smish·ing
noun. the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers
How to identify SMS threats
You receive a text message alerting you to a suspicious debit that was attempted on your account. It provides instructions on how to validate the legitimacy of the transaction. Because the sender uses spoofing technology, the texts appear to come directly from your financial institution.
The goal is to get you to provide your account number or online banking credentials to validate your identity. This in itself is problematic. However, fraudsters are now taking this a step further by turning to a hybrid form of smishing. They blast out these text messages as a pretext for immediately calling and scamming anyone who responds via text.
One possible scenario is a member receiving an SMS saying it is from Mid Oregon, inquiring if they authorized a payment from their account. The message asks them to reply “Yes” or “No,” or 1 to decline future fraud alerts. Since this seems like a reasonable and simple request, and they do have a Mid Oregon account, they respond, “No.”
When they reply “No,” someone calls immediately, and the caller ID reflects Mid Oregon. The caller says they are from the fraud department and need to help secure the member’s account. They ask for additional information under the pretense of ensuring they are talking to the account owner and not a potential scammer. Is the call legit or a scam? What would you do?
How to protect yourself against SMS threats
Cybersecurity experts recommend that account holders who receive an SMS and/or phone call asking for account information follow this fraud rule: When In Doubt, Hang Up, Look Up, and Call Back. Don’t assume the number that called you is legit. Look up the number of the financial institution supposedly calling you, and call them back. Members are also encouraged to save their financial institution’s number so they can call immediately if they suspect they are victims of fraud.
And, as always, you should not use the same password for all your accounts or use passwords that can be easily guessed. Passwords should be changed frequently, and you should use multifactor authentication when it’s available.
Want to know more? Read additional Mid Oregon blog articles about online security and fraud protection.
Content based on an article by Wespay