Vishing and SMiShing - Text message safety
You receive a text message or an automated phone call on your cell phone that is
designed to alert you to a problem with one of your accounts. You're given a
phone number to call or a website to log into and asked to provide personally
identifiable information, like a bank account number, PIN, or credit card
number, to fix the problem.
But beware: It could be a "smishing" or "vishing" scam, and the criminals
on the other end of the phone or website could be attempting to collect your
personal information in order to help themselves to your money. While most cyber
scams target your computer, smishing and vishing scams target your home and
Just like phishing, smishing uses cell phone text messages to
lure consumers in. Often the text will contain a URL or a phone number, and the phone
number usually leads to an automated voice response system. And again, just like
phishing, the smishing message usually asks for your immediate attention.
In many cases, the smishing message will come from a "5000" number
instead of displaying an actual phone number. This usually indicates the SMS
message was sent via email to the cell phone, and not sent from another cell
Sometimes, if a victim logs onto a phony website with a smartphone, they
could also end up downloading malicious software that could give criminals
access to anything on the phone. With the growth of mobile banking and the
ability to conduct financial transactions online, smishing and vishing attacks
may become even more attractive and lucrative for cyber criminals.
Criminals set up an automated dialing system to text or call
people in a particular region or area code (or sometimes they use stolen
customer phone numbers from banks or credit unions). The victims receive
messages like: "There's a problem with your account," or "Your ATM card needs to
be reactivated," and are directed to a phone number or website asking for
personal information. Armed with that information, criminals can steal from
victims' bank accounts, charge purchases on their charge cards, create a phony
ATM card, etc.
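As an added example (it is not part of the original article), the following Python script scores an incoming text against the warning signs described above: a short-code sender such as "5000", an embedded link or callback number (especially a toll-free one), an "account problem" pretext, pressure to act immediately, a request for a PIN or account details, and a prize offer. Every sample message, sender and URL below is constructed for illustration, and the indicator patterns and the scoring thresholds are my own assumptions, not a published detection rule.

```python
"""Heuristic triage of SMS messages for the smishing indicators described above.

Added example, not the article's own code. All senders, bodies and URLs are
constructed; the patterns and thresholds are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Links and callback numbers embedded in the message body.
URL_RE = re.compile(r"(https?://\S+|www\.\S+)", re.I)
PHONE_RE = re.compile(r"\b(?:1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
# North American toll-free prefixes; the article notes scammers favour these.
TOLL_FREE_RE = re.compile(r"\b(?:1[-. ]?)?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
# A bare short code such as "5000" instead of a full phone number, which the
# article says usually means the SMS came in through an email gateway.
SHORT_CODE_RE = re.compile(r"^\d{3,6}$")

# Body phrases taken from the pretexts the article describes (assumed patterns).
BODY_INDICATORS = {
    "account_problem": r"problem with your account|account (?:has been )?(?:suspended|compromised|closed|locked)|needs? to be reactivated",
    "credential_request": r"\b(?:pin|password|passcode|account number|card number|social security|ssn)\b|(?:confirm|verify|update) your (?:details|information|identity)",
    "urgency": r"\b(?:immediately|urgent(?:ly)?|act (?:now|fast)|right away|within \d+ hours?|only \d+ left|limited (?:time|number))\b|will be (?:deactivated|suspended|closed)",
    "prize_offer": r"\bgift card\b|you(?:'ve| have) won|\bwinner\b|\bprize\b",
    "stop_instruction": r'\b(?:reply|text|send)\s+["“]?stop\b',
}


@dataclass
class Triage:
    sender: str
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per distinct indicator; no weighting.
        return len(self.indicators)

    @property
    def verdict(self) -> str:
        # Thresholds are arbitrary assumptions for this example.
        if self.score >= 3:
            return "likely smishing"
        if self.score >= 1:
            return "suspicious"
        return "no indicators"


def triage_sms(sender: str, body: str) -> Triage:
    """Return the indicators found in one (sender, body) pair."""
    t = Triage(sender=sender)
    if SHORT_CODE_RE.match(sender.strip()):
        t.indicators.append("short_code_sender")
    if URL_RE.search(body):
        t.indicators.append("contains_url")
    if TOLL_FREE_RE.search(body):
        t.indicators.append("toll_free_callback")
    elif PHONE_RE.search(body):
        t.indicators.append("callback_number")
    for name, pattern in BODY_INDICATORS.items():
        if re.search(pattern, body, re.I):
            t.indicators.append(name)
    return t


# Constructed sample traffic: (sender, body). None of these are real messages.
SAMPLE_MESSAGES = [
    ("5000", "ALERT: There's a problem with your account. Call 1-800-555-0199 now or your ATM card will be deactivated."),
    ("+15551234567", "Your 2FA code is 482913. It expires in 10 minutes."),
    ("+15550002222", "Your account has been suspended. Confirm your PIN and account number at http://example.invalid/verify to restore access."),
    ("+15557654321", "Two-for-one pizza on Tuesdays at Mario's. Show this text at the counter."),
    ("5000", "Congratulations! You've won a $1,000 gift card. Only 20 left, claim at www.example.invalid/claim within 24 hours. Reply STOP to end."),
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    """Triage every sample message; returns one Triage per message, in order."""
    return [triage_sms(sender, body) for sender, body in messages]


if __name__ == "__main__":
    for t in triage_all():
        print(f"{t.sender:>14}  {t.verdict:<16} {', '.join(t.indicators) or '-'}")
```

The point of the scoring is that no single indicator is decisive: a legitimate bank may text from a short code, and a legitimate pizza shop may include a link. It is the combination of an account-problem pretext, pressure to act, and a request to hand over a PIN or account number through a number or link inside the message that marks a text as one to verify through the bank's published number rather than the one supplied.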
The typical vishing scam makes use of Voice over Internet Protocol (VoIP), which
carries calls over the internet rather than the telephone network and lets a
scammer dial many numbers at the same time. Scammers may work from a list of regional
phone numbers or even from a phone book, but what they mainly do is call
everyone they can and leave an automated message saying the person’s credit card
or bank account has been compromised, depleted or closed. When this process is
done by email it’s called phishing, instead of vishing.
People who are left a message are given instructions to call a number to get
more information about this alleged compromise. Scammers often use toll-free
numbers for this purpose and may even arrange for caller ID to display the
legitimate name of the company that is supposedly calling. When people call the
number, they’re instructed to dial in their credit card number or bank account
number, and even sometimes information like personal identification numbers (PINs),
or their social security number. Once this information is obtained, callers may
speak to a person posing as a “representative” or they may never get to a
representative, and are placed on hold. Meanwhile, the damage is done and the
scammers may then use information to steal money or credit card numbers.
What can you do to protect yourself?
Essentially, it’s pretty easy to avoid a vishing scam or one conducted by email,
and now commonly through text messaging on cell phones. Instead of calling the
number listed, look up your bank account telephone number or your credit card
phone number and call that number instead. If you’re being vished, a bank or
credit card company can tell you this immediately by letting you know that there
has been no illegal activity on your account or any security compromise of your
account. These scams can seem very real though, because they often contain
warnings about not divulging your personal information, which may make a
potential target feel the company calling, texting or emailing is protecting
Be aware. Consumers need to know that these scams exist. To find out
more information, go to the FTC
Don’t fall for texts from your network which ask for details. Your phone network will often text you – if you’re abroad, for instance, to warn of data roaming rates. But networks won’t ever ask you to confirm or verify your details. If you see a “security” text which asks for a password, or any other details, don’t click the link, and don’t call any numbers in it. Contact your network via their website, or via their phone number (the real one, not the one in the SMS).
If you see a “business” phone number in a text, it’s no guarantee it’s real.
Many SMS phishing attacks will include “toll free” numbers that look like legitimate business ones – they’re not. Cybercriminals can set up these numbers easily and cheaply, and if you phone the number, you’ll usually be asked to “confirm” details – handing them over to the fraudsters.
Don’t reply with “STOP” if you’re being spammed – contact your network instead. If you’re being spammed repeatedly, and the SMS contains an instruction to text back with “STOP” to stop the messages, don’t. This will simply tell the spammers that your number is live, and they’ll intensify their attacks. Your network will be able to block SMS from specific numbers.
Be very suspicious of “special offers” – especially ones where you have to “act fast”.
Phishers commonly send out SMS attacks in the form of “special offers”
from big companies – such as a $1,000 gift card, where only a limited number are
available, and you have to click a link to cash in.
High-value “special offers” that sound too good to be true usually are. If it’s your local pizza place offering two-for-one on Tuesdays, you might be safer. Think first, and think hard if you’re being asked to click a link.
Set your phone to block apps from unknown sources. Many SMS phishing attacks aim to fool you into installing malicious apps – particularly on Android. As a precaution, block installation from unknown sources (it’s in Android’s Settings menu). If you have to unblock this (for instance to install a work app), set it back to “blocked” when you’ve finished. If you do make a mistake, this gives you another line of defence. It’s also worth using Google’s built-in “Verify Apps” function, which monitors apps for suspicious activity.
Don’t fall for texts from your bank which ask for “confirmation details”.
Your bank may well text you – for instance to confirm a transaction made on a PC – but bank texts will not, ever, ask you to confirm details, or for passwords. Banks also won’t update their apps in this way. If you’re suspicious, don’t click links, and don’t call any numbers in the text. Instead, call your bank on its “normal” number – Google it if you don’t know – and check whether the text is from them.
If you’re an Android user, protect your phone with an antivirus app. Google’s own Verify Apps function is a useful first line of defence – and Android users should turn it on. Security apps such as ESET’s Mobile Security and Antivirus add a few extra layers of defense, blocking known phishing attacks – and scanning all apps on your phone for malicious activity in real time. You can also block specific numbers from texting you – or block all unknown senders.
Don’t fall for warnings saying, “Your phone is infected”. Recent SMS phishing scams use a bogus “security alert” to scare users into installing fake antivirus apps. Reputable security companies will not “push” products in this way. ESET’s Cameron Camp says, “Malware posing as security apps, also known as “scareware”, are some of the most pervasive scams on Android in recent months.”
Be suspicious of all unknown callers. People should be just as
suspicious of phone calls as they are of e-mails asking for personal
information. And some experts suggest letting all calls from unknown callers go
Don't trust caller ID. Just because your caller ID displays a phone
number or name of a legitimate company you might recognize, it doesn't guarantee
the call is really coming from that number or company.
Ask questions. If someone is trying to sell you something or asking for
your personal or financial information, ask them to identify who they work for,
and then check them out to see if they are legitimate.
Call them back. Again, if someone is selling you something or asking for
information, tell them you will call them back and then either verify the
company is legitimate, or if it's a bank or credit card company, call them back
using a number from your bill or your card. Never provide credit card
information or other private information to anyone who calls you.
Register your number with the National Do Not Call registry at donotcall.gov.
Even though criminals and unscrupulous telemarketers may ignore the list, if you
are on the list and get a call from a supposed telemarketer, that could be a tip
that the offer is bogus. Most legitimate telemarketers obey the rules and laws
about contacting consumers. Also, the website provides a place where complaints
can be filed.
Report incidents. Report vishing calls to www.ftc.gov or
call (888) 382-1222. The FTC wants the number and name that appeared on the
caller ID as well as the time of day and the information talked about or heard
in a recorded message. If you think you've been a victim of a vishing attack you
can also contact the Internet Crime Complaint Center.
For those outside the US, the following numbers can help out. In Canada report vishing or phishing attempts online at the Reporting Economic Crime Online government organization, or call 1-888-495-8501. In the UK, you should make your report directly to the bank indicated in the scam.