Vishing and SMiShing - Text message safety
You receive a text message or an automated phone
call on your cell phone that is designed to alert you to a problem with one of
your accounts. You're given a phone number to call or a website to log into and
asked to provide personal identifiable information--like a bank account number,
PIN, or credit card number--to fix the problem.
But beware: It could be a
"smishing" or "vishing" scam...and criminals on the other
end of the phone or website could be attempting to collect your personal
information in order to help themselves to your money. While most cyber scams
target your computer, smishing and vishing scams target your home and mobile
Just like phishing, smishing uses cell phone
text messages to lure consumers in. Often the text will contain an URL or phone
number. The phone number often has an automated voice response system. And
again just like phishing, the smishing message usually asks for your immediate
Sometimes, if a victim logs onto a phony website
with a smartphone, they could also end up downloading malicious software that
could give criminals access to anything on the phone. With the growth of mobile
banking and the ability to conduct financial transactions online, smishing and
vishing attacks may become even more attractive and lucrative for
Criminals set up an automated dialing system to
text or call people in a particular region or area code (or sometimes they use
stolen customer phone numbers from banks or credit unions). The victims receive
messages like: "There's a problem with your account," or "Your
ATM card needs to be reactivated," and are directed to a phone number or
website asking for personal information. Armed with that information, criminals
can steal from victims' bank accounts, charge purchases on their charge cards,
create phony ATM cards, etc.
The typical vishing scam makes use
of Voice over Internet Protocol (VoIP), which allows people to talk
over their computer lines, and can allow for dialing multiple numbers at the
same time. Scammers may work from a list of regional phone numbers or even from
a phone book, but what they mainly do is call everyone they can and leave an
automated message saying the person’s credit card or bank account has been
compromised, depleted or closed. When this process is done
by email it’s called phishing, instead of vishing.
People who have left a message are given
instructions to call a number to get more information about this alleged
compromise. Scammers often use toll-free numbers for this purpose and may
even have, for people with caller ID, the legitimate name of the company that
is supposedly calling. When people call the number, they’re instructed to dial
in their credit card number or bank account number, and even sometimes
information like personal identification numbers (PINs), or their social
security number. Once this information is obtained, callers may speak to a
person posing as a “representative” or they may never get to a representative
and are placed on hold. Meanwhile, the damage is done and the scammers may then
use the information to steal money or credit card numbers.
What can you do to protect yourself?
Essentially, it’s pretty easy to avoid
a vishing scam or one conducted by email, and now commonly through
text messaging on cell phones. Instead of calling the number listed, look up
your bank account telephone number or your credit card phone number and call
that number instead. If you’re being vished, a bank or credit card company can
tell you this immediately by letting you know that there has been no illegal
activity on your account or any security compromise of your account. These
scams can seem very real though because they often contain warnings about not
divulging your personal information, which may make a potential target feel the
company calling, texting, or emailing is protecting his/her interests.
- Be aware. Consumers need to know that these scams exist. T
- Don’t fall for texts from your network which ask for details. Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
- If you see a “business” phone number in a text, it’s no guarantee it’s real. Many SMS phishing attacks will include “toll-free” numbers that look like legitimate business ones – they’re not. Cybercriminals can set up these numbers easily and cheaply, and if you phone the number, you’ll usually be asked to “confirm” details – handing them over to the fraudsters.
- Don’t reply with “STOP” if you’re being spammed – contact your network instead. If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to cut off the emails, don’t. This will simply tell the spammers that you’re there, and they’ll intensify their attacks. Your network will be able to block SMS from specific numbers.
- Be very suspicious of “special offers” – especially ones where you have to “act fast”. Phishers commonly send out SMS attacks in the form of “special offers” from big companies – such as a $1,000 gift card, where only a limited number are available, and you have to click a link to cash in.
- Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defense.
- Don’t fall for texts from your financial institution which ask for “confirmation details”. Your financial institution may well text you – for instance to confirm a transaction on PC – but text messages from your financial institution will not, ever, ask you to confirm details, or for passwords. financial institutions also won’t update their apps in this way. If you’re suspicious, don’t click links, and don’t call any numbers in the text. Instead, call your financial institution on its “normal” number and check whether the text is from them.
- Don’t fall for warnings saying, “Your phone is infected”. SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps.
- Be suspicious of all unknown callers. People should be just as suspicious of phone calls as they are of e-mails asking for personal information. And some experts suggest letting all calls from unknown callers go to voicemail.
- Don't trust caller ID. Just because your caller ID displays a phone number or name of a legitimate company you might recognize, it doesn't guarantee the call is really coming from that number or company.
- Ask questions. If someone is trying to sell you something or asking for your personal or financial information, ask them to identify who they work for, and then check them out to see if they are legitimate.
- Call them back. Again if someone is selling you something or asking for information, tell them you will call them back and then either verify the company is legitimate, or if it's a bank or credit card company, call them back using a number from your bill or your card. Never provide credit card information or other private information to anyone who calls you.
Reporting Text Scams Here