The safest thing to do is NOT trust any text/SMS message from a bank, delivery company etc. The message might be real but could be a scam and you can lose thousands.
Fake bank text messages, usually designed to make you panic and call immediately, are still catching thousands of people every year.
This report from Australia includes a recording of a scammer tricking someone into giving away enough details to allow access to their accounts. Modern fast banking means that your money can be scooped up in minutes and transferred through multiple overseas accounts.
Any bank can be spoofed, though the criminals will mostly target the larger banks who have more customers (aka targets).
Fake bank text messages are common but not the only trap. Bogus parcel delivery messages are also used with a link to a web page that asks for credit card information to pay some non-existent fee.
Criminals send out millions of text messages knowing that most will be ignored. People will delete texts ‘from’ a bank they don’t have an account with or ‘from’ a delivery company when they are not expecting a parcel. But enough texts will reach unwary people who do use that bank or are waiting for a package.
Don’t call the number in the text message
If you get a text message from, say, a bank asking you to call a phone number – don’t.
Instead use the phone number from another trusted source – like a bank statement, back of credit card. If the two numbers are different – that’s a caution flag right away.
If you think the message is real, call the trusted number and explain the text message. If it’s a fake they’ll tell you. If the text is legitimate, they should transfer you to the right department. It might take longer, but it’s a lot safer.
Why emails are a little more secure
Spoofed emails are also a problem but there are two things that make emails a little less likely to be faked. Legitimate senders should be verified using acronyms like SPF and DKIM. Emails also go through spam and security filters so many spoof messages should be blocked.
In addition, receivers should check the real web link, not just the visible text. Hover your mouse over the text to see the real link ‘underneath’.
SMS/text messages don’t have that level of protection. It’s too easy to fake/spoof the sending phone number. Mobile phone carriers don’t put the same effort into spam and security filters that email providers are expected to.
