'SMiShing' theft becoming more common

'SMiShing' theft becoming more common

Our cell phones are often wonderful devices; in addition to the traditional voice phone calls, they also can provide enhanced functionality with Internet access, cameras and SMS (text messaging). Now that smart phones have become the primary communications mode for most of us, it has also become a fertile field for crooks capitalizing on the functionality of our devices. Rather than using a weapon to rob us, this new breed of thief uses cell phone text messages to illicitly bait us into “voluntarily” sending money to the crook, or freely giving the crook enough personal information about us (identity theft) that the thief can empty our bank accounts or charge our credit cards to their limits. This exploding form of electronic crime has become known in cyber circles as “SMiShing” (smishing), or theft initiated by SMS (text messages).

On a recent afternoon, I received a text message (SMS) from a prominent local credit union: “This is an important message. Your debit card has been disabled. Call … to reactivate.” I was immediately suspicious because I do not have an account at that particular credit union but was very aware that these text messages were geographically targeted to localities where a particular financial institution is likely to have a large number of accounts. Calling the toll free 877 number, the caller is greeted with an automated female voice that says, “Welcome to your credit union. In order to reactivate your ATM or debit card, please enter your 16 digit card number. … Now, enter your four-digit PIN number. … Thank you. Your card has now been reactivated.”

If I would have entered a valid number, I would have voluntarily given a crook, probably overseas, my debit card number and PIN number; what was my account would now be his account, and in a short period of time my account would likely be drained.

This is not some abstract example, as one of my former co-workers actually called an 800 number where she freely entered her debit card number and PIN number. Over the next several days, more than $9,000 was withdrawn from her and her husband’s checking account at a local big-named credit union; the money was withdrawn from ATM machines in Lahore, Pakistan, in small amounts over a period of several days, and was not caught until her debit card was denied at a local business for a legitimate transaction. Fortunately for her, her credit union and debit card company offered a 100 percent loss and fraud protection policy that eventually replaced her losses.

Another almost identical variation of this “smish” scam sends a text message informing the victim that a credit card may have been compromised, and the cardholder needs to verify that the card is still in his or her possession. Different versions of the text message reference Visa, MasterCard, Discover or American Express. Since most adults have at least one of the above cards, the response rate to this particular “smish” is somewhat higher. When calling the listed phone number, either a digital voice or a foreign call center responds with “credit card verification,” and like the debit cards, asks for the credit card number and CVV2 code off of the back of the card (or front of American Express).

A variation of SMiShing that has become very common is “voice phishing” or “vishing” where a voice mail message is left on a cell or home phone. The recipient is either directed to call a particular phone number or to a particular website, and asked to enter a credit card number with its CVV2 security code, or debit card with PIN. In a few cases, both debit and credit card numbers are requested, in order to maximize the victims’ loss and crooks’ revenue.

Another identity theft scam is targeted to subscribers of particular cell phone services. The BBB recently posted the following scam alert: “Verizon Wireless customers, watch out for robo calls that claim you are eligible for a credit on your account. It’s really a phishing scam. How the scam works: You answer a call on your cell phone. It’s a recording that says you have a credit on your Verizon Wireless account, and you need to visit a special website to claim it. When you go to that URL, it looks just like Verizon’s website — colors, logo and all. You are prompted to enter your account username, password and/or credit card information. Don’t do it! Giving away this info will open you up to identity theft. The con keeps changing as authorities shut down the fake websites. However, you can often spot the scam because the amount of credit offered typically matches the URL given. For example, scammers would instruct you to redeem a $123 credit by going to vzw123 .com.”

While many financial institutions and retailers have posted that they will never call or text message an individual asking for account information (they already have it), many people still fall victim to these scams. If it is a prize, free offer, gift card, credit on card balance or other benefit that arrives by text message (SMS) or voice mail, be very suspicious. Contact the company directly, and do not use the number or Web address in the questionable message. Credit and debit cards have a toll free number on the back; that would be a good number to call to verify the authenticity of a contact. Remember that if it is too good to be true, it probably is not true.

For more information visit: