Accounts Drained by Smishing Scam | Credit Union of Denver

Accounts Drained By Zelle Smishing Scam - Stickley on Security Post

Scammers come up with new tactics using new technology, new events, or whatever they can to continue tricking us into giving up our personal or confidential information. With the increasing use of texting and SMS messaging, a newer one has been coined as “smishing.” Because it’s text, it often catches people off guard and causes them to react quickly, which is exactly what you shouldn’t do.

Scams can arrive via data services on a smartphone. However, it can also be iMessage, or any type of text messaging, including What’sApp, Facebook Messenger, and other chat programs.

In a recent scam, users are sent a text message that appears to be from their financial institution attempting to confirm a Zelle transaction. However, that phone number is spoofed by the cybercriminal. A message might say something like “Did you attempt a Zelle Payment of < some amount>? Reply YES or NO or 1 to stop alerts.” In other cases, the text may want the user to confirm identity by reading or sending back a supposed code. If the user replies, money is transferred directly out of their account to the scammers.

If you don’t know the sender, aren’t expecting a message with a link or attachment, or just aren’t sure a link is safe to click, don’t click it. Instead, contact the sender independently of the received message and ask about it.

Don’t react quickly to any message, whether text, voice, or email that threatens something bad may happen if you don’t. Take a breath. Go to your financial institution’s website or app and log in there. Never click links in messages for financial related details.

If you don’t initiate the phone call to your financial institution, don’t send information. Instead, log in to your account using the app or the banks official website and check on your accounts. Making a quick phone call using a number you find or know also works. Don’t use information sent to you in unsolicited messages.

Remember that financial institutions do not ask you to verify or update details via text or email.

It’s not rude to just not reply to suspicious emails or texts. In fact, it is recommended you do just that.

Report fraud via smishing to the FCC. There is a form on the agency’s website.

Other smishing scams include the following:

A text message arrives that appears to be from C·U·D requesting that a link be clicked that will go to a website to address and resolve an issue with the account or payment card. If it’s clicked, malware is installed and email address, contact list information, and other data is stolen.

A text message claims the user signed up for some sort of service and will be charged unless a link is clicked. The result is again malware getting installed and data stolen from the device.

The user is sent a text claiming he or she has won a prize of some sort. Often, it’s a gift card. A link must be clicked to claim the prize. The link directs to a website where personal information is requested, but the victim never gets the prize, of course. Instead, the information is used for spamming or efforts to steal additional information such as financial account credentials.

Here are some good ways to avoid being spoofed:

Don't answer calls from unknown numbers.
If you answer and it’s not who you expected, don’t hang on, hang up.
If a caller asks you to hit a button to stop getting calls, just hang up.
Never assume an unexpected call is legitimate. Hang up and call back using a number you can verify on a bill, a statement, or an official website.
Be suspicious. Con artists can be very convincing: They may ask innocuous questions, or sound threatening, or sometimes seem too good to be true.
Don’t give out personal information – account numbers, Social Security numbers or passwords – or answer security questions.
Use extreme caution if you are being pressured for immediate payment.
Ask your phone company about call blocking tools for landlines or apps for mobile devices.
Report spoofing scams to law enforcement, the FCC and the FTC.

When in doubt, call the company directly to confirm its validity.