Got a smartphone? What you need to know about smishing

You receive a text message on your smartphone from your bank: "Your credit card account has been compromised. Call this 1-800 number immediately to verify your identity or your account will be frozen."

It looks legitimate, but you should think twice before calling and handing over your personal financial details. Credit card issuers and security experts warn that, in the age of the smartphone, fraudsters have found new methods to get information: smishing and vishing. Smishers send an SMS text message to your phone to try to get you to give up details. Vishers do the same, but via calls and voicemails to your cellphone.

The messages seem authentic, promising you that you'll safeguard your account by confirming your financial information, or enticing you with rewards and free upgrades.

They're meant to catch you off guard, says Iain Kenny, who leads computer forensics at accounting firm MNP, focusing on cyber breaches and theft of intellectual property.

"They know your instinct is to call and rectify the problem," he says.

And it works, says Scott Hannah, president of the national Credit Counselling Society.

"We've seen an increase in this," Hannah says. "A lot of people, when they've become victims of fraud or crime from smishing are embarrassed, but they should report it. We find that our seniors tend
to fall prey for this more than others. They say, ‘This seems
legitimate, why would they be calling otherwise?' and, "They're trying
to help me.'"

Rise in smishing follows smartphone craze
With emails came phishing: fraudsters posing as your financial institution in an email to gain personal information such as usernames, passwords and credit card details. Now that consumers are glued to their smartphones, the next step was a shift to text messages and voicemails, Kenny says.

"It's not that different than the ‘You've won a free vacation, just provide your credit card for a $99 administration charge' you'd get in your email or your home phone number," he says.

Smishing even harder to spot than other scams
Now, fraudsters are using technology to up their game in duping you. For example, they can set it up so your call display says you're receiving a call from your bank or credit card issuer.

"They mask where they're calling from so you can put faith in what's on your screen," Kenny says. "They can spoof you and you can't tell if they're next door or sitting in Nigeria. You can't tell where these calls originate from anymore."

Hannah says texts can look authentic, too. The wording sounds polished, the phone number looks legitimate and the message may include details that match your account. If the text points you to a website, the URL, website and logo may be nearly identical to your bank's.

"Those are really well done and probably one of the biggest problems for financial institutions," Kenny says.

He says he nearly fell for a scam recently when a text message purportedly from Canada Post said his package was lost in the mail and he needed to verify his personal information. He had an eBay package on the way -- "The timing of it was luck," he says -- but he chose not to click on the link provided. Instead, he went to the Canada Post website, typed in his tracking information and found his mail was on track for delivery.

Smishing and vishing scams are on officials' radar: Consumer protection groups, banks, governments and retailers all provide consumers with information on how to spot a smishing scam. Follow these guidelines to stave off smishers:

1. Be suspicious of requests for personal details over the phone.
"It is important to note that a bank or other reputable company would never ask their customers for personal information like account numbers, banking passwords or PINs through an email, text message or voicemail," Kate Payne, spokeswoman for the Canadian Bankers Association, said in an emailed response to questions. "Consumers should be skeptical if they receive such a voicemail, text message or email: Do not respond to it but do report it to the company being impersonated and delete it."

A notice from the Royal Bank of Canada proves Payne right: "A phishing email or text may look like it comes from RBC, usually has an urgent message, and typically asks you to provide or confirm personal details...," the notice said. "...remember that RBC will never contact you by regular email or text messaging regarding problems with your accounts or services. And we'll never ask you to provide or confirm personal details or confidential information by clicking on a link, completing a form, or calling a phone number included in an email or text."

If nothing else, remember you signed a cardholder agreement saying you won't give away your personal details.

 "Most of us don't read through those, but they clearly state that you do not disclose your password or PIN to anyone," says Hannah.

2. Don't blindly follow the text message or voicemail instructions.
Before calling the number or clicking the link, ask yourself a few questions. Does the contact number match the information on the back of your credit card or your bank statement? Does the website exactly match your bank's site?

Take it a step further and call your bank -- using the phone number on its website or on your original documents -- to let them know you've been contacted but can't tell if it's authentic.

If anything sounds suspicious when you receive a phone call, hang up and call your bank using an official number.

3. Ignore text messages or automated voice messages from unknown contacts.
If you didn't sign up for text message or voicemail alerts, you shouldn't be receiving them. You would know if you did - banks make you agree to the terms and agreements for web usage and create a personal identification code. If you didn't go through this process for text access, you won't receive communication from your bank in this fashion.

As Walmart warned its customers, "Remember, you can't win a contest you didn't enter. Walmart doesn't notify winners of any contest via text message."

4. Report smishing scams you come across.
Take a screen grab of the fraudulent message (for most smartphones, you can do this by holding your home button and power button simultaneously for a few seconds). You'll need to document your case with the police, your financial institution and the Canadian Anti-Fraud Centre.

You may hesitate to report an incident because you're embarrassed you fell for the scam, or simply because it's too much work. But reporting is worthwhile: it helps authorities track fraudsters and may prevent other consumers from falling for scams, too.


Updated November 15, 2016
