Identified Scam:

Red Flags of Fake Credit Union Emails: Prevent Phishing

Scammers have turned their phishing attempts to members of credit unions, sending out fake emails in the hope of getting their hands on valuable personal data.

Gemma Davison
Updated 15 September 2021
Key Finding

Emails are being sent, impersonating well-known credit unions in an attempt to steal your information.

Key Risk

Your identity and money could be stolen if you enter your information or download attachments.

Sections on this page
  1. How Do Credit Union Phishing Emails Work?
  2. Examples of Fake Credit Union Emails
  3. Red Flags of Fake Credit Union Emails
  4. How to Beat Credit Union Phishing Scams
  5. What To Do After Falling For This Scam
  6. Frequently Asked Questions

According to the FBI, in 2020, phishing was the most common type of cybercrime, with 93% of phishing attacks arriving by email. Recently, scammers have turned their phishing attempts to members of credit unions, sending out fake emails in the hope of getting their hands on valuable personal data.

If you’re tricked by one of these phishing emails into handing over your sensitive data, you can quickly become the victim of identity theft. Your accounts could be emptied, new lines of credit could be opened in your name, or your details could be used to commit tax fraud. Protect yourself from these scams by knowing the red flags to look out for and understanding how they work.

How Do Credit Union Phishing Emails Work?

Phishing attacks occur when a scammer sends you an email masquerading as a representative of your credit union. By searching public sources of information—like social media networks—scammers can collect information about you to convince you that the email is genuine, including your:

  • Name
  • Email address
  • Job title
  • Date of birth

Here's how this scam works. 

You Receive an Email

An email lands in your Inbox, and at first glance, it appears to be from your credit union. The subject line claims the email holds important account information, so you click to view the whole message.

The email appears genuine. It features the company logo of your credit union, the sender field shows the name of your credit union, and the email mentions some of your personal information.

Example Fake Credit Union Email

Dear Customer, 

Please log into your NASA Federal Credit Union account immediately to review and verify recent activity on your account. Upon logging in, you will be asked to verify some of your information. 

>> Click here

Thank you for the opportunity to serve you. 

NASA FCU Security Team

Within the body of the message itself, scammers will use a variety of tactics to create a sense of urgency so that you act on the email immediately, including:

  • Claiming there has been suspicious activity on your account
  • Saying your account has been linked to criminal activity
  • Requesting you update your account details or risk being blocked
  • Asking for verification of suspicious login attempts

You Click On The Link Provided

You’re invited to download an attachment labeled “Online Bank Statement” or something similar, as unusual activity has been detected on your account.

Concerned that you’re a victim of identity theft and are losing your hard-earned cash, you click on the download.

Scammers use two main phishing methods within their fake credit union emails:

  • Dangerous links to a legitimate-looking website, often a clone of your credit union's site, where you’ll be asked to log in to your account or verify additional personal details. The website is likely to contain credential-harvesting code to steal your account details. Alternatively, once you click the link, harmful malware is immediately downloaded onto your device.
  • Dangerous attachments that have names designed to pique your interest, such as “ACCOUNT STATEMENT” or “LOAN AGREEMENT.” When you download the attachment, phishing malware is installed, allowing scammers to monitor your online activity and control your device.

Your Information and Identity Are Stolen

Once the scammer has your information, and even your credit union login credentials, they can log into your accounts and steal your money. They can even start taking out lines of credit in your name, leaving you with several bills to pay.

Identity theft is a serious crime that can take years to recover from.

Examples of Fake Credit Union Emails

Example of a fake NASA Credit Union email. (Source: NASA Federal Credit Union)

Example of a fake Delta Community Credit Union email. (Source: Delta Community Credit Union)

Red Flags of Fake Credit Union Emails

Of course, there are legitimate notices from credit unions, so we can’t tell you to ignore all such emails. However, it’s always wise to use extra caution when dealing with emails that appear to be from your credit union. Here are some red flags that an email is not as genuine as it first appears:

  • Misspelled domain names or shortened domain links.
  • Poor spelling, punctuation, and grammar in the body of the email.
  • Suspicious email addresses, e.g., an employee of your credit union won’t have a Gmail or Hotmail email address.
  • Request for personal information, such as your account details or Social Security Number (SSN), which your credit union would never request via email.
  • The need for immediate action, or your account will be suspended.
  • Warnings that you risk legal troubles if you don’t respond.
  • Vague details and unexpected attachments.
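
Several of these red flags can be checked mechanically before a message is opened. The Python script below is an added example, not part of the original article or any credit union's tooling; the domain examplecu.org, the word lists, and the sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for illustration: the real domain and the word lists below.
LEGIT_DOMAIN = "examplecu.org"
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY = re.compile(r"\b(immediately|suspended|blocked|legal action)\b", re.I)
PII = re.compile(r"\b(social security|ssn|password|pin|account number)\b", re.I)

def classify_host(host):
    """Return None for the credit union's own domain, else a red-flag label."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return None
    if host in FREE_MAIL:
        return "free webmail address"
    if host in SHORTENERS:
        return "shortened link"
    # Compare the last two labels with the real domain to catch near-misses.
    tail = ".".join(host.split(".")[-2:])
    if SequenceMatcher(None, tail, LEGIT_DOMAIN).ratio() >= 0.8:
        return "lookalike domain"
    return "unrelated domain"

def red_flags(raw):
    """List the red flags found in a single-part plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    # Hosts to judge: the sender's domain, then the host of every link.
    hosts = [("sender", parseaddr(msg.get("From", ""))[1].rpartition("@")[2])]
    hosts += [("link", urlparse(u).hostname or "")
              for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    flags = [f"{kind}: {v}" for kind, h in hosts if (v := classify_host(h))]
    if URGENCY.search(body):
        flags.append("demands immediate action")
    if PII.search(body):
        flags.append("asks for personal information")
    return flags

# Constructed sample message, not a real phishing email.
SAMPLE = """From: "Example CU Security" <alerts@examp1ecu.org>

Dear Customer,
Log in immediately or your account will be suspended.
Confirm your password here: http://bit.ly/abc123"""
```

Calling `red_flags(SAMPLE)` reports the lookalike sender domain, the shortened link, the urgent wording, and the request for a password. A message with none of these flags can still be fraudulent, so the checks in the next section still apply.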

How to Beat Credit Union Phishing Scams

Phishers are becoming more and more convincing in their efforts to get your personal information. But there are plenty of things you can do to reduce your risk of falling victim to a phishing scam. Take a look at some of our top online anti-phishing tips:

  • Use strong and unique passwords for all of your online accounts and keep them secured behind a wall of encryption with a password manager.
  • Call and verify with your credit union if you’re suspicious about the content of an email. Don’t use the contact details provided in the suspicious email. Instead, use the telephone number from your statements or policies or your credit union’s official website.
  • Be wary of links or buttons in emails. If you’re called to action via an email, visit your credit union’s website directly.
  • Add multi-factor authentication to your credit union account if possible and to all other online accounts where you’re able. This extra layer of protection makes it harder for scammers to access your accounts, even if they have your username and password.
  • Monitor your financial statements each month for any unusual activity. This can help you detect fraudulent purchases or withdrawals faster if your identity is stolen.
  • Install a security add-on to your browser, which will protect you from malicious downloads and websites if you inadvertently click on a dangerous link in a phishing email.
  • Keep your security software up-to-date and install firewalls to ensure that your personal data is safe from phishers hijacking your devices.
  • Use a different computer to change your passwords if you think you may have been compromised. If malware has been stored on your computer, a scammer could log your keystrokes and learn your new passwords as you change them.
  • Don’t use unsecured public WiFi to log in to your credit union account or carry out any financial transaction. It’s easy for scammers to hijack public networks and eavesdrop on everything you’re doing online.

What To Do After Falling For This Scam

If you fall for this scam and enter your information on a fake credit union website or download harmful attachments, follow these steps:

  • Run anti-virus software to remove any harmful viruses or malware that were installed on your device.
  • Change your passwords to your online accounts, including your credit union account. 
  • Notify your bank if you gave away your credit or debit card information. 
  • Monitor your credit report and bank accounts regularly. 
  • Freeze your credit or place fraud alerts if you gave the scammer your SSN.
  • Report the scam to your credit union and the authorities.

Frequently Asked Questions

Can phishing occur through phone calls?

Absolutely! Even though most phishing attacks occur via email, scammers also use social media, text messages, and phone calls to try and steal your personal information.

Scammers can spoof the numbers of your credit union. This means that the scammer’s call will appear to come from your credit union on your caller ID. You can protect yourself from spoofed calls by using a call-blocking app. These apps not only block scam calls but also provide extensive caller ID, so you know who has called you from unknown numbers.

Remember, your credit union will never ask you for your passwords, account numbers, or PINs over the phone. If a caller asks for personal information, hang up immediately and call your credit union back using the number on your statements or the official website.

What do I do if I think I’m a victim of a fake credit union email?

If you suspect you’ve fallen for a fake credit union email, take the following steps as soon as possible:

  • Collect as much information as possible, including screenshots of fake websites and emails. If you downloaded an attachment, disconnect from your WiFi immediately.
  • Change your passwords, not just to your credit union account, but also to all other online accounts, as they may have been compromised too.
  • Run a virus scan and delete any infected files. Make sure your antivirus and operating system are up to date.
  • Check your financial accounts for signs of identity theft, such as unauthorized purchases, withdrawals, or new lines of credit. If you find anything suspicious, notify the providers of the affected accounts and your credit union of the fraudulent transactions.
  • Report the phishing scam to the FTC.

Where can I report phishing scams?

As well as reporting phishing to the FTC, you should also forward phishing emails to the Anti-Phishing Working Group at [email protected].