, you get another text—this time asking you to speak with a fraud specialist to resolve the issue. Thinking it’s your bank, you press 1, and before you know it, fraudsters have taken control of your email, phone, and financial accounts.

Unfortunately, this isn’t a hypothetical situation—it happened to a member. In just a few hours, fraudsters attempted to wire $5,000 out of their account and successfully opened fraudulent credit cards in their name.

This article will break down exactly how this scam works and what you can do to protect yourself.

Step 1: Establishing Legitimacy

Fraudsters begin by gathering personal information such as your name, phone number, and card details—often from data breaches or the dark web. They then attempt small fraudulent transactions, which trigger legitimate fraud alerts from your financial institution.

Since you receive a text asking if these transactions are legitimate, you respond “No.” This is exactly what fraudsters want. They follow up immediately with another text, spoofing your bank’s phone number, stating:

“We need to speak with you regarding the recent fraudulent transactions on your account. Press 1 if you can talk now.”

Once you press 1, you’re connected with the scammer, who already knows details of the fraudulent transactions, making them seem trustworthy.

Step 2: Gaining Access to Your Device

Next, the fraudsters claim they can see unauthorized activity on other accounts linked to your digital wallet. To “help” you, they ask you to share your phone screen with them. Once you grant them access, they direct you to:
✅ Change your Apple ID or email password—giving them full control over your accounts.
✅ Enable call forwarding by dialing *72 + a new number—rerouting all your calls and texts to them.

At this point, the fraudsters can receive any text-based authentication codes meant for you, allowing them to reset passwords, take over online banking accounts, and bypass multi-factor authentication (MFA).

Step 3: Taking Over Financial Accounts

While keeping you on the phone, scammers begin making fraudulent transactions. Since they have access to your phone and email, they can:
🔹 Reset passwords to your online banking and email.
🔹 Answer security questions by asking you for the information directly.
🔹 Approve e-signature requests using stolen credentials.

They’ll keep you on hold, claiming they are “working with other banks” to stop the fraud, ensuring you don’t contact your real financial institution.

Step 4: Cashing Out

Once fraudsters have full control, they move quickly to:
💰 Wire money out of your accounts (if possible).
💳 Open fraudulent credit cards and loans using your personal details.
🛍 Charge up those accounts before you even realize what’s happened.

This process happens fast—sometimes in just a few hours.

How We Caught the Scam

Fortunately, in this case, our team noticed some red flags:
🚩 Long pauses during security questions—scammers were relaying answers from the real member in real-time.
🚩 Inconsistent device logins—our system detected access from multiple devices with different operating systems.
🚩 Failed phone verification—when we called the member’s registered phone number, it had been forwarded to the fraudsters.

Because of these red flags, we stopped the fraudulent wire transfer before it went through.

How to Protect Yourself from Account Takeover Scams

✅ Never share your phone screen or grant remote access to someone claiming to be from your bank.
✅ Be cautious of unexpected texts or calls—scammers can spoof numbers to make them appear legitimate.
✅ Check the phone number—official fraud alerts should come from the same number your bank typically uses.
✅ Never forward your calls—if you’re asked to dial *72 or another forwarding code, don’t do it.
✅ Enable two-factor authentication (2FA) on all important accounts—but use an authentication app instead of SMS codes, which can be intercepted.
✅ If in doubt, call your bank directly using the number on your statement or website—never use a number provided in a suspicious text.

What to Do If You Suspect You’re a Victim

If you think you’ve been targeted by a scam like this, take action immediately:
🔹 Contact your bank or credit union to report the fraud.
🔹 Change passwords for your email, banking, and Apple ID.
🔹 Disable call forwarding by dialing *73 (or your carrier’s specific code).
🔹 Monitor your accounts and credit report for unauthorized activity.

Scams like these are becoming more sophisticated, but by staying informed, you can protect yourself from financial fraud. Always be cautious when dealing with unexpected messages, and remember: If something feels off, trust your instincts and verify directly with your financial institution.

The Federal Bureau of Investigation (FBI) has issued a warning about a recent surge in text message scams, known as "smishing," targeting individuals with fraudulent claims of unpaid tolls. These deceptive messages are designed to steal personal and financial information.

How the Scam Works:

• Unsolicited Text Messages: Victims receive unexpected texts claiming they owe money for unpaid tolls.
• Threats of Penalties: The messages often threaten additional fines or legal action if the supposed debt isn't paid promptly.
• Phishing Links: Recipients are directed to click on a link to settle the alleged debt, leading to fraudulent websites that mimic legitimate toll agencies.

Protective Measures:

• Do Not Click Links: Avoid clicking on any links in unsolicited text messages.
• Verify Claims: If you receive such a message, contact your state's tolling agency directly using official contact information to confirm any outstanding balances.
• Report Suspicious Messages: Use your phone's "report junk" feature
• Delete the Message: After reporting, delete the suspicious text to prevent accidental interaction.

Stay Vigilant:

Always be cautious with unsolicited communications requesting personal or financial information. Legitimate agencies typically communicate through official channels and will not ask for sensitive information via text messages.

For more information on recognizing and avoiding text scams, visit the Federal Trade Commission's guidance on text message scams: consumer.ftc.gov

Pig Butchering Scams
The US Secret Service is reporting a type of cryptocurrency scam where scammers gain victims' trust and manipulate them into investing in fake cryptocurrency projects known as "Pig Butchering"

Common Tactics:

Cryptocurrency Investment Scams: Fake "insider" opportunities advertised via fraudulent websites and testimonials.

Fake Identities & Stories: Scammers impersonate others or create fictitious personas to build trust.

Unsolicited Assistance: Offers of help to access accounts or set up applications, often leading to financial exploitation.

Requests for Personal Information: Scammers ask for personal or banking details under false pretenses.

Tips for Avoiding Scams:

Shield Yourself: Ignore unsolicited messages or offers from unknown numbers.

Guard Your Information: Be cautious about sharing personal details online.

Slow Down: Verify unsolicited advice, investment opportunities, or new relationships with trusted people.

Use Caution: Never share personal or financial details with strangers. Cease contact if pressured for such information.

Note on Victims:
Some scammers may be trafficking victims coerced into facilitating scams.

You can learn more about these types of scams by downloading the US Secret Service alert information flyer by clicking here. 

The United States Secret Service continues to observe a rise in form of scam known as "pig butchering," which is a scam that involves scammers gaining the trust of their potential victims and manipulating them into transferring funds to invest in fake cryptocurrency projects.

Common Tactics:

Cryptocurrency Investment Scams: Fake "insider" opportunities advertised via fraudulent websites and testimonials.

Fake Identities & Stories: Scammers impersonate others or create fictitious personas to build trust.

Unsolicited Assistance: Offers of help to access accounts or set up applications, often leading to financial exploitation.

Requests for Personal Information: Scammers ask for personal or banking details under false pretenses.

Tips for Avoiding Scams:

Shield Yourself: Ignore unsolicited messages or offers from unknown numbers.

Guard Your Information: Be cautious about sharing personal details online.

Slow Down: Verify unsolicited advice, investment opportunities, or new relationships with trusted people.

Use Caution: Never share personal or financial details with strangers. Cease contact if pressured for such information.

You can learn more about this scam by downloading this informational flyer from the Secret Service by clicking here or visit the U.S. Secret Service by clicking here.

We want to make you aware of a recent phone call spoofing scam targeting our members. Scammers are impersonating our staff and fraud department, attempting to obtain sensitive information and gain access to accounts.

How the Scam Works:

The fraudsters use spoofed phone numbers to make their calls appear legitimate. They claim to be from Pathways and may warn of suspicious activity on your account. Their goal is to convince you to share sensitive information, such as account numbers, Card numbers, PINs, or CVV codes, Two-Factor Authentication (2FA) codes.

In some cases, they pressure members to transfer funds or make immediate changes to their accounts. 

Steps to Protect Yourself:

Verify Suspicious Messages:
Pathways will never call or email to request your full debit card number, PIN, CVV, or 2FA codes. If you’re unsure, contact us directly at 614-416-7588.

Avoid Clicking Links:
Do not click on links in unsolicited texts or emails. Always navigate to our website or app directly for account access.

Know Our Practices: Pathways will never call you and ask for account numbers, PIN numbers, 2-factor authentication codes, online banking login information, email passwords, or more than the last four digits of your card number. We will only ask you to verify your personal information when YOU call us directly.

Report Suspicious Activity:
If you receive a call, text, or email that seems suspicious, hang up or ignore the message. Contact us directly to confirm its authenticity.

What to Do If You’ve Shared Information:

If you believe you’ve provided sensitive details to a scammer, contact us immediately at 614-416-7588 so we can secure your account.

Monitor your account for unauthorized transactions and report any activity you don’t recognize.

Thank you for being vigilant and helping us protect your accounts. Together, we can combat fraud and keep your finances secure.

By Jonjie Sena

January 7, 2025

Today, we carry devices with us wherever we go, making us highly vulnerable to imposter scams, call spoofing, and data breaches. With the rise of artificial intelligence, threat actors can now commit fraud by mimicking a person’s voice over the phone. This troubling trend is affecting both consumers and businesses, with financial institutions being especially at risk.

In an increasingly common imposter scam known as the “grandparent scam,” the threat actor calls someone, posing as a family member. They claim to be in some kind of trouble, such as a car accident or an arrest, and request money to help get them out of the predicament. The criminal is able to mimic the voice of the person they’re impersonating by closing it with AI. Today’s technology is so advanced that only a short audio clip is needed.

According to 2024 Federal Trade Commission data, consumers reported that imposter scams were the leading method of fraud in 2023, with the highest losses per person coming from phone scams. Scammers have stolen over $10 million from U.S. consumers this year, reaching an all-time high, according to the FTC.

A separate report on cyberattack trends found that financial services is the most impersonated industry by criminals. Case in point, a Hong Kong finance worker was duped out of more than $25 million after falling prey to a deepfake video call scam earlier this year, in which the attendees looked and sounded just like his coworkers.

Call Spoofing: An Essential Tool for Threat Actors

Call spoofing is the deliberate falsification of a caller’s phone number and caller ID information. Criminals commonly use this tactic so that calls to their victims seem real. A common banking phone scam involves calling a bank customer and pretending to be a bank employee—ironically, in the fraud department. The incoming number the customer sees looks like a legitimate number from their bank.

The caller then tells the customer there has been fraudulent activity on their account and asks for their personal banking details. Through social engineering schemes, threat actors convince targets that their accounts have been hacked, which leads to the customer providing sensitive account information or, in some cases, wiring the caller money via apps such as Zelle and Venmo.

Data Breaches Are Fueling Financial Fraud

More than 1,500 data breaches affected over one billion people in the first half of 2024, including those impacted by multiple incidents. This represents a 14% increase in the number of breaches reported in 2023, which was a record-setting year. Financial service-related data breaches increased by 67% year-over-year, making financial services the most compromised industry in H1 2024, according to the Identity Theft Resource Center. This rise in data breaches creates a higher risk of financial fraud and call spoofing—a vicious cycle that leaves consumers and businesses vulnerable.

Armed with the victim’s name, address and other personal details obtained from data breaches, the dark web and phishing attacks, criminals can make an even more convincing case over the phone. Fraudsters use their persuasive stories during these vishing attacks, coupled with the highly personal nature of voice calls, to create a false sense of trust. They often seal the deal by sending the target a fake text link, known as “smishing.” These text and phone scams are so common, that one in three Americans has received one.

Just this month, more than a third (35%) of Americans said they were notified that details about their identities or online accounts had been stolen in a data breach—up from 28% last year according to the TransUnion 2024 Q4 Consumer Pulse Report.

One might assume that the larger the bank, the greater the temptation for fraudsters, but smaller banks and credit unions are seeing the most fraud. According to a recent report, 79% of credit unions and community banks saw more than $500,000 in direct fraud losses in 2023—higher than any other segment surveyed. Smaller banks and credit unions lack the fraud prevention resources, data and technologies used by larger banks, and they provide more personalized, phone-heavy customer service, leaving them more susceptible to fraud.

Technology Can Help Combat Call Spoofing

Though customers are increasingly aware of call spoofing and other phone-related scams, they enjoy the personal touch that only the phone can bring. Nonetheless, they’re demanding that more be done to protect them against phone fraud and unwanted calls. Customers want to feel safe to answer the phone when they receive a wanted call from their financial institution, school or physician’s office.

Industry-developed protocols such STIR/SHAKEN call authentication, which digitally validates a caller’s identity, have helped to combat call spoofing. However, STIR/SHAKEN is not always sufficient to ensure that mobile operators can differentiate between legitimate and spoofed calls. Due to the limitations of legacy networks and inconsistent implementations, they often lack the information they require to distinguish legitimate calls from robocalls calls, causing legitimate calls to be mistagged as spam. That makes it impossible for consumers to know when to answer the phone.

Other measures are available to help financial institutions reduce call spoofing, such as technology that allows them to digitally “sign” their own calls. This option stops spoofed calls from reaching the customer by providing mobile operators with the intelligence they need to block spoofed calls with confidence through complete end-to-end call authentication.

Because this method ensures mobile operators receive the authentication information they need, it greatly reduces the number of legitimate calls that are mistagged as fraudulent. That means fewer customers would block calls from those numbers—including calls from the business.

Empowering enterprises to take the reins on call authentication this way is a sound business strategy; after all, no one has a larger stake in protecting their customers and their business than the financial institutions themselves.

We wanted to make you aware of a recent counterfeit check scam [LINK TO NEWS ARTICLE] that has affected some of our members. It has come to our attention that individuals may be receiving fraudulent communications from a company called The Group, LLC, offering a work-from-home opportunity.

Here's how it works: Fraudsters are sending out offer letters detailing positions, salaries, benefits, confidentiality agreements, and including counterfeit checks allegedly issued by Pathways Financial Credit Union. We want to emphasize that these activities are in no way affiliated with Pathways Financial Credit Union and that these checks are fraudulent.

If you suspect that you have received communication like this or a counterfeit check, we urge you to take immediate action.

Please gather all relevant documentation and contact our Member Service Department at 614-416-7588.

Our dedicated team is committed to assisting you through this process. We will verify the information for you and provide the necessary guidance to navigate this situation effectively. Your security is our top priority, and we are here to support you every step of the way.

Please remember to remain vigilant and report any suspicious activity right away.

Thank you for helping us keep your deposits safe and sound.

Pathways has observed a worrying surge in sophisticated fraud attempts targeting our members. These scams, often cloaked in the guise of legitimate communications, pose a significant threat to the financial health and personal security of individuals. To combat this troubling rise, we have created a guide page devoted to monitoring and sharing these active scams with you, so you are aware and prepared to protect yourself should you encounter them.

Understanding Digital Fraud: An Overview

• A comprehensive introduction to the various forms of digital fraud, including phishing, identity theft, and malware attacks.
• Source: Federal Trade Commission (FTC) - Understanding Digital Fraud
  
  

Stay Safe Online - National Cyber Security Alliance

• Offers simple, straightforward advice on how to protect yourself online, with resources tailored for older adults.
• Link: Stay Safe Online

Recognizing Phishing Attempts:

• Tips and tricks on how to spot phishing emails, texts, and calls that may lead to fraud.
• Source: Cybersecurity & Infrastructure Security Agency (CISA) - Phishing Infographic
  
  

Digital Literacy Project

• This initiative provides tutorials and articles aimed at helping users of all ages increase their understanding of digital safety and privacy.
• Link: Digital Literacy Project

Latest Scam Alerts and Reports:

• Updates on recent scams as reported by consumers and financial institutions.
• Source: Consumer Financial Protection Bureau (CFPB) - Fraud & Scams
  
  

AARP Fraud Watch Network

• Aimed particularly at older adults, AARP's Fraud Watch Network sends out regular alerts about scams and frauds that are targeting seniors, including the latest tricks scammers are using.
• Link: AARP Fraud Watch Network
  
  

Better Business Bureau (BBB) - Scam Tracker

• The BBB Scam Tracker is a crowd-sourced tool that allows consumers to report scams and see what scams are happening in their area or across the country.
• Link: BBB Scam Tracker
  
  

National Cybersecurity and Communications Integration Center (NCCIC)

• Part of CISA, the NCCIC publishes bulletins and alerts on cybersecurity issues, including ongoing scam campaigns.
• Link: CISA Current Activity Alerts

Best Practices for Online Banking Security:

• Guidelines for maintaining strong passwords, enabling two-factor authentication, and monitoring account activity.
• Source: American Bankers Association (ABA) - Safe Online Banking Tips
  
  

Fraud Prevention Center:

• Make sure your financial information is protected.
• Source: National Credit Union Administration (NCUA) - Fraud Prevention Center

Identity Theft: What It Is and How It Happens

• An in-depth look into the nature of identity theft, common tactics used by thieves, and the impact it can have on victims.
• Source: Federal Trade Commission (FTC) - About Identity Theft

Preventing Identity Theft: Best Practices

• Strategies for safeguarding personal information online and offline to prevent identity theft.
• Source: Federal Trade Commission (FTC) - Protecting Your Identity

Fraud Alerts and Credit Freezes

• Explanations on how to place fraud alerts or freeze credit to prevent further damage.
• Source: Federal Trade Commission (FTC) - Credit Freeze FAQs

Identity Theft Recovery Plans:

• Step-by-step advice on what to do if you’re a victim of identity theft.
• Source: Federal Trade Commission (FTC) - Identity Theft Recovery Steps