Recent reports indicate a rise in text message phishing. Phishing, for those not in the know, means sending messages that claim to be from banks or other financial institutions and which use fear and urgency (”Your account will be closed immediately unless you respond”) to try to trick victims into giving up their sensitive information. Cell phone text messaging had already become an avenue for spam messages, which are annoying but not particularly dangerous from an identity theft perspective. Now, the combination of spam texts and illegal intent has led to a rise in text messages that try to provoke a response. The response that the phishers want contains your Social Security number, bank account number or other private information. It’s the same old thieves wearing a newer, cooler costume.

The most recent major text-message phishing scam was reported nationwide just a few weeks ago. In this particular effort, phishers sent untold numbers of bogus text messages, claiming to represent U.S. Bank. The messages said, “Dear US Bank member, your account with us is closed due to unusual activity, call us at [number withheld].” The recipients represented customers of various cell phone providers and were not necessarily U.S. Bank customers. Like many email phishing schemes, this one had a broad scope in the hopes of getting a few victims to nibble at the bait. It’s difficult to know how many people fell for the scam, but the three return phone numbers that were known to be used in the phishing texts have been shut down by the state.

Banks, meanwhile, must now work to make sure that customers who benefit from their mobile banking services aren’t burned by the same technology. U.S. Bank issued a statement shortly after the phishing attempts were reported, reminding account holders that U.S. Bank does not request sensitive information via email, phone call or text message. CIBC, the Canadian Imperial Bank of Commerce, is one of many financial institutions providing additional information online about phishing, including ways to check for an email’s legitimacy and ways to report fraudulent communications. Most banking websites include safety and security information for consumers, even if consumers don’t always read or heed the warnings.

The advice, of course, has been heard before: treat suspicious texts the same way you treat suspicious emails. Don’t reply, don’t call any phone numbers listed, and don’t go to any websites suggested in the message. If you do receive a message claiming to be from your bank, call your local bank office or a trusted customer service representative (using a number you already know to be valid) to investigate the issue. Remember, no bank is immune to being used as text-phishing bait (Oregon-based Bank of the Cascades was used as a phishing front several months ago, for example, so scammers aren’t limiting their phishing efforts to national banks), and no cell-phone-toting consumer is immune from the potential attack.

If you still have doubts about mobile banking, you can elect to discontinue it entirely. As IdentityTheft.com noted, mobile banking has many pros (including ease of use, free updates and no account numbers sent in text messages), but it also has many cons (including potential lack of encryption, lack of security and lack of anti-virus software in some phones). The site notes that the technology is still fairly new and untested and suggests asking both the bank and the cell phone provider about the security of the systems used before signing on for mobile banking, just in case. When in doubt, consumers can just skip the mobile updates and do their banking the old-fashioned way (well, as old-fashioned as “online” can be). That way, ANY text messages that claim to represent the bank can be known as fraudulent the minute they arrive on one’s phone.

Sources for this article: Minneapolis Star Tribune, CIBC, IdentityTheft.com, ConsumerAffairs.com

Text message spam (often called m-spam, for “mobile spam”) is among the most annoying spam we get. We’ve all gotten pretty accustomed to receiving spam in our email inboxes, even if we don’t care for it. But our cell phones are more personal. Receiving an unexpected text message that advertises something feels like more of a violation than other methods of spam. Also, many people pay per text message for the SMS technology, incoming AND outgoing, so victims end up not just enduring but PAYING for the experience of receiving unwanted texts. Customers don’t have the option of choosing which of their incoming text messages they accept (and agree to pay for) and which ones they don’t. Text message spam is frustrating and costly, so what can be done about it?

The CAN-SPAM Act of 2003 addresses this issue, at least in part. The Act prohibits sending unwanted commercial email messages to wireless devices without express prior permission. The definition of “commercial messages” (those that advertise a product or service) is pretty widely understood. That said, the CAN-SPAM Act covers messages sent to cell phones and pagers IF the message uses an Internet address that includes an Internet domain name. It does not cover “short messages” sent from one phone to another.

So if a spammer sends commercial texts to your cell phone and uses another phone (instead of a computer) to do it, are you stuck without any recourse? No, because where the Act leaves off is where the Telephone Consumer Protection Act (TCPA) and other FCC rules take over. From the FCC website regarding the TCPA: “FCC rules prohibit sending unwanted text messages to your wireless phone number if they are sent using an autodialer, or if you have placed that number on the national Do-Not-Call list.”

So for starters, put your cell phone on the Do-Not-Call list, just in case you receive (or fear you might receive) undesired text messaging. That way, you’ll have grounds for filing a complaint with the FCC. Keep in mind, though, that some messaging is exempt from the bans; for example, if you have an established relationship with a business (i.e., messaging regarding a warranty you have on a product you’ve bought from them), if you’ve given them consent to text or call you (always read the fine print when you sign up for a service, just to make sure you’re not giving consent if you don’t want to), or if the messaging falls under the noncommercial category (which includes political organizations and religions), you’re not allowed to file a complaint. But outside of these exceptions, if you put your phone on the Do-Not-Call list and still receive spam texts, or you receive a commercial message sent via email that is clearly in violation of the CAN-SPAM Act, you can file a complaint here.

What about short-code text messages? You know, the ones with just a 4-6 digits instead of a full phone number. If you get messages from short-code sources, you probably opted-in for something, such as radio station updates. If you don’t want to receive them anymore, reply with “STOP” and see if that works. If you’re not even sure where the messages are coming from, there’s a short-code registry that allows you to check. It’s not guaranteed to be accurate, and it’s not comprehensive, but it’s a start if you need to find out the source of your unwanted messages so you can contact them and tell them to stop.

What else can you do to prevent text message spam before it happens? First, don’t give your cell phone number out unless you absolutely have to. Don’t post your number online where people can find it, since that’s just an invitation to spammers. If you DO feel the need to share your number with a website (say, when you’re signing up for alerts), read their privacy policy to make sure that your phone number won’t be sold to a third party. You don’t want to unknowingly give out that “express prior permission” described in the CAN-SPAM Act that would open the door for spammers to flood your phone with messages.

You can also contact your cell phone provider to make them aware of unwanted text messages if it becomes a problem. AT&T, T-Mobile, Sprint and Verizon offer methods on their websites that allow customers to block emailed messages (or just certain domains) sent to their phone; for each provider, look for “text messaging preferences” or “communication tools” after you log in to get you started on setting up an email block. Even if your carrier doesn’t offer this feature online, most U.S. carriers should be able to handle this for you if you call them directly. Be careful using this option, though, since it could block messages you actually WANT to receive via email-based messaging, such as the message from your airline notifying you of a flight change. 

If all else fails, responding to a text spam with the word “unsubscribe” is worth a try.

Sources for this article: www.fcc.gov, www.lifehacker.com, www.consumer-preference.com, Wikipedia, Pogue’s Posts