Police in Pima County, Ariz., have issued a
warning about
smishing, or text-based phishing attacks, targeting mobile users. The warning comes after a Tucson-area resident filed a complaint about a phishy text message that appeared to be from the recipient's financial institution. The text, which asked the accountholder to call a specified number to resolve a possible compromise of his bank account, included the last four digits of the user's debit card, making the text appear legitimate.
"If the victim had called the number provided, he would have been asked to verify his debit card number and the security code on the back of the debit card," the department said in its warning. "With this information, the debit card could have been reproduced, and the victim's bank account would have been cleaned out."
Smishing attacks are low-tech schemes, but they nevertheless prove frustrating for financial institutions. Jason Rouse, a mobile security expert and consultant with Cigital Inc., says smishing, like most
socially engineered schemes, preys on victims' trust. "So, the bank should issue very clear guidelines about the way it will communicate with customers," he says. "The must tell customers they will never ask for a password or information over a cell."
Rouse's advice, incidentally, is in line with the new
FFIEC Authentication Guidance, which directs institutions to give their customers "an explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer's provision of electronic banking credentials."
Smishing on the Rise
In the Tucson case, the would-be victim was quick to contact his financial institution before responding to the text. But not all consumers are quite so savvy, especially in the mobile environment. "People are used to
phishing by e-mail," says mobile expert
Dr. Markus Jakobsson. "Smishing has still not sunk in."
The mobile phone is a social device, and consumers' communications and behavior over mobile devices mirror casual phone communications. "Their trust in their friends rubs off on everything that has to do with the [mobile] phone," Jakobsson says [See
Mobile Banking: The New Risks]. That casual mobile behavior is likely to perpetuate more mobile fraud, and encourage fraudsters to exploit even the most low-tech mobile schemes, such as smishing.
The good news for financial institutions is that smishing attacks have not hit a tipping point. But it's only a matter of time. "We will see it peak in the next couple of years," Rouse says. "From an organized crime perspective, smishing is simple, and I think you will see more organized crime lean toward it."
Smishing scams are increasing in popularity over traditional voice/phone call scams known as
vishing because consumers are more apt to fall for them. "The absence of an awkward pre-recorded or live voice call increases the probability of success for the criminal," says John Buzzard, of FICO's Card Alert Service. "The consumer is only evaluating the words in the text without the weight that hearing a voice or recording would add to their decision-making process."
Consumer Education and Anomaly Detection
As smishing attacks like the one in Tucson proliferate, financial institutions have to hone customer and member education efforts. The Tucson scheme proves how crafty smishing attacks can be, says
Joe Rogalski, information security officer of Buffalo-based First Niagara Bank [$38 billion in assets]. "The last four [digits] of the card number and the increase in the use of text alerts give the customer confidence and improve validity of the scam," Rogalski says. "Customers need to understand how and when the institution will contact them on an unsolicited basis, and if they will ever request a PIN or other confidential information. Getting this message out to consumers consistently is very important."
There's little financial institutions can do to stop smishing. The real success of controlling attacks and subsequent losses begins and ends with the consumer.
Anthony Vitale, who oversees mobile solutions for San Francisco-based Patelco Credit Union [$3.75 billion in assets], says financial institutions are quickly learning that the convenience of mobile banking comes with a price. As the use of mobile explodes, the threats and risks associated with mobile behavior have never been greater.
"Organizations are putting in layers of security and tools to safeguard information and assets, however, the fraudsters are attacking our weakest link, the consumer," Vitale says.
To ensure it's sufficiently addressing existing and emerging mobile risks, Patelco invested in a behavior-monitoring solution. When something out of the ordinary occurs, the credit union can react. So, if a user has been duped by a smishing attack and the bank account is hit with requests for funds in amounts and to recipients that seem out of line, a red flag goes up.
Institutions also should monitor mobile transactions in the same ways they monitor online transactions. If fraud is detected, transactions can be stopped and addressed with the mobile carrier. Mobile carriers can assist banks in tracking anomalous behavior and shutting it down before it results in big losses.
But how can institutions initiate better communication and education with customers and members? Getting the word out about mobile and even online risks has proved challenging in the past.
Citigal's Rouse says institutions should not be intimidated from using common channels, like mobile. "I think the No. 1 channel banks should be using is the mobile channel itself," he says. "There is no reason why they can't use the mobile device to disseminate information to their users."
As 2012 nears and federal regulators prepare to examine financial institutions for conformance with the 
