Phishing, Vishing, and Smishing are all variations on a type of scam that attempts to trick victims into revealing financial or personal information to someone posing as a financial institution, government agency, or other trusted organization. The difference in the three is that Phishing is delivered by e-mail, Vishing by voice phone call, and Smishing by SMS text message.
In a typical phishing scenario, the victim receives an e-mail message that claims to be from a credit union, bank, or credit card issuer, claiming that there is some problem with the recipient’s account. The e-mail could be generic, stating that it is being sent from “your card issuer” or some other generic phrase, or it might be very specific and include formatting and graphics that make it appear to come from a specific financial institution or organization.
Regardless of the formatting, these types of scams share several characteristics:
- Appears to come from a trusted source
- Includes warning that something negative is about to happen to you or your accounts. Warnings about account, card, or online banking suspension are typical.
- Requests you to “verify” personal or financial information in order to restore services.
- Provides a link to a web form to enter your information
Vishing and Smishing are similar, except that instead of receiving an e-mail, the initial warning is delivered by voice call (usually automated) or SMS text message. Usually these are targeted at debit or credit card holders, and claim to be from a card fraud department or something similar. Usually you will be asked to call a phone number that will prompt you to enter your card number, as well as other info that can be used by the scammers to place fraudulent charges on your card. Some more daring Vishing attacks will actually use a live person to collect the information).
So how can you protect yourself? First off, any financial institution that may contact you about fraud on your account will already know everything about you and your accounts. They will not need you to provide a full account number and they will never, NEVER, require you to reveal your PIN. Depending on the financial institution, they may require you to verify some information just to make sure they are speaking to the correct person, but it will never be enough information to compromise your identity. If you are ever concerned about a call you receive, ask for a call back number. You can then call the number on the back of your card and verify that the call and the phone number were legitimate. If the call was related to a deposit account or online banking, call them back on the number provided on your financial institution’s website.
The bottom line is that it is ok to be suspicious and to question calls, e-mails, or text messages you receive. If something doesn’t seem right, trust your instincts and don’t feel pressured to reveal information that you do not want to reveal.
Another important thing to remember: Some attacks now don’t require you to enter information. Instead, they provide a link to a website. Simply by going to that website, your computer becomes infected with malware that can be used to steal information from your computer. See “What is malware and how can I protect myself” for more information.