The Federal Communications Commission (FCC) warns of a dangerous new breed of scams known as "Text Message Scams" or “Smishing.”
In “smishing”, a perpetrator masquerades as a bank, government agency, or other important organization to trick people into revealing sensitive details such as credit card numbers or account passwords.
It is similar to “phishing”, except that the scam messages are sent directly to victims' mobile phones as text messages.
The FCC warns strongly against responding to these text message scams, as responding can have serious consequences.
How do these text message scams start?
The criminal first sends an unexpected text message, usually appearing to be from your bank, alerting you that your checking account has had unauthorized access and has been deactivated “for your protection.”
The message tells you to reply or "text back" with certain details in order to verify your identity and reactivate your account.
What a scam text message looks like
Scam text messages are usually short and simple, but rather professional looking. They use concise wording in a serious tone, and sign off as the organization they are trying to impersonate.
Here are some examples of scam texts:
- "User #25384: Your Gmail profile have been accessed recently. If this is unauthorized, please reply with "BLOCK AUTH" to secure your account immediately."
- "We have identified some unusual activity on your account. Please log in via http://bit.do/j2o42nf to secure your account" - Bank of America
Some scam text messages may include links
Scam text messages may also include a suspicious link that you are told to visit to unlock your account. Do not click or open the link. It leads to a phishing website disguised as a way to resolve the non-existent problem.
How exactly do these scams work?
These text message hoaxes are usually very cleverly designed to deceive users. The mechanism differs depending on the type of text message scam the criminal is using.
However, the end result is always the same. The criminal wants you to perform one of the following:
- Reveal your sensitive usernames, passwords, or credit card numbers
- Install malware on your phone
- Make payment for some fake promotion or discount
Bank of America in One of Worst 'Smishing' Text Message Scams
Over the years, criminals have tried to impersonate various organizations such as Verizon, Amazon and Facebook, but the Bank of America 'smishing scam' stands out as the most rampant text message scam of recent years.
A number of criminal groups have used a number of different text message scams to steal or extract passwords and accounts. Here's the upside for them: once they get access to a bank account, all the money in it could be taken.
While the actual statistics of the money lost in the scams have not been revealed by Bank of America, BoA has publicly released information to warn users of fraudulent text messages that pretend to be from Bank of America.
SEE: Banking Text Message Scam In Action
Based on what we studied, we found that banking scams usually fall into 3 different scam methods, which we illustrate in the 3 scenarios below.
Scenario 1: Fake bank 'Smishing' scam
The most common type of text message scam is a 'smishing' message, and is also the simplest and most effective one.
It requires the user to reply with his sensitive user details through text message in order to take action or resolve the issue.
Once you first reply to the initial scam text, the criminal will send you a second text, saying that to continue you have to enter your account details in order to be 'verified' or 'confirmed'.
This is the most effective way to get users to submit their information, as it plays on the immediacy of the problem and the urgency in the victim's mind.
Scenario 2: Scam text messages with links
The second type of smishing text is a scam text message with links. These links actually lead to 'phishing' websites.
If you are not familiar with the term 'phishing', it refers to the use of a fake webpage that is designed to look like the real thing, usually something like a login page, to steal login information.
In this case, the criminal is likely to have set up a fake Bank of America webpage that looks identical to the real one.
To an unsuspecting victim, the page looks completely legitimate, and he may very well enter his sensitive details into the fake site, where they are collected by the criminal.
This method plays on deception to fool the user into entering his real details.
Scenario 3: Scam text message with link to install software on your device
The third scenario involves a more complex mechanism. The link included in the phishing SMS message asks you to visit a site that again looks legitimate and convincing.
This site may not be a regular phishing site (or a combination may be used); instead, it prompts you to install some additional security software, claiming that it is required for protecting your account.
The webpage may also provide technical details or describe the software as a new regulation or security protection enforced by the bank for customer safety, but this software is in fact something you do not want to get on your phone.
This software is usually malware that performs very harmful actions, such as logging your keystrokes and silently collecting personal information from your phone for as long as you do not remove it.
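The three scenarios above leave recognisable traces in the message text itself. As an added example (not part of the original article), the following Python code flags those traces and maps a message to one of the scenarios; the keyword lists, shortener hosts, function names and the last two sample messages are assumptions made for illustration.

```python
import re

# Word lists and shortener hosts below are illustrative assumptions,
# not a complete or authoritative ruleset.
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
SHORTENERS = {"bit.do", "bit.ly", "tinyurl.com", "t.co"}
RULES = {
    "reply_request": re.compile(r"\b(reply|text back|respond)\b", re.I),
    "urgency": re.compile(
        r"\b(immediately|urgent|deactivated|unauthorized|unusual activity)\b", re.I),
    "install_prompt": re.compile(r"\b(install|download)\b", re.I),
}

def indicators(text):
    """Return the sorted names of smishing indicators present in an SMS body."""
    found = {name for name, rx in RULES.items() if rx.search(text)}
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        found.add("link")
    if any(h in SHORTENERS for h in hosts):
        found.add("shortened_link")
    return sorted(found)

def scenario(text):
    """Map a message to scenario 1, 2 or 3 from the article, or None."""
    found = set(indicators(text))
    pressured = "urgency" in found
    if "link" in found and "install_prompt" in found:
        return 3  # link that pushes software onto the device
    if "link" in found and (pressured or "shortened_link" in found):
        return 2  # link to a look-alike login page
    if "reply_request" in found and pressured:
        return 1  # asks for details by return text
    return None

# The first two samples are the example texts quoted in the article;
# the last two are constructed for this example.
SAMPLES = [
    'User #25384: Your Gmail profile have been accessed recently. If this is '
    'unauthorized, please reply with "BLOCK AUTH" to secure your account immediately.',
    "We have identified some unusual activity on your account. Please log in "
    "via http://bit.do/j2o42nf to secure your account - Bank of America",
    "Your account is deactivated. Install our security app now: http://example.test/app",
    "Reply YES to confirm your dentist appointment on Friday at 10am.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scenario(sms), indicators(sms))
```

Keyword matching of this kind only surfaces messages for a closer look; a message that matches none of the rules is not thereby shown to be safe.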
What’s the Worst That Can Happen?
If you did give up any sensitive information, you need to be prepared that your accounts will be accessed without your knowledge.
The worst that can happen is one of the following:
- Your bank account is compromised, and money is lost
- Your credit card information is stolen and used in fraudulent transactions.
- Your account login is lost, resulting in identity theft.
If they don’t use your information themselves, the spammers may also sell it to marketers or other identity thieves.
In other cases, you may also end up with unwanted charges on your cell phone bill. Depending on your service plan, you may be charged for sending and receiving text messages, even scam text messages.
7 Ways to Deal With Fake Scam Text Messages
Remember this: None of the banks, government agencies, email services and other reputable organizations will ever request personal sensitive information through text messages.
- Do not click on any link in any email or text message that you were not expecting
- Take your time. Smishing scams work by creating a false sense of urgency and demanding an immediate response.
- Never click on any links or call any phone numbers in unsolicited text or email messages.
- Don’t respond in any way to smishing messages, even to ask the sender to leave you alone. Responding verifies that your phone number is active, which tells the scammer to keep trying.
- Delete the message from your phone. Report the suspect message to your cell phone service carrier's spam/scam text reporting number or general customer service number.
- While the dangers of these text message scams seem horrifying, the defense is simple. The golden rule is "Just don't text back."
- Educate yourself and others. Tell your friends that phishing by text message is called 'smishing', and warn them about it.
Recovery Steps: What to do if you responded to a text message scam
You may not immediately lose your private information when you respond to a scam through text message.
It depends on whether you have revealed or given up any sensitive information or not.
If you recently replied to a text message scam and gave up sensitive information, here are some immediate recovery steps that you can take:
- Recall what sensitive data or information you revealed, and write it down
- Call the REAL organization named in the scam text, inform them of the scam
- Delete any additional software you installed on your phone
- If you have given any credit card details, immediately contact your credit card company to stop any future credit card transactions.
Alternatively, you could report scams to the government
Complaints about these text message scams can also be filed and reported securely online using the Federal Trade Commission (FTC)’s complaint assistant.