By Ashleigh, K-Staff
Our high-tech world moves at lightning speed, with communication and tasks often happening in real time. In many ways, security has lagged behind innovation. Now, new security measures such as two-factor authentication have emerged to protect the vast amounts of information and money that are exchanged online. But criminals are beginning to exploit those extra security measures and options, and you need to be on the lookout for this latest ploy to access your accounts.
Financial partner CO-OP, which owns and operates credit union ATMs nationwide, recently warned Kirtland FCU of a tactic called ‘SMiShing’—phishing (posing as a legitimate company) via SMS text messaging. And it’s effective because of the popularity of texting. According to the Pew Research Center, 97% of Americans send at least one text every day.
SMiShing, according to CO-OP, is a text designed to look like an automated text communication from a legitimate company. There are two different methods of SMiShing that we’ll discuss: the SMiShed text alert and the SMiShed two-factor.
Criminals in possession of your debit card details and other forms of personally identifiable information (PII) are spoofing credit union phone numbers in an effort to fool credit union members into thinking that the text messages are actually from the fraud department of a particular credit union. Fraudsters are sending text messages under the guise of trying to validate recent card activity and are including hyperlinks within some text messages.
Fraudsters are also using text messaging to deceive credit union members into providing card-related data and login credentials. A typical SMiShing occurrence can begin with a member receiving a text message inquiring about a suspicious transaction on an account. In reality, the fraudster is looking to obtain other information from members such as debit card numbers, CV2 codes, expiration dates, PINs and other web login credentials.
Before we go into how to spot one of these texts, you should know that there ARE legitimate texts that can come in from your credit union (especially if you’ve registered for Text Alerts for Online Banking login, transaction alerts for your cards, or use Text Banking). But there are key differences between a SMiShing text and a valid text transaction alert.
| SMiShing Text Contains | Legitimate Text Contains |
| --- | --- |
| A vague reference to a bank or no reference at all | An abbreviated version of your credit union's name |
| No specific card information | The last 4 digits of the card number |
| No specific transaction information | The amount of the transaction detail |
| No merchant information | Merchant details |
| Hyperlinked phone numbers and/or web addresses | No hyperlinks |
| Requests for card numbers, CV2 codes, passwords, PINs, expiration dates | Reply options of: YES, NO or STOP (to opt out) |
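As an added illustration (not code from Kirtland FCU or CO-OP), the checks in the table can be written as a small Python filter that lists which SMiShing indicators a text message shows. The regular expressions, the abbreviation `KFCU`, and both sample messages are constructed assumptions.

```python
import re

# Assumed patterns for the table's indicators; tune them for real alert formats.
LINK = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|info|co)\b", re.I)
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
ASKS_FOR = re.compile(
    r"\b(card number|cv2|cvv|password|pin|expiration date|login)\b", re.I)
LAST4 = re.compile(r"(?:ending(?: in)?\s+|x+|\*+)\d{4}\b", re.I)
AMOUNT = re.compile(r"\$\d[\d,]*(?:\.\d{2})?")
MERCHANT = re.compile(r"\bat\s+[A-Z][\w&' ]+")  # e.g. "at GROCERY MART"
REPLY = re.compile(r"\breply\b.*\b(YES|NO|STOP)\b", re.I)


def smishing_indicators(text, institution):
    """Return the SMiShing indicators from the table found in one SMS body."""
    flags = []
    if institution.lower() not in text.lower():
        flags.append("no institution name")
    if not LAST4.search(text):
        flags.append("no card last-4")
    if not AMOUNT.search(text):
        flags.append("no transaction amount")
    if not MERCHANT.search(text):
        flags.append("no merchant")
    if LINK.search(text) or PHONE.search(text):
        flags.append("hyperlink or phone number")
    if ASKS_FOR.search(text):
        flags.append("requests card data or credentials")
    if not REPLY.search(text):
        flags.append("no YES/NO/STOP reply option")
    return flags


# Constructed sample messages (not real alerts).
LEGIT = ("KFCU Fraud Alert: Did you use card ending 4821 for $152.10 "
         "at GROCERY MART? Reply YES or NO. Reply STOP to opt out.")
SMISH = ("ALERT: Unusual activity on your debit card. Verify your card number "
         "and PIN at http://example.test/verify or call 505-555-0100.")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("smish", SMISH)):
        print(label, smishing_indicators(msg, "KFCU"))
```

An empty list means the message matches the legitimate column on every row; any single flag, especially a link or a request for card data, is reason to contact the credit union through a known number instead of replying.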
Have you opted in to two-factor authentication for your financial accounts? Many companies and financial institutions are now offering two-factor authentication as a way to make logging in faster and safer by requiring not only a username and password but the entry of a one-time code, sent through a different channel (usually e-mail, text, or voice call). That means that if a fraudster obtained your username and password to a specific account, they would also need to have access to your e-mail account or phone to obtain the one-time code, which is an unlikely situation. Thieves are now calling members, posing as credit union employees, to get you to turn over the code while you’re on the phone with them!
While on the phone with a member, the fraudster logs into a credit union Online Banking site. When the one-time code is sent to the member’s phone, the fraudster asks the member to provide the code as a means to validate the member. When the information is shared with the person the member believes is a credit union employee, the fraudster uses the code to finalize access to Online Banking, which is typically followed by changing the Online Banking password and transferring funds from member accounts.