(Before you ask, no, that headline does not contain a typo!) For years, Peoples Bank has informed customers and others in the community about phishing, where fraudsters “go fishing” to catch people unaware and steal their personal information by means of a fraudulent email. Like most criminal activity, fraudulent techniques have advanced and acquired new names.
Identity theft techniques have kept pace with people’s use of technology. The bad guys have moved on to the next fraud frontier and now try to take advantage of people by use of text (SMS) messages and even voice mail. Threats from these new approaches are called “Smishing” for SMS fraud attempts and “Vishing” for voice mail fraud attempts.
Editor’s note: If, like us, you have practiced saying “Smishing” silently to yourself to make sure you have it right, know that we decided not to try it in public. We’re just going to say “text message fraud.”
Smartphones, with their ability to browse the web and follow hyperlinks, make it super easy to receive links to internet sites via text messages. A majority of personal communication is via text messages now that the cellular companies offer generous SMS plans.
Many companies, including Peoples Bank, use a shortened number to send SMS messages to customers. So, imagine receiving a text message that looks legitimate and asks you to verify your bank account by clicking on a link. Perhaps you think that few people and organizations know that number. Unsuspecting, a person may do what the message asks, pressing the link to make sure nobody has hacked their account. However, that link is designed to make it easy for you to provide just the details a fraudster needs to steal (or hijack) your financial assets.
Voice mails are now added to the bad guys’ target list. Fraudsters are calling phone numbers in the same area code as a bank or credit union they are targeting and playing recordings that may sound similar to the bank or credit union’s own automated voice system. The caller leaves a voice mail and asks you to call the “bank’s phone number” (providing a local number or even a toll-free number) to confirm your bank account information.
In both cases, the fraudsters are attempting to fool you into trusting them enough to give up something valuable. A bank would never send such a request by either means. Nor by email, for that matter.
But here’s the important thing to know. The bad guys got organized and shared information, so what you need to protect, and how you protect it, need to adapt.
The IRS has disclosed that it gave up the personal information for more than 300,000 people recently via a data breach (more than the 110,000 number of the initial report). What hasn’t made the mainstream news is that this data breach was different.
“What’s interesting about the IRS incident is that the breach wasn’t a breach in the traditional sense — attackers did not disable or bypass security features. They used previously mined data to answer authentication questions correctly.” – Redmond Magazine, 08/18/2015
Fraudsters have been collecting information to help them correctly answer the Knowledge-Based Authentication (KBA) questions that most banks and government sites use to verify logon credentials. Combined databases containing tax ID numbers, birth dates, mothers’ maiden names, tax filing status and the like make a formidable weapon for personal identity theft.
So what can you do? One thing is to use a good password manager, such as our personal favorite RoboForm. If you can’t do that, use good passwords following tips such as this one we posted on January 1, 2013. Another pointer is to watch your credit report regularly. But perhaps the best thing to do is freeze your credit report.
Get more information: How to Protect Yourself From SMiShing and Vishing, US News & World Report 9/2013