By now, you've likely heard of a phishing scam circulating via text message that is intended to trick members into divulging their confidential account information. In case you’re unclear as to what exactly is meant by a phishing scam, it’s a type of crime in which an attacker attempts to obtain sensitive (usually financial) information by posing as a trustworthy enterprise. Although email phishing scams continue to wreak havoc, criminals are increasingly targeting mobile phones in what’s known as a “smishing” (SMS phishing) attack, which uses text messages to deceive consumers into giving up confidential information.
Are you curious as to why these types of scams are so effective and why even those of us who are savvy, security-minded consumers will fall for the ploys of these con artists? Sources and security experts from CSO magazine to Forbes offer insight into the psychology and tools of these attacks below:
Rapid communication makes for more mistakes: As explained by mobile security expert Dr. Michael J. Covington to CSO magazine, people are less likely to scrutinize messages sent through text or social media and tend to be more distracted when they receive messages this way. As he tells it, text and social media messages are also generally shorter, so it can be easier to craft a convincing message.
We’ve learned to be more cautious about email: Cybercriminals are aware of the fact that people tend to be more suspicious of emails than texts, and are counting on this to help them obtain the information they need for malicious activities, from stealing your money and opening new accounts in your name to selling your data on the dark web.
Mobile allows fraudsters to play on a sense of urgency: Since most people have their cell phone on them just about 24/7, the mobile phone is an ideal platform for instilling a sense of urgency with a fraudulent message. For instance, you may be told in a message marked for your “immediate attention” to confirm an order purchase, or that an urgent problem has been identified with your bank account or credit card and that you must take action right away (provide your confidential information) to get it resolved. What’s important to keep in mind: financial institutions like SFPCU will never request confidential information about your accounts via a text message, so don’t respond in any way to such a request. Simply delete the message. If you’ve already provided account information to someone you suspect of fraud, contact your provider immediately for proper steps to take.
The tool kits are readily available to criminals: According to Forbes, phishing campaigns have gotten much easier to conduct due to a growing cybercriminal marketplace which enables fraudsters to collaborate on building phishing kits for sale to other criminals who want to quickly launch an attack. What’s also disturbing is that attackers don’t need a lot of specialized technical skills to use professional phishing kits.
Growing investment in mobile scams: USA Today offers up an additional reason for the growing threat of mobile phishing attacks. As you may know, these mobile attacks often originate in foreign countries. Since smartphones are the primary means for accessing the internet in some of these countries, criminals are putting more resources behind scams that target your hand-held devices.
How to Avoid a Smishing Scam:
As stated by CSO magazine, “Users are three times more likely to fall prey to phishing on mobile, than they are on desktops.” Here’s what the FTC and other experts recommend for staying one step ahead of the scammers:
- Keep in mind that government agencies (e.g., the IRS), financial institutions and legitimate businesses will never request sensitive financial information via text message.
- Don’t respond to unsolicited text messages or click on any links in these messages. Links can install malware on your computer and take you to spoofed (fake) websites that look authentic. Delete the suspicious message from your phone.
- Any kind of response indicates that your phone number is active, so don’t even reply to tell the scammer to stop texting you.
- Stay alert to anything marked as “urgent” or requesting that you “confirm” anything or take some kind of specific action “immediately.” Don’t fall into the scammer’s trap of a false sense of urgency.
- If you’re concerned that your financial institution or another legitimate company is trying to contact you, call the organization directly after looking up the correct number. Check the back of your credit or debit card for a number to your credit union or bank, or get the organization’s number online. Do not visit the website or call or text a phone number that the text message provides.
- Consider using anti-virus/antimalware software on your mobile phone.
- To reduce spam texts, list your cell phone number on the FTC’s Do Not Call Registry at www.donotcall.gov or call 1.888.382.1222.
- File a complaint regarding unwanted commercial text messages with the FTC.
Want to put your skills in spotting financial fraud in a phishing attack to the test, or simply want a bit of practice to avoid getting bamboozled? Forbes recommends honing your skills with Financial Fraud Action UK’s online quiz. Test your ability to spot dangerous messages in just a few minutes here. Good luck!