Notice: For enhanced security in Online Banking, member numbers may no longer be used as Log-in IDs. If you are still using your member number as your Log-in ID, you will be required to change it by October, 24th (extended). You can change your Log-in ID by selecting 'Account Management' in Online Banking. Learn More

scam alerts
scam alerts
print this page email link of this page Online Banking Login

Scam Alerts

For Your Security Always Remember the Following:

Never click on a link or download attachments contained in an unsolicited email.

Go to the website yourself through your browser's address bar or use a bookmark you have set earlier, and as always, think before you click.

To learn how to avoid phishing scams like these visit:

Recent Scam Alerts:

Posted on 9/29/2018:

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving.  A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.

What’s happening?
For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

The complete KrebsOnSecurity article can be found here:

Posted on 8/15/2018:

With cybercrime a real threat to individuals and companies it is important to note what Meriwest is doing to protect your assets.

First, we have very sophisticated systems in place that look for unusual and suspicious activity.  We have a monitoring system that works for you 24/7 to allow us to mitigate activities should anything appear to be out of the ordinary.  We work very closely with our vendors to make sure we are up to date on best practices with regard to fraud detection and prevention. 

Secondly, we encourage all members to do their part by undertaking security precautions in managing your accounts. Those include not sharing your PIN or account access information, utilizing strong passwords for online access, establishing transaction alerts on accounts, and monitoring account activity through online or mobile banking. If you see anything out of the ordinary please contact us immediately at 877-637-4937.

Should you feel that your PIN may have been compromised at any time, you may contact our 24-hour Debit Card PIN change at 877-746-6746.

You may also contact our Fraud Prevention Service at 1-800-417-4592, for any suspected fraud on your ATM/Debit Card.

Additional recommendations and information regarding security can be found on our web site at

Posted on 8/1/2018:

PayPal phishing schemes

PayPal phishing schemes are fairly common these days. Many, or even most of them are generic in nature. In other words, they don’t target a specific person or group. They are merely crafted in such a way that they can be sent to a large number of people at one time as spam. However, sometimes they arrive as if they could actually be from PayPal and are specific or somehow related to the recipient. This is called spear-phishing, because the attacker has some information which he can spear his target specifically. This tactic is more likely to result in success for the phisher.

Spear-phishing campaigns are on the increase and the use of PayPal as the bait is increasing in sophistication with each new campaign. Cisco researchers have found several versions of imposter PayPal web sites that are so well done, they can trick even the most phishing-savvy person into falling for the scams behind them.

Roaming Mantis Malware

What is making it even more problematic is that these phony websites are actually legitimately registered, sometimes even with actual security certificates attached. Many, such as one of the primary ones used –– are registered through a site called Wix. A list of many of the other fake ones is listed here:

  • helpcenter-paypal-rosolution[.]pepitoheyashi[.]ga
  • paiiypal[.]com
  • paypal-secure-account-information[.]reikitrainingjourney[.]com
  • paypal[.]com[.]user[.]accounts[.]lwproductions[.]net
  • paypalcomcgibinwebscrcmdloginsubmitdispatch58z8duft875dl80al[.]planetevents[.]co[.]in
  • paypalupdate[.]uploadppl[.]com
  • paypaluserupdateinfoforupaypalnowclosedbypaypal[.]bodybuildingexercise[.]org
  • update[.]paypal[.]com[.]kgreendesigns[.]co[.]za
  • www[.]paypal[.]com-webapps-cgi-bin-webscr-login-access[.]com

new version of chrome

Unfortunately, the fake sites use the color schemes, text styles, and images from the actual PayPal site, making them nearly impossible to detect. Some have also registered with very popular and legitimate hosts, such as CyrusOne LLC, which also hosts CarFax and Dell. However, there are some ways to tell if one is trying to trick you:

new version of chrome

  • Check the website name in the address bar. It should be “” and have the “https” in front, as well as the secured site text and lock icon. If you’re using the U.S. site, it may even display as “” and the “us” may be changed to the country for the site you’re using. For the German site, the “us” in that URL is replaced with “de,” for example.
  • Check for the little country flag in the lower corner of the site. As of time of writing, it’s in the lower right corner as you scroll down the site. If the site is in the U.S., that flag will be the U.S. flag.
  • If you see anything prior to the “.com” other than the word “paypal,” or anything prior to the word “paypal,” it is likely fake. In other words, the only thing that should be between the dots is the word “paypal,” followed immediately by the “.com.”
  • The green text, the lock, and the “https” are all positive, though not always definitive indicators of the legitimate site.

Some of these phishing sites actually try to get users to enter credentials other than the ones for PayPal. A common one attempts to spoof an Apple credential verification page. However, Apple and PayPal are not related, so an Apple login page should not show up.

new version of chrome

Another site uses Spanish language but targets English speakers. If the text is in another language, those behind it are most definitely up to no good.

It’s likely more of these sites and those using other well-known companies will be popping up in the future.  If you need to verify credentials or check something in your account for any online account, go directly to a bookmarked link or type in the address manually, being careful not to make typos. Then login there to do your sanity checks or to make changes. Don’t click on links in email messages to do this, even if you think they may be real. It’s just safer not to.

Posted on 6/13/2018:

Roaming Mantis Malware Hijacking Two-Factor Authentication from Online Banking

Today’s Security Tip is brought to you by a Stickley on Security article that warns about a new Roaming Mantis malware that is being used to collect login credentials to financial accounts and other sensitive information.

What can you do?

  • Change the password on your internet router
  • Be wary of pop-up messages asking to update Chrome “for a better browsing experience”
  • Only download apps from the official stores such as Google Play and the Apple App Store
  • Watch out for app requests to access various device permissions (contacts, text, phone, account details, etc.)- Never give apps access they don’t need.
  • Ensure strong passwords are utilized an your devices are updated with the latest security patches

The Article: Roaming Mantis Malware Hijacking Two-Factor Authentication from Online Banking

If you haven’t yet changed your default password on your internet router, stop right now and take a few minutes to do it. Not only is the FBI recommending this because of the recent discovery of the VPNFilter malware, but now there is more malware that can hijack that same router (and any others) and spy on users. Roaming Mantis, changes the router’s DNS (domain name system or domain name service) settings to direct traffic to fake versions of legitimate sites. In this case, it uses Android devices with malicious apps installed to steal login credentials to financial accounts.

This warning goes for home and business users that have devices that connect to the Internet. Those are the ones at risk for DNS hijacking. DNS translates a website address to an IP number - it can be thought of as your computer’s phone book. That’s why it’s serious if these DNS settings are modified. If a lot of users get sent to fake websites and enter in their credentials (i.e. username and password), it’s quite a successful day for the cybercriminal.

Once a person’s DNS is overwritten, this group redirects users to malicious websites that display a pop-up message promoting a Chrome upgrade for a better browsing experience. The malware will pop up with a warning message asking you to update your Chrome version on the mobile device.

Roaming Mantis Malware

If you click OK, it will download and install a fake version of Google Chrome, then ask for various permissions including access to the device’s account details, the management of texts and phone calls, and recording and video capabilities, as well as others. If the user goes so far as to give the app appropriate permissions, another dialogue box appears stating “Account No.exists risks, use after certification.”  That alone should be a big warning that something is amiss. If “Enter” is clicked, it’ asks for the name and birthdate associated to Gmail.

new version of chrome

With access to the texts/SMS, it can intercept multi-factor authentication codes too. Never give apps access they don’t need. Very rarely, if ever, does an app need access to your device’s account settings or administrator password. If it asks, definitely do more research. It’s likely the app is up to no good. This one tries to trick users into entering Gmail credentials. If it gets enough information out of the user, it can potentially get access to all kinds of accounts such as social media, email, and financial accounts.

While you’re making sure your password is strong, make sure your devices are updated with the latest security patches. Hopefully, you have already done this after the FBI’s warning about VPNFilter.

Also, be sure to only download apps for all of your devices from the official stores, such as Google Play or the Apple Store. While there is never a 100% guarantee that these are free of malware, they are less likely to have it. The apps typically go through more security scrutiny before they are allowed into those stores than those that can be found on third-party sites. In this case, it is a third-party site that hosts this malicious app. Kaspersky Lab found references to South Korean mobile banking and gaming apps, as well as to a Chinese social media site, Sohu. Roaming Mantis was detected at least 6,000 times by Kaspersky. This indicates that it’s capable of spreading very quickly.

Posted on 5/24/2018:

Be careful of what websites you and your family visit:

Do you or your kids play games online using the family computer? This is just one of the many ways your computer can get infected. Many foreign-based game websites market to gamers and younger audiences, and download malicious code to your computers registry. If you are noticing weird behavior and strange pop-ups when using your web browser, then your computer is most likely infected. If your computer is infected then your online activity can be tracked making you vulnerable to phishing scams which can expose your financial and personal information. Good Antivirus software can catch many of these attempts, but they do not prevent all viruses and malicious code from being downloaded to your computer. As antivirus software companies try to keep up with all the new attacks, hackers are always coming up with new techniques and ways to exploit the new technologies we use every day. Be careful, and discuss with your kids the danger of visiting untrusted websites. As always, think before you click.

In the example below, malware, that was downloaded from a game website (ArcadeGala), activated a new tab while a member was visiting which prompted a fake survey that appears to be from Meriwest Credit Union but is not. Be careful not to fall for this one!

Red Flag: If the website URL does not look right, then follow your instincts.
Supermarket Cutomer Sweepstakes Raffle Draw Scam(Image snap-shot taken by member)

Pop-up says: "Dear Meriwest Credit Union Visitor", then asks visitor to complete a survey. Do not fall for these tricks! Supermarket Cutomer Sweepstakes Raffle Draw Scam(Image snap-shot taken by member)

Posted on 5/1/2018:

Warning your computer is infected

This is an oldie, but a goodie in the world of scams. When browsing the internet, users may see pop-up messages prompting them to either “click here for a free scan” or “contact xxx-xxx-xxxx to remove virus.” However, the software or "free scan" offered in these pop-up alerts often doesn't work or will actually infect a computer with the dangerous programs it is supposedly meant to protect against. Also, the phone number listed on these pop-ups will usually direct users to a scam artist who will try to sell “anti-virus protection software” and ask to take control of the user’s computer or device to complete the installation process. Once they have control though, malicious software can be installed on the victim’s device to track their activity and monitor their keystrokes. Then, the waiting game begins. Scammers will watch their victim’s activity until they sign in to their online banking account(s) and from there, they can obtain the user’s login credentials.

In some cases, if users purchase this “software" from a scammer, they might contact the victim later on to advise that a virus infected their computer and they would like to issue a refund for the product purchased because they were unable to prevent the virus attack. However, these fraudsters may claim that they must be logged in to the user’s computer in order to issue the “refund credit” and request to remotely access the device. The objective with this angle is to build trust. The scam begins when they show the victim that they have “refunded” the money while being logged into their computer; however, the amount may be more (even several thousand dollars more) than the amount originally paid. These fraudsters allow the victim to see what they want them to see by manipulating their accounts, when in reality the funds were actually transferred from the victim’s own, internal account. Next, they will try to scare their target into thinking they will be taxed or in trouble with the IRS if the funds are not returned immediately. They will then pressure their target into sending the funds back in the form of a wire transfer, MoneyGram, or gift card. Watch out for these red flags. This is a scam!

How can you protect yourself?

  • NEVER click on pop-up alerts! Don't even click on the “X” to delete the pop-up alert as this may result in receiving more pop-ups. Instead, enter CTRL+ ALT + Delete for PCs, or Command + Option + Esc for Macs, to view a list of programs currently running and delete the pop-up alert from the program list.
  • NEVER click on an unknown link on/from a social media website.
  • Keep your computer updated with the latest anti-virus and anti-spyware software that you purchased from a trustworthy source. Also, use a well-known firewall.
  • NEVER open email attachments unless you can verify the sender and you trust them.
  • NEVER click on the links in spam email.
  • NEVER trust the contact details provided in a pop-up message for computer assistance. Instead, independently find a reputable computer repair service to assist you with your computer issues.
  • NEVER allow any unknown source to remotely access or take control of your computer.

If you have experienced any of these scams, stop using your computer immediately! Contact your financial institution(s) to notify them of the situation, review your statements for any unauthorized activity, and take your computer to a reputable computer repair service. Lastly, ensure to use increased caution in the future.

Posted on 4/13/2018:

Scammers Claiming to be Meriwest Employees

It has come to our attention that there are phone scams going on in our area. Please be on the alert, and know that you will NEVER receive a call or e-mail from Meriwest asking you to provide your account or personal information. If this happens, please do not provide any information until you contact the credit union directly.

Posted on 1/18/2018:

Phishing Scam: Supermarket Cutomer Sweepstakes Raffle Draw Scam

One or more Meriwest Members received a fictitious letter claiming they were a winner in this sweepstakes. This letter included a fake check.

Scam Letter:
"We are pleased to inform you that you are one of the winners of the "SUPPERMARKET CUSTOMER SWEEPSTAKES RAFFLE DRAW"
The raffle entry ticket attached to your name with serial number PWG 61900 is one of the size winning tickets of the grand prize and your share of the winning is $880,000 (Eight Hundred And Eighty Thousand Dollars Only)...."

If you come across a mailing like this or a similar variation, please don't fall for it!

Supermarket Cutomer Sweepstakes Raffle Draw Scam

Posted on 12/18/2017:

Phishing Scam: Malware Masquerades As A Secure Banking Message

After a big cyberattack, such as the data breach that hit Equifax recently, criminals frequently attempt to take advantage of the fear factor and trust customers and members have with their financial institutions. In a recent phishing campaign, discovered by Barracuda Networks, messages masquerade as legitimate and secured messages from banking institutions such as TD Commercial and Bank of America to trick people into installing malware onto their computers and devices.

In this one, an email is received that claims to be a secure message from a financial institution. Inside is one of three possible phishing lures that researchers have seen thus far: 

  • An attachment with included malware
  • Instructions to reply to sender
  • A set of instructions to perform actions that executes the malware
They are pretty difficult to detect as fake because they use domain names that look very close to the real ones. For example, they may be “Bank0fAmerica” where the “O” is replaced with a zero. This is called do-jacking or typosquatting. 

They also use actual logos and copy the confidentiality statements word for word, making it even more difficult to identify it as phishing. As a rule, simply never click on an unexpected link; especially if it is from an unknown email address.  

When receiving messages from financial institutions or any organization that has a confidential relationship with you, go directly into your account to check the secure message center rather than clicking links or attachments. There is no need to click links because these organizations always place those messages in your secure inbox in your account. 

There are multiple variations of this attack and they make it past antivirus products in some cases. Once malware is on the device, it can be made more dangerous. The attackers may be able to remotely access it and turn it into ransomware, spyware, or information stealing malware.

Bank of America scam

Posted on 12/7/2018:

Phishing Scam: Uber Breach

As you may have heard, Uber suffered a data breach a year ago in which the names, email addresses and phone numbers of 57 million customers and drivers were stolen.  Uber reported that they paid off the hackers who then supposedly “deleted the data,” but that cannot be confirmed.  Consequently, Uber-themed scams are to be expected.

Watch out for phishing emails related to this Uber data theft.   For instance, look out for messages claiming that your "Uber account was compromised" and that you need to change your password, or anything else related to Uber that could be suspicious.  Below is an example of how these messages could look:

Uber Breach

Posted on 9/27/2017:

Phishing Scam: Anonymous Text Messaging Scam

One or more members have reported receiving an anonymous text message requesting them to contact Meriwest. Don't fall for this scam. 

Q: What is Smishing? A: Like a “phishing” email scam, where fraudsters send an authentic-looking email to obtain personal or financial information, “smishing” messages are sent to you via SMS (text message) on your mobile phone.

Q: What is happening? A: Members have reported receiving a text message purportedly from Meriwest Credit Union requesting a call back at an unknown phone number. THIS IS NOT A VALID MERIWEST CREDIT UNION COMMUNICATION OR PHONE NUMBER. DO NOT PROVIDE YOUR CARD INFORMATION. 
The phone number is a recording which states:  "Welcome to Meriwest Credit Union, for security reasons we need to verify your account.  All direct deposits have been disabled until verification is complete. Please enter your 16-digit card number." 
Meriwest will never contact you requesting account information. Be cautious and never reply to anonymous messages via text, phone, or email. 

Q: I’m concerned that I received this text message.  Was there an internal data breach?
A: That is a valid concern with all the data breaches in the news lately.  However, at this point we have no reason to believe that a data breach occurred.  What we know so far is that a fraudster has decided to use Meriwest Credit Union’s name to perpetrate this scheme to gather Debit card information. 

Q: What information is being requested? A: The recorded line goes on to request ALL the card information (i.e. the full 16-digit card number, expiration date, CVC security code, zip code and PIN).  If this information is provided, it could be used to complete any type of transaction, such as: ATM cash withdrawals, online purchases, fill ups at the gas station pumps, you name it.

Q: What do I do if I provided my card information? A: Contact the Credit Union to cancel the card immediatelyto prevent any fraudulent transactions on your account.  You may visit any one of the Meriwest Financial Center locations or call us directly. We will need to know what card information was provided and may ask what phone number you received the text message.

Anonymous Text Messaging Scam

Posted on 9/6/2017:

Phishing Scam: Hurricane Harvey Disaster Scams

Hurricane Harvey hit hard, especially in Houston, Texas where it was badly flooded, and cyber criminals are exploiting this disaster.

Scammers are now tricking people into clicking malicious links on Facebook, Twitter and phishing emails soliciting charitable donations for the Hurricane Harvey flood victims. 

 For example:

  • Facebook pages dedicated to victim relief may contain links to scam websites.
  • Tweets are going out with links to alleged charitable websites soliciting donations, but in reality include links to scam sites or links that lead to a malware infection. 
  • Phishing emails are being sent asking for donations to #HurricaneHarvey Relief Fund. 

Previous disasters have been exploited like this and the bad guys are going at it again. Don't fall for these scams. If you want to make a donation, go directly to the Meriwest home page to find a safe place to donate, or visit the website of the charity of your choice by typing the web address in your browser or use a bookmark.

Do not click on any links in emails, social media pages or text messages you may receive. Please be wary of anything online covering the Hurricane Harvey disaster in the following weeks.... THINK BEFORE YOU CLICK.

Hurricane Harvey Disaster Scams

Posted on 8/25/2017:

Phishing Scam: AMC Sweepstakes Letter and Check Scam

One or more Meriwest Members received a fictitious letter claiming they were a winner in this sweepstakes. This letter included a fake check with a Meriwest logo. There has been an increase in Phishing Scams similar to this.

AMC Sweepstakes Letter and Check Scam

Posted on 7/29/2017:

Phishing Scam: North America Financial Services, Lottery Winner Scam

One or more Meriwest Members received a fictitious letter claiming they were a winner in a sweepstakes/lottery. This letter included a fake check with a Meriwest logo. There has been an increase in Phishing Scams similar to this.

North America Financial Services, Lottery Winner Scam