Fraud Education FAQs

If you believe you have been a victim of fraud related to your M&T accounts, please contact M&T Online Customer Service at 1-800-790-9130 (Monday–Friday 8am–9pm, Saturday–Sunday 9am–5pm ET).

Yes, you can dispute a debit card charge. In the case of fraudulent charges, acting quickly is critical for a successful resolution.

If you’ve detected fraudulent activity or have reason to dispute an unauthorized debit card transaction, contact your bank immediately. For M&T cardholders, we have solutions to mitigate the risk of fraud. The sooner the detection, the greater the chances of preventing additional unauthorized charges.

It’s much better — and in most cases easier — to prevent a fraudulent debit card charge than it is to recover one. M&T cardholders should consider enrolling in M&T Alerts . You’ll receive security notifications by text or email when potentially suspicious activity occurs or your PIN changes. And to protect yourself, it’s important that you regularly monitor your account. Watch for any unfamiliar charges and report suspicious activity to your bank immediately.

If you believe you have been a victim of fraud related to your M&T accounts, notify an M&T Customer Service Specialist at 1-800-724-2440.

M&T Bank Alerts are available for your M&T Card through M&T Online Banking. Suspicious activity alerts notify customers of certain potentially fraudulent activity on their M&T Card. Alerts are designed to be a helpful account management tool, but they do not identify all potential fraudulent activity and are not a substitute for security and fraud precautions including, but not limited to, verifying statements and being aware of your outstanding payments and available balance. For your protection, “suspicious activity” and “card PIN change” email alerts cannot be disabled. M&T Bank is not liable for any losses customers may incur due to an alert not being delivered. Your mobile carrier's text messaging and data charges may apply.
Use of these features and services requires Internet and/or data access through a computer or mobile device. Subject to availability and the same limitations as any service available through the Internet. M&T Bank is not responsible for matters that are outside of its reasonable control that might impact availability and functionality. M&T Bank reserves the right to suspend service for any reason at any time. Your mobile carrier's text messaging and data charges may apply. Fees may apply for optional services provided through M&T Online Banking. View the M&T Digital Services Agreement for additional details.

Thieves can steal your money using your debit card number without having physical possession of the card itself. And while debit cards have the added security feature of a PIN, criminals have ways to circumvent that step in a transaction.

Debit card fraud is varied. Cybercriminals may use phishing techniques by phone, email or text to lure consumers into providing their card numbers, PINs and passwords. Or in-person scams like skimming, where a modified PIN pad or ATM collects card information, can allow criminals to create fake cards they then use to make purchases or cash withdrawals.

Consumers, card issuers and merchants all must do their part to minimize the risk of debit card fraud. M&T has extensive security measures in place to protect its cardholders. Help yourself by keeping your card information secure and private, never loaning your card to anyone, shielding your card number and PIN when making transactions and regularly monitoring your account for suspicious activity.

Identifying a skimming device on an ATM can be difficult but there are a few obvious signs to recognize. ATM skimming is when criminals modify an ATM so that they can harvest debit card and PIN numbers. The criminals then use that information to make fraudulent transactions or cash withdrawals.

Before you swipe or insert your card, look closely at the machine’s insert slot or strip reader. Is there anything that appears modified? The card-insert slot may look unusually bulky, for example. Or there may be tape or glue residue apparent that indicates a new piece of hardware was tacked onto the machine. Next, look at the ATM keypad for signs of any modifications.

Beyond being observant, you can minimize your risk of ATM skimming by using the machines at your bank’s branches. These more-monitored ATMs are less likely to be corrupted than standalone machines found at a store, bar or restaurant.

Credit card fraud takes many forms. Thieves can physically steal your card and make fraudulent charges. Cybercriminals can phish your card credentials and use them just as if they had the card itself. And for cards with cash-machine privileges, criminals can modify an ATM so that they can steal card and PIN numbers. The scams go on from there and are ever evolving.

Credit card fraud can happen to anyone. In some cases, criminal techniques have gotten quite sophisticated. M&T employs updated technologies to offer leading fraud detection services and solutions to mitigate your risk. And our M&T Alerts program keeps you informed of any suspicious activity as it’s detected.

By text, email, phone call, social media or mail, a fraud attack can come from anywhere. As a consumer, you must remain vigilant. Protect your card credentials. Monitor your accounts. And know the signs of fraudulent texts and emails. Don’t let your guard down.

Online credit card fraud refers to unauthorized transactions that happen via the internet in “card-not-present” situations. Cybercriminals have sophisticated means of stealing credit card credentials and then using them to make purchases as if they had the card itself.

“Phishing” is a term used to describe how online cybercriminals illegally obtain credit card information. Common scams include fake text messages and emails appearing to be from a bank or other legitimate business that lure a consumer into clicking a hyperlink or opening an attachment. Cybercriminals then either install malware on the consumer’s device or fraudulently convince them to submit their card numbers, PINs and passwords.

To protect yourself against online credit card fraud, sign up for M&T Alerts. We’ll send you text and email notifications as soon as we detect any unusual account activity. Be sure to also monitor your accounts regularly. And be extremely cautious with any unsolicited texts or emails. When in doubt, don’t click the link or open the attachment.

With pretexting, a criminal attempts to win a victim’s trust by creating a believable scenario. The victim may unknowingly divulge sensitive information that the criminal can then use to make fraudulent transactions.

For example, a cybercriminal posing as a bank representative might email an account holder telling them that they are due a checking account refund. Without careful inspection, the email may appear to be legitimate. And the account holder may be excited by the news that they are going to receive money. The cybercriminal may ask the account holder for account information, telling them they need these credentials to complete the refund. If the account holder believes the pretexting story, they may give the cybercriminal all that they need to withdraw money from the account. Once that money leaves the account, it can be very difficult to retrieve. And the longer the victim goes before realizing a breach, the worse the damage gets.

When a text message asks for your personal information, is unsolicited, contains hyperlinks or has obvious spelling or grammatical errors, you should be suspicious that it is fake. Fake text messages are a common scam technique used by cybercriminals. Their aim is to lure unsuspecting victims into divulging personal information. 

Often, a text may appear to be from a bank and may ask for account information. Remember, your bank already knows that information and would not need to ask you for it by text message. M&T Bank also would never text you a hyperlink. Clicking an unsolicited link could lead to malware installation or could take you to a fraudulent website that attempts to steal your information.

Finally, keep an eye out for typos and irregularities. If the language in the message seems odd or unprofessional, the text is likely fake.

The account number alone doesn’t allow a scammer access to your money but it does put them one puzzle piece closer to replicating your credentials and draining your accounts.

With your account number, name and routing number, a scammer can set up one-time or recurring ACH payments from your account. And with your account number and driver’s license number or other state ID number, scammers may be able to complete online transactions at some major retailers. Of course, if a scammer knows your account number, name, PIN and password, they can unlock numerous ways to steal your money.

When a criminal already has a key piece of your identification puzzle, like an account number, you’re more likely to become a target. You become more susceptible to phishing, pretexting or other social engineering attacks where a cybercriminal may try to lure you into divulging additional personal information.

Any text or email asking you for personal information or to click on a hyperlink or attachment is likely a phishing message. Phishing messages can be difficult to identify but if you look for some telltale signs, you’ll reduce your risk of being the victim of fraud.

M&T Bank and other legitimate businesses will never request your personal information unless you’ve initiated contact with them. Be cautious of any message requesting personal information. Next, pay close attention to the email address or phone number of the sender. Does the email address domain match a legitimate business? Can you confirm the phone number with an internet search? Finally, never click a link or open an attachment unless you are certain that they are from a legitimate source.

Phishing is a method used by cybercriminals to try to lure account holders into sharing critical information. If the account holder is unaware and interacts with a phishing message, they may unknowingly give the scammer everything they need to withdraw from the account.

Start by comparing any check you weren’t expecting to one from your own checkbook. Look for any differences, including the weight and texture of the checks. A counterfeit may feel lighter and more slippery. 

A legitimate check is likely to have at least one perforated edge. It also will have a bank logo and street address. If there is no logo or if it’s faded and there’s only a P.O. box or no address, those are red flags. Next, look in the upper right corner. A legitimate check will have a check number. Look also at the routing number, the first nine digits at the bottom of the check that indicate the issuing bank. If there are more or less than nine numbers, or if there is no routing number, it’s a fake.

Be leery of any check you weren’t expecting. If you’re unsure whether it’s a fake, bring the check into your bank for closer examination.

A properly stopped check shouldn’t be able to be cashed. Scammers work this angle as part of a fraud that involves a worthless check.

Fake check scams have two key components: a check, which entices a victim into thinking they’re receiving money, and a believable story about why the victim can’t keep all the money. Say you were selling something online. A scammer may send you a check for more than the sale price. Before you can cash that check, they contact you about accidentally overpaying and ask that you refund the balance. Meanwhile, they stop payment on the check issued to you. When you try to cash it, you’re left with nothing. And unless you had immediately stopped payment to the scammer, you may lose that money and whatever it was you were selling.

Awareness is the best defense against check fraud, fake text messages, phishing emails and other social engineering scams.

A bank may deem a check invalid and refuse to cash it for reasons that include an irregular signature, alterations to the check, insufficient funds, the age of the check or incomplete information.

Consumer fraud often includes scammers attempting to pass invalid checks. You should be aware of the signs of a fake check, including the weight and texture of the paper, missing check numbers, irregular routing numbers and a missing or incomplete bank logo and street address. Inspect any check in question carefully and compare it to your own personal checks.

Be leery of any check you weren’t expecting. If you’re unsure whether it’s fake, bring the check into your bank for closer examination.

If you deposit a check that turns out to be fake, you’ll be responsible for repaying the money.

A fraudulent check might not be recognized until days after it clears. Scammers regularly prey on that lag time. Common check fraud includes a scammer sending a check to a consumer along with a believable story about why the consumer needs to return or forward some of the money. After the consumer has sent the money, the check is found to be fraudulent, and the consumer loses whatever they’d sent.

Treat any check from someone you don’t know with extreme caution. And be aware of the signs of a fake check, including the weight and texture of the paper, missing check numbers, irregular routing numbers and a missing or incomplete bank logo and street address. Inspect any check in question carefully and compare it to your own personal checks.

Yes, someone else can cash a check in your name if you’ve endorsed the back of that check. Or, in the case of check fraud, a criminal could forge your signature and steal the money from that check. Because forged signatures can be difficult to identify, stopping this kind of check fraud is not easy.

Be vigilant with your approach to receiving checks. Always keep checks in a secure place. And don’t delay depositing or cashing checks written to you. The longer it takes you to get the check to the bank, the greater the chances for it to get into the wrong hands. Also, never endorse a check until you are ready to deposit or cash it. If a criminal gets a check that already has your signature on the back, you’ve made their job much easier.

Yes, it is possible for a scammer to exploit a mobile deposit process. Through social engineering and pretexting scams, a criminal will attempt to convince a victim of a believable story that involves the victim sending the criminal some money.

A common fraud scenario might go like this: You sell an item online. A scammer poses as a buyer and sends you a check for more than the asking price of what you sold. You photograph the front and back of the check and use your banking app to deposit it into your account. Meanwhile, the scammer convinces you to refund them the surplus amount they paid, and they ask you to do it quickly through a third-party money transfer service. You send the money only for the bank to then notify you that the check you deposited is fake. You’re now responsible for any loss.

Awareness is the best defense against check fraud, fake text messages, phishing emails and other social engineering scams.

Unemployment fraud is rarely detected until it’s obvious. If you start to receive mail regarding claims you’ve never made, it’s likely that your identity has been compromised. Criminals use stolen identities to fraudulently collect unemployment benefits across multiple states. The scam has surged throughout the COVID-19 pandemic.

Because unemployment benefits are taxable income, you could owe taxes on these fraudulent claims until you get the matter resolved. Preventing this type of fraud requires proactively protecting your personal information. Keep all personal and financial information secure. Monitor your accounts for irregularities. Review password strengths. And make sure your bank has your updated contact information in case of fraud notifications.

If your account is frozen because of suspicious activity, contact your bank to resolve the matter. You and your banker can review account activity to determine if there is any risk of fraud. If there is none, your account should be unfrozen.

Share any plans for unusual spending with your bank ahead of time. If you’re traveling internationally or making an unusually large purchase, for example, alerting your bank may prevent your account from being frozen.

In turn, you should expect your bank to keep you informed. M&T customers have the option of customizing their M&T Alerts settings to get text or email updates about account irregularities. We work with our customers to prevent fraud.

The amount of time it takes to unfreeze a bank account will depend on the reason it was frozen. Once all parties are satisfied that the issue that caused the account freeze is resolved, the account should be reactivated quickly. In the case of suspicious activity, an account can be unfrozen immediately once the bank and account holder agree that there’s no imminent risk of fraud.

Your bank may freeze your account if they detect unusual activity. That’s why it’s important that you communicate with your bank if you plan to travel abroad or to make an unusually large purchase.

Yes, a legitimate cashier’s check is as safe a physical form of payment because the funds are drawn against a bank’s account rather than an individual’s or business’s. But as with any kind of check, there is potential for fraud. Be on the lookout for fake checks.

If you do accept a cashier’s check, call the issuing bank immediately to verify the check’s legitimacy. Inspect the cashier’s check closely, looking for signs of fraud. A fake check may feel lighter and more slippery than a legitimate check. Is there a bank logo and street address on the check? Is there a nine-digit routing number? Cashier’s checks also often include watermarks to identify them as legitimate.

Bring any questionable cashier’s check into your bank as soon as possible for closer examination.

In many contexts, two-factor authentication and strong authentication mean the same thing. Both refer to multiple pieces of identifying information being required to access an account, system or network. Two-factor authentication means that two separate pieces of information are required to gain access. Strong authentication could require those same two pieces of information or, in some cases, an additional piece of information.

In many instances, to gain access to information or to complete a transaction, a user will need to provide a unique piece of knowledge — such as a password or PIN — and a second means of proving their identity — such as a security question or unique code. Those two identifiers together make up two-factor authentication, which may also be called strong authentication. Some strong authentication instances require a third identifier, such as a fingerprint or retina scan.

Your credit or debit card’s CVV, or Credit Verification Value, is an identifying number that protects your card against unauthorized transactions. It is generally required in online credit- or debit-card transactions and helps to ensure that the purchaser is in physical possession of the card.

Treat your CVV as the most important number on your card and always keep it private. Even if a cybercriminal gets a hold of your card number, the CVV will prevent them from making any fraudulent online purchases. A CVV is to online credit or debit purchases what a PIN is to cash withdrawals or in-person transactions.

Visa calls this special identifier a “CVV.” MasterCard uses the term “Card Verification Code (CVC).” And American Express and Discover call it a “Card Identification Number (CID).”

Two-factor authentication is more secure than just a PIN or password but it is not immune to fraud. The most secure means of protecting account, card and identity information is with multi-factor authentication that includes more than two identifiers.

In many instances, to gain access to information or complete a transaction, a user will need to provide a unique piece of knowledge — such as a password or PIN — and a second means of proving their identity — such as the answer to a security question or a unique code. Those two identifiers together make up two-factor authentication. It’s a secure and effective way to guard against fraud, but it’s not perfect. Sophisticated cybercriminals have devised ways to steal multiple identifiers that allow them to complete their scams. In the case of one-time passcodes used to verify your identity, remember never to share that information with a stranger.

Some transactions are more secure and require an additional identifying factor, such as a fingerprint or retina scan.

Yes, credit card theft is a form of identity theft. For a criminal to use your credit card for fraudulent transactions, they will need to have stolen something unique to you, like a password, PIN, CVV, account number, Social Security number, answer to a personal security question or the physical card itself. Each of those things are a part of your identity.

Criminals are developing increasingly sophisticated means of identity and credit card theft. Phishing, skimming and pretexting are just a few common types of scams. To protect yourself, sign up for M&T Alerts. We’ll send you text and email notifications as soon as we detect any unusual account activity. Be sure to also monitor your accounts regularly. And be extremely cautious with any unsolicited texts or emails. When in doubt, don’t click the link or open the attachment.

Identity theft can occur anywhere there’s personal information. From an online network to a roadside trash can, the potential for identity theft is ever present.

Cybercriminals are continuously developing increasingly sophisticated methods for stealing identity through fake email and text messages. Hackers continue to breach networks and steal information. Pickpockets prey on crowds of people. Criminals even dig through garbage to find personal information. All these scenarios and many others can lead to identity theft.

Awareness is the best defense against identity theft. Closely guard your personal information. And learn to recognize the signs of fake text messages, phishing emails, check fraud and other social engineering scams. M&T Bank has solutions to mitigate the risk of fraud. Our Customer Service Specialists can help you with questions or concerns.

More questions?

Speak with an M&T Online Customer Service at 1-800-790-9130 (Monday–Friday 8am–9pm, Saturday–Sunday 9am–5pm ET).

You can also make an appointment to come in to a branch near you.

Unless otherwise specified, all advertised offers and terms and conditions of accounts and services are subject to change at any time without notice. After an account is opened or service begins, it is subject to its features, conditions, and terms, which are subject to change at any time in accordance with applicable laws and agreements. Please contact an M&T representative for details.