Real or Fake: How to Avoid Sneaky SMS Phishing Bank Scams
You get a text message from an unknown number claiming to be your bank. The message says suspicious activity has been detected in your account; it wants you to click a link to verify your identity.
You panic. You want to resolve the issue immediately, and so you click on the link and input your personal information. Next thing you know, a stranger has access to your bank account.
Text-message phishing scams (also called “smishing”) are becoming more sophisticated. Cybercriminals now have easy access to AI, which can be used to craft plausible messages from supposedly trustworthy sources such as your bank. The FBI’s latest Internet Crime Report found that 298,878 complains of phishing scams in 2023 resulted in almost $19 million in loses.
While fraudulent texts are dangerous scams, authentic notifications from banks can be useful for letting you know when you have a low funds in your checking account or a high credit card balance. How can you tell if a text message from your bank is real? Read on for tips to detect fake text messages and how to report phishing scams if you get hit by one.
For more money tips, learn the best time to fly for cheap plane tickets and how to stop tax-related identity theft.
What’s the first thing to do if you get a text from “your bank?”
First, stop to consider if you’ve consented to receive text messages from your bank.
Melanie McGovern, director of PR and social media at Better Business Bureau, tells CNET, “there are banks that will text, and if you’ve opted in, they’re going to text you.”
If you’re not sure whether you’ve agreed to receive texts from your bank, log on to your bank account from its official website, and check your communications preferences via your personal profile or settings. The setting for text messages could be under “Delivery Settings,” “Alerts,” or “Notifications.”
If you haven’t enabled text notifications, be suspicious: The message purportedly from your bank is almost certainly a scam, and you should report it to your bank and the FTC (see below).
If you have enabled text notifications, you’ll need to go further to determine whether the text message is legitimate.
How can I tell if a text message from my bank is legit?
If you have agreed to receive text messages from your bank, there is a list of red flags that can help determine whether a banking related text is legitimate.
First, banks will never ask for personal or confidential information via text messages. If a message wants to know your PIN code, online credentials or other account information, ignore the message and report it to your bank and the Federal Trade Commission.
Most banks take care to explain their policies on a security or privacy page. Bank of America says that it will “never text, email or call you asking for personal or account information.” Banks will also not ask you to verify your identity by clicking a link.
Second, watch for claims of urgency. Scam messages often try to scare people by indicating they need to act quickly to avoid disaster. McGovern says, “they’re expecting you to panic and act immediately. Especially if you see a bank name.”
Third, be wary of links that are similar to your bank’s official website but slightly different, such as having an extra hyphen or using the .info domain extension instead of .com.
Smishing messages might also ask you to send money or make purchases — banks will never ask you to transfer money via text message. Also watch out for messages that seem too good to be true — your bank won’t send you a prize announcement for a contest you didn’t even know you entered.
The educational website Banks Never Ask That (sponsored by the American Bankers Association) includes more tips for avoiding banking-related smishing scams.
How should I respond to a text message that looks like it’s from my bank?
No matter what the message from your bank says, it’s best to contact your bank directly before doing anything. McGovern says you should “call your bank directly from the number on the back of your card or the number on their official website, not the number that texted you.”
She also advises to “never click on the link that they send.” You should always be able to reach any necessary URLs via your regular bank website.
In fact, there’s no need to engage with any text messages from your bank. You should be able to accomplish any necessary tasks by calling your bank or visiting its website.
What should I do if I’ve received a text message for a banking scam?
First, take a screenshot of the text message for reporting purposes and then delete the message — you don’t want to accidentally engage with it.
Next, report your suspicious text message to both your bank and the FTC. If you didn’t take any action on the text message, email it to your bank (see addresses below) or call them with the information.
If you did interact with the text message at all, such as clicking a link or replying, be sure to call your bank’s phone number for fraud or security issues ASAP.
To report the phishing attempt to the FTC, simply forward the message to 7726 (SPAM). You can also report the scam using ReportFraudftc.gov.
*First Republic Bank does not list an email address for reporting phishing scams on its website and has not yet replied to an email request for one
Remember, there’s no need to reply to or click any text messages from your bank, even when they are real. Play it safe by calling your bank or visiting its website whenever you get a text message, and you’ll be sure to keep your accounts protected.
For more money tips, learn why you might pause your Social Security benefits and how to get free food on your birthday.
Source: CNET