How do I tell if a message from my bank is real or a scam?
Real banks send secure messages through their official app and never ask for your full password, PIN, or card CVV — contact your bank on the number on the back of your card if you have any doubt.
Last reviewed: 10 June 2026
Explanation
Bank impersonation is one of the most immediately damaging scam types because victims believe they are protecting their accounts while actually handing them over. Scammers use SMS messages, emails, and phone calls to create the impression of a genuine bank fraud alert, then capture credentials or authorise transfers under the guise of security verification.
Legitimate bank communications sent via SMS or email do not contain links asking you to log in. Your bank may send a notification — 'a new payee was added to your account' — but for any action requiring login, it will direct you to use the bank's own app or to call the number on the back of your card. If a message contains a link to a login page, treat it with extreme caution and access the bank directly via your app instead.
Your bank will never ask for your full online banking password, PIN, or card CVV during a phone call. During genuine fraud-prevention calls, banks may ask you to confirm partial information (last four digits, memorable date) but never complete credentials. A caller who says 'I need your full password to verify your identity' is not from your bank.
The impersonation call format often starts with an authentic-sounding fraud alert: 'We have detected unusual activity and are calling to verify.' This hooks you into a conversation where you feel the bank is protecting you, at which point the caller asks you to authorise a 'safe account' transfer to secure your funds. Banks do not transfer your money to a 'safe account' on your behalf — this is a known fraud script.
Common red flags
- Text or email claiming to be from your bank and containing a login link
- Caller asking for your full online banking password, PIN, or card CVV
- Request to transfer money to a 'safe account' while staying on the phone
- Caller ID shows your bank's number (remember: caller ID can be spoofed)
- Urgency about fraudulent transactions that must be addressed immediately
- Text claiming to be from your bank but sent from a different mobile shortcode than previous messages
What to do now
- End any suspicious call and call your bank using the number on the back of your card
- Access your account only through the bank's official app or typed website address
- Never follow a link in a text or email to log in to your bank
- If you suspect your online banking credentials have been compromised, change them immediately
- Report bank impersonation to your bank's fraud line and to the FTC
- For UK residents, report to Action Fraud at actionfraud.police.uk
Frequently asked questions
My bank's name and logo appeared on the call screen. Does that mean it was real?
No. Caller ID can be spoofed to display any name or number. The visual appearance of your bank's name on an incoming call does not confirm the caller is actually your bank. Always hang up and call back using the number on your card.
What is an 'authorised push payment' scam?
An authorised push payment (APP) scam is when a victim is deceived into authorising a bank transfer to a fraudulent account. Because the victim authorised the payment, banks historically treated this differently from unauthorised fraud. Regulatory changes in several countries now place more responsibility on banks to reimburse APP fraud victims.