Smishing is an attempt to fraudulently obtain consumers' personal information. The "smishers" pose as financial institutions and send requests via text messaging for personal and account information. Typically the message indicates your financial institution name or might state “your credit union.” The message may or may not include the first four to six numbers of a card issued by your financial institution. These first six numbers are a Business ID and are the same for all cardholders for a card type issued by their financial institution, such as a debit card.
There is almost always a threat or negative cardholder impact included in the fraudulent text message, such as “your card has been blocked,” “your card has been deactivated” or “your card has been suspended.” You are then supplied with a number to call to “reinstate” your card. If you respond and call the number, which is never associated with your financial institution, you will be prompted to input some or all of the following: your account number or your full card number, expiration date, PIN or online banking password and/or the CVV2 (three-digit code) on the back of the card. Once you provide this information, the fraudsters have all the information needed to make a counterfeit card and access your account.
Smishing e-mails are generated to thousands of mobile phone users at one time by using a phone number generation tool. The goal is to cast the net wide in hopes of tricking consumers into providing information.
How to protect yourself from becoming a victim of a smishing scam:
If there is a problem with your card or account, here are the ways WSECU will attempt to contact you:
- Never provide personal or card information in response to an unsolicited request.
- Review the contact number and validate this as a legitimate number to your financial institution by using alternate resources.
- Contact your financial institution to verify. If it is after hours, go to their social media site or website to see if any information has been posted about a scam.
- We may send you an alert via Online Banking or a text message. We will ask you to contact us in the message, but we will not ask you to provide us with your full card number, PIN, expiration date, CVV2, Online Banking username or password. When you contact us, we will ask you for your account number or the last four of your card number to ensure accuracy in assisting you with the concern.
- We may try to contact you by phone. We will ask you to return our call and leave brief information about the nature of the call. We will leave our number – 800.562.0999 – with our extension or we may leave a local direct line. These numbers will show on Caller ID as registered to WSECU. If you are not sure, use the 800 number and ask to be transferred to the WSECU employee who left the message. When you call back, we will ask you for your account number to verify your identity before we discuss any problems with your account or your card. We may ask you for the last four digits of your card number to continue with resolution. We will not ask you for your full card number, PIN, expiration date, Online Banking username or password.
- If we can’t reach you and the issue is urgent, we may put restrictions on or block your card or account and mail you a letter. We will always attempt to precede this action with a phone call.
- You may be contacted by our fraud prevention service. This is a voice response system that will prompt you to enter information about the card they are calling on to validate transactions. It will not prompt you for your expiration date, PIN or CVV2. If they are not able to reach you and leave a message instead, they will assign a case number to be used when returning the call.