By now most consumers can spot a phishing email – that is, if the message even makes it past increasingly sophisticated spam filters. Knowing this, spammers have turned to text messages and voice calling to gather sensitive information or gain control of a consumer's device. In recent years, the FBI, Better Business Bureau and online security company Symantec have issued warnings about consumer threats such as SMiShing (text message spam) and vishing (voice or telephone spam).
Just as email providers filter out email spam, mobile carriers try to filter out text message spam, but some of those messages slip through. Sixty percent of U.S. adults who send or receive texts received mobile spam within the past year, according to a 2012 survey conducted by research firm Harris Interactive on behalf of security solutions company Cloudmark.
Despite this, most people still perceive their phone to be more trustworthy than their computer, according to Cloudmark research analyst Andrew Conway. Cellphones offer more immediacy, too, because many consumers carry their phones with them everywhere and even sleep within reach of their phone. Consumers who delete emails without a second thought will often drop everything when they receive a text message or phone call, but that call may not be one they want.
Here's a look at how these phishing schemes work – and how to protect yourself.
SMiShing: Text message spam appeals to fraudsters because of the potential for better geographic targeting compared to email. "We see them picking a regional bank or credit union and targeting the area codes where that particular institution is based," Conway says.
As it becomes harder to phish people on a laptop or desktop, Jonathan Weber, owner of the Web security and app development company Marathon Studios, Inc., expects the volume of SMiShing attempts to increase. "The technology is not very difficult to set up a mobile phishing campaign," he says. As a result, mobile spammers have a few different strategies up their sleeves.
"You could receive an email or text message from someone posing as your credit card company, asking you to confirm your account numbers or passwords," says Robert Siciliano, an identity theft expert with BestIDTheftCompanys.com. "It's much easier to fall for these tricks on your mobile device because a lot of the things you can do to check if an email is legitimate are not available [on mobile devices]."
Last year, popular SMS spam focused on supposedly free gift cards. Since the Federal Trade Commission cracked down on those scams, smishers have shifted to other areas like bank phishing, porn and payday loans.
Bank smishers may use the first few digits of your debit or credit card as bait, since credit and debit cards all follow the same standard method for card numbers, according to Cloudmark security researcher Tom Landesman. Their text message might include a link to a bogus bank website that looks and acts like your real bank's website. Alternately, it might prompt you to download a fake bank app or call a number to clear up a supposed issue with your account. Once spammers capture your personal information, they can sell it on the black market or use it to commit fraud.
Vishing: Vishing can take a few different forms. A few years ago, scammers posing as Microsoft support technicians called consumers claiming they needed access to their computer to help remove a "virus" (in actuality, they may have been installing key-logging software on the computers to capture the user's bank information or passwords without their knowledge or permission).
Other vishing schemes involve the use of automated systems to call specific area codes and play a message about a local or regional bank in the area. Scammers can record the real bank's phone greeting to make you think it's a legitimate call from your bank and lure you into providing your account number or other information. They might also use caller ID spoofing technology to display a false name or number on your phone.
Here are a few ways to protect yourself against SMiShing or vishing:
• Be wary of incoming calls. If you receive an incoming call and a person or automated system requests personal information, hang up. Caller ID creates a false sense of security, so don't trust it. Before you give out any information to someone claiming to be from your bank or a company you trust, Siciliano suggests calling that company directly to verify there's a need for that information. Locate the phone number through the official bank website or on your bank card, not by Googling.
• Don't call a number left in a voicemail or text message. "Your bank is not going to send you a text message and prompt you to call them," Weber says. Before calling a number in a text message or voicemail, verify the number using the strategies above.
• Download apps through official channels. Go to the iTunes or Google Play store to download your bank's official app. "[Phishers] will send you a text message with a link to an app on a third-party server," Weber says. "It's not as easy to install it, but once you do that, it's completely seamless. They can make it look completely like the bank's app."
• Don't click links from unverified senders. Shortened links on a mobile device can be hard to verify and may link to malicious content. "Without being able to see a full address, it's difficult to tell if the website or sender is legitimate," Siciliano says. "You also can't hover over a link like you can from your computer and get a preview of a linked word or graphic."
• Report suspected spam. Document as much information as you can, including what was said, the phone number of the caller and the information the person or system requested so you can report it to your bank as soon as possible. "The sooner you do, the more quickly the scam will be squashed," Siciliano says. With most major U.S. carriers, you can forward suspicious text messages to 7726 (spam spelled out on your keypad). This sends the message to a spam-reporting system that Cloudmark operates for the GSMA, an association of mobile operators.