THE battle for personal information is shifting to cellphones.
SMS phishing, or SmiShing, is a form of fraud where people try to get personal information through text messages, said Scott Gamble, vice-president of account recovery and fraud management at TD Canada Trust. That personal information is then used to commit fraud, he said.
"The text message may ask you to click on a (link), which will direct you to a website and then ask you to confirm some personal or financial information. Things such as credit card, debit-card number, the CVV code on the back of your card, basically anything they can get their hands on," Gamble said.
Sometimes, the message may ask people to call a toll-free number that sends them to an automated system, he said.
"That 1-866 number is the fraudster trying to glean information," Gamble said.
People may not know they are being defrauded when they follow those links, said Dave Mason, a professor of computer science at Ryerson University. When a link is clicked, what usually follows is what appears to be a normal login page for a bank.
"If they're very clever, they can make it so that when you enter your information, it looks like you're logged into the bank and you can see your account and everything else but in the process they've gathered your account password information," Mason said.
The fraud may also extend beyond SMS to things such as social-media sites. Gamble said those trying to commit fraud will build up profiles from any information they can get.
"They might use texting to try to get some information like your social security number, or a piece of your banking information, and they use that maybe in addition to try to find you on Facebook to build a profile. And then they try to maybe access a bank account," Gamble said.
A recent poll by TD Canada Trust found nine per cent of people asked admitted to sharing their credit-card number or other information via SMS. Though the number isn't huge, Gamble said it's still early days, and the risk will increase as more and more people take their banking to their smartphones.
The risk is also higher right now because people still trust their text messages, Gamble said.
"Early on with text messaging, the only people who would text you are your friends or the people you know. Because of that, people would be more confident who would be texting them," Gamble said.
To be safe, Gamble said, people can assume a text message asking for any information should be judged as suspicious.
"Your Canadian bank will not text you and ask for personal information," he said.
TIPS on how to avoid falling victim to SMS phishing:
Never disclose personal information via text. Even when a message looks legitimate, it's better to follow up on it in person, said Dave Mason, a professor of computer science at Ryerson University. "I got one the other day that is actually, as far as I can tell, legitimate, from a bank offering to increase my credit limit. I don't plan to follow the link that it gave; I plan to call the bank and see if that's really the case," Mason said.
Be careful on mobile web browsers. Often, the small resolution and different layout makes spotting fake sites harder, said Scott Gamble, vice-president of account recovery and fraud management at TD Canada Trust. "You'll notice sometimes when you click on those links, and have a look at the URL when you're into the website, it's not the website you think you're in," Gamble said.
Only download software from well-known developers. What looks like a banking app may be fake. Some stores let users see how many times an app has been downloaded. Those with many downloads are usually safer. People should never download apps when prompted through text messages, Gamble said. "They might ask you to download something and by doing that they access information," he said.
Monitor your bank account and let your bank know if you think you're a victim of fraud. People should also let their banks know if they receive text messages they think may be fake, Gamble said. "Even if you get a suspicious text or email, and it might say TD Bank or Royal Bank on it, let your bank know that you received that. That helps us shut these guys down," he said.