Over the last few days, Swiss e-banking customers have repeatedly fallen victim to phishing attacks via SMS. In the process, the criminals involved netted several tens of thousands of francs.
It sounds quite harmless: “Hello. To verify your account, please use the following link.” This SMS shows the name of your own financial institution as the sender of the message. The link does not look suspicious either, since it seems to contain the correct bank domain name.
So, everything’s okay really? Well, it isn’t. SMS messages of this kind are phishing attempts that have been targeting Swiss banking customers for about a week now. And sometimes successfully: so far, the criminals involved have succeeded in transferring several thousands of francs from e-banking customer accounts after their unsuspecting victims clicked the link contained in the SMS and entered their e-banking access data on the linked website, which was a faked version of the bank’s actual website.
How can you expose such scamming attempts? SMS phishing (“smishing” for short) is so perfidious because most of the criteria used to recognise phishing e-mails don’t apply to SMS messages. It is not common to include any form of personal address in an SMS, so it is generally missing. The language and design of text messages are too simple and brief to allow any conclusions as to whether they are fake. And checking the true sender and the link is rather difficult or unreliable on most mobile devices. The customers of some banks are also used to receiving SMS messages to verify their e-banking log-in or before financial transactions are carried out.
Still, the following recommendations will help protect you against falling victim to SMS phishing attacks:
- Be wary of any SMS messages, in particular if you receive them unexpectedly or if they ask you for personal details.
  Financial institutions will never ask you to log into their site or enter your access data via SMS!
- Never click on any links included in SMS messages. Instead, manually enter the familiar website address of your financial institution into your browser. Then check that there is a secure connection (lock symbol, target address) before entering any sensitive information such as access data into the forms.
- If you receive any unexpected SMS messages, contact your bank via the contact information you know (for instance their official telephone number) and have them confirm that they actually sent this SMS.
- Delete any suspicious SMS messages immediately, and let your financial institution know.
Additional information can also be found in our article on Phishing and in our “How to protect yourself against phishing attacks” info sheet.