By now most consumers can spot a phishing email – that is, if the message even makes it past increasingly sophisticated spam filters. Knowing this, spammers have turned to text messages and voice calling to gather sensitive information or gain control of a consumer's device. In recent years, the FBI, Better Business Bureau and online security company Symantec have issued warnings about consumer threats such as SMiShing (text message spam) and vishing (voice or telephone spam).
Just as email providers filter out email spam, mobile carriers try to filter out text message spam, but some of those messages slip through. Sixty percent of U.S. adults who send or receive texts received mobile spam within the past year, according to a 2012 survey conducted by research firm Harris Interactive on behalf of security solutions company Cloudmark.
Despite this, most people still perceive their phone to be more trustworthy than their computer, according to Cloudmark research analyst Andrew Conway. Cellphones offer more immediacy, too, because many consumers carry their phones with them everywhere and even sleep within reach of their phone. Consumers who delete emails without a second thought will often drop everything when they receive a text message or phone call, but that call may not be one they want.
Here's a look at how these phishing schemes work – and how to protect yourself.
SMiShing: Text message spam appeals to fraudsters because of the potential for better geographic targeting compared to email. "We see them picking a regional bank or credit union and targeting the area codes where that particular institution is based," Conway says.
As it becomes harder to phish people on a laptop or desktop, Jonathan Weber, owner of the Web security and app development company Marathon Studios, Inc. expects to see the volume of SMiShing attempts to increase. "The technology is not very difficult to set up a mobile phishing campaign," he says. As a result, mobile spammers have a few different strategies up their sleeves.
"You could receive an email or text message from someone posing as your credit card company, asking you to confirm your account numbers or passwords," says Robert Siciliano, an identity theft expert with BestIDTheftCompanys.com. "It's much easier to fall for these tricks on your mobile device because a lot of the things you can do to check if an email is legitimate are not available [on mobile devices]."
Last year, popular SMS spam focused on supposedly free gift cards. Since the Federal Trade Commission cracked down on those scams, smishers have shifted to other areas like bank phishing, porn and payday loans.
Bank smishers may use the first few digits of your debit or credit card as bait, since credit and debit cards all follow the same standard method for card numbers, according to Cloudmark security researcher Tom Landesman. Their text message might include a link to a bogus bank website that looks and acts like your real bank's website. Alternately, it might prompt you to download a fake bank app or call a number to clear up a supposed issue with your account. Once spammers capture your personal information, they can sell it on the black market or use it to commit fraud.
Vishing: Vishing can take a few different forms. A few years ago, scammers posing as Microsoft support technicians called consumers claiming they needed access to the their computer to help remove a "virus" (in actuality, they may have been installing key-logging software on the computers to capture the user's bank information or passwords without their knowledge or permission).
[See: 10 Dangers of Mobile Banking.]
Other vishing schemes involve the use of automated systems to call specific area codes and play a message about a local or regional bank in the area. Scammers can record the real bank's phone greeting to make you think it's a legitimate call from your bank and lure you into providing your account number or other information. They might also use caller ID spoofing technology to display a false name or number on your phone.