Your phone rings. The caller ID shows your bank's name and phone number. The person on the line knows your name, the last four digits of your account, and says they have detected suspicious activity. They need to "verify your identity" to secure your account. This is vishing — voice phishing — and it costs Americans over $1.2 billion annually according to the FTC's 2025 consumer fraud report.
How Bank Impersonation Calls Work
These calls are not random. Scammers invest significant effort in making them convincing.
Step 1: Caller ID Spoofing
Using VoIP services and spoofing tools, scammers can make any phone number appear on your caller ID. They choose your bank's published customer service number, so even savvy people see a familiar number and answer. The technology to do this costs pennies per call.
Step 2: Social Engineering Setup
Before calling, scammers often have partial information about you from data breaches. They may know your name, email, phone number, bank name (from leaked records), and sometimes the last four digits of your account. This partial knowledge creates instant credibility.
Step 3: The Fear Script
The caller follows a rehearsed script designed to create panic. Common openings include:
"This is the fraud department at [your bank]. We have detected an unauthorized transaction of $2,847.00 on your account. Did you authorize this purchase?"
"Hello, this is [name] from [bank] security. Your debit card has been compromised and we need to issue a new one immediately. I just need to verify some information."
"We are calling because someone is attempting to wire $15,000 from your account to an overseas recipient. We have temporarily frozen the transfer but need your authorization code to complete the block."
When you say "No, I did not authorize that," the scammer shifts to "verification" mode.
Step 4: The Information Extraction
The scammer asks you to "verify" your full account number, Social Security number, online banking password, or a one-time verification code that was just sent to your phone. That code is actually generated because the scammer is simultaneously trying to log into your account or initiate a transaction.
Step 5: The Real Theft
With your credentials and verification code, the scammer drains your account via wire transfer, Zelle payment, or by changing your login credentials and locking you out.
Got a suspicious phone call?
Describe what they said — we'll identify the scam pattern.
Free · No signup required · Cmd+Enter to scan
What Your Bank Will Never Do
Knowing the boundaries of legitimate bank communication is your best defense:
- Never call and ask for your full account number. They already have it.
- Never ask for your password or PIN. Bank employees cannot see your password and have no reason to ask for it.
- Never ask you to share a verification code sent to your phone. If your bank sends a code, it is for you to enter into your bank's website or app yourself.
- Never ask you to transfer money to a "safe account." There is no such thing as a safe account set up by the fraud department.
- Never threaten immediate account closure if you do not comply immediately.
- Never ask you to download remote access software like TeamViewer or AnyDesk.
Real Scenarios Reported to IsThisAScam
Users regularly describe bank scam calls through our platform. Here are three representative cases:
Case 1: The Zelle Reversal
A user received a call from someone claiming to be Chase fraud prevention. The caller said someone had sent $500 via Zelle from their account. To "reverse" it, the user was told to send $500 via Zelle to a specific phone number — which the scammer claimed was Chase's internal reversal system. The user lost $500. Zelle transfers cannot be reversed this way.
Case 2: The Verification Code Trap
A caller claiming to be from Bank of America asked a user to read back a 6-digit code "for verification." The code was actually a two-factor authentication code the scammer triggered by entering the user's username and password (obtained from a previous data breach) on the real Bank of America login page. The scammer then used the code to access the account.
Case 3: The Fake Fraud Alert Text + Call
The user first received a text: "BofA ALERT: Did you authorize a $1,200 purchase at Electronics Depot? Reply YES or NO." When they replied NO, they received a call within minutes from someone claiming to be the bank's fraud department. This two-step approach felt very authentic because the user had just interacted with what they believed was the bank's alert system.
How to Handle a Suspicious Bank Call
Follow this protocol every time someone calls claiming to be your bank:
- Stay calm. Scammers rely on panic to override your judgment. A real fraud alert is concerning but not an emergency that requires immediate phone action.
- Tell the caller you will call back. Say: "Thank you for alerting me. I am going to hang up and call the number on the back of my debit card to continue this conversation." A legitimate bank employee will understand and agree. A scammer will pressure you to stay on the line.
- Hang up and wait two minutes. Some scammers keep the line open so that when you "call back," you are still connected to them. Waiting or using a different phone eliminates this risk.
- Call your bank directly. Use the number printed on your bank card or on your bank's official website (type the URL yourself). Ask the fraud department if there is actually an issue with your account.
- If you received a suspicious text first, paste it into IsThisAScam.to to check whether it matches known scam patterns before taking any action.
Why Caller ID Cannot Be Trusted
Many people believe caller ID is reliable. It is not. The STIR/SHAKEN framework, mandated by the FCC, was designed to combat spoofing, but adoption remains incomplete. Scammers using overseas VoIP providers can still spoof any number. Until every carrier fully implements call attestation, you should treat caller ID as informational but not proof of identity.
Protecting Yourself Proactively
- Set up your bank's official alerts. When you receive real fraud alerts through your bank's app, you know what they look like and are less likely to trust a fake.
- Enable two-factor authentication on your banking apps using an authenticator app rather than SMS when possible.
- Freeze your credit at all three bureaus to prevent scammers from opening new accounts in your name.
- Use a unique, strong password for online banking that you do not use anywhere else.
- Monitor transactions regularly. Check your accounts at least weekly so you spot unauthorized activity early.
- Register on the Do Not Call list. While scammers ignore it, it reduces the volume of legitimate marketing calls, making scam calls easier to identify.
What to Do If You Gave Information to a Scammer
Act immediately — speed matters:
- Call your bank (using the number on your card) and explain what happened. Ask them to freeze your account and issue new card numbers.
- Change your online banking password from a secure device.
- Place a fraud alert with one of the three credit bureaus (they are required to notify the other two).
- File a report with the FTC at ReportFraud.ftc.gov.
- File a police report for documentation, which may be required for fraud claims.
- Monitor your credit reports weekly for the next six months via AnnualCreditReport.com.
Received something suspicious? Check it now for free →