One type of phishing attack, smishing (SMS phishing), is now being used to dupe bank customers. If you have a bank account, you should know how it works so that you do not fall prey to this latest scam. What is it, and how do fraudsters use it to empty your bank account? Find out here.
What is smishing?
Smishing is a scam where you get a fraudulent text message designed to trick you into sharing sensitive data or your hard-earned cash.
“Smishing, a form of cyberattack, combines SMS and phishing. It leverages text messaging to manipulate victims into giving away sensitive information or taking harmful actions. This social engineering tactic preys on human trust and emotions, as well as a sense of urgency, to influence potential victims’ decision-making,” says Sachhin Gajjaer, Managing Director and Founder of Sattrix, a cyber security company.
How fraudsters use smishing to dupe you
In the latest version of the smishing scam, you usually get an SMS from a mobile number saying a certain amount of money has been credited to your bank account. Right after receiving this SMS, you will get a call saying that a large amount of money has been mistakenly sent to your bank account. You will be asked to return it immediately to a certain UPI number.
The trick is that the message closely resembles the messages your bank usually sends when money is debited from or credited to your account. At first glance, it may look like a genuine message from the bank. Here is an example:
“Rs 15,000 credited to a/c XXXXX9082 on 10-05-24 by a/c linked to VPA XXXX9082 (UPI Ref No 41356463189).”
However, if you examine it closely and check who sent it, you will often find a mobile number, and a bank never sends such messages from a mobile number.
“Scamsters craft deceptive messages that closely resemble legitimate communications from trusted entities such as banks, consultancies, or government agencies. These messages are designed to create urgency or scare tactics to prompt immediate response and compel recipients to click on malicious links, share personal data, or download malware-infected attachments,” says Gajjaer.
The Reserve Bank of India (RBI) has a specific guideline on how banks must inform their customers about transactions in their accounts. Explaining it, Sheetal R Bhardwaj, executive board member of the Association of Certified Financial Crime Specialists (ACFCS) in Dubai, UAE, says, “As per Reserve Bank of India guidelines, banks should use a registered sender ID for sending SMS, which should be a six-character alphanumeric code that represents the bank’s name or brand. For example, HDFCBK, ICICIB, SBINNN, etc. The sender ID should not be a random or generic number, such as 567678, 909090, etc.”
How to identify whether the SMS you got is real or a scam
According to Pradeep Janardanan, Director of a foreign bank in Bengaluru, “Scamsters often send SMS messages from personal mobile numbers to fool customers. Banks, however, will never use personal mobile numbers to send SMS alerts for several reasons.”
Janardanan says that under Telecom Regulatory Authority of India (TRAI) rules, which every bank in India has to follow, there is a standard SMS format for notifying customers about transactions. The format is as follows:
[XXXXXX] [dd/mm/yy] [HH:MM] [Transaction Type] [Amount] [Balance] [Other Details]
XXXXXX: The sender ID of the bank
dd/mm/yy: The date of the transaction
HH:MM: The time of the transaction
Transaction Type: The type of transaction, such as debit, credit, ATM, POS, IMPS, UPI, etc.
Amount: The amount of the transaction
Balance: The available balance in the account after the transaction
Other Details: Any other relevant details of the transaction, such as mode, merchant, reference number, etc.
For example, a valid SMS for a debit transaction of Rs 500 at a POS terminal using a debit card issued by a bank would be: [Bank’s sender ID] 10/05/24 08:33 Debit Rs 500 Bal Rs 10,000 POS 1234567890
Janardanan says that this fixed format helps customers easily identify and verify the authenticity of an SMS.
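As an added illustration (not code from the article or its sources), the following Python checker applies the two tests described above to constructed samples: is the sender header a six-character alphanumeric bank sender ID rather than a personal mobile number or a generic numeric code, and does the body follow the standard field layout? The regular expressions, the made-up mobile number and the handling of a two-letter route prefix on the header are assumptions, not rules taken from the article.

```python
import re
from typing import Dict, List, Optional

# Sender ID per the RBI guidance quoted above: six alphanumeric characters, e.g. HDFCBK.
SENDER_ID_RE = re.compile(r"^[A-Z0-9]{6}$")
# A personal 10-digit Indian mobile number, optionally prefixed with +91 or 0.
MOBILE_RE = re.compile(r"^(?:\+91|0)?[6-9]\d{9}$")
# Standard alert body: [dd/mm/yy] [HH:MM] [Transaction Type] [Amount] [Balance] [Other Details]
BODY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<ttype>Debit|Credit|ATM|POS|IMPS|UPI) Rs ?(?P<amount>[\d,]+(?:\.\d{2})?) "
    r"Bal Rs ?(?P<balance>[\d,]+(?:\.\d{2})?)(?: (?P<other>.+))?$"
)

def check_sender(sender: str) -> Optional[str]:
    """Return why the sender header is not a valid bank sender ID, or None if it looks fine."""
    s = sender.replace(" ", "")
    if MOBILE_RE.match(s):
        return "sent from a personal 10-digit mobile number, not a bank sender ID"
    # Assumption (not from the article): strip a two-letter route prefix such as the "VM-" in VM-HDFCBK.
    header = s.split("-")[-1].upper()
    if header.isdigit():
        return "sender ID is a generic numeric code such as 567678, which banks should not use"
    if not SENDER_ID_RE.match(header):
        return f"sender '{sender}' is not a six-character alphanumeric bank sender ID"
    return None

def parse_body(body: str) -> Optional[Dict[str, str]]:
    """Split a standard-format alert into its fields; None if the body does not conform."""
    m = BODY_RE.match(body.strip())
    return m.groupdict() if m else None

def check_sms(sender: str, body: str) -> List[str]:
    """Return the reasons an alert looks suspicious; an empty list means it follows the conventions."""
    reasons: List[str] = []
    why = check_sender(sender)
    if why:
        reasons.append(why)
    if parse_body(body) is None:
        reasons.append("body does not follow the [date] [time] [type] [amount] [balance] alert format")
    return reasons

if __name__ == "__main__":
    # Constructed samples: the article's genuine-format alert with HDFCBK as sender, and its scam text from a made-up mobile number.
    for sender, body in [
        ("HDFCBK", "10/05/24 08:33 Debit Rs 500 Bal Rs 10,000 POS 1234567890"),
        ("+91 98765 43210", "Rs 15,000 credited to a/c XXXXX9082 on 10-05-24 by a/c linked to VPA XXXX9082 (UPI Ref No 41356463189)"),
    ]:
        reasons = check_sms(sender, body)
        print(f"{sender:>16}: {'SUSPICIOUS' if reasons else 'looks genuine'} {reasons}")
```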
What should you do if you have got a fraud bank SMS and a call?
One of the fraudsters’ aims is to create a sense of urgency, so when they call you they will say things like “I am at the doctor’s chamber and need you to pay me back” or “I am at the medicine shop buying life-saving medicines”. The primary motive behind this urgency is to make you overlook the sender ID of the SMS, which is a regular 10-digit mobile number and not a real bank’s sender ID.
Experts say that one should be cautious and check the sender ID before taking any action based on the SMS.
“To combat these scams, individuals must scrutinise message content, verify sender details and its ID, and closely examine domains, logos, and grammar for inconsistencies. Additionally, it is important to be cautious of urgent or immediate action requests that come across as unprofessional, as legitimate institutions typically communicate in a more professional and measured manner. By staying vigilant and adopting proactive security measures, users can thwart these increasingly sophisticated smishing attempts,” says Gajjaer.