Never share your password

By Elvis Huff on August 31, 2022

According to the American Bankers Association and the Federal Trade Commission, customers lost a total of $3.3 billion to phishing and other fraud in 2020. That is a staggering number with money going the wrong direction: to the attackers. Attackers get this money through fraud and scams.

One popular scam is targeting your username and password. Getting a potential victim’s username and password is easier than trying to break into systems. Think of usernames and passwords like keys to a safe. Instead of having to drill, cut or tamper with the heavy steel door, the attacker can bypass all of that hard work and use keys to open the front door. Criminals are constantly coming up with new and clever ways to get you to give away your username and password. The most common method—impersonating a bank.

Yes! You read correctly. Criminals are now impersonating banks to get their victims to give away sensitive information such as multi-factor account access codes, usernames and passwords. How? Attackers will usually call customers pretending to be their victim’s bank. The attackers start out convincingly, for example by imitating a legitimate fraud prevention call. The attackers tell their victims that they (the attackers) are the bank and need to confirm information on a recent fraud charge (also fake). During this call, the attackers are very nice, polite and even joke around with their victims. This is all done to gain the victim’s trust. After a few minutes, the attacker will casually ask to confirm the username on the account. Once confirmed, more small talk continues. The attacker then goes for the gold and casually asks for the password on the account. The attacker assures the victim this is simply a confirmation and may even remind the victim that they can change the password at any time. Again, this is all done in an attempt to sound legitimate and obtain trust from the victim.

With the username and password revealed, the attacker can now log in as the customer. However, there is one final step needed: the multi-factor authentication (MFA) code. The same process continues, and the attacker will casually ask for the MFA code. After this, the attacker can fully log in, appearing as the customer, and access their online bank account. Once access is gained, the attacker can initiate an electronic transfer. Attackers may further convince the victim that they were overpaid through another scam and need to send a refund.

Clearly, the username, password and MFA code are the keys to protecting your account. How do we combat these scams? The simple answer is to remember that WBT will never ask you for your username, password or MFA code. What can you do? If you receive any of the below, disconnect the call and call us at (844) WBT-BANK (844-928-2265).

  1. Text Message: If you receive a text message from someone claiming to be your bank asking you to sign in, or offer up personal information, it’s a scam. Banks never ask that.
  2. Email: Watch out for emails that ask you to click a suspicious link or provide personal information. The sender may claim to be someone from your bank, but it’s a scam. Banks never ask that.
  3. Phone Call: Would your bank ever call you to verify your account number? No! Banks never ask that. If you’re ever in doubt that the caller is legitimate, just hang up and call the bank directly at a number you trust.

Wilson Bank and Trust is here for you. Should you need help, please do not hesitate to reach out to us online at, our mobile app, or call us at (844) WBT-BANK (844-928-2265).

Have another thought, tip or suggestion? Leave it in the comments below. I would love to hear from you!


Posted by Elvis Huff

Elvis Huff worked as an officer and network administrator for 12 years with the Lebanon Police Department and has also served as an adjunct professor in information systems at Cumberland University.
