Bank impersonation scams: How to recognize and avoid them

What is a bank impersonation scam?

Scammers usually commit this type of fraud for two reasons: to convince you to transfer money or withdraw cash on their behalf, or steal your personal and financial information to commit financial identity theft.

The risks don’t stop there. Scammers may pressure victims into installing remote access software to gain access to a secure account, sharing multi-factor authentication codes, or revealing sensitive information like their Social Security number. The impact of a bank impersonation scam can extend far beyond a single unauthorized transaction. That’s why it’s important to act immediately if you believe you’ve been targeted or compromised.

How does a bank impersonation scam work?

A bank impersonation scam works by convincing you that you’re communicating with your bank when you’re actually dealing with a scammer. The goal is usually to steal sensitive information, gain access to your accounts, trick you into sending money, or install malware on your device.

While the tactics vary, most bank impersonation scams fall into one of three categories:

• Vishing. Voice phishing is a type of cyberattack in which scammers use fraudulent phone calls or voice messages to trick victims into revealing sensitive information, sending money, or downloading malware. They may use caller ID spoofing to make the call seem like it’s coming from your bank. Some types of phone scams also use voice cloning or other AI-assisted tactics to sound more convincing.
• Smishing. SMS phishing uses social engineering and impersonation tactics to pressure you into responding quickly without verifying whether the message is legitimate. These scams often use urgent or alarming text messages about your bank account to pressure you into action. Others may promote fake banking services, rewards, or limited-time offers.
• Phishing emails. Phishing attempts via email usually imitate official bank branding and language to appear authentic, making it harder to spot a phishing email. They may ask you to verify account details, reset passwords, review suspicious activity, or download attachments. In many cases, the email directs you to a fake banking website designed to capture your login details or install malware on your device. 

Common scam scenarios

Bank impersonation scams often follow recognizable patterns designed to create urgency, build trust, and push victims into making quick decisions without verification. Scammers rely on fear of financial loss or the promise of quick resolution to manipulate people into revealing sensitive information or transferring money. Below are some of the most common ways these scams are carried out:

• Fake fraud alert. A scammer calls pretending to be from the bank’s fraud department, saying your account was compromised. They ask you to “verify” your identity by sharing one-time passcodes, card details, or login credentials. The scammer then uses that information to access your account.
• “Safe account” transfer. Victims are told their money is at risk and must be moved to a “secure” or “holding” account controlled by the bank. In reality, the account belongs to the scammer, and the transferred funds are difficult to recover.
• Fake text message link. You receive a text claiming there’s suspicious activity on your debit card. The text includes a link to “secure your account.” However, the link leads to a fake banking website designed to steal usernames, passwords, and verification codes.
• Mobile banking app impersonation. Scammers direct victims to download a fake banking app or remote access software under the guise of “fixing” account issues. Once installed, the scammer can monitor activity, capture credentials, or control the victim’s device.
• Refund or overpayment. A caller claiming to represent the bank says you were accidentally charged or are owed a refund. During the “refund process,” they trick victims into revealing account access codes or authorizing payments.

Can your bank contact you for these reasons?

Banks routinely contact customers via phone, email, or text message to alert them of suspicious activity or potential fraud on their accounts. But since scammers often imitate these same communication methods, it’s important to verify that any message or call is genuinely coming from your bank.

Typically, a legitimate communication from your bank will look like:

• Phone calls: An automated system or a financial fraud specialist may call to verify a specific, recent transaction (like a large out-of-state purchase). They may also inform you that your debit or credit card is being temporarily locked or replaced.
• Text alerts: Many banks (like Chase, Bank of America, or Wells Fargo) send SMS fraud alerts when unusual account activity is detected.
• Email: You may receive an email notification regarding unusual activity, which will usually instruct you to log into your secure online banking portal rather than taking action directly through the email itself.

Legitimate bank communications will never ask for details like your bank password, OTP, or PIN over email or phone. Any communication you receive that pressures you to click links or enter sensitive information like your account number or Social Security number is also likely an impersonation attempt.

What are the signs of a bank impersonation scam?

If you’ve recently gotten a message or call claiming to be from your bank, look for these common warning signs of a bank impersonation scam:

• Unexpected messages from unfamiliar or suspicious scam numbers that create urgency, such as “Your account will be locked” or “Fraud detected. Act now.”
• Requests for sensitive information like passwords, PINs, one-time passcodes, or full card numbers. Legitimate banks typically don’t ask for these details through email, text, or unsolicited calls.
• Links or phone numbers that direct you away from official banking channels, especially if the website address looks slightly misspelled or unusual.
• Caller ID, emails, or text messages that appear official but contain poor grammar, strange formatting, or inconsistent branding. 
• Pressure to move money immediately, approve transactions, install software, or “verify” your identity without giving you time to confirm the request independently.

How to avoid being scammed by a bank imposter

The best way to stay safe from impersonation scams and other types of fraud is by being vigilant about the communications you receive, especially if they’re claiming to be from your bank. Here are some practical steps you can take to protect your bank account from fraud:

• Be proactive and always verify. If you get an alert or notification about a potential issue with your account, don’t respond directly. Hang up or ignore the message, then contact your bank using the official phone number on the back of your card or the bank’s verified website. Alternatively, you can go straight to your bank or a bank branch and settle the issue with an actual teller.
• Never share sensitive information. Your account details, personally identifiable information (PII), and other financial data can be exploited by scammers. If you’re being asked or pressured to provide this type of information, stop interacting with the source immediately.
• Protect your account. Using 2FA (two-factor authentication) or multi-factor authentication (MFA) makes it more difficult for scammers to access your account.
• Access online banking through legitimate channels. Always access online banking through the bank’s official mobile application or website. Don’t click links in search results since those can be manipulated to lead you to fake websites. Instead, save your bank’s official login page as a bookmark.
• Set up notifications. Turn on notifications for transfers, withdrawals, and login attempts. Enabling this feature can help you quickly detect suspicious account activity.

What to do if you gave your personal or bank information to a scammer

If you’ve fallen victim to a bank impersonation scam and the scammer managed to get your personal, financial, or login information, it’s important to immediately take action to prevent serious damage.

Here are some steps you can follow to protect yourself from further harm:

• Call your bank immediately. Report all the details of the incident. Explain what happened and ask the bank to review your account for fraudulent activity and secure your accounts.
• Change your online account credentials. Change your passwords right away, and update the emails linked to your online banking account. Review your authorized devices and remove anything unfamiliar.
• Ask about transaction disputes or recalls. If money was moved, ask your bank if the transaction can possibly be reversed or recalled. Not all money lost through fraud, like bank impersonation scams, can be recovered, but it’s best to ask your specific bank for further details. Recovery isn’t guaranteed and may take days to several weeks, depending on how quickly the fraud is reported.
• Place a fraud alert and or freeze your credit. A fraud alert or credit freeze can help prevent new fraudulent accounts from being opened in your name. For more information, check out our guide on how to freeze your credit. 
• Monitor your accounts after the incident. Some scammers may not make immediate moves to steal money from your accounts after you’ve been scammed, while others may make small test transactions before larger withdrawals. 
• Report the scam. Report the incident to your bank, the FTC, and, if money was stolen, the FBI Internet Crime Complaint Center. 

How to report a bank impersonation scam

If you experience or fall victim to a bank impersonation scam, report the incident immediately. Doing so can help you limit potential financial damage and prevent similar scams from targeting other bank customers.

Contact your bank directly

Use the phone number on the back of your debit/credit card or the bank’s official website to contact the bank’s fraud department. Provide as many details as possible about the incident, including what information was shared and whether any money was transferred. Be sure to mention if you disclosed passwords, PINs, or MFA codes.

You can ask your bank to freeze or monitor compromised accounts and reverse transactions if possible. If your credit card or a specific bank account was affected, you may also ask for new cards/account numbers or assistance to reset your online banking credentials.

Report the scam to official authorities

You can report the details of the bank impersonation scam to the following agencies:

• Federal Trade Commission: Submit a report through the FTC’s fraud reporting portal to document the scam and receive guidance on next steps.
• FBI Internet Crime Complaint Center (IC3): If money was stolen or sensitive financial information was compromised, file a complaint with the FBI’s IC3 reporting center as soon as possible.
• Credit agencies: Contact Equifax, Experian, and TransUnion to place fraud alerts and freeze your credit if you believe your personal information was exposed.
• Cryptocurrency-related scams: If the scam involved cryptocurrency and wire transfers, report the incident immediately to the crypto exchange and IC3.