Got a cellphone? Here come Smishing scams
By Carmen Chai
With many consumers too savvy these days to fall for the fraudulent email attacks, scammers increasingly turn to a fraud scheme that target your new constant companion -- your smartphone.
Using text messages and voice mails, the cons try to trick victims into divulging credit card or other personal details.
Criminologist Brion Sever has seen plenty of scams, but in 2011 he became a target. A string of text messages on his cellphone told him that his Wells Fargo bank account had been compromised. An automated voice mail with the same warning followed.
The messages looked authentic. Sever, a Florida Gulf Coast University professor, has an account and debit card with the bank. The messages suggested he call an 800 number to verify his identity and unfreeze his account.
"I thought someone got into my account, and banks do call you to check for unusual activity," Sever recalls. "It was a very well-done message. The whole idea is to catch you off guard."
Sever caught on quickly, though. He refused to call the number provided -- it didn't match the bank's contact information on the back of his debit card.
Many other people are not so lucky. Sever's incident involved textbook examples of "smishing" and "vishing" attacks -- encounters in which fraudsters send SMS text messages (smishing) and voice messages (vishing) to consumers' mobile phones. The messages are designed to elicit personal and financial information from victims so fraudsters can gain access to their identity, bank accounts and credit cards.
"Smishing is basically a variation of phishing, where perpetrators will obtain personal data from you by sending you a text message to your smartphone," says John Everett, a spokesman for the National White Collar Crime Center (NW3C).
Satnam Narang, a senior security response manager at Symantec, notes that smishing has been growing for the past five years as smartphones have replaced computers as consumers' primary devices.
"People have grown accustomed to phishing emails," Narang explains. "The way it has evolved now is instead of getting emails, you're getting SMS texts pretending to be a financial institution or phone service provider."
I don't blame anyone falling for this because it seems real. These people will do anything to pry you away from your money.
National White Collar Crime Center (NW3C)
The messages sometimes warn consumers of fraudulent charges on their credit cards or withdrawals from their checking accounts. The FBI says that in other instances, the texts appear to be from mobile phone carriers and promise that the victim has won a prize. To claim it, they must call or text back with their personal details.
The message Sever received was probably sent to thousands of cellphone users, even if they weren't Wells Fargo customers, says Everett. Fraudsters bank on a handful of consumers falling victim to their scams. "It's a numbers game and criminals go for low-hanging fruit," Everett warns.
Complaints are already mounting. The Internet Crime Complaint Center (IC3) -- a partnership between the NW3C and the FBI -- is a repository used by law enforcement officials. From there, they build cases based on victims' stories, Everett says.
From August 2014 to April 2015, the IC3 received 7,891 complaints tied to phishing, vishing or smishing scams, the FBI said in an emailed response to questions. And in the last four months of that year it saw about 300 more phishing and smishing complaints than in the four months prior.
"There are so many people who have smartphones now and as that number grows, I would expect scams that target cellphones to grow, too," Everett says.
The scams run the gamut from simple to sophisticated, experts say. In some cases, Symantec experts tested out smishing scams that asked consumers to input their credit card number on the bank's website. If the experts typed in a string of ones or zeros, for example, the site knew it wasn't a valid credit card.
If you didn't ask for these messages and you're being contacted through text messages on your cellphone or pop-ups on your computer, it's fraud.
"They're able to detect and determine if you've provided a legitimate debit or credit card number using an algorithm. That's more sophisticated but it runs across the board," Narang says.
In common cellphone scams Everett sees, robocallers cast a wide net. If a consumer picks up, the call is routed to a fraudster who poses as a government official warning that the victim has missed jury duty. The fraudster claims that if the consumer hands over his or her credit card information to process a fine, they'll be off the hook.
"I don't blame anyone falling for this because it seems real. These people will do anything to pry you away from your money," Everett says.
Sever evaded a potential scam by being skeptical. Experts say that everyday consumers can be just as savvy, too, to avoid falling for a smishing scam. It helps to recognize when you're being manipulated.
"What these criminals are banking on is fear: your account has been frozen, you're locked out of your iCloud. When you invoke that fear, the victim's initial response is to go and see, to rectify the situation," Narang says.
Here are some other tips for staying safe:
- Don't automatically assume that a text or voice message is legitimate. Instead of calling a suggested number or clicking a link in a text message, refer to the contact information on the back of your card or on your credit card statement. You're better off typing in the URL of your bank or card issuer than clicking on the link provided in the message.
- Ignore text messages or automated voice messages from people you don't recognize. If you're receiving messages from unknown or blocked numbers, don't text back and don't return the calls. "Typically a lot of these scams are unsolicited," says Narang."If you didn't ask for these messages and you're being contacted through text messages on your cellphone or pop-ups on your computer, it's fraud."
Ask yourself if you've signed
up for text message alerts from your bank or credit card issuer. If you did, you probably had to go through a verification process,
including accepting terms and conditions and setting up a pass code, Narang
says. If you can't remember going through that process, you shouldn't be
receiving any text messages from them.
If you did sign up for alerts, find out what the financial institution's policies are. Capital One, for instance, says that it offers two-way email and text alerts so consumers can clear fraud concerns by responding to texts it sends. You may be asked to enter a code to confirm that an attempted charge is not fraud but you will never be asked to submit or verify personal information via text, a spokeswoman says.
- Report any smishing and vishing scams you come across: Hang onto any fraudulent messages you receive so you can document the case to your local police, your financial institution and to the FBI's IC3. Your case could help investigators and protect fellow consumers down the road.
- File a complaint: If you're receiving unwanted commercial text messages, file a complaint with the Federal Trade Commission, the FBI says.
Published: May 7, 2015
- CFPB warning: incentives can harm consumers – The U.S. Consumer Financial Protection Bureau issued a broad warning about sales incentives, possibly signalling a new enforcement priority ...
- CFPB: Minn. bank tricked customers into costly overdraft fees – Federal consumer watchdog charges TCF National Bank obscured fees and gave customers hard-sell to opt in for fees of $35 per overdraft ...
- FICO’s Scott Zoldi: Card-not-present fraud a growing threat – FICO analytics chief Scott Zoldi discusses the state of fraud protection amid the EMV shift and the use of trended data ...