Fraud Info


OpenSSL Vulnerability

If you have seen the news lately you may have read about the Heartbleed internet security flaw that can impact secure sites. As a HAPO member, you will be pleased to know that our website and our online banking sites were not affected by this.

At HAPO the security of your information is always our highest priority.

Debit/Credit Card Security Breach

HAPO was notified recently by VISA U.S.A. that some HAPO Debit and Credit Cards may have been compromised. This compromise was the result of a breach at a merchant whose identity has not been disclosed to us by VISA. In order to protect both our members and the Credit Union, all cards potentially impacted by this event have been deactivated. We can replace your card at any one of our branches (except the Walla Walla Mortgage office) if your card was deactivated. If your card was among the small number of those impacted and you are unable to come in to a branch, we will automatically reissue your card(s) within five business days and mail them to you.

A merchant security breach occurs when cardholder information is not adequately protected by the merchant or their partners. HAPO receives notifications of security breaches from VISA U.S.A.. However, notifications do not include details regarding the incident and therefore, we are unable to provide you with the exact circumstances of this event.

We want to emphasize that HAPO Community Credit Union's data systems have not been breached, and that this issue was in no way related to the security of our systems.

Fraudulent ACH Emails

The FBI has issued a warning about a new malware attack targeting bank accounts. The malware is called Gameover and the FBI says it is able to defeat several forms of dual-factor authentication. The FBI suggests that consumers and businesses pay attention to suspicious emails purporting to come from NACHA, The Electronic Payments Association. NACHA does not traditionally send emails directly to businesses or consumers. Receipt of a direct email from an organization such as NACHA should raise a red flag. If you receive any emails appearing to come from NACHA please delete them. Do not open or click on any links contained in the message.

The email will typically say something like: Your scheduled payment did not go through. Click here to see details. Do not click on the link; just delete the email.

Fraudulent Text Messages

Members have reported receiving text messages saying their card has been compromised. Members are instructed to call a 509-430-xxxx phone number to resolve the problem. That number is answered by a computerized system asking for your account information.

Please ignore these messages. They are not from HAPO. We do not send out text messages or emails or make phone calls asking for your information."

Fraudulent Phone Calls

Members have reported receiving phone calls saying their card has been compromised. The callers claim to be calling from HAPO, and ask for the card number. If the member gives them the card number, there will most likely be fraudulent charges that will appear on their account. Under no circumstances would we make a call like this. The fraudulent calls are automated and request an ATM card number to activate. The number on caller ID has been reported to be 817-688-7853.

If you receive a call you are not expecting, claiming to be from HAPO, you always have the option to hang up and call us at 509-943-5676. There are times when we will call you, but we already have your account information. For example, we might call to verify an unusual purchase made with your credit card number, but we will tell you the information, not ask you for it.

Protect yourself from fraud by being a suspicious consumer.

Fraudulent Pop-up Boxes, Fraudulent Phone Calls

Members have reported receiving phone calls saying their card has been suspended or is about to be suspended. We are not making these calls. If you receive a call you are not expecting, claiming to be from HAPO, you always have the option to hang up and then call us at 509-943-5676.

Other members have reported getting phone calls about extending their automobile warranties. These callers may pretend to be your auto manufacturer, your auto dealer or your financial institution. Sometimes these callers are legitimate, but frequently they are fraudulent. Protect yourself from fraud by being a suspicious consumer.

Another member reported receiving a popup window on her computer after logging in to her HAPO account. The window offered her a choice of prizes; all she had to do was enter her account information. That was not a real offer. It was an attempt to get her account information. Once again, when in doubt, give us a phone call.

There are times when we will call you, but we already have your account information. For example, we might call to verify an unusual purchase made with your credit card number, but we will tell you the information, not ask you for it.

Fraudulent Text Messages In Our Area

Please do not respond to any text message you might receive on your cell phone claiming to be from HAPO and asking for personal information.

Some members have reported to us the following text message being delivered to their cell phones.

"Dear HAPO Credit Union Customer: We regret to inform you that we had to lock your credit card access. Please call 604-288-8539 to reactivate your credit card."

If you receive such a message, do not respond! This is a scam with the purpose of getting you to divulge personal information (such as your PIN and/or SSN) for fraudulent purposes.

If you have already disclosed any of your private information, please call us immediately at 509-943-5676 or 800-284-4276.

Heartland Payment Systems Breach

Heartland Payment Systems provides debit and credit card processing services for approximately 250,000 businesses nationwide such as restaurants and pay-at-the pump gas stations. Heartland is not a vendor of HAPO Community Credit Union or associated with HAPO in any way. Heartland processes credit card and debit card transactions for merchants that you may do business with. They have announced that sometime last year their processing system was breached resulting in the compromise of cardholder names, card numbers, and expiration dates on an undisclosed number of accounts. They have confirmed this breach did not include cardholders' Social Security numbers, addresses or telephone numbers, or merchant data.

As a HAPO Community Credit Union member we want to assure you that your accounts are being monitored 24 hours a day, 7 days a week for suspicious activity. If any suspicious transactions are identified we will contact you either by phone or US mail. We will never send you a text message nor will we e-mail you regarding any compromise or suspicious activity on your account(s).

We are not experiencing any abnormal increase in suspicious activity at this time, however, we recommend you utilize online banking or 24-hour phone banking to periodically check your account and notify us immediately if you identify any unusual activity.

For additional details on the breach Heartland has created a website at

Another scam attempt is happening to local credit union members and non-members in our area. The automated call claims that your (credit or debit) card has been suspended because it may have been assessed by a third party. If you receive any of these calls please hang up. If you have given out any information regarding your account, please contact us as soon as possible at 509-943-5676.

Today many members have called about receiving phone calls telling them that their accounts need re-activating. THIS IS A SCAM. The scammers just want your card information. The scammers are just calling random phone numbers; even people without debit cards are getting calls. It is affecting all residents of the Mid-Columbia and all financial institutions in our area.

If you did respond and gave your information, please call HAPO immediately at our regular phone number: 509-943-5676. After hours, or on days that we are closed, please call 800-854-6219.

UPDATE Several member have notified us that they received a test message on their phone telling them that their account needed reactivating. Upon calling the supplied number, the answering machine message asked for detailed card information.

Recently, information about new kinds of scams have come to our attention.

For example, one was the "puppy scam." A person advertised to sell puppies. One response was "here is a check for your puppy, keep a portion and wire the rest back to me." The problem was that the original check was bad. Another was a touching cancer story with the same request: keep some money for you, wire the rest back.

When you place a personal ad in the paper to sell an item, you are giving them a name and number to contact. We speak with members everyday concerning some type of fraud and this is often how the scam begins.

There is a phishing scam going around Xbox Live right now that promises free Microsoft points by visiting a Web site. After entering your XBL info in the Web site, it sends the same message to everyone on your "friends" list. It is simply stealing your info. You get no points, no glory, and you'll annoy your friends in the process if you give up your info. Same with iPod downloads; you are giving out your information for people to misuse.

There is a new scam of people calling or sending out emails from CAMEROON, AFRICA. Giving away different exotic animals FOR FREE; just wire some shipping costs.

If you have bad credit and a dealership or anyone tries to get you approved at a high risk company, personal information is being sold. The scammers will then contact the customer stating that they can help give a "bad credit loan." This is obviously appealing to those who are desperate for money.

KNDU Kennewick has a brief article and video about another way a thief has found to steal your ATM/debit card. The thief places a small plastic device inside the card slot to trap your card. The video plays about 45 seconds and the last ten seconds or so show the device itself.

Mid-Columbia residents are receiving voice messages on their phones telling them that their credit or debit card is at risk and that they must re-authorize the card. Please do not give your card information in response to one of these calls. The callers are just "fishing" to see if they can get your information. (Phishing is when this fraudulent activity is done via emails, vishing is when it is done via voice phone calls, smishing is when it is done via SMS text messages.)

There are times when you might receive legitimate phone calls about your credit or debit card being misused. In these cases though, you will not be asked for your card number or PIN or social security number. The calling credit union or bank will already know that information and will be merely asking you to verify that you made certain purchases. For example, if you live in Pasco but your card was used to buy something in France, you might receive a call from the fraud people at your credit union asking if you actually made the purchase. If you did, everything is fine. If not, then you would normally be issued a new card with a different number.

The local Yakima press reported that Yakima area residents are receiving fraudulent emails asking for online banking information.

The NCUA recently warned of a scam that involves unsolicited text messages sent to cell phones. The message urges the recipient to call a number provided for information about account discrepancies and then solicits individual account information and pin numbers.

Cell phone users should be wary of unsolicited text messages. Such messages should be deleted and all deleted text messages should be removed, if possible, as the perpetrators have been known to use "spyware" installed on smart-phones in conjunction with their text message solicitation.

Consumers have reported receiving subpoenas and jury summons via email. These are fraudulent as the legal system only uses the United States Postal Service for that type of communication.

Be aware that "Caller ID" can be faked. Even though a call appears to be from your financial institution, be suspicious. As a general rule, do not give account information to people who call you. Instead, call the credit union yourself to begin the conversation. HAPO's number is 509-943-5676.

Members have been reporting phone calls that pretend to be from "your" credit union. Some members have reported that a credit union name was mentioned but mumbled so they couldn't understand it. The calls are prerecorded and imply that they've been trying to reach you about a transfer or about your credit being cut off or ... They leave a number to call with your account information. Do not return the calls to the number given. We at HAPO rarely call members and we never ask for account information when we've called you. You can always reach HAPO by calling our main line at 509-943-5676.

One type of email spam that keeps reappearing is the one where you receive an email from what appears to be your credit union or bank and it tells you that your account is blocked. Then it offers to unblock it if you click on a link and answer some questions. This type of fraud works because so many financial institutions have recently changed their login procedures to comply with changing federal regulations. Consumers are uncertain if this is just another change. HAPO will never send send you an email with a link to click. The problem with links in emails is that the words that you see may not be the same as the link that is programmed in the email. The programmed link may take you to a fraudulent site that just looks like the real one. You should always be suspicious of links in emails. Instead, type the address that you know is correct into your browser.

Visa recently learned of a fraudulent email sent to cardholders who participate in Verified by Visa. The email claimed to have come from Visa and stated that the cardholder was automatically enrolled in Verified by Visa. The email also stated that the cardholder's Visa card may be temporarily disabled if they failed to update their Visa card.

This email was a phishing scam and did not come from Visa. Phishing is a form of fraud that attempts to trick the cardholder into revealing personal information, such as their credit or debit account numbers, checking account information, social security numbers, or banking account passwords through fake websites or in a reply email.

Visa will never ask cardholders to divulge account information or password via email. Should you receive any questionable emails, please ask do not reply to the email or contact the website referenced in the email. Cardholders can report the email to Visa by sending an email to

If you have responded to a fraudulent email and entered your personal information, please contact our staff at 509-943-5676 or 1-800-284-4276.