Protecting Yourself from SMiShing and Vishing

SMiShing and Vishing? No, those aren’t typos.

For years, Peoples Bank has informed customers and others in the community about phishing, where fraudsters “go fishing” to catch people unaware and steal their personal information by means of a fraudulent email. Like most criminal activity, fraudulent techniques have advanced and acquired new names.

Identity theft techniques have kept pace with people’s use of technology. The bad guys have moved on to the next fraud frontier and now try to take advantage of people by use of text (SMS) messages and even voice mail. Threats from these new approaches are called “Smishing” for SMS fraud attempts and “Vishing” for voice mail fraud attempts.

Editor’s note: If, like us, you have practiced saying “Smishing” silently to yourself to make sure you have it right, we decided not to try it in public. We’re just going to say “text message fraud”.

Smartphones make it easy to browse the web and embed hyperlinks into text messages and majority of personal communication is via text messages. Many companies, including Peoples Bank, use a shortened number to send SMS messages to customers. So, imagine receiving one of these types of text messages that looks legitimate and asks you to verify your bank account by clicking on a link. Perhaps you think that few people and organizations know your number. Unsuspecting, a person may do what the message asks, press the link to make sure nobody has hacked their account. However, that link is designed to make it easy to provide only the necessary details to make it easier to steal (or hijack) your financial assets or install malicious software onto your phone.

Voice mails are now added to the bad guys’ target list. Fraudsters are calling phone numbers in the same area code as a bank or credit union they are targeting and playing recordings that may sound similar to the bank or credit union’s own automated voice system. The caller leaves a voice mail and asks you call the “bank’s phone number” (providing a local number or even a toll-free number) to confirm your bank account information.

In both cases, the fraudsters are attempting to fool you into trusting them enough to give up something valuable. A bank would never send such a request by either means. Nor with an email for that matter.

But here’s the important thing to know. The bad guys got organized and shared information so the information you need to protect, and how you protect it, needs to adapt.

Fraudsters have been collecting information to help them correctly answer Knowledge-Based Answers (KBA) that many banks and government sites use to verify login credentials. This information can be found on social media sites, peer to peer file sharing, using open wi-fi networks, etc. Combined databases containing tax id numbers, birth date, mothers’ maiden name, tax filing status and the like make a formidable weapon for personal identity theft.

So what can you do? One thing is to use a good password manager that will generate random strong passwords and save them so you don't have to write them down. If you can’t do that, read our tips for creating strong passwords. Another pointer is to watch your credit report regularly, even better is to freeze your credit report until you actually need it.

Lastly, always remember that Peoples Bank will never contact you by email, text message or by phone and ask for personal information including debit card numbers, PINs, passwords, account numbers or other personal information.