In just one week, CU Times learned about two large-scale SMShing attacks on credit union members. One involved a multi-billion-dollar institution in the Northeast. Another credit union was not quite $1 billion in assets and also located in the Northeast.
Separately, security experts provided CU Times with sample SMS fraud text that targeted members of two other credit institutions: One among the nation's biggest, the other with fewer than $100 million in assets in the Northeast.
That last institution presently has the following message in boldface on its homepage: “ALERT: If you responded to a text or email and provided your debit card information, you are a victim of fraud! Call 800-xxx-xxxx immediately and report your card as stolen to avoid personal liability for fraud charges that will occur on your account. Remember we will never ask for your card numbers, we have them. And we do not text our members. Contact us for details.”
Exactly what is going on?
Members receive an SMS or text message, purportedly from the credit union, demanding the member go to a website or call a phone number and provide personal account data to restore a suspended account. Such attacks are growing in number, according to San Francisco-based security company Cloudmark, which has been monitoring SMS for some time.
“It's really risen in the last year,” Neil Cook, Cloudmark chief technology officer, said. The reason is profits.
“It costs more to send out an SMS phish,” Cook said, “but the returns are higher than with email.”
That is because most of us have been trained to take SMS more seriously than we do email, said Jan Volzke, CEO of Sausalito, Calif.-based security firm Numbercop.
We get alerts from our credit unions – about deposits, payments – and we also may have multi-factor authentication set up involving a cellphone. For those reasons, we view SMS as serious business and crooks are jumping on it.
Recent Cloudmark data show that financial institution account phishing has become the third most common type of SMS spam.
The messages are blunt, frightening. One seen by CU Times simply had the name of the credit union and the urgent instruction to call a particular phone number.
Another read: Your Visa has been temporarily deactivated. Call 800-xxx-xxx to reactivate. The SMS included the name of the institution.
Other, simpler scam SMS include a link and tell the member to click to reinstate the account.
Where do fraudsters get the mobile phone numbers? Some may simply be automatically generating numbers on known mobile phone exchanges. Others may have bought valid numbers and, Volzke said, following large retail breaches at Target, Home Depot and others, there are millions of good numbers out there for crooks to buy.
Cook said the crook next buys batches of prepaid SIM cards, which trace back to nowhere, and loads them into so-called SIM boxes, which are large arrays of SIMs. The crook then automates SMS deployment.
“They will send out in high volume, sometimes millions a day,” Cook said.
The bottom line is that email phishing is declining in effectiveness, but crooks now are seeing good returns from bad SMS.
What's a credit union to do? Affinity FCU, a $2.3 billion credit union in Basking Ridge, N.J., recently had its membership fall under SMS attack and it agreed to tell its story.
As soon as it heard from many members about the SMS attack, Affinity blasted out an email that read: “We have just been made aware that some of our members have received deceptive text alerts, claiming to be from Affinity, stating: 'AffinityFCU-Urgent Notification-Call (908) 818-1530' This message is not from Affinity. If you receive the message, delete the message immediately. If you have already called the phone number and provided any personal information, please contact our Member Service Center immediately.”
Jean-Albert Maisonneuve, Affinity's vice president of marketing, assured CU Times that Affinity itself had not been breached; the phone numbers had not come from within the credit union.
“As to protecting members, with this sort of scam the best we can do is continually inform members of what they can do to protect themselves and provide an outlet just in case they do get caught,” he said.
Maisonneuve also said the credit union was unaware of any losses associated with this scam.
Another credit union, which requested anonymity, was also hit with the scam and said so far, it is unaware of any member losses.