'Smishing' Scammers May Hit Cellphones

Oct. 22, 2011 — -- Brion Sever received an automated voice mail message on his cellphone last week that caught him off guard.

It contained an alert that his Wells Fargo bank account had been compromised.

Sever knew better. As a Monmouth University criminology professor, he has studied scams. But the one that surfaced on Oct. 9 left him both impressed and spooked.

"For the first 5 seconds, you're like, 'Oh no!' You're caught off guard," he said. "It was an automated computer voice and very well done, very sophisticated."

Sever experienced a spreading high-tech con known as "smishing."

Smishing is like phishing, a technique that uses e-mails that look legitimate to trick victims into handing over vital information, but with smishing, identity thieves ply their scam through messages to a mobile phone, not a computer.

With recent attacks in the western U.S., law enforcement and consumer affairs officials have expressed concern that similar large-scale attacks could spread nationally.

FBI spokesman Tim Ryan, supervisor of cyberinvestigations for the FBI's Newark division, based in Franklin, N.J., said the message Sever received is part of an open case.

In the recent spate of scams in the West, identity thieves sent text messages en masse to random cellphones that read: "Wells Fargo notice: Your card 4868* has been deactivated." The message listed a phone number.

People who dialed the number were asked for account information, Social Security numbers and personal identification numbers, officials said.

The crooks cast a broad net. Many people other than Wells Fargo customers got the messages.

Kevin Friedlander, spokesman for Wells Fargo, said the messages popped up on mobile phones in Washington, Oregon, the Dakotas, Utah and parts of Colorado. The attacks began in August.

The bogus messages also arrived via automated voice mail and e-mails to smartphones, he said.

"Wells Fargo would never ask a customer for personal or account information using these methods, and that's the common thread with these scams," Friedlander said.

Friedlander is urging anyone receiving similar messages to report it to Wells Fargo by calling 866-867-5568 or at www.wellsfargo.com.

The FBI is advising targeted people to report the messages to www.ic3.gov, the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center.

The slang term smishing, sometimes spelled SMiShing, is a combination of the abbreviation for text messages — SMS, or Short Message Service — and phishing. Smishing is also known as vishing.

Several banks affected

Wells Fargo isn't the only bank victimized in the smishing scam. The text messages in the scam in the West also claimed to be from Bank of America, Chase, Citibank and Capital One, according to the Washington state attorney general's office.

"People's phones are becoming their computers," said Ryan.

Identity thieves began to key in on smartphones in a big way 12 to 18 months ago, he said, although smishing scams have been around longer.

The scam works like this: Criminals set up an automated dialing system to text or call people in a particular region or area code. Sometimes, they use stolen customer phone numbers from banks or credit unions.

With a victim's information in hand, the crooks can drain bank accounts, buy things with a charge card or set up a phony account. Smartphone users inadvertently have downloaded malware, designed to mine personal information, by responding to e-mails on their phones.

Catching you off guard

While consumers have become widely aware of phony lottery notices coming via e-mail in phishing schemes, smishing can easily catch people off guard, both because it's relatively new and designed to trigger a sense of alarm.

"They play on a person's flight-or-fight reaction," Ryan said. "They want you to click on or answer something without thinking. They get a person to instantly react."

Phishing, smishing — it's all the same in terms of the brand of theft. But a message popping up on a mobile phone, as compared with a computer, holds more urgency, Ryan said. And smishing e-mails sent to smartphones contain links to bogus sites that aren't always easy to spot because of the size of the phone screen and other limitations.

"The telltale signs that tell you you're on a fake website aren't present on a cellphone," he said.

Tracking smishing scam artists can be difficult, since many operate in other countries.

Friedlander said that under Wells Fargo's policy, victims' losses are covered if they notify the bank in a timely way.

Ryan says if you get a smishing message, have the bank's number handy in your mobile phone, or check your debit or credit card for the number.