Current Account Take Over Fraud
Attention: VISA (Credit Card) & Debit Cardholders
There has been an increase in fraud scams where fraudsters contact cardholders to commit Account Take-Over (ATO) fraud. These bad actors convince cardholders that they are representatives from the financial institution, claiming to protect them. The cardholders are then persuaded to provide either their fraud alert case ID, the One-Time Passcode (OTP) for 3D Secure step-up authentication, or both.
Blue Water FCU Fraud Center/FIS will never ask for your Account/Card Number, CVC/CVV, PIN, Passwords, Social Security Number, or Online Banking Credentials. Additionally, FIS will not call cardholders to request a Case Number or OTP. If you are ever in doubt, please contact us directly.
Here is a basic example of the ATO fraud we are observing:
- Social engineering via a spoofed number showing up as a financial institution.
- Cardholder is comfortable answering, believing the “Fraud Center” or “Customer Service” (bad actor) is their financial institution.
- Bad actor has enough BASIC information, such as cardholder name, last four digits of Social Security Number, DOB, and last few transactions.
- Bad actor requests the Fraud Alert ID, Case Number, or OTP for the transaction they are attempting to make. The financial institution (bad actor) is “helping the cardholder out”. They give instructions on what to do with the SMS text the cardholder just received or will receive shortly. This action results in a response of “Yes” (the cardholder recognizes the transaction), which updates the fraud alert as Not Fraud, so the bad actor can begin committing fraudulent transactions.
- The bad actor will often indicate they are shutting the card down and will issue a new card for the cardholder. However, they do not shut the current card down; they instead commit fraudulent transactions.
- As part of “ordering a new card”, the bad actor will finally ask the cardholder to authenticate their PIN.
- When the intention is 3D Secure fraud, the bad actor states they are making sure the “cardholder has been added” or “setup in the system” by asking for the OTP that was sent to the cardholder.
- The bad actor may then make address/phone changes to intercept Fraud Alerts as well.