Fake Bank Unauthorised-Payment Alert Scams
Scammers send text messages or emails mimicking your own bank's fraud-alert system, claiming an unauthorised payment has been initiated and you must act immediately to stop it. The link or callback number leads to a phishing page or fraudster posing as a bank fraud specialist.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Almost every bank now sends genuine SMS fraud alerts asking you to confirm or deny unusual transactions. Criminals have weaponised this familiarity by sending nearly identical messages that appear in the same text thread as your real bank's messages, thanks to SMS spoofing. The alert creates urgency, and the natural impulse to 'stop' a fraudulent payment plays directly into the scammer's hands.
When a victim clicks the link in the fake alert or dials the callback number, they reach either a phishing page that mimics their bank's online banking portal, or a live fraudster posing as a bank fraud specialist. Both paths aim to collect the credentials and OTPs needed to take over the account and authorise real outgoing transfers.
Because the initial message appears to come from the bank (via SMS spoofing) and the urgency involves stopping a payment the victim did not make, victims are in a heightened, reactive state. This psychological state makes it harder to pause and verify — which is exactly what the attackers rely on.
How this scam works on the Your Bank brand
Your real bank's fraud-alert process works like this: if it detects a suspicious transaction, it may send an automated SMS asking you to reply Y or N to confirm. If the bank needs to speak with you, the agent will call from a number listed on your bank card or official website, and they will be able to confirm information you already know (like a recent transaction) without asking you for new credentials.
The fake version inverts this: the message or caller asks you to provide information — your online banking password, full card number, card PIN, or an OTP that just arrived. No bank fraud team will ever need your full password, PIN, or an OTP to investigate a transaction on your behalf. These are authentication tokens that exist to verify you, not the bank.
Some campaigns are highly targeted, using data from previous breaches to address victims by name, reference the correct bank, and mention the right partial account number. This specificity makes victims more likely to trust the message — but it merely reflects the data economy of fraud, not actual bank knowledge.
Common red flags
- A text or call about an 'unauthorised payment' you did not initiate — especially if immediately followed by a callback request
- The message link leads to a domain other than your bank's official website
- A caller asks for your online banking password, full card number, or PIN
- An OTP arrives on your phone and the caller asks you to read it back to them
- Caller ID shows the bank's number, but the caller cannot independently confirm details you have not shared
- You are asked to transfer money 'to yourself' to stop a fraud — this is the safe-account variant
- The caller asks you to stay on the line and not call the bank directly to 'avoid alerting the fraudster'
How to protect yourself
- Hang up or ignore the link and call your bank directly using the number on the back of your card
- Log in to your online banking through the bank's official app or website to check for real alerts
- Remember: your bank can freeze a transaction on its systems — it never needs you to move money
- Never share an OTP, full password, or card PIN with anyone, even a claimed bank agent
- Register for genuine fraud alerts through your bank's official app to distinguish real from fake
- Review recent transactions regularly so a fraudulent charge is caught quickly
- Report the suspicious message to your bank's fraud line immediately, even if you did not click anything
How to report it
- Call your bank's dedicated fraud line using the number on the back of your card or their official website
- Forward smishing (SMS phishing) texts to 7726 (SPAM) in the US and UK to alert the carriers
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK)
- File a complaint with the CFPB at consumerfinance.gov/complaint if your bank refuses to investigate
- Contact your state's banking regulator or the OCC (US) if you believe your bank's response was inadequate
Frequently asked questions
Can scammers really make their texts appear in the same thread as my real bank?
Yes. SMS spoofing allows attackers to set the sender name to anything, including 'HSBC' or 'Chase', which causes the message to appear in the existing conversation thread with your real bank. The text's position in a trusted thread does not guarantee it is genuine.
What if I gave my OTP to the fraudster? Is my account gone?
Not necessarily, but act immediately. Call your bank's fraud line using the number on the back of your card, tell them you suspect your OTP was compromised, and ask them to freeze your account and reverse any unauthorised transactions.
Are banks required to reimburse fraud victims?
Regulations vary by country and the type of fraud. In the UK, the voluntary Authorised Push Payment Code (now being made mandatory under PSR rules) covers some bank-transfer fraud. In the US, Regulation E covers unauthorised electronic fund transfers. Consult your bank's fraud team and escalate to the regulator if needed.