Member Notice: Beware of Vishing Scam

Credit union members are being targeted in a vishing (phone-based phishing) scam in which fraudsters spoof phone numbers, making the calls appear to originate from the members' credit union. The members are duped into providing the CVV2/CVC2 codes and expiration dates for their debit cards. The fraudsters, already possessing counterfeit mag stripe debit cards, use the information to change the PINs through voice response units. Then they use the counterfeit cards to make ATM withdrawals, as well as purchases at Wal-Mart in Florida and Georgia. Credit unions in Indiana, Kentucky, Ohio, and Virginia have been impacted by the scam.


Fraudsters targeting members through a vishing scam (phone-based phishing) are spoofing credit union phone numbers and posing as employees of the credit union’s fraud or security department. The fraudsters tell the members they are calling to verify suspicious debit card transactions and, on the pretext of verifying the member’s identity, ask for the CVV2/CVC2 code and the card’s expiration date.

Because the fraudsters already have counterfeit debit cards on hand, they use the information obtained to change the member’s debit card PIN through the card processor’s voice response unit (VRU).

Changing debit card PINs using the card issuer’s VRU typically requires the cardholder to pass three of five security tests:

  • Call must originate from cardholder’s phone on file with the card issuer;
  • Provide the three-digit security code on the card’s signature panel (CVV2/CVC2);
  • Card expiration date;
  • Cardholder’s date of birth;
  • Last four digits of the cardholder’s Social Security number.