Social Engineering Scams

In social engineering attacks, bad actors try to trick victims into compromising their private information, including bank account information, Social Security numbers and passwords. Once criminals have access, they can steal your money, sell your personal data or use it to open new accounts or lines of credit. The scams come in a variety of forms and are designed to get an immediate reaction by conveying urgency or fear.

Important Note: When we call, email or text you, we will never ask for a one-time security passcode, your account password, code word, answers to security questions, or your card or account details. To confirm your identity when we call, our teams will ask questions about your account setup and activity that only you would know. If you're suspicious of a call or message, don't respond. Call BECU at 800-233-2328 or send us a secure message using Messenger in Online Banking or the mobile app.

Types of Social Engineering Scams

  • Phishing: In phishing, criminals use bogus email messages to gather information, including passwords.
  • Vishing: “Voice phishing” is when criminals make deceptive phone calls or automated robocalls.
  • Smishing: “SMS phishing” is a tactic using phony SMS text messages sent to your mobile phone.

Examples of Smishing

Smishing Scam Example: Suspicious activity on debit card
Smishing Scam Example: Unauthorized transactions
Smishing Scam Example: Address change

How Criminals Appear Convincing — and Tactics They Use To Steal Your Money

Imposter scams: Criminals often masquerade as people or organizations you know and trust in order to get information. Watch out for individuals or businesses who:

  • Ask you to answer security questions. If you answer the questions, the criminal can gain access to your account.
  • Ask for a “one-time passcode”. This is a ploy to steal a security code you've been sent by your financial institution. In what's known as a man-in-the-middle attack, the criminal may try to trick you by saying they're sending you a one-time security code and ask you to read it back to them. If you provide the passcode, the criminal could gain access to your account.

Remember, if BECU contacts you, we will never ask for a PIN, passcode, password, card number or answers to security questions. We will only ask you to verify your identity when you initiate a call to us at 800-233-2328 or another BECU phone number. To confirm your identity when we call, our teams will ask questions about your account setup and activity that only you would know.

When You call us at 800-233-2328 or another BECU phone number, we will verify your identity by asking for account details and information that only you would know, including a code word if there is one on the account.

Spoofing: Scammers can disguise email addresses, phone numbers and website URLs. Spoofing can be hard to recognize, as criminals may change just a single letter, number or symbol so things look valid at a quick glance. To avoid spoofing:

  • Don't trust caller ID. Scammers can make it look like an incoming call is coming from a local number or spoof a number from a company or a government agency that you know and trust.
  • Look carefully at the email address. If someone is asking you for information, hover the cursor over the display name. If an email is from a legitimate business, it should come from an email address associated with the company's official domain name.
  • Check the address bar of websites. Secure sites should have a lock icon to the left of the URL and should also begin with ‘https,' which indicates the site is using a security certificate to protect your data from third parties.

How To Protect Yourself

  • Don't give in to the pressure. Use caution if you're being urged to provide information immediately, or if you feel alarmed by an email, or attracted to an offer that seems too good to be true.
  • Don't click links in unsolicited messages. Clicking a link in a suspicious text could expose you to identity theft, or malware the criminal could install on your phone.
  • Don't automatically download or open attachments in email. Criminals often use attachments to send viruses. Before opening any attachments, check with the person who supposedly sent the message to make sure it's legitimate.
  • If you're unsure whether a call is legitimate, hang up and initiate a call yourself. It's always better to be safe. Dial the organization directly using the phone number listed on their website or your account statement.

Reporting Social Engineering Attacks

If you have concerns about a suspicious communication you've received or responded to, please contact us at 800-233-2328. You can also send us a secure message using Messenger in Online Banking or the mobile app or visit any BECU location. Visit our Locations page to find one near you.

You can report social engineering attempts that you've received to our security team at This no-reply email mailbox is only used for ongoing monitoring and identifying trends. Please do not send confidential information via email. If you've responded to a communication that you think may have been a scam, it's important that you call us, send us a secure message, or visit a BECU location.

If you suspect you've encountered a scam, it's also important to report it to help the authorities and to get the word out to other potential victims. The federal government has provided this compiled list of other places to report scams.

If the scammer impersonated an organization, please notify that organization as well as the Federal Trade Commission. If the scam happened online, you can report it to the FBI's Internet Crime Complaint Center.