Thursday, May 21, 2009

Credit Card Holders "Be Wary of SMiShing"

Credit card holders 'should be wary of "SMiShing" threat'
Smishing, where fraudsters use text messages to target victims rather than the internet, is on the rise, according to one group. 

Credit card holders are being warned by the fraud prevention squad Cifas to watch out for the fraud method.  The smishing trend comes as banks and other financial services providers increasingly contact customers by text message.

HM Revenue and Customs (HMRC) has also warned that fraudulent text messages have been sent to victims asking for financial information. Similarly, this is because HMRC has been using text messages to contact people, a fact which fraudsters have exploited.

According to UK payments industry association Apacs, fraud where the card is not present amounted to £328.4 million in 2008. This is an increase of 13% since the previous year.

Richard Hurley, Cifas communications manager, said: "While the rest of us are reining in our behaviour as a result of the recession, the increase in facility takeover and online frauds demonstrates clearly that fraudsters are simply redirecting their efforts."

More on SMiShing (from Wikipedia)
Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL; however, it has become more common to see a phone number that connects to an automated voice response system.

The smishing message usually contains something that wants your
"immediate attention", some examples include "We’re confirming you've
signed up for our dating service. You will be charged $2/day unless you
cancel your order on this URL: www.?????.com."; "(Name of popular
online bank) is confirming that you have purchase a $1500 computer from
(name of popular computer company). Visit www.?????.com if you did not
make this online purchase"; and "(Name of a financial institution):
Your account has been suspended. Call ###.###.#### immediately to
reactivate". The "hook" will be a legitimate looking web site that asks
you to "confirm" (enter) your personal financial information, such as
your credit/debit card number, CVV code (on the back of your credit
card), your ATM card PIN, SSN, email address, and other personal
information. If the "hook" is a phone number, it normally directs to a
legitimate sounding automated voice response system, similar to the
voice response systems used by many financial institutions, which will
ask for the same personal information.

This is an example of a (complete) smishing message in current
circulation: "Notice - this is an automated message from (a local
credit union), your ATM card has been suspended. To reactivate call
urgent at 866-###-####."

In many cases, the smishing message will show that it came from "5000" instead of displaying an actual phone number. This usually indicates that the SMS message was sent via email to the cell phone, and not sent from another cell phone.

This information is then used to create duplicate credit/debit/ATM cards. There are documented cases where information entered on a fraudulent web site (used in a phishing, smishing, or vishing attack) was used to create a credit or debit card that was used halfway around the world, within 30 minutes.
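
The traits described above (urgent "bait", a URL or callback number as the "hook", and a sender such as "5000" that is not a full phone number) can be checked mechanically on inbound SMS. The following Python is an added example, not part of the original post or the Wikipedia text; the keyword list, the seven-digit sender threshold and the sample messages (example.com, 555 numbers) are constructed assumptions.

```python
import re

# Indicators follow the description above. The word list and the sender
# length threshold are illustrative assumptions, not a vetted rule set.
URGENCY = re.compile(
    r"\b(immediately|urgent|suspended|reactivate|unless you cancel|if you did not)\b",
    re.I,
)
URL = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
PHONE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")


def smishing_indicators(sender: str, body: str) -> set[str]:
    """Return the set of indicators present in one SMS."""
    hits = set()
    if URGENCY.search(body):
        hits.add("urgency")        # the "bait": demands immediate attention
    if URL.search(body):
        hits.add("url_hook")       # the "hook": a web site to visit
    if PHONE.search(body):
        hits.add("phone_hook")     # the "hook": a number to call back
    # A sender like "5000" is not a full phone number. Legitimate short
    # codes exist too, so this is a signal to weigh, not proof.
    digits = re.sub(r"\D", "", sender)
    if 0 < len(digits) < 7:
        hits.add("short_sender")
    return hits


def is_suspicious(sender: str, body: str) -> bool:
    """Flag a message only when bait and a hook appear together."""
    hits = smishing_indicators(sender, body)
    return "urgency" in hits and bool(hits & {"url_hook", "phone_hook"})


# Constructed sample messages (not real traffic).
SAMPLES = [
    ("5000", "Notice - this is an automated message from Example Credit Union, "
             "your ATM card has been suspended. To reactivate call urgent at 866-555-0100."),
    ("+14155550123", "Example Bank is confirming that you have purchased a $1500 computer "
                     "from Example Computers. Visit www.example.com if you did not make this online purchase"),
    ("+14155550123", "Running late, see you at 7. Call me on 415-555-0123 if plans change."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, sorted(smishing_indicators(sender, body)), is_suspicious(sender, body))
```
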



