Financial institutions across the country have noticed a troubling trend — a dramatic increase in text-message fraud attempts. “Smishing,” defined as phishing attempts via SMS text messaging, is increasingly the vehicle of choice for cybercriminals. Most frequently, this type of fraud is carried out through impersonation attempts, with the intention of gathering an individual’s personal information.
This is known as credential harvesting, which is exactly what it sounds like. Bad actors are stealing and collecting the credentials needed to access financial accounts. And cybercriminals are getting much better at masking their efforts.
The scale of the problem is highlighted in the 2023 Data Breach Investigations Report, issued by phone carrier Verizon. It found that 74 percent of all breaches involved a human element, and that the three primary means of attacking an organization are through “stolen credentials, phishing and exploitation of vulnerabilities.” The threat this poses to businesses is multi-fold.
1. Reused passwords — If a criminal manages to access an employee’s personal banking records, there’s a chance that the employee has reused passwords. All a cybercriminal needs to do is look on LinkedIn to determine where the employee works, and then test the passwords they’ve stolen to see if they can get into business accounts.
2. Compromised accounts — For employees with mobile links to corporate systems, either through company-issued phones or apps on their personal phones, the risk is even more direct. With the right credentials, a criminal can access accounts and change logins, locking legitimate employees out, stealing funds, and more.
3. Distracted, upset workers — Even if criminals are not able to access corporate accounts via your workers, distracted, upset employees who have had their funds stolen will need time away from work to repair their accounts.
The increasing use of artificial intelligence (AI) is making fraud detection even harder. Over the years, people have become far savvier at spotting phishing attempts. Emails with jumbled syntax, misspellings, and grammatical errors raised red flags: even if a message looked official, those mistakes showed it clearly was not.
Now, free, easy access to AI tools that have the capability of constructing persuasive, grammatically correct content has all but eliminated the warning of a misspelled email or text as an indicator of criminal activity.
It’s more important than ever for employers to talk to employees about cybersecurity and show them how they can protect themselves and the business. Here are some of the most-common signs of fraud to share with your employees to prepare them for smishing attempts:
• High sense of urgency — Criminals prey on our fear of having our money stolen and the impulse to address potential fraud fast. Common tactics are telling the fraud targets that they must click on a link or call a number within a short, fixed amount of time — like the next 15-20 minutes — in order to stop an allegedly fraudulent transfer from happening.
• Requests for your one-time PIN — Your financial institution will never ask for the one-time PIN to access your account. This is a sure-fire sign that you’re dealing with a criminal.
• Pestering you — Your financial institution will not badger you and repeatedly text you asking you to click a link, and they will not scold you or get angry if you ask to hang up and contact the fraud line. This should strike anyone as bizarre and unprofessional behavior and is a warning sign that you’re dealing with bad actors.
• Asking you for the answers to your challenge questions — Again, your financial institution has set up these questions to protect your account. It would never call or text you asking you to divulge these answers. It’s always the reverse: you answer these questions when you call them.
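As an added example (not part of this column or any institution's tooling), the following Python helper turns the warning signs listed above into a triage check that a security team can run over text messages employees report: a short deadline, a request for a one-time PIN or challenge-question answers, and a link to a domain that is not the institution's own. The trusted domain examplebank.com and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the bank's real domain(s); fill in from your own records.
TRUSTED_DOMAINS = {"examplebank.com"}
# Indicators taken from the article's list of warning signs.
URGENCY = re.compile(
    r"\b(within|in)\s+(the\s+next\s+)?\d+\s*(-|to)?\s*\d*\s*(minutes?|mins?|hours?)\b", re.I)
ASKS_FOR_PIN = re.compile(
    r"\b(reply|send|provide|confirm|share|enter|text)\b[^.]{0,40}?"
    r"\b(one[- ]time\s*(pin|code|passcode)|otp|verification code|security code)\b", re.I)
ASKS_FOR_CHALLENGE = re.compile(r"\b(security|challenge)\s+questions?\b", re.I)
NEGATION = re.compile(r"\b(never|do not|don't|won't|will not)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

def _request_clauses(message):
    # Drop warning sentences such as "we will never ask for this code", which a
    # genuine bank text often contains, so they do not trip the request rules.
    return [s for s in re.split(r"(?<=[.!?])\s+", message) if not NEGATION.search(s)]

def _untrusted_hosts(message, trusted):
    hosts = []
    for url in URL.findall(message):
        host = (urlparse(url).hostname or "").lower()
        # Only the bank's own domain or a subdomain of it counts as trusted;
        # lookalikes such as examplebank-secure.com do not.
        if not any(host == d or host.endswith("." + d) for d in trusted):
            hosts.append(host)
    return hosts

def triage(message, trusted=TRUSTED_DOMAINS):
    """Return the article's warning signs found in one reported text message."""
    indicators = []
    if URGENCY.search(message):
        indicators.append("urgency_deadline")
    clauses = " ".join(_request_clauses(message))
    if ASKS_FOR_PIN.search(clauses):
        indicators.append("asks_for_one_time_pin")
    if ASKS_FOR_CHALLENGE.search(clauses):
        indicators.append("asks_for_challenge_answers")
    indicators += [f"untrusted_link:{h}" for h in _untrusted_hosts(message, trusted)]
    return indicators

# Constructed sample messages (not real texts).
SMISH = ("ExampleBank Alert: a $950 transfer is pending. To stop it within the next 15-20 "
         "minutes, reply with your one-time PIN or confirm at https://examplebank-secure.com/stop")
LEGIT = ("ExampleBank: your one-time PIN is 482913. We will never ask you for this "
         "code by phone or text. Manage alerts at https://online.examplebank.com/alerts")
```

An empty result does not prove a message is genuine; the check is a triage aid for the messages employees forward, not a substitute for contacting the institution directly.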
Attempts at fraud are increasingly sophisticated. Criminals have access to programs that can “spoof” a financial institution’s actual fraud-line phone number, so caller ID will appear to come from a legitimate source. Web domains can be set up quickly and look virtually identical to legitimate websites. Criminals are depending on the people they target to be upset at the possibility that they’ve been a victim of fraud, causing them to react rather than pausing and thinking.
If you or your employees are ever on the receiving end of a text message or phone call from someone saying they are from a financial institution’s fraud department, have your guard up. Remember that legitimate contacts will never ask you to divulge account-protection information, such as a one-time PIN, or the answers to your challenge questions, and they won’t pressure you to respond within a few minutes. Hang up and contact your financial institution by typing in its URL (do not click any links provided), or contact the firm through its official app on your smartphone.
Finally, mobile-phone carriers recognize the threat, and we can help them build an effective database by forwarding suspected spam messages to 7726 (SPAM). This allows them to develop better tools to block spammers in the future.
Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.