Con Watch: Don’t Bank on that Text Message or Phone Call

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Lately there has been a significant surge in phony text messages that appear to be from your bank asking for debit card information in order to avoid having your account suspended. Responding to such a message can leave you with an empty bank account. These fraudulent text messages are known as smishing.

Debit card fraud is more dangerous than credit card fraud because while federal law limits the your liability for fraudulent charges made with a credit card to no more than fifty dollars, the laws regarding fraudulent use of debit cards are not as strong. Customers who neglect to notice and report the fraudulent use of their debit card run the risk of losing all the money in their bank account.

Text messages that appear to come from your bank can be particularly problematic because you may have signed up to receive legitimate (and helpful) text alerts from your bank. So how can you tell the difference between a real alert and a scam? Legitimate text alerts from your bank will never solicit personal information from you, so you should never provide information in a text. Also never click on links in text messages — the links can either download ransomware on to your phone or keystroke logging malware that can lead to identity theft.  The best course of action when you receive such a text message is to independently contact your bank to determine whether or not the text message was a scam. You can get your bank’s customer service number on the back of your debit card. Be careful not to misdial the telephone number as some scammers purchase phone numbers similar to those of legitimate banks and credit card companies hoping that they will receive calls from unwary consumers.

The phone call equivalent of smishing is vishing, and this type of scam is getting more and more sophisticated. Many scam artists are incredibly adept at psychology and armed with a bevy of personal information about you. They can convince you that an emergency exists and that you need to respond by providing them with personal information that unfortunately can often lead to identity theft.

Presently there are a number of variations of vishing telephone calls that appear to come from your bank, some of which are from live people, while others are coming from robots that sound like actual people. These calls generally tell you that your ATM card has been used for fraudulent purposes and that you need to replace it immediately. These calls may appear on your Caller ID as if they are coming from your bank, through a technique called “spoofing.” The scammer is also armed with much personal information about you, including in some instances the last four digits of your Social Security number, your address, and even your debit card number. This can make the call appear quite legitimate. Your information has generally been bought by the scammers on the Dark Web, that part of the Internet where criminals buy and sell personal information that may have been obtained through the many data breaches that are increasingly part of the new normal. During the course of the call you are then asked for the three digit CVV security number from your card, your PIN or both. Providing this information will enable the scammer to use your debit card to make purchases online or to create a counterfeit card to use at an ATM to steal directly from your bank account. If you take the time to think about it, you would realize that your bank does not need you to provide your CVV or PIN. But scammers are quite adept at getting people to respond quickly to a perceived emergency, particularly when the person calling seems quite legitimate.

The best thing to do is to remember my motto, “trust me, you can’t trust anyone.”

Never give out personal information to anyone on the phone unless you have initiated the call and you are sure the information is necessary. In the case of these debit card vishing scams, the best thing to do if you think the call may be legitimate is to hang up and call the bank at a telephone number that you know is accurate.

Taking the time to not react too quickly when you receive a purported text message or phone call from your bank can pay dividends in your safety.