June 18, 2020

“Smishing” Phishing Scams on The Rise


Unethically creative identity thieves have a new trick up their sleeves and financial institutions nationwide have reported a recent surge of this scam targeting their customers. “Smishing,” an SMS-based phishing scam, uses technology to send text messages to a victim’s cellphone impersonating their financial institution, internet service provider, or another company they trust. 

How it works

In many of these cases, the scam begins with an urgent text messaging claiming to be from the individual’s financial institution. There are several variations to the message in the text, but they all convey a sense of urgency to induce panic and trigger immediate and mindless obedience.

1. Your attention is needed on your account.

2. Your account is locked. You must take immediate action to restore it. 

3. A large, unauthorized purchase that was charged to your account. If the charge is not contested immediately, you will be responsible for the transaction. 

4. Attention. Fraudulent activity has been detected on your account. Act Now.

Often times, the scammer will incorporate some personal details about the victim, which they easily pull off the internet, to convince them of their legitimacy. The victim is then instructed to email or call a specified number and, upon doing so, will be asked to share personal financial information. Once they’ve got their hands on this info, the scammer is free to steal the victim’s identity, empty their accounts or sell your information to other scammers. 

Alternately, the scammer may lead a victim to click on links that are embedded with spyware. The links lead to a website that may look just like the financial institution’s site but is actually bogus. In such instances, the victim is probably certain they’re browsing their credit union’s website and won’t hesitate to share information or input usernames and passwords.

Who are the victims?

Unfortunately, smishing scams are often successful because people are conditioned to respond to text messages and mistakenly assume the content of text messages is secure. These scams primarily target is anyone who uses mobile banking apps and sites. It isn’t just online banking users who need to be wary of smishing. Information thieves have widened their net and have recently started sending messages to any cellphone number they can get their hands on. If you own a checking account and a cellphone, you can be targeted by a smishing scam.

Was My Financial Institution Hacked? 

How scammers acquired your number and know your banking relationship is a scary thought that leads many to assume their financial institution was hacked. Fortunately, this is rarely the case. 

More than likely, your phone number has been compromised and your information has been illegally sold. Hackers can access your personal data through your day-to-day activities like using public USB charging ports or wi-fi networks, clicking compromised links, installing malicious apps or engaging with online contests, promotions, service subscriptions, or other unsecure websites. 

Recognizing smishing scams

If you know what to look for, you’ll be able to spot a smishing scam at first glance.

First of all, your financial institution will never ask for sensitive information through unsecure channels, like text messaging. You can set up text alerts from Online & Mobile Baking at Tulsa FCU, but these alerts will never ask you to input private or personal information via text or any other method. If you are unsure about a text you have received, contact your financial institution using a phone number you know is real (do not trust information provided by the suspicious text message) and verify that the message is real with someone at your credit union or bank. 

If a text message is legitimate, it’s usually sent from a six digit short code or a 10-digit commercial long code and follow the SMS compliance rules laid out by the Cellular Telecommunications Industry Association (CTIA) and the Federal Communications Commission’s (FCC) Telephone Consumer Protection Act (TCPA)

If you’ve been targeted

The best way to stop scammers in their tracks is to report every attempt they make. If you receive a suspicious-looking text that might be a smishing scam, do not engage with the sender or click on any links. Jot down the scammer’s number and take a screen shot of the message. There are four ways to report a smishing scam. 

  1. Report it to the company the scammer is impersonating. You should be able to find fraud alert contact information on their website.
  2. Contact your carrier directly or copy the message and forward by texting the shortcode 7726. You’ll then receive an automated message from your wireless carrier, asking you then to enter the phone number from which the spam text was sent.
  3. Filter your text messages from unknown senders and report spam or junk to your messaging provider. 
  4. Report it to the Federal Trade Commission at ftc.gov/complaint.

Protecting Yourself and Your Phone

You may not be able to protect your phone from receiving these scams once your information has been compromised but there are some proactive steps you can take to protect yourself, your device and your money.

  1. Always use two-factor authentication. You may have the choice of opting out of this extra step but the it isn’t worth the risk. 
  2. Strengthen your passwords. Never double your password use across different accounts, websites and apps. Make sure your passwords are strong and unique. 
  3. Don’t respond. Ignore text messages from unknown numbers, even if they’re not alerting you about a problem with your accounts. A text from an unknown source may be the scammer’s first attempt at establishing contact and determining if you’re a willing target for a future scam.
  4. Be careful when asked for your telephone number. Giving your phone number in response to contests or online promotions can lead to unwanted calls and messages.
  5. Never respond to unsolicited text messages. It only lets the sender know they’ve reached a working number and may lead to more messages in the future.
  6. Do your research before subscribing to services online or installing apps. Read reviews, access permissions, term and conditions.
  7. Use ID theft protection to help monitor your personal information for suspicious activity. There are a variety of options for ID theft protection and restoration services out there, so it’s a good idea to do you research and compare. Tulsa FCU members can get proactive Identity Protection benefits through our partner ReliaShield. In addition, members with a Rewards or Interest Rewards checking account also get an included ID theft benefit, which can help guide you through restoring your identity, freezing accounts, and repairing your credit in the event of a breach or theft.

This article is for educational purposes only. Tulsa FCU makes no representations as to the accuracy, completeness, or specific suitability of any information presented. Information provided should not be relied on or interpreted as legal, tax or financial advice. Nor does the information directly relate to our products and/or services terms and conditions.