×
Routing Number: 307070050
Search
Search Our Site
Type a word or phrase in the search field below. If you are unable to find the information you are looking for, please contact us.
Kirtland Federal Credit Union logo

Welcome To The Insighter!

Explore the latest happenings at Kirtland FCU and learn about important topics from around the financial world. Here’s your insight!

SMishing: Double Check That Text!

10/28/2019
Ashleigh, K-Staff

Ah, technology.

Our high-tech world moves at lightning speed, with communication and tasks often happening in real-time. In many ways, security has lagged behind innovation. Now, new security measures such as two-factor authentication  have emerged to protect the vast amounts of information and money that is exchanged online. But criminals are beginning to exploit those extra security measures and options, and you need to be on the lookout for this latest ploy to access your accounts.

Financial partner CO-OP, which owns and operates credit union ATMs nationwide, recently warned Kirtland FCU of a tactic called ‘SMishing’—phishing (posing as a legitimate company) via SMS text messaging. And it’s effective because of the popularity of texting. According to the Pew Research Center, 97% of Americans send at least one text every day. 

What The SMish?
SMishing, according to CO-OP, is a text is designed to look like an automated text communication from a legitimate company. There are two different methods of SMishing that we’ll discuss: the SMished text alert and the SMished two-factor. 

SMished Text Alert
Criminals in possession your debit card details and other forms of personally identifiable information (PII) are spoofing credit union phone numbers in an effort to fool credit union members into thinking that the text messages are actually from the fraud department of a particular credit union. Fraudsters are sending text messages under the guise of trying to validate recent card activity and are including hyperlinks within some text messages.
 
Fraudsters are also using text messaging to deceive credit union members into providing card-related data and login credentials. A typical SMishing occurrence can begin with a member receiving a text message inquiring about a suspicious transaction on an account. In reality, the fraudster is looking to obtain other information from members such as debit card numbers, CV2 codes, expiration dates, PINs and other web login credentials.

Before we go into how to spot one of these texts, you should know that there ARE legitimate texts that can come in from your credit union (especially if you’ve registered for Text Alerts  Online Banking login, transaction alerts for your cards, or use Text Banking. But there are key differences between a SMishing text and a valid text transaction alert).
 
SMishing Text Contains Legitimate Text Contains
A vague reference to a bank or no reference at all An abbreviated version of  your credit union's name
No specific card information The last 4 digits of the card number
No specific transaction information The amount of the transaction detail
No merchant information Merchant details
Hyperlinked phone numbers and/or web addresses No hyperlinks
Requests for card numbers, CV2 codes, passwords, PINs, expiration dates Reply options of: YES, NO or STOP (to opt out)

The SMished Two-Factor

Have you opted in to two-factor authentication for your financial accounts? Many companies and financial institutions are now offering two-factor authentication  as a way to make logging in faster and safer by requiring not only a username and password but the entry of a one-time code, sent through a different channel (usually e-mail, text, or voice call). Which means that if a fraudster obtained your username and password to a specific account, they would also need to have access to your e-mail account or phone to obtain the one-time code—an unlikely situation. Thieves are now calling members, posing as credit union employees, to get you to turn over the code while you’re on the phone with them!

While on the phone with a member, the fraudster logs into a credit union Online Banking site. When the one-time code is sent to the member’s phone, the fraudster asks the member to provide the code as a means to validate the member. When the information is shared with the person the member believes is a credit union employee, the fraudster uses the code to finalize access to Online Banking, which is typically followed by changing the Online Banking password and transferring funds from member accounts.

How To Miss The SMish
  • Be aware! By simply knowing of the possibility of a SMishing attack, you can keep an eye out for the signs
  • Never provide information via text. A legitimate credit union employee or alert text will never ask for personal information to be sent over unsecured channels, and you will NEVER be asked for your Online Banking password or two-factor code outside of your login attempt.
  • Never click hyperlinks in texts. Legitimate requests to validate card activity will request a simple response of YES or NO. They will not include hyperlinks to other websites or ask for any personal info.
  • Don’t believe the caller ID. It’s amazingly easy to spoof a phone number—to make it look like a call is coming from a legitimate source.
  • When in doubt, check! You can always call the credit union (Kirtland FCU member, call 1-800-880-5328) to check on the validity of a transaction alert or to report a request for information that seems, well, phishy.
 
back to list