The bank impersonation phone scam is a category of fraud in which criminals contact victims by phone — and increasingly by SMS or email — while pretending to be representatives of the victim’s bank or financial institution. The goal is to steal money, banking credentials, or personal information by exploiting the trust that people place in their bank and the fear that is created by warnings of fraudulent activity on their account.

The bank impersonation phone scam is technically sophisticated in ways that make it extremely difficult to identify even for careful, informed consumers. Caller ID spoofing allows criminals to make their call appear to originate from the genuine phone number of the bank — the same number printed on the back of the victim’s debit card or published on the bank’s official website. This means that a victim who checks the number calling them against their bank’s genuine number will find that they match — and will have no technical means of identifying the call as fraudulent.

What distinguishes the bank impersonation phone scam from other frauds is the level of prior knowledge the caller may already have about the victim. Data obtained through breaches, purchased from criminal data brokers, or gathered through social media research allows bank impersonation phone scam operators to know the victim’s name, address, partial account or card number, recent transaction details, and other information that would normally indicate a genuine bank representative. This prior knowledge is the most powerful tool the scammer has — and it is the element that most frequently causes victims to lower their guard. The same authority-impersonation playbook drives our imposter scam warning signs guide.

Almost every bank impersonation phone scam follows the same six-stage pattern, from the spoofed call arriving to the money disappearing through a chain of accounts.

Step 1: The Call Arrives

The bank impersonation phone scam begins with an unexpected phone call. The caller introduces themselves as a fraud prevention specialist, security advisor, or customer protection representative from your bank. They may give a name, an employee reference number, and a department — all fabricated but designed to sound entirely legitimate. The number displayed on your screen may match your bank’s genuine contact number due to caller ID spoofing. There is nothing in the initial presentation of the bank impersonation phone scam call that allows the average consumer to identify it as fraudulent.

Step 2: Establishing False Credibility

The bank impersonation phone scam operator immediately works to establish credibility by demonstrating prior knowledge. They may address you by your full name, reference the last four digits of your account or card number, mention a recent transaction on your account, or describe your home address — all sourced from data breaches or criminal databases. This information, which you naturally associate with your bank, creates a powerful impression that the caller must genuinely be who they claim to be. This is the critical moment in the bank impersonation phone scam — once the victim accepts the caller’s legitimacy, the subsequent extraction of money or information becomes dramatically easier.

Step 3: Creating Urgency and Fear

With credibility established, the bank impersonation phone scam creates extreme urgency. Common scenarios include: fraudulent transactions are currently being processed on your account and must be stopped within the next hour, a criminal has gained access to your online banking and is draining your account right now, your debit card has been cloned and is being used at multiple ATMs, or your account is subject to a legal hold due to suspicious activity that you must resolve immediately. The urgency prevents the victim from pausing to verify the call independently — which is exactly what the bank impersonation phone scam is designed to achieve.

Step 4: Requesting Sensitive Information or Action

Once fear and urgency are established, the bank impersonation phone scam moves to extraction. Depending on the variant, this may involve requesting your full card details including the CVV, asking for your online banking password or PIN, requesting a one-time password sent to your phone under the guise of “verifying your identity”, instructing you to authorise a transaction through your banking app to “move your money to a safe account”, or asking you to install a remote access application to allow the bank’s “technical team” to secure your account. The request for a one-time password is particularly significant — in many cases the bank impersonation phone scam operator has already initiated a genuine transaction on your account using credentials obtained through a previous data breach or phishing attack, and needs your OTP to complete the authorisation.

Step 5: The Safe Account Transfer

The most financially devastating variant of the bank impersonation phone scam involves the “safe account” transfer. The victim is told that their current account has been compromised and that — for their own protection — they must immediately transfer their funds to a new, secure account that the bank has set up for them. In reality, the “safe account” is controlled by the criminals. Once the transfer is made, the money is moved rapidly through a chain of accounts before being withdrawn. This authorised push payment variant of the bank impersonation phone scam is the most common cause of large individual losses because the victim makes the transfer themselves — which complicates recovery.

Step 6: The Disappearance

Once the bank impersonation phone scam has achieved its objective — whether stealing credentials, capturing an OTP, or directing a transfer to a criminal account — the call ends and the scammer becomes unreachable. The victim typically discovers the fraud when they check their account and find unauthorised transactions, a depleted balance, or a transfer they authorised themselves now showing in their transaction history. By this point, the money has already been moved through multiple accounts and may be extremely difficult to recover. The same withdrawal-and-disappear mechanic underpins our credit card interest rate scam guide.

The bank impersonation phone scam adapts to whichever extraction route the criminal can engineer — direct transfer, OTP harvesting, remote access, physical courier, or vishing follow-up. These are the five most reported variants.

The Retired Nurse and the Safe Account

The bank impersonation phone scam targets retirees with devastating effect. A retired nurse in her late sixties received a call that displayed her bank’s genuine number on her phone screen. The caller identified themselves as a fraud specialist, gave her the last four digits of her account number and her home address, and told her that £28,000 in fraudulent transfers had been attempted on her account by a criminal inside the bank. She was told to transfer her savings immediately to a new “secure government holding account” to protect them while the investigation proceeded. She transferred £28,000 in three separate transactions over two days — the caller stayed on the phone throughout, coaching her on what to say to bank staff who asked about the purpose of the transfers. When her daughter visited two days later and she described what had happened, the fraud became immediately apparent. Her bank was able to recover £4,200 through a trace but the remaining £23,800 was irrecoverable. The bank impersonation phone scam had taken a lifetime of savings in 48 hours.

The Business Owner and the OTP

The bank impersonation phone scam reaches small businesses through the OTP-harvesting variant. A small business owner received a call from someone who knew his business banking details, his recent payroll transaction amounts, and the names of two of his employees. The caller claimed to be from his bank’s commercial fraud team and said suspicious login attempts had been detected on his account. To verify his identity and “lock out the fraudster”, he needed to confirm the OTP that was about to be sent to his phone. He shared the OTP. Within three minutes, £47,000 had been transferred from his business account — a payment the caller had already initiated using credentials obtained through a previous phishing attack. The OTP the business owner provided was the final authorisation needed to complete the theft. The bank impersonation phone scam had exploited information from a previous data breach to make itself completely convincing.

The Student and the Remote Access

The bank impersonation phone scam reaches younger victims through the remote-access route. A university student received a call claiming to be from her bank’s technical security team, warning that her account had been accessed from an overseas device and that her online banking needed to be “re-secured” remotely. She was instructed to download AnyDesk and share the access code with the “technical specialist.” Once connected, the caller navigated her banking app while she watched — telling her he was “running security checks” — and transferred £3,400 to an account he described as “the bank’s secure holding facility.” She only realised what had happened when she received a genuine notification from her bank about the outgoing transfer. By the time she called her bank directly, the money had already been moved through two further accounts. She recovered £800 through her bank’s fraud compensation process but lost £2,600 permanently. The bank impersonation phone scam had exploited her trust in her bank’s security processes to steal money she had saved over two years of part-time work.

The bank impersonation phone scam has been the subject of sustained and urgent warnings from financial regulators, banking industry bodies, and consumer protection agencies across the world — all of whom identify it as one of the most financially damaging and rapidly growing categories of consumer fraud.

UK Finance — the trade body representing UK banks — publishes annual fraud data that consistently shows authorised push payment fraud, driven primarily by the bank impersonation phone scam, as the largest single category of fraud loss by value. UK Finance operates the Take Five to Stop Fraud campaign, which specifically advises consumers to stop, challenge, and protect themselves when receiving unexpected bank calls. Guidance is available at takefive-stopfraud.org.uk.

Action Fraud in the United Kingdom accepts reports of the bank impersonation phone scam and publishes regular consumer alerts about active campaigns. Action Fraud consistently identifies bank impersonation as the highest-loss fraud category for individual UK consumers. Report at actionfraud.police.uk or call 0300 123 2040.

The Federal Trade Commission in the United States identifies bank and financial institution impersonation as one of the top impersonation scam categories by total financial loss, noting that losses to this category have grown significantly year over year. The FTC’s consumer guidance specifically addresses the safe account transfer variant and OTP harvesting variant of the bank impersonation phone scam. Report at reportfraud.ftc.gov.

The Financial Conduct Authority in the United Kingdom requires banks to reimburse victims of authorised push payment fraud in many circumstances under the Payment Systems Regulator’s mandatory reimbursement requirements which came into force in 2024 — though eligibility depends on whether the victim took reasonable precautions. The FCA’s consumer protection guidance is available at fca.org.uk.

Apply the Four Golden Rules

Every major bank and financial regulator communicates four absolute rules that defeat the bank impersonation phone scam every time. Your bank will never ask for your PIN or full password. Your bank will never send a courier to collect your card. Your bank will never ask you to transfer money to a safe account. Your bank will never ask you to share an OTP to verify your identity. If any caller asks you to do any of these four things — regardless of how official they sound and what number is displayed on your screen — end the call immediately. You are being targeted by a bank impersonation phone scam.

Hang Up and Call Back on the Official Number

If you receive any call claiming to be from your bank that creates urgency, requests sensitive information, or instructs you to take any financial action, hang up immediately. Wait at least five minutes before calling back — this ensures any line the scammer may have been holding open is fully cleared. Use the number on the back of your card or on the bank’s official website — found by typing the URL directly into your browser, not by following a link in any message. This single step defeats the bank impersonation phone scam completely every time.

Never Share OTPs Over the Phone

A one-time password is a security code sent to your phone to authorise a specific transaction or login. No bank representative — genuine or otherwise — needs you to read that code to them over the phone. The moment any caller asks you for an OTP, the call is a bank impersonation phone scam. End the call immediately without sharing the code. If you have already shared an OTP, call your bank immediately — the scammer may have only seconds to use it.

Never Install Remote Access Software at a Caller’s Request

No legitimate bank security or technical support service will ever ask you to install AnyDesk, TeamViewer, QuickSupport, or any similar remote access application. If any caller — regardless of how official they sound or what number is displayed on your screen — makes this request, end the call immediately. Installing remote access software at the request of an unknown caller is one of the most dangerous actions a bank customer can take and is a defining feature of one of the most financially damaging variants of the bank impersonation phone scam.

Set Up Transaction Alerts and Daily Transfer Limits

Enable real-time SMS and push notification alerts for every transaction on your account through your bank’s app or online banking settings. Set a daily transfer limit that reflects your normal banking activity — any transfer above that limit requires additional verification. These measures will not prevent the bank impersonation phone scam from being attempted, but they limit potential losses and provide immediate notification of any unauthorised activity.

Educate Elderly and Vulnerable Family Members

The bank impersonation phone scam disproportionately targets older adults, who are statistically more likely to trust authority figures, less familiar with the specific mechanics of caller ID spoofing, and more likely to hold significant savings. Proactively share the four golden rules with elderly parents, grandparents, and vulnerable people in your life. The same isolation tactic used here is documented in our AI deepfake scams guide — a five-minute conversation could prevent a financially devastating loss.

If you believe you have been targeted by the bank impersonation phone scam, act fast. The steps below give you the best chance of limiting damage and recovering funds.