October 2011 (#NCSAM – National Cyber Security Awareness Month)
SMISH-SMASH your accounts don’t need a phish bath
What’s SMISH? SMISH is Short Message Service (SMS) Phish or in the lexicon of the day, Text Message Phishing. What’s phishing? Phishing is a criminal action where you are engaged by a third-party with the specific goal of you providing private and sensitive information for nefarious purposes. The difference between SMISH (SMS Phish) and Email Phish (Phish) is only the avenue by which you are engaged by the criminal.
How does it work? A text message is sent to your mobile device which contains an “urgent” request for you to either click on a link, or call a number because your bank account, credit card account, email account, online retailer account due to any number of artificial crisis. The crisis nearly always projects to you the recipient disastrous (account closure, card termination) results should you not take immediate action.
Here is an example of an active and ongoing SMISH attempt received by many between October 2 and 8, allegedly originating from Wells Fargo Bank with this simple text:
WELLS FARGO NOTICE: Your CARD 4868* has been DEACTIVATED. Please contact us at: 206-497-7885.
The above is being widely transmitted throughout the Seattle area (206 area code is Seattle) and is not limited to Wells Fargo Customers. According to the Washington State Attorney General’s Office tens of thousands of consumers in Washington State have been targeted. Sadly, should you provide your information to these criminals, and your money is transferred or goods are obtained the odds of your funds being recovered are between slim and none.
In the event you are compelled to contact your institution to make doubly sure that your account isn’t in jeopardy. For credit cards, call the number on the back of the card (not the number provided in the SMISH); for bank accounts, call the local number associated with your bank, for retailers/vendors call them at the number provided by them on their invoice, taken from the white pages. In all instances, make your search for the contact number a completely separate event.
The reality is your financial institution, service provider or retailer doesn’t need you to provide to them your account information – they already know it.