Other
TINTON FALLS, N.J. – Brion Sever received an automated voice mail message on his cellphone last week that caught him off guard.
It contained an alert that his Wells Fargo bank account had been compromised.
Sever knew better. As a Monmouth University criminology professor, he has studied scams. But the one that surfaced Oct. 9 left him both impressed and spooked.
“For the first 5 seconds, you’re like, ‘Oh no!’ You’re caught off guard, and that’s what they’re trying to do,” he said. “It was an automated computer voice and very well done, very sophisticated.”
Sever experienced a spreading high-tech con known as “smishing.”
Smishing is like phishing, a technique that uses emails that look legitimate to trick victims into handing over vital information, only in smishing identity thieves ply their scam through messages to a mobile phone, not a computer.
With attacks recently happening in the western United States, law enforcement and consumer affairs officials have expressed concern that similar large-scale attacks could happen elsewhere.
As for Sever’s call, Wells Fargo – informed Monday – has received no reports of any other similar activity in New Jersey, a spokesman said.
But that doesn’t mean it hasn’t happened. People are so used to deleting phishing scam messages that the phony text or voice mail messages are easy to dismiss without reporting.
The message Sever received is an open case, an FBI spokesman said.
In the recent spate of scams out West, identity thieves sent text messages en masse to random cellphones that read: “WELLS FARGO NOTICE: Your CARD 4868* has been DEACTIVATED.” The message listed a phone number.
People who dialed the number were asked for account information, Social Security numbers and personal identification numbers, officials said.
The crooks cast a broad net. Many people other than Wells Fargo customers received the messages.
Kevin Friedlander, spokesman for Wells Fargo, said the messages popped up on mobile phones in Washington, Oregon, the Dakotas, Utah and parts of Colorado. The attacks began in August.
The bogus messages also arrived via automated voice mail and emails to smartphones, he said.
“Wells Fargo would never ask a customer for personal or account information using these methods, and that’s the common thread with these scams,” Friedlander said.
Friedlander is urging anyone receiving similar messages to report it to Wells Fargo by calling (866) 867-5568 or at www.wellsfargo.com.
The FBI is advising targeted people to report the messages to www.ic3.gov, the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center.
The slang term smishing, sometimes spelled SMiShing, is a combination of the abbreviation for text messages – SMS, or Short Message Service – and phishing. Smishing is also known as vishing.
The scam itself is nothing new, just the method of delivery. While con artists used to hang around banks looking for a victim in the old scam known as the pigeon drop, the technology has transformed these operations into major criminal enterprises, Sever said.
Wells Fargo is not the only bank that has been victimized in the smishing scam. The text messages in the scam out West also claimed to be from Bank of America, Chase, Citibank and Capital One, according to the Washington state Attorney General’s Office.
And credit unions have also been hit in the past few years. The smishing scam artists have sent messages out to specific area codes covering the locations of the credit unions, according to the FBI.
“People’s phones are becoming their computers,” said Tim Ryan, supervisor of cyber investigations for the FBI’s Newark division, based in Franklin, N.J.
Identity thieves began to key in on smartphones in a big way between 12 and 18 months ago, he said, although smishing scams have been around longer.
Brian Krebs, a writer who focuses on security and technology, detailed a smishing scam that happened in March 2008. The banks and credit unions victimized were in Western states and Illinois. The Federal Trade Commission listed it as an emerging threat in 2007.
The scam works like this: Criminals set up an automated dialing system to text or call people in a particular region or area code. Sometimes they use stolen customer phone numbers from banks or credit unions.
With a victim’s information in hand, the crooks can drain bank accounts, buy things with a charge card or set up a phony account.
Smartphone users inadvertently have downloaded malware, designed to mine personal information, by responding to emails on their phones.
While consumers have become widely aware of phony lottery notices coming via email in phishing schemes, smishing can easily catch people off guard, both because it’s relatively new and designed to trigger a sense of alarm.
“They play on a person’s flight or fight reaction,” Ryan said. “They want you to click on or answer something without thinking. They get a person to instantly react.”
Phishing, smishing — it’s all the same in terms of the brand of theft. But a message popping up on a mobile phone, as compared with a computer, holds more urgency, Ryan said. And smishing emails sent to smartphones contain links to bogus sites that are not always easy to spot because of the size of the phone screen and other limitations.
“The telltale signs that tell you you’re on a fake website aren’t present on a cellphone,” he said.
Tracking smishing scam artists can be difficult since many operate from overseas.
Friedlander said that under Wells Fargo’s policy, victims’ losses are covered if they notify the bank in a timely way.
Aside from the standard tips issued to prevent people from being identity theft victims, Ryan offered this advice: Call a known, good number if you receive a text message from a bank.
Having your bank’s number already handy in your mobile phone is a good preventative measure, he said. If not, just flip over your debit card, where a number is listed.