Security Center

Phishing Attempts

Don't share passwords, account numbers, or personal details via email, text, or social media. The IRS never initiates contact this way, especially asking for such information. Neither the IRS nor state agencies will text you about refunds or deposits.

Fraudulent Phone Calls

The IRS first contacts you by mail if you owe taxes. You have the right to question or appeal any tax bill. Don't engage if the caller:

• Demands immediate payment or offers payment assistance.

• Uses aggressive tactics like threats of arrest or legal action.

• Asks for your credit, debit, or bank account numbers.

Never share data, even if they seem to have some of your information.

Identity Theft

Scammers steal personal data for fraud, like filing fake tax returns. One growing scam targets tax professionals' data or your tax software logins to steal refunds. They may then pose as IRS agents to demand the money back, claiming it was a mistaken deposit.

Scammers can spoof caller ID to appear as a legitimate entity. Be cautious even if the caller ID seems familiar.

Watch out for unsolicited calls or pop-ups offering technical support. Scammers may try to trick you into downloading malicious software to gain access to your personal information.

Be wary of unexpected refund offers. Scammers may claim you’ve been overcharged and ask you to return a portion of the funds. Once you send the money, the original transaction may be reversed, leaving you in a financial loss.

Identity theft is when someone uses another person’s personal identifying information, such as their name, identifying number, or debit/credit card number without their permission, to commit fraud or other crimes.

Potential indicators of identity theft

• You fail to receive bills or other mail.
• You notice suspicious or unexplained activity or accounts on your statement(s) or online.
• Unfamiliar accounts appear on your credit report.
• The IRS notifies you of a tax return or employer not associated with you that has been linked to you.
• ·You get notified that your information was compromised by a data breach.

Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company or entity.

Types of phishing

• Appeal to greed: An attacker will offer you a method to make some easy money.
• Appeal to fear: A hacker will tell you your bank account has been hacked. They may tell you that your computer has been filled with malware and must be cleaned immediately.
• Appeal to authority: A hacker will attempt to mimic someone in charge and ask you to do something because of their position.
• Appeal to human kindness: An attacker may send an email stating they really need your help to do something.  The email may even appear to be from someone you know.

How to “avoid” phishing

• Take your time. Don’t interact if you’re suspicious.
• Verify the contact’s identity. Confirm through an outside channel.
• Be very careful with email and text message attachments. If suspicious, don't open or download the attachment.
• Do not immediately click on email and text message links. First hover over the link and verify the address.

Card Member Security helps protect PenFed cardholders from fraudulent activity by identifying suspicious transactions and sending alerts to cardholders. It also assists with reporting fraudulent transactions and reporting cards as lost or stolen.

PenFed automatically enrolls all credit and debit cardholders in text alerts using the mobile number on file. Text alerts are a Free-to-End-User (FTEU) service, so there is no cost for enrollment, and text message rates do not apply to members. If Card Member Security sends a text message, it will come from the number 91937.

PenFed chip-enabled credit and debit cards offer enhanced security when used at chip-enabled terminals and over the phone. Your card is also protected by Visa’s Zero Liability Policy if lost, stolen, or fraudulently used.

Follow these online security best practices to protect your accounts and online activities.

• Avoid interacting with suspicious numbers. Add trusted numbers to your contacts. 

• Protect your funds. Never send money or information to anyone you personally do not know. 

• Verify your transactions. Review your account activity regularly. 

• Know your vendors. Familiarize yourself with how common vendors display in your account history.

• Utilize security alerts. Set up and receive account alerts in PenFed Online or in your PenFed mobile app. 

• Use only secure apps. For electronic payments, always use trusted applications like PenFed’s mobile application or Apple Pay and Samsung Pay.

• Protect your card information at the point of sale. Use contactless payment methods, when available.

• Beware of skimmers.
  • Skimmers are small devices that are designed to fit over card slots and keypads to collect card data and card PINs.
  • Common places for these are ATMs and gas pumps.
  • Some are virtually impossible to spot. If the card reader is loose or you see exposed wires, do not use it.

• Protect your card information online. Do not provide your information online unless you are making a purchase from a website you trust. Secure sites typically will direct you to a secure page with a URL starting with “https://.” Also, ensure the email address/link is from a reputable and known sender and always double-check for misspellings (example; Amazon vs. Annazon).

• Update your software. Make sure your device has the latest security updates installed. 

• Know that browsers are not safe for storing user credentials. Decline any offers when a browser asks you if you want to store our credentials for later. To avoid future storage offers, turn off these offers in your browser settings.

• Know how PenFed communicates with you. At times, PenFed may reach out to you with offers or important information regarding your account. Knowing how we communicate with you will help you better tell legitimate PenFed communications apart from those of scammers. 

  • Email: Email from PenFed will have a sent from email address ending in @penfed.org or @penfed.info. Always review sending email addresses as scammers like to spoof or impersonate organizations like PenFed. 

  • Text message: If Card Member Security sends a text message, it will come from the number 91937.

  • One-time passcodes: 1-888-904-8461, 1-833-266-5655 For security during high-risk transactions, PenFed uses a two-factor authentication system called a one-time passcode (OTP) that will come from one of the above numbers. PenFed also uses OTP when members are attempting to unlock their PenFed Online access. Never share OTPs with anyone.

• Always secure your device with a password to protect it if it should ever be stolen.
• Memorize PINs or keep them in a secure password manager.
• Change your password regularly, every 60-90 days.
• Do not store credit card numbers, PINs, or passwords where others may find them.
• Shield your PIN.
• Do not reuse passwords.
• Do not give your passwords to anyone.
• Turn off or decline browser offers to save passwords.

• Online security procedures also apply to your mobile device. When using your mobile device to access your accounts or engage in transactions, follow all general online security procedures, as well as the following mobile-specific practices.

  • Avoid connecting your smart phone to an untrusted wireless network. Only download apps from official stores such as iTunes or Google Play.

  • Never “root” or “jailbreak” your mobile device to get around limitations set by your carrier or device manufacturer. Rooting involves adding, editing, or deleting system files, and jailbreaking allows you to bypass system restrictions. These activities remove protections that are built into your device to defend against mobile threats.

PenFed is federally insured by the National Credit Union Administration (NCUA) through the National Credit Union Share Insurance Fund (NCUSIF).

That means your deposits are insured up to at least $250,000 per individual member for the total in your regular share (savings) accounts, share draft (checking) accounts, money market accounts, and share certificates. 

If you have more than $250,000 at PenFed any single federal credit union of which you are a member, there are options available for additional share insurance coverage.

Just as with FDIC insurance for banks, NCUSIF coverage does not cover losses on money invested in mutual funds, stocks, bonds, life insurance policies, and annuities offered by affiliated entities. It does protect members at all federally insured credit unions from losses on a broad spectrum of savings and share draft products.