BECU fraud prevention notes for everyday members
Phishing patterns that target credit union members, card-skimming basics, secure messaging in online banking, when to call the credit union directly, and how to report fraud to public agencies.
Snapshot Brief
Credit union members are frequently targeted by phishing emails and smishing texts that spoof the institution's branding. The cardinal rule: the credit union will never ask for your full password, PIN, or a one-time verification code through email or text. If you suspect fraud, call the number on the back of your card — not any number provided in a suspicious message. Report externally to the FTC and CFPB in parallel with contacting the credit union.
Phishing patterns that target credit union members
Phishing campaigns aimed at credit union members typically rely on urgency, spoofed branding, and fake login pages — recognising the pattern is the first line of defence.
Credit unions are attractive targets for phishing operations precisely because members tend to have strong institutional trust. A spoofed email that accurately reproduces the cooperative's green-and-gold colour scheme, drops in the right logo, and mimics the tone of a legitimate fraud alert can be convincing on first glance. The mechanics, though, are consistent: a message creates urgency (your account is locked, a suspicious transaction was detected, your debit card has been flagged), provides a link to a fake login page, and captures the member's username and password the moment they type them in.
SMS phishing — sometimes called smishing — has grown considerably more common in the past three years. The messages typically arrive as short texts claiming to be from the credit union's fraud department, asking the member to confirm a transaction or unlock an account. They include a phone number or link. Neither the number nor the link is legitimate. The technique is effective because people are conditioned to act on fraud alerts quickly, and the phone's small screen makes it harder to inspect a URL for telltale signs of spoofing.
The credit union will never ask for a full password in an email, text, or phone call. It will never ask for a one-time verification code that was just sent to you — that code is yours alone, and a request for it is a social-engineering attack. If a message creates unusual urgency or asks for information a legitimate fraud team would already have, treat it as suspicious regardless of how official it looks.
Card skimming: what it is and how to spot it
Skimming devices are physically attached to card readers and capture magnetic-stripe data; a few seconds of attention before inserting a card is usually enough to spot one.
Card skimming involves a device placed over or inside a card reader — commonly at ATMs and gas-pump terminals — that reads and records the data encoded in a card's magnetic stripe as the card passes through. The device is usually paired with a tiny hidden camera pointed at the keypad, or with a thin overlay placed on top of the real keypad that captures PIN keystrokes. The attacker retrieves the device later and uses the captured data to clone cards or make unauthorised transactions.
Skimmers at ATMs often feel slightly loose or misaligned with the machine's body. Gas-pump skimmers are frequently installed inside the pump cabinet, making them impossible to spot visually — but the pump's cabinet-door security tape (a tamper-evident sticker) being broken or absent is a useful signal. At any card reader, covering the keypad with the other hand while entering a PIN is a simple habit that defeats camera-based PIN capture even when a skimmer is present.
Contactless payment methods (tap-to-pay on a phone or card) do not expose magnetic-stripe data and are not vulnerable to traditional skimming. Where a merchant's terminal supports contactless, using it instead of a swipe or dip reduces skimming exposure.
Secure messaging in BECU online banking
The secure message feature inside the authenticated online banking portal is the right channel for anything sensitive — email is not.
BECU's online banking includes a secure message feature that works like email but operates entirely inside the authenticated session. Because messages are tied to the member's logged-in account rather than passing through public email infrastructure, they are appropriate for communicating account numbers, describing a specific transaction in detail, or flagging a concern that requires the credit union's response. Regular email should not be used for any of this — even if the intended recipient is the credit union's own support staff.
The practical workflow: log in to online banking normally, navigate to the messaging or support section, and compose the message there. Response times through this channel vary; for urgent fraud concerns — a card reported stolen, an unrecognised transaction that appeared today — a phone call to the number on the back of the card is faster than waiting for a secure message response.
When and how to report fraud
Two tracks run in parallel: contacting the credit union directly, and filing reports with federal consumer-protection agencies.
The first call for any suspected fraud on a BECU account is the credit union's member services line — the number printed on the back of the member's card or on the official BECU site. Use that number directly; do not use a number provided in a suspicious email or text. The credit union can freeze a compromised card, initiate a dispute on an unauthorised transaction, and flag the account for monitoring within the same call.
The second track is the public reporting system. The Federal Trade Commission's fraud reporting tool accepts reports of financial fraud, identity theft, and deceptive practices and routes them to appropriate law enforcement. The Consumer Financial Protection Bureau's complaint portal accepts complaints specifically about financial products and services, including credit union accounts. Filing with both is straightforward and takes under ten minutes; the reports create an official record that can support dispute resolution and, in aggregate, help regulators identify fraud patterns.
For identity theft — where a fraudster has used a member's personal information to open new accounts or take out loans — the FTC's IdentityTheft.gov generates a personalised recovery plan and pre-fills the forms required to report to each agency. This is separate from disputing fraudulent activity on an existing BECU account; both should be done.
Snapshot Brief
Call the number on your card immediately if you spot an unrecognised transaction. File with the FTC and CFPB in parallel. Never share a one-time code with anyone claiming to be from the credit union — that request is always social engineering, without exception.
| Fraud type | Red flag | What to do |
|---|---|---|
| Phishing email | Urgent account-locked message with a link; sender domain does not match the institution's real domain; generic greeting ("Dear Member") | Do not click the link. Report the email as phishing through your email client. Separately log in directly (not via the email) to verify account status. |
| SMS smishing | Unsolicited text claiming fraud on your account with a callback number or short link you did not request | Do not call the number or tap the link. Call the number on the back of your card directly to check account status. |
| Card skimming | Unrecognised debit or credit card charges; card reader feels loose or misaligned; pump cabinet-door tape broken | Call to freeze the card immediately. Dispute the charges with the credit union. File an FTC report if card data theft is confirmed. |
| Account takeover | Locked-out of online banking unexpectedly; password-change email you did not request; unrecognised devices in account settings | Call member services immediately to initiate an account review and credential reset. Change the email address password used for account recovery too. |
| Social engineering call | Caller claims to be from the credit union's fraud team and asks for a one-time code, PIN, or full account number | Hang up. Call the credit union back using the number on the back of your card. The institution will not ask for these in an inbound call. |
Frequently asked questions
Five questions covering the fraud scenarios that BECU members encounter most often.
How do phishing attacks target credit union members specifically?
Phishing campaigns targeting credit union members often spoof the institution's logo and sender name in email, or send SMS messages that mimic fraud alerts. The message typically creates urgency — a suspicious transaction, an account lock, a flagged debit card — and directs the member to a fake login page designed to capture credentials. Legitimate credit unions do not ask for full passwords, PINs, or one-time codes through email or text. If a message triggers any of those requests, treat it as an attack regardless of how official it looks.
What is card skimming and how can members spot it?
Card skimming involves a device attached to a card reader — usually an ATM or gas-pump terminal — that captures the magnetic-stripe data from a card as it is swiped. Skimmers are often combined with a small hidden camera to capture PIN entry. Members can spot a skimmer by checking for loose or misaligned card-reader panels, looking for evidence of tape or adhesive residue around the slot, and checking that the pump cabinet's tamper-evident seal is intact. Covering the keypad with the free hand while entering a PIN defeats camera-based capture even when a skimmer is present and undetected.
When should a BECU member call the credit union directly about suspected fraud?
Members should call the credit union directly — using the phone number on the back of their card or from the official BECU site, never a number provided in a suspicious message — any time they suspect account access without their permission, see an unrecognised transaction on a statement, receive an unexpected card-activation or password-change confirmation, or are asked for account credentials by someone claiming to be a BECU staff member. Speed matters: the sooner the credit union knows about a compromised card or account, the faster it can limit the damage.
How do I report fraud to public agencies as a BECU member?
Members can report financial fraud to the Federal Trade Commission using the reporting tool at ftc.gov, which routes complaints to appropriate agencies and law enforcement. The CFPB accepts complaints about financial products and services at consumerfinance.gov. For identity theft, the FTC's IdentityTheft.gov generates a personalised recovery plan and pre-fills required agency forms. These public reports run in parallel with — and do not replace — contacting the credit union directly to freeze accounts and dispute charges.
Is it safe to use the BECU secure message feature in online banking?
Yes. The secure message feature inside BECU's authenticated online banking environment is a legitimate and appropriate channel for communicating sensitive account details. Unlike regular email, messages sent through the online banking portal are transmitted within the authenticated session and are not routed through public email infrastructure. Members should never send account numbers, Social Security numbers, or PINs through regular email — always use the secure message channel inside online banking for anything sensitive. For urgent matters, a direct phone call remains faster than waiting for a secure message response.