Imagine yourself elbow to elbow with a crowd of pre-Christmas shoppers at your favorite department store or retail outlet. Your cell phone rings. It’s an automated call from your bank. The bank’s security department is calling to warn you that an identity thief may have compromised your checking account. They want you to call back right away so that the matter can be resolved before your account is completely drained.
Panicked, you immediately forget that once-in-a-lifetime deal on a flat-screen TV you were vying for only a moment earlier. Thank goodness your bank’s security team is on the ball! You call the number listed in the message and get an automated response asking you to verify your account information and password by typing them on your phone’s keypad.
Or maybe you find yourself in a slightly different scenario: You receive a text message from your bank. This time you are asked to click on a link that takes you to a “security department” that asks you for that account and password information. Since you have a smart phone with a data plan, you can go directly to that link and ultimately provide the requested personal information.
Even though you might feel an immediate sense of relief and be pleased that you have avoided financial disaster, you have actually just been fooled into diving right into a widespread hoax. In the first scenario you were “vished” and in the second you were “smished.”
Like the phishing emails that computer users are by now well accustomed to seeing crop up on their home or office computers, vishing and smishing are fraudulent communications from confidence schemers and cyber hackers. Vishing gets its name from combining voice communications with phishing, and smishing is the use of text messages, also known as SMS text, to do the phishing.
Plausibility of communication and the readily recognizable brand name of the sender are the cornerstones of this scheme. In fact, cyber criminals make their messages appear to come from some of the most well-known and trusted financial institutions. According to a USA Today article, among them are Bank of America, Wells Fargo, Capital One, Citibank, and Chase.
A report from MSNBC outlined a recent vishing attack under the banner of Santa Barbara Bank & Trust. An email blast was sent to cell phones in the Santa Barbara, California, area code asking account holders to respond to a customer service phone number that was also in the same area code. People who responded were asked to enter their 16-digit card numbers on their phone’s keypad. (With the advent of Voice over Internet Protocol, or VoIP, a local area code can be used from anywhere in the world.)
Using VoIP, computer criminals can set up automated dialing protocols to text or call large groups of cell phone users in specific areas and catch consumers at a most vulnerable moment. The Christmas shopping season is well known for stresses on consumers and receiving one of these phone warnings escalates that stress level 100%. Shoppers who have made a number of purchases with debit or credit cards are immediately affected by the sense of urgency that scammers want us to feel.
We are also likely to feel more urgency when the message comes via our cell phone instead of our computer. Smart phones also have inherent physical characteristics that encourage a response to these scams. For example, phone screen size makes it more difficult to detect fake web addresses and other anomalies common in a scam.
Obviously, vishing and smishing pose dangers for individual consumers. Bank accounts and credit card accounts are at risk and criminals from all over the world are joyful at the seasonal opportunity to steal millions. But the danger extends beyond individuals.
Smart phones make companies vulnerable to vishing and smishing as well, if an employee is combining personal and company use on a single smart phone. The device, once hacked, is a target for malware that can glean other information – such as proprietary company data.
Cyber criminals are smart. They manipulate shoppers into a stressful situation, and trick them into giving away data during the busiest retail season. Phone users need to be even smarter: Never respond to any request for personal account data sent over a text or voice message. If in doubt, call the bank or credit card company from a phone number listed on an account statement, and never feel pressured to impulsively respond through an unknown web link.