Taking precautions to guard against phishing attacks has become standard operating procedure for small business owners. Sadly, phishing is not the only cyber threat your company may face. Attacks can also come via social media and text messaging or SMS, and some of these attacks will target your business bank account information specifically.
What you need to know
- Smishing is a phishing attack that targets your personal and financial information via SMS.
- Bank text scams are smishing attacks in which a scammer pretends to be your bank notifying you of an unauthorized transaction.
- You should always be cautious and suspicious of text messages you receive from unfamiliar numbers.
What is smishing?
Smishing is a form of phishing specific to text and SMS. It’s a tactic often used when someone attempts to access your personal and financial information by including a fake URL in a text message. Unsuspecting recipients who click on the link are taken to a page that asks them to enter personal or business banking information. That’s almost always a scam.
Financial institutions know how smishing works. They’ll typically avoid sending you links or asking for your personal information with a text message to keep you safe. If you receive anything that looks suspicious, call your bank immediately to make sure it came from them. They may be able to work with law enforcement to find the perpetrators if it’s a scam.
How does a bank text scam work?
A good example of a bank SMS scam is a text from someone pretending to be your bank, alerting you about an unauthorized transaction. Smishing attempts usually include a link or ask you to respond YES/NO. Don’t assume that this is legitimate or harmless—you can always check with your bank to make sure they’re the ones who sent it and that there is indeed an issue that requires your attention.
The negative impact of these smishing texts can be significant. Clicking on the link in a smishing text could initiate a malware attack on your device. That attack could be a denial of service (DoS) that shuts you down or a “trojan” that steals your information. To avoid these, make it a habit never to click a link in a text message unless you get advance notice that it’s coming.
Smishing links could also lead to a form that appears authentic and prompts you to enter personal information. In more sophisticated smishing, responding to the text could trigger a phone call from the scammer pretending to be a bank customer service representative. Many victims fall for this because once they hear from an actual person, they assume it’s real.
How to avoid bank text scams
You can take some precautions to avoid being a victim of bank text scams. The most obvious is to call your bank if you get a strange message from someone claiming to be them. Ensure you have the correct phone number and ask for someone to explain the issue if it is legitimate. You can also save your bank’s phone number to your phone so you know it’s them when you receive a legitimate text.
Here are a few more tips on what to do to prevent smishing:
- Never provide your password or login information via SMS: Both passwords and text message two-factor authentication (2FA) recovery codes can compromise your account in the wrong hands. Never give this information to anyone, and only use it on official sites.
- Look for spelling and grammar errors: Many smishing scams come from outside the United States, so there may be grammar or sentence structure errors.
- Don’t feel threatened by time-sensitive warnings: Banks send written notices in the mail, reach out via email, or put an action item in your online dashboard when something is time-sensitive. Text messaging usually isn’t the primary communication method, unless you’ve opted into text notifications for specific transaction alerts.
- Never click links or reply to unfamiliar numbers: Read the message and call the phone number on the bank’s website, not the number in the text. Never click the link.
- Keep your smartphone apps updated to the latest versions: Hackers and identity thieves stay current on new technology. Make sure you update your apps frequently to help protect yourself with the latest security updates.
- Consider installing additional security software on your phone: Mobile devices have antivirus built-in, but it’s not as good as a security system you pay extra for.
- Use multi-factor authentication to help protect sensitive information: Facial recognition and thumbprint ID are two good examples of multi-factor authentication.
- Validate unsolicited texts by checking with your bank: Never assume that a text is legitimate without checking with your bank first.
Tip for Bluevine customers
Always double-check the phone number: Numbers that look odd—i.e., containing only 4 digits—could be email-to-text services. Verify the number belongs to Bluevine before providing information. Contact us if you’re unsure.
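The warning signs in the tips above (an unfamiliar or very short sender number, a link, a YES/NO reply prompt, time pressure, a request for login details) can be checked mechanically before anyone acts on a message. The following Python is an added example, not Bluevine's code; the saved sender number, the keyword patterns and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: digits of the numbers you saved for your bank (constructed value).
KNOWN_BANK_SENDERS = {"15555550100"}

# Hypothetical keyword patterns for the warning signs in the tips above.
CHECKS = [
    ("link", re.compile(r"https?://\S+|www\.\S+|\b[\w-]+(?:\.[\w-]+)+/\S+", re.I)),
    ("reply-prompt", re.compile(r"\breply\s+(?:with\s+)?(?:yes|no)\b|\byes\s*/\s*no\b", re.I)),
    ("urgency", re.compile(r"\b(?:urgent|immediately|right away|locked|suspended)\b", re.I)),
    ("credential-request", re.compile(r"\b(?:password|passcode|pin|login|2fa code)\b", re.I)),
]

@dataclass
class Sms:
    sender: str
    body: str

def smishing_flags(msg, known=KNOWN_BANK_SENDERS):
    """Return the warning signs found in one message, in a fixed order."""
    flags = []
    digits = re.sub(r"\D", "", msg.sender)
    if digits not in known:
        flags.append("unfamiliar-sender")
    if 0 < len(digits) <= 4:  # very short numbers may be email-to-text services
        flags.append("short-sender-number")
    flags += [name for name, pattern in CHECKS if pattern.search(msg.body)]
    return flags

def triage(msg):
    """Map the flags to the action the tips recommend."""
    flags = smishing_flags(msg)
    if not flags:
        return "no-indicators"
    if "unfamiliar-sender" in flags:
        return "do-not-click-or-reply"   # call the number on the bank's website
    return "verify-with-bank"            # known sender, but still confirm first

# Constructed sample messages, not real traffic.
SAMPLES = [
    Sms("4821", "ALERT: Unauthorized transaction of $950. Your account will be "
                "locked. Verify now at http://secure-bank.example/verify"),
    Sms("+1 (555) 555-0199", "Did you attempt a purchase of $312.40? Reply YES or NO."),
    Sms("+1 555 555 0100", "Your statement is ready in your online dashboard."),
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sms.sender, smishing_flags(sms), triage(sms))
```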
It’s also essential to train your employees to protect themselves and their devices from phishing attacks, including bank text scams—especially if they are authorized users on your account. Schedule some time to have someone teach a class and/or print up some information that employees can take home and study.
Company-wide alignment helps keep everyone prepared and accountable, and proper training can help you avoid financial losses related to fraud scams.
What to do if you identify a smishing attempt
Taking immediate action is important if you receive a questionable text message and identify it as a smishing attempt. Here’s what you need to do:
- Delete the message immediately.
- Block and report the unknown phone number.
- Contact your bank using a publicly listed phone number.
- Report the fraud attempt to your bank’s fraud team.
- Change your password and PIN as soon as you can.
Did the scammer manage to steal your information or compromise your bank account? You can file a complaint with the FCC or report fraud to the FTC. Make sure you document the situation thoroughly and include any screenshots of phishing screens or fake text messages. The documentation is needed for the authorities to prosecute if they catch someone.