Text messaging has come under attack as one of the most vulnerable media for identity theft and more. Here’s what you need to know about an SMS message-based scam called “smishing.”
How it works
Smishing scams use text messages to establish contact with the intended victim to later access their personal information.
The scam begins with a supposedly urgent text appearing to be from the victim’s financial institution. The text may claim that the victim’s checking account is locked, or that there has been an unauthorized purchase charged to the victim’s account. The scammer will warn that immediate action must be taken.
The victim is then instructed to call a specified number and, upon doing so, will be asked to share their financial information. Once they’ve got their hands on this info, the scammer is free to steal the victim’s identity, empty their accounts or go on a shopping spree on the victim’s dime.
Who are the victims?
Smishing scams primarily target people who do their banking online, but fraudsters will use any cellphone number they can find. If you own a checking account and a cellphone, you are a candidate for a smishing scam.
Recognizing smishing scams
Knowing how to identify a fraudulent text is key to avoiding smishing scams. Here are some considerations that can help you identify a fraudulent text.
Few companies will call or text asking you to share personal, account, or login information. If the text asks you for any of that information, it’s a good sign that it’s a smishing text.
Look for typos. Misspellings, especially of the company’s name, are a smishing giveaway.
Is the text urgent? Most companies won’t relay urgent account information over text – they will call you. If the message feels too urgent, it may be designed to elicit a knee-jerk response to get the recipient to take action quickly.
If you’ve been targeted
If you receive a suspicious-looking text, do not engage the texter! Jot down the scammer’s number and delete the message. Let us know about the smishing attempt, tell all your friends and alert the FTC.
If you’ve fallen for the scam and your accounts have been compromised, alert your credit card companies and be sure to let us know, too.
Protecting yourself
- NEVER release your User ID and/or Password to anyone, not even a credit union employee. Even if they say they are going to “deposit” or “refund your money”, once they are in your account, they will have full access to steal your money.
- NEVER release security codes that are sent to you via text or email. Those codes should only be used by you, to validate an online session that you have initiated.
- NEVER use the same User ID and Password combination for multiple financial institutions, utilities and merchants. If a scammer tricks you into revealing the information for one, they will have access to all.
- NEVER perform transactions if the caller claims "it is necessary for identification” or to “test a system” to “catch a bad employee”. We will never call you and ask you to perform a transfer online, or make cash withdrawal. Scammers may ask you to purchase Bitcoin or gift cards but once you send the Bitcoin or release gift card information, your money cannot be retrieved.
- NEVER click links sent via email or text, or scan unfamiliar QR codes. Doing so can download malware to your computer or mobile device, which fraudsters use to gather your personal information such as user IDs and passwords.
- NEVER call a number in a text message, email, or voice message that does not look familiar. When you reply to a text from our fraud department to indicate YES or NO, if a follow up call with the credit union is necessary, we will never ask you for user IDs, passwords and/or security codes to validate your identity.
Don’t let those crooks get their hands on your money!
If you are ever unsure of who you are talking to, hang up and call us directly at 860-828-2790 option 5. If the credit union confirms that the text message was fake, report it as spam and block the sender. If you feel you have been a victim of identity theft, visit USA.gov/identity-theft.