A text arrives from your bank stating that a suspicious transaction triggered a fraud alert and asking you to call a number if you don’t recognize the transaction. The phone number is even highlighted, so in one easy tap you are dialing the fraud department. Sounds legit, right?

Maybe not.

The term SMiShing is a combination of SMS (cellphone text messages) and phishing (a type of scam where the criminal pretends to be from a reputable company to induce individuals to reveal personal and financial information). In the past, these fraudulent text messages have come from random numbers or email addresses, which made them easier to identify as fraudulent. You might receive a text like I did:

[Image: example of phishing text]

If I were to tap on the link in this text, I would be taken to a fake Facebook login page. If I typed in my Facebook user name and password on the fake page, cybercriminals would take over my Facebook account. They might even give my phone a virus for my trouble.

The new version of SMiShing is even more disturbing. Cybercriminals have figured out how to ‘spoof’ your bank’s text messaging number, meaning that their text will be added to the thread of valid texts from your bank and be indistinguishable from them. The text will say something like, “Your debit card has been used at Store X for $X,XXX. Please call our Fraud Prevention number if you do not recognize this transaction.” The phone number in the text will not connect you to your bank, but to a very friendly criminal who will be happy to take down all your information and rob you blind.

The robbery doesn’t always involve the criminal logging into your bank account for you. Many times the fraudsters convince the victim to log into their own bank account and transfer their money from their supposedly ‘compromised’ account to a more ‘safe’ account.

Can you get your money back? That depends.

One woman in England tricked by this method lost $71,000, and her bank will not reimburse her because she made the error of transferring the money. Not all banks have the same policy, but many do.

Here are some tips to keep you safe from SMiShing attacks:

  • Do not trust Caller ID. Cybercriminals can easily spoof phone numbers to appear to be calling from anywhere. How easily? Anyone can download a free app to their cell phone that will spoof outgoing calls–no criminal experience required.
  • Be wary of giving too much information out over the phone or email. Your bank will never ask for your online account password, because no one in a call center has access to your password. Most banks use a combination of caller ID and your chosen secret passphrase to verify your identity. If the person you are talking to needs more than two items to identify you, stop and think. Also, no bank or legitimate business will ask you to send information by email.
  • A bank will never call you with a request to transfer funds out of an account for security reasons. Never.
  • Be wary of cold calls. No matter who the caller claims to be (the bank, police, IRS, a nonprofit, or anyone else), if anything seems off, call them back using a number you independently verify from another source.
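
The last tip, applied to the spoofed-thread scenario above, as an added Python example that is not part of the original article: because the sender ID can be spoofed, the check ignores which number the text appears to come from and compares any callback number in the message with numbers recorded from an independent source. The bank name, phone numbers and message texts are constructed placeholders.

```python
import re

# Assumption: callback numbers copied by hand from an independent source
# (back of the card, a paper statement). Constructed placeholder values.
VERIFIED_NUMBERS = {"Example Bank": {"+18005550100"}}

# Phone-like digit runs; the lookbehind keeps dollar amounts out of the match.
PHONE_RE = re.compile(r"(?<![\w$.,])\+?\d[\d\s().-]{8,}\d")
URGENCY_RE = re.compile(
    r"fraud|suspicious|do(?: not|n['’]t) recognize|compromised|safe account",
    re.IGNORECASE,
)

# Constructed sample messages; both would land in the same SMS thread.
SPOOFED = ("Your debit card has been used at Store X for $1,250.00. Please call "
           "our Fraud Prevention number 1-888-555-0142 if you do not recognize "
           "this transaction.")
GENUINE = "Example Bank: questions about your statement? Call 1-800-555-0100."


def normalize(number, default_cc="1"):
    """Reduce a written phone number to +<digits>, assuming a US default."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = default_cc + digits
    return "+" + digits


def extract_numbers(body):
    """Return every phone-like number found in the message body."""
    return [normalize(m.group()) for m in PHONE_RE.finditer(body)]


def assess(claimed_sender, body):
    """List reasons not to call back; the sender ID itself is never trusted."""
    trusted = VERIFIED_NUMBERS.get(claimed_sender, set())
    findings = [
        f"callback number {n} is not on the verified list"
        for n in extract_numbers(body)
        if n not in trusted
    ]
    if findings and URGENCY_RE.search(body):
        findings.append("urgent fraud wording paired with an unverified number")
    return findings


if __name__ == "__main__":
    for text in (SPOOFED, GENUINE):
        print(assess("Example Bank", text) or "no findings")
```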