Security Center

Your security is our priority. PenFed uses advanced measures to safeguard your finances, including the latest Passkey technology.

Visit Now

Peace of Mind

Signs of Fraud

What to Know

What to Do

Peace of mind

Protecting our members’ data and funds is our highest priority.

Secure login

Set up account or get help
Set up MFA (Passkey supported)
Check your security score

Report security issues

Read about what to do
Report by email: abuse@PenFed.org
Report by phone: 1-800-247-5626

Secure payment options

Read about tap to pay
Get the facts about digital wallets

Learn More

Recognize the signs of fraud

Stay alert and stay safe

Look: Carefully examine your statements for unusual activity, such as unauthorized charges or withdrawals.

Listen: Be wary of unsolicited calls, emails, or text messages asking for personal information.

Verify: Always verify the identity of anyone requesting personal information, especially if you are unsure of the source.

Report: If you suspect fraud on on of your PenFed accounts, contact us immediately.

What to know

Phishing Attempts

Don't share passwords, account numbers, or personal details via email, text, or social media. The IRS never initiates contact this way, especially asking for such information. Neither the IRS nor state agencies will text you about refunds or deposits.

Fraudulent Phone Calls

The IRS first contacts you by mail if you owe taxes. You have the right to question or appeal any tax bill. Don't engage if the caller:

Demands immediate payment or offers payment assistance.
Uses aggressive tactics like threats of arrest or legal action.
Asks for your credit, debit, or bank account numbers.

Never share data, even if they seem to have some of your information.

Identity Theft

Scammers steal personal data for fraud, like filing fake tax returns. One growing scam targets tax professionals' data or your tax software logins to steal refunds. They may then pose as IRS agents to demand the money back, claiming it was a mistaken deposit.

Scammers can spoof caller ID to appear as a legitimate entity. Be cautious even if the caller ID seems familiar.

Watch out for unsolicited calls or pop-ups offering technical support. Scammers may try to trick you into downloading malicious software to gain access to your personal information.

Be wary of unexpected refund offers. Scammers may claim you’ve been overcharged and ask you to return a portion of the funds. Once you send the money, the original transaction may be reversed, leaving you in a financial loss.

Identity theft is when someone uses another person’s personal identifying information, such as their name, identifying number, or debit/credit card number without their permission, to commit fraud or other crimes.

Potential indicators of identity theft

You fail to receive bills or other mail.
You notice suspicious or unexplained activity or accounts on your statement(s) or online.
Unfamiliar accounts appear on your credit report.
The IRS notifies you of a tax return or employer not associated with you that has been linked to you.
·You get notified that your information was compromised by a data breach.

Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company or entity.

Types of phishing

Appeal to greed: An attacker will offer you a method to make some easy money.
Appeal to fear: A hacker will tell you your bank account has been hacked. They may tell you that your computer has been filled with malware and must be cleaned immediately.
Appeal to authority: A hacker will attempt to mimic someone in charge and ask you to do something because of their position.
Appeal to human kindness: An attacker may send an email stating they really need your help to do something. The email may even appear to be from someone you know.

How to “avoid” phishing

Take your time. Don’t interact if you’re suspicious.
Verify the contact’s identity. Confirm through an outside channel.
Be very careful with email and text message attachments. If suspicious, don't open or download the attachment.
Do not immediately click on email and text message links. First hover over the link and verify the address.

Card Member Security helps protect PenFed cardholders from fraudulent activity by identifying suspicious transactions and sending alerts to cardholders. It also assists with reporting fraudulent transactions and reporting cards as lost or stolen.

PenFed automatically enrolls all credit and debit cardholders in text alerts using the mobile number on file. Text alerts are a Free-to-End-User (FTEU) service, so there is no cost for enrollment, and text message rates do not apply to members. If Card Member Security sends a text message, it will come from the number 91937.

PenFed chip-enabled credit and debit cards offer enhanced security when used at chip-enabled terminals and over the phone. Your card is also protected by Visa’s Zero Liability Policy if lost, stolen, or fraudulently used.

Follow these online security best practices to protect your accounts and online activities.

Avoid interacting with suspicious numbers. Add trusted numbers to your contacts.
Protect your funds. Never send money or information to anyone you personally do not know.
Verify your transactions. Review your account activity regularly.
Know your vendors. Familiarize yourself with how common vendors display in your account history.
Utilize security alerts. Set up and receive account alerts in PenFed Online or in your PenFed mobile app.
Use only secure apps. For electronic payments, always use trusted applications like PenFed’s mobile application or Apple Pay and Samsung Pay.
Protect your card information at the point of sale. Use contactless payment methods, when available.

Beware of skimmers.
- Skimmers are small devices that are designed to fit over card slots and keypads to collect card data and card PINs.
- Common places for these are ATMs and gas pumps.
- Some are virtually impossible to spot. If the card reader is loose or you see exposed wires, do not use it.
Protect your card information online. Do not provide your information online unless you are making a purchase from a website you trust. Secure sites typically will direct you to a secure page with a URL starting with “https://.” Also, ensure the email address/link is from a reputable and known sender and always double-check for misspellings (example; Amazon vs. Annazon).
Update your software. Make sure your device has the latest security updates installed.
Know that browsers are not safe for storing user credentials. Decline any offers when a browser asks you if you want to store our credentials for later. To avoid future storage offers, turn off these offers in your browser settings.
Know how PenFed communicates with you. At times, PenFed may reach out to you with offers or important information regarding your account. Knowing how we communicate with you will help you better tell legitimate PenFed communications apart from those of scammers.
- Email: Email from PenFed will have a sent from email address ending in @penfed.org or @penfed.info. Always review sending email addresses as scammers like to spoof or impersonate organizations like PenFed.
- Text message: If Card Member Security sends a text message, it will come from the number 91937.
- One-time passcodes: 1-888-904-8461, 1-833-266-5655 For security during high-risk transactions, PenFed uses a two-factor authentication system called a one-time passcode (OTP) that will come from one of the above numbers. PenFed also uses OTP when members are attempting to unlock their PenFed Online access. Never share OTPs with anyone.

Follow these password security best practices when you log into any accounts or use your PIN.

Always secure your device with a password to protect it if it should ever be stolen.
Memorize PINs or keep them in a secure password manager.
Change your password regularly, every 60-90 days.
Do not store credit card numbers, PINs, or passwords where others may find them.
Shield your PIN.
Do not reuse passwords.
Do not give your passwords to anyone.
Turn off or decline browser offers to save passwords.

Online security procedures also apply to your mobile device. When using your mobile device to access your accounts or engage in transactions, follow all general online security procedures, as well as the following mobile-specific practices.
- Avoid connecting your smart phone to an untrusted wireless network. Only download apps from official stores such as iTunes or Google Play.
- Never “root” or “jailbreak” your mobile device to get around limitations set by your carrier or device manufacturer. Rooting involves adding, editing, or deleting system files, and jailbreaking allows you to bypass system restrictions. These activities remove protections that are built into your device to defend against mobile threats.

PenFed is federally insured by the National Credit Union Administration (NCUA) through the National Credit Union Share Insurance Fund (NCUSIF).

That means your deposits are insured up to at least $250,000 per individual member for the total in your regular share (savings) accounts, share draft (checking) accounts, money market accounts, and share certificates.

If you have more than $250,000 at PenFed any single federal credit union of which you are a member, there are options available for additional share insurance coverage.

Just as with FDIC insurance for banks, NCUSIF coverage does not cover losses on money invested in mutual funds, stocks, bonds, life insurance policies, and annuities offered by affiliated entities. It does protect members at all federally insured credit unions from losses on a broad spectrum of savings and share draft products.

What to do

Prevent Scams During Tax Season

File early and protect your Social Security number—only share it when absolutely necessary.

I Fell for a Scam, Now What?

Immediately contact your bank to close affected accounts. If your Social Security number was involved in a tax-related scam, contact the IRS. For suspicious or unsolicited calls from someone claiming to be the IRS, hang up and call TIGTA at 1-800-366-4484 to verify.

Stop. If they ask you for anything, decline. Even if you were hacked, your card company would never ask for a password.

Drop. End the call as soon as you suspect it's a scam. Don't feel obligated to be polite.

Call. Contact a known number to report the incident.

Use multi-factor authentication (MFA) for added security. This requires a second form of verification, such as a code sent to your phone, in addition to your password.

Avoid downloading any software recommended by an unsolicited caller. Scammers may use this to gain access to your computer and steal your information.

Log into PenFed Online to report your lost or stolen card. We'll cancel your card and send you a replacement immediately.

Additionally, you should

Notify any merchants that automatically charge your card and provide them with your new card information.
Review your transaction history for suspicious activity, and contact us immediately if there are transactions that you did not make.

Call PenFed at 1-800-247-5626. If possible, provide the number of the last check that was written or the name of the person or business to whom it was written.

Additionally, you should

Log into PenFed Online to view digital copies of your checks and to see if any unauthorized checks have been written to your account.
Schedule an appointment to visit a PenFed Financial Center so you can close your current account and open a new one. If you have any recurring payments set up in your current checking account, update those payments in your new account.
If checks you wrote haven't been cashed at the time your checkbook was lost or stolen, you may need to contact the payees and send them checks from your new account.

Call PenFed at 1-800-247-5626 and report the suspicious transaction. You may also want to contact the merchant. It is sometimes easier and more efficient to resolve any issue directly with the merchant.

Follow these steps if you believe your identity has been compromised:

1. Contact your financial institutions and creditors. Speak with their fraud departments and explain that someone has stolen your identity.

2. Check your credit reports, and place a fraud alert on your file. Initiate a fraud alert by contacting one of the following three credit bureaus. Once you contact one bureau, the other two bureaus are notified automatically.

Equifax: 1-888-766-0008

Experian: 1-888-397-3742

TransUnion: 1-800-680-7289

3. Watch out for suspicious emails, phone calls, or text messages asking you for your personal information. Always verify that any communication is legitimate by calling the organization back through an official phone number.

A merchant compromise is an organized theft of ATM, debit card, or credit card information.

We continuously monitor transactions for suspicious activity. If we detect that your PenFed card may have been part of a merchant compromise, this does not necessarily mean that fraud has occurred — or will occur — on your account. However, we may deactivate your current card and issue you a new one as a precaution to make sure your account and personal information are safe.

Suspicious email: Forward the email to abuse@penfed.org. Please be sure to include your contact information in case questions arise.

Suspicious text message: Send a screen shot of the suspicious message to abuse@penfed.org. Please be sure to include your contact information in case questions arise.

Suspicious phone call: Report the call at abuse@penfed.org. Please be sure to include your contact information in case questions arise. You may also call us at 1-800-247-5626.

Select “Set up your online account or get help signing in” from the login page.
Follow the on-screen instructions to receive an email with your username and/or to reset your password online.

Security Center