Sign In
Sign In

8 Ways Fraudsters Are Getting Around Security Codes (MFA)



What You Need to Know to Stay Protected

Why This Matters

Fraud is evolving. Today, scammers don’t “hack” systems, they trick people.

Even with security features like one-time codes (MFA), fraudsters are finding ways to:

  • Gain your trust
  • Redirect your security codes
  • Access your accounts

Understanding how these scams work is the best way to stay protected.

Here are the 8 most common scams right now.

“Bank Investigator” Scam

A fraudster will phone you and impersonate a bank, credit card company, law enforcement officer or shopping website employee or investigator. They will request your assistance in a fraud investigation for a variety of reasons such as catching a fraudster who is stealing, to resolve suspicious purchases, or to confirm large money transfers from your accounts. The scammer will then try to get you to withdraw money or purchase gift cards, send money by various other means, or attempt to gain access to your online banking.

They may

  • Say your account is compromised
  • Pressure you to act quickly
  • Ask for security codes or passwords
  • Ask you to install apps or give access

 Important:

They may already know some of your information - this is how they gain your trust.

 Protect yourself:

  • Never share security codes or passwords
  • Never hand over your cards
  • Hang up and call the person or organization back using a number you trusted-not the one that called you

SIM-Swap (Phone Takeover)

Fraudsters transfer your phone number to their device. In a SIM swap scam, a fraudster tricks your mobile carrier into transferring your phone number to a SIM card they control without your knowledge. Once they do, all your calls, texts, and data are redirected to their device. From there, scammers can initiate “Forgot Password” requests on your accounts, like your email or bank, since the scammers now receive your SMS-based two-factor authentication codes.

Once they do this, they can:

  • Receive your security codes
  • Reset your passwords
  • Access your accounts

 Warning signs:

  • Your phone suddenly stops working
  • You stop receiving texts or calls

Act fast:

  • Contact your mobile provider
  • Contact your credit union immediately

Email Account Compromise

This scam often starts when you click a malicious link, reuse passwords, or fall for a phishing email. Once a fraudster gets into your email account, they don’t need your banking password right away - they simply use the “Forgot Password” option on your accounts.

Because your email is used to reset passwords and receive security alerts, the fraudster can quietly:

  • Reset your banking passwords
  • Access personal information
  • Take over multiple accounts

Protect yourself:

  • Use strong, unique passwords
  • Don’t ignore unexpected password reset emails

Remote Access Scams

Through social‑engineering tactics, fraudsters persuade members to install remote‑access applications under the pretense of resolving an issue or facilitating a legitimate request. Once access is granted, fraudsters may view email‑based OTPs, access saved passwords or log in from a trusted device without triggering additional authentication challenges.

Scammers may ask you to:

  • Download apps
  • Join video calls
  • “Let them help fix an issue”

Once you give access, they can:

  • See your screen
  • Capture passwords
  • Complete transactions

Protect yourself:

  • No legitimate organization will ask to control your device

Authenticator App Abuse

This scam usually happens after a fraudster already has some access to your account (through phishing, email compromise, or SIM-swap).

Once inside, fraudsters may:

  • Get into your account first
  • Change your security settings
  • Add their own authentication app
  • Remove or replace your existing MFA

After that, they can approve transactions without you knowing.

Protect yourself:

  • Review your security settings regularly
  • Report anything unusual immediately

Member Impersonation

In this scam, fraudsters collect enough of your personal information (through phishing, email compromise, or social media) to pretend to be you.

They contact your credit union and:

  • Pass security questions
  • Change your email or settings
  • Take control of your account

Protect yourself:

  • Never share personal or banking information (passwords, security answers, codes) with anyone who contacts you unexpectedly
  • Be cautious about how much personal information you share on social media (fraudsters can use it to answer security questions)
  • Use strong, unique passwords for all accounts - especially email and banking
  • Enable multi-factor authentication (MFA) wherever possible
  • Set up account alerts so you’re notified of any changes (email, phone number, password)
  • If you receive a notification about a change you didn’t request, contact your credit union immediately
  • Regularly review your account information to ensure your contact details have not been changed

Fake e-Transfer Pages

In this scam, fraudsters collect enough of your personal information (through phishing, email compromise, or social media) to pretend to be you.

This scam often happens during normal activities like buying or selling on Marketplace.  Instead of sending a real e-Transfer, the fraudster sends you a link or QR code that looks like a legitimate deposit or payment page. When you click it, you’re taken to a fake website that looks like your financial institution.

When you enter your login details and security code, you’re not completing a transaction, you’re giving your information directly to the fraudster. They can then use it to access your account and send money out.

You think you’re accepting money, but you’re giving away your login info.

Protect yourself:

  • Don’t click suspicious links
  • Always log in directly through your bank

CRA / Tax Scams

Common during tax season. A fraudster claims to be an employee of either the Canada Revenue Agency or Service Canada.

You may receive: Texts, emails or calls

They create urgency (audit, refund, penalties).

Protect yourself:
  • CRA will NOT ask for personal or banking information by text or email.
  • Do not click on links in unexpected messages claiming to be from the CRA
  • Be cautious of messages that create urgency (audit, penalties, refunds)
  • Never send money, gift cards, or cryptocurrency to someone claiming to be the CRA
  • Do not share SIN, banking details, or passwords
  • Always verify by going directly to the official CRA website or calling them using a trusted number

What All These Scams Have in Common

  • They create urgency
  • They use trust (banks, police, CRA)
  • They rely on you to take quick action
  • They don’t break security - they trick people

Simple Ways to Protect Yourself

  • Never share security codes or passwords
  • Don’t trust unexpected calls or messages
  • Avoid clicking links - go directly to official websites
  • Be cautious if something feels urgent or pressured
  • If unsure, pause and verify

When in Doubt STOP

  • Don’t continue the interaction.
  • Hang up and call the person or organization back using a number you trusted-not the one that called you.
Wednesday | March 25, 10:00 AM
This website uses cookies to improve your user experience. By continuing to browse the site you are agreeing to our use of cookies.