It didn't take long to realize that we had an issue that needed immediate attention.
A trickle of calls to our Customer Service team quickly became a deluge as more and more customers contacted us to question a "debit card alert" text message they had received. The texts were sent from a handful of different numbers, but the message was consistent:
"Debit card alert for [customer's mobile number]. Contact XXX-XXX-XXX."
Our team immediately recognized that this was not a text initiated by our bank or any of the affiliate services with whom we partner to keep our customers alerted to potential debit card fraud.
This was a smishing scam. "Smishing" is short for "SMS phishing," meaning a phishing attempt delivered via SMS, or text message. "Phishing" is the practice of a fraudster trying to "bait" someone into providing personal financial information, which is then used for criminal purposes.
We tried to call the number provided, and after several attempts we were connected to an automated line that informed us that our debit card had been "deactivated." To reactivate the card, the recording said, we should enter our full 16-digit card number, our personal identification number (PIN) and the expiration date of the card. Using a test card, we did just that, and within seconds received a legitimate fraud alert from our BI Card Guardian service that the card had been charged! We quickly deactivated the card before more fraudulent charges could be made.
We notified our customers of the scam via email and social media, and again were overwhelmed by the number of responses we received from folks who had received the text.
Even customers of other financial institutions responded to our Facebook post to report they had also been targets of the text. Because the text message was so vague, anyone who received it could have assumed that it was from the bank or credit union that issued their debit card. They could have responded with their card information and not known until it was too late that their debit card had been charged for hundreds or thousands of dollars. It could have been devastating.
But it wasn't.
Instead, our customers--and those of other financial institutions as well--were smarter than the average fraudster.
They called us.
This is one of the very best ways to verify that a text or email is legitimate--call the organization's published numbers. If you receive something that looks the least bit suspicious, it's OK to question it. We welcome your call! In fact, it was the high volume of calls from our customers that alerted us to last week's scam in the first place.
They shared.
One of the first channels we utilized to alert our customers to the debit card smishing scam was social media. Within minutes of posting our message, hundreds of people shared it--a total of 668 folks, as a matter of fact. And they commented, too. We were thrilled to respond to comments like these:
We're a sharing society--especially when it comes to something that will help our neighbors. As our post was shared with more and more folks, we saw comments from customers of other financial institutions who had received the text, which was wonderful. Their sharing helped us and other banks and credit unions realize that the scam was targeted at our entire community!
They recognized a scam when they saw it.
One of our Facebook comments said, "I didn't call or reply. I knew something wasn't right!" A pleasant offshoot of the growing number of cyberscams is the fact that consumers everywhere are becoming more alert and more suspicious of unusual or unexpected texts, emails and calls.
While some have learned the hard way (as the victim of a scam), most of us have simply become more attuned to warnings from government agencies, media reports and alerts from businesses like Bank Independent.
Awareness has grown, and we've become more suspicious. Again, that's OK! Rather than creating an intimidating "trust no one" culture, we're experiencing a "question everyone" open-dialogue environment. Companies aren't insulted when you ask them if their email is legitimate. In fact, they're proud--and grateful!
They didn't give up their information.
Another Facebook comment said, "I got [the smishing text] yesterday [...] called number but did not divulge any information .... hung up on them." A vague message like "Debit Card Alert" is designed to intrigue or alarm the recipient to the point that they will call the number in the text to investigate.
We can confidently say that no legitimate financial institution will ask you to divulge your full debit card number, PIN, AND expiration date for ANY reason--especially via a text message or recording. If you've ever called or corresponded with your bank or credit union, you know that this just isn't done. In fact, we go the extra mile to identify our customers before even discussing account information.
Luckily, those who reached this point in the smishing scam recognized that this request was just not right, and hung up the phone before compromising their card.
So, in conclusion, KUDOS to our customers and those of other financial institutions for foiling these fraudsters' evil plan! You're our cybersecurity superheroes!
If you're ready to add an extra layer of protection to your Bank Independent account, click the link below to enroll in BI Card Guardian, a complimentary service that sends you (legitimate!) debit card alerts via text!
P.S. October is National CyberSecurity Awareness Month! Check out these great blog posts to learn more about fighting online fraud and how to be #CyberAware:
12 Ways to Protect Your Mobile Device
10 Simple Tips for Protecting Your Money From CyberCriminals
Debit Card Fraud: How it Happens and How to Stop It