The threat is terrifying. Mobile phones are carpet bombed with rogue SMS messages that direct credit union members to criminal websites where their personal information is captured – and then their accounts are looted. There's the frightening scenario.

It is built on a technically sound bedrock.

Since we often don't see full URLs in SMS messages, we frequently click on Web links with abandon and therein lies the opportunity for a crook. Send an SMS, dupe the victim into clicking into a bogus edition of a credit union or bank site, and when the victim logs in, bingo, the thief has the credentials to loot the victim's account.

Even the Better Business Bureau has climbed aboard this fright train with a loud warning to consumers to guard against so-called “smishing” (a mashup word mixing SMS with phishing, the tried and true email credentials scam – and, yes, phishing remains a huge problem).

It's enough to make a person afraid to even glance at an incoming SMS.

Potentially, for credit unions in particular, this is horrific news because many increasingly rely on SMS to send account alerts to members and also for multi-factor authentication logins. Given the ubiquity of cellphones (even cheap feature phones are SMS capable), it's a convenient communication channel and that of course also makes it prime for thieves who, if we believe the hype, are already furiously mining this path to stolen riches.

Just one problem: The smishing scare has all the substance of a Halloween ghost.

George Tubin, an expert with security firm Trusteer, said in an interview, “People on mobile devices usually can't see full URLs and crooks are embedding links into SMS. Those links can bring folks to a very sophisticated phishing site.”

But, said Tubin, “We aren't seeing a lot of this, not really.”

“This definitely is not up there with Zeus,” the keylogging malware that has led to the compromise of millions of bank accounts globally.

“The potential is there and, certainly, we see more focus on the mobile channel by fraudsters. But we still aren't seeing much smishing,” said Tubin.

Jonathan Weber, founder of Marathon Studios, a consulting company, said he has been doing in-depth study of malware and a conclusion he has reached is that “the level of SMS-based phishing attempts has not been anywhere near as significant as it could have been.”

He stressed that, in his eyes, the threat is real. “Most people cannot recognize SMS malware and there are no SPAM filters that sift it out,” he said, alluding to the fact that filters built into email search for and destroy countless phishing emails daily, before the intended targets ever see them. With SMS, it remains a Wild West, where every user stands on his/her own, but despite that the fact remains that incoming tainted SMS remains small in volume.

Daniel Ayoub, a threats expert with Dell SonicWALL, echoes the chorus. He too sees a sizable potential danger in smishing, “but I have not seen that much of it, there's been no uptick in volume.”

He added, “Most criminals are lazy. They go for the low-hanging fruit.”

What's a credit union to make of this? Experts pointed to two big takeaways and the first is that the potential for a boom in smishing unquestionably is real and it is ugly. Today's incidence – hype aside – may be minimal but that could change as criminals seek to diversify out of Zeus and into more mobile-focused attack vectors that resonate with the broader shift away from online banking and into mobile.

The other takeaway: Now is the time to begin to educate members about the credit union communications they will see via SMS and what they will never see. Tell them they will never get an SMS instructing them to “re-authorize” their account by clicking on a link in SMS and entering their login credentials – then tell them that again. And again.

And it is the kind of member education that will pay off when in fact smishing finally goes mainstream … which it probably will.

Just not yet, which means credit unions have ample time to lay in their defenses to better protect themselves and their members.
