Text message scammers quietly prey on regional banks

You get a text message from your bank telling you there's been suspicious activity on your account. You call the number on your phone to see what's going on, and before you know it, you're a victim.

Welcome to the next big thing in phishing.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Law enforcement and security experts say that for more than a year now, scammers have been using scam text messages to prey on small regional banks and their customers. And according to a report set to be released next Tuesday by Cisco Systems, the problem has only been getting worse in recent months.

"It's a serious problem," said Pat Peterson, a security researcher with Cisco.

Here's how the scam works. The criminals pick a bank -- say a credit union in Medford, Oregon -- then they bombard every phone in Medford's 541 area code with a phishing message sent by SMS (Short Message Service) telling the victims to call a fake 800 number that looks like it's from a local credit union. Because they're targeting a bank in the region, the bad guys have a pretty good chance of hitting real customers who may not have heard about the scam.

They use the open-source asterisk software to set up a fake voice-operated system and steal information when people enter their account numbers, passwords and other sensitive information to authenticate themselves on the system. When the criminals use this information to transfer money overseas, the banks take the loss.

By targeting regional banks, they scam has managed to stay somewhat under the radar and not attract a lot of attention, said Nick Newman, a computer crimes specialist with the National White Collar Crime Center. Big banks have large security teams set up to tackle this type of fraud, but with a regional institution such as a credit union, "their entire IT team for the bank might be only five people," he said.

Another problem for the banks is that the scam subverts one of the main techniques that banks and security experts have been trying to drill into their customer's heads for years now, Newman said. "We always say, 'If you have any questions, call your bank, or they'll call you.' Well SMS is pretty close to calling your bank. It gets to the point where it's like, 'What do we tell people to do now?'"

This past weekend, the scam hit southern California, where Wescom Credit Union and Farmer's & Merchants Bank were targeted. But they're just the latest of many.

The criminals have been going through the country credit union by credit union, bank by bank, Peterson said.

"It's working pretty well for them," he added. "It's a pretty innovative technique."

Sometimes it works exceptionally well, in fact. When Medford's Bank of the Cascades was hit with the attack in May this year, the scammers got more than they bargained for, according to Detective Sergeant Kevin Walruff with the Medford Police Department. "I've spoken with people that gave their personal information and aren't even customers with Cascades bank," he said. "They actually called that number and provided information."