Picture this: someone calls your bank, recites your full name, your address, and the last four digits of your Social Security number. The customer service rep checks every box and grants access. Within minutes, the contact email on your account is swapped, a new device is enrolled, and money starts moving out. You had no idea until the balance alert hit your phone.
This is not a thought experiment. The FBI has issued alerts warning that account takeover fraud through impersonation of bank support staff is an active and growing threat. Criminals spoof caller IDs, rehearse polished scripts, and arm themselves with real customer data harvested from breaches or purchased on dark-web marketplaces. Once they clear a bank’s identity check, the damage unfolds in minutes.
There is a simple defense most people never activate: a verbal password.
What a verbal password actually is
A verbal password is a secret word or phrase that only you and your bank know. Whenever you call in, or whenever someone claiming to be you calls in, the representative asks for it before making any changes. It is completely separate from your online login, your PIN, and any one-time codes sent to your phone.
What makes it different from standard security questions? A verbal password does not exist in any public record or database. Your mother’s maiden name can be found on ancestry sites. Your date of birth sits in dozens of breached datasets. A phrase you chose yourself and shared only with your bank is far harder for a stranger to produce on demand.
Charles Schwab lists a verbal password among its recommended security measures for phone interactions, noting that it is distinct from its Voice ID biometric feature. Exchange Bank defines it as a secret word or phrase known only to the customer and the bank, designed specifically to block callers who may have obtained personal details through data breaches or phishing.
Why standard identity checks keep failing
The Federal Trade Commission reported that nationwide fraud losses topped $10 billion in 2023, with imposter scams ranking among the leading categories. A separate FTC analysis published in April 2024 detailed how impersonation tactics and payment methods have shifted over time, confirming that phone-based social engineering remains a persistent channel for fraud.
The problem is structural. Banks have historically verified callers using facts that feel private but are not: Social Security numbers, dates of birth, recent transaction amounts. After years of massive data breaches affecting hundreds of millions of Americans, these details are widely available to criminals. A knowledge-based question only works if the answer is genuinely secret, and for most people, it no longer is.
Regulators have taken notice. The Federal Financial Institutions Examination Council issued updated authentication and access guidance in August 2021, pressing banks to move beyond single knowledge-based questions and adopt risk-based identity verification. FINRA’s Regulatory Notice 21-18 similarly warned broker-dealers to tighten call center and help desk procedures after a rise in social-engineering-driven account takeovers. NIST’s Digital Identity Guidelines (Special Publication 800-63) call for layered authentication calibrated to the sensitivity of the transaction.
None of these frameworks mandate verbal passwords by name, but they all point in the same direction: relying on easily stolen facts to verify a caller is no longer acceptable.
How to set one up
The process is straightforward at most institutions that offer it:
- Call your bank or brokerage. Ask the representative whether they offer a verbal password, phone passphrase, or telephone banking password. The terminology varies by institution.
- Choose a strong phrase. Avoid anything guessable: pet names, birthdays, or common words. A short, memorable phrase with no connection to your public life works best. Think “copper telescope march” rather than your dog’s name.
- Confirm it is on file. Ask the representative to read back that the verbal password has been added and will be required for future phone interactions, especially for sensitive actions like address changes, wire transfers, or password resets.
- Store it securely. Record it in a password manager or a secure physical location. If you forget it, you will likely need to visit a branch with photo ID to reset it.
If your bank does not offer a verbal password, ask what alternative phone-channel protections are available. Some institutions use callback verification, where they hang up and call you at the number on file. Others require in-app confirmation before processing changes requested by phone.
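For the "Choose a strong phrase" step above, the following is an added example, not code from any bank or from the original article. It draws a random phrase from a word list and screens any candidate against details a caller could already know about you. The word list, the sample personal facts, and all function names are constructed for illustration.

```python
import math
import re
import secrets

# Constructed sample list; a real diceware-style list has thousands of words.
WORDS = ["copper", "telescope", "march", "lantern", "orbit", "velvet",
         "harbor", "pickle", "summit", "canyon", "ribbon", "magnet",
         "timber", "falcon", "quartz", "meadow"]


def _tokens(text):
    """Lower-case alphanumeric tokens, so 'Biscuit!' and 'biscuit' match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def generate_phrase(n_words=3, words=WORDS):
    """Pick words uniformly with a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy when each word is drawn uniformly and independently."""
    return n_words * math.log2(list_size)


def screen_phrase(phrase, personal_facts, min_words=3):
    """Return the reasons a phrase is weak; an empty list means it passed."""
    problems = []
    words = _tokens(phrase)
    if len(words) < min_words:
        problems.append(f"fewer than {min_words} words")
    # Split each fact (name, pet, birth date, address) into tokens and
    # ignore very short ones such as initials or two-digit day numbers.
    known = set()
    for fact in personal_facts:
        known.update(t for t in _tokens(fact) if len(t) >= 3)
    for hit in sorted(known.intersection(words)):
        problems.append(f"contains personal detail: {hit}")
    return problems


if __name__ == "__main__":
    facts = ["Jane Q. Doe", "Biscuit", "1984-07-12", "12 Elm Street"]  # constructed
    candidate = generate_phrase()
    print(candidate, screen_phrase(candidate, facts))
    print(f"{entropy_bits(3, len(WORDS)):.1f} bits with this 16-word sample list")
```

With the 16-word sample list a three-word phrase carries only 12 bits, so use a list of several thousand words when generating a phrase you intend to register.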
What we still do not know
No publicly available data from banks, the FTC, or the FBI measures how much verbal passwords reduce successful account takeovers. The logic is sound, and regulators endorse the concept, but no published study has quantified the benefit. FFIEC and FINRA examination records do not disclose how many firms have implemented verbal passwords versus other authentication methods, so industry-wide adoption rates remain unknown.
There is also limited insight into how consumers actually use these controls. Public sources do not reveal how often customers accept a verbal-password option when offered, how frequently they forget the phrase, or whether they pick weak, guessable words that undermine the protection. Without that behavioral data, it is hard to measure how much incremental security a verbal password adds on top of existing multi-factor tools.
Complaint narratives filed through ReportFraud.ftc.gov or IdentityTheft.gov are not publicly searchable in a way that isolates cases where a verbal password stopped or failed to stop a takeover. The feature’s track record, for now, rests on institutional logic rather than hard outcome data.
One phone call now, fewer headaches later
A verbal password works best as part of a broader defense. Banks that pair it with staff training to recognize pressure tactics, limits on what can be changed in a single phone call, and real-time monitoring for unusual transfers create multiple barriers a scammer must clear. No single control is foolproof, but stacking them raises the cost and difficulty of an attack significantly.
For consumers, the calculus is simple. Setting up a verbal password takes one phone call and costs nothing. It closes a specific gap that criminals are actively exploiting: the ability to impersonate you using information that is already out there. If your bank offers it, there is no good reason not to turn it on.
Customers who want to stay ahead of emerging fraud tactics can also sign up for FBI email alerts, which flag new social-engineering schemes and recommended defenses as they surface.
For banks and brokerages, the research gap is worth closing. Tracking how often verbal passwords prevent suspicious calls from progressing and sharing anonymized findings with regulators would help the industry decide whether this control deserves broader promotion or needs redesign. As of June 2026, verbal passwords remain a low-cost, practical way to harden a historically vulnerable channel. The only real risk is not asking for one.