Are your business text messages open to identity fraudsters?

Technology is used to protect people and companies against fraud but unfortunately it can also be used to assist fraudsters during a scam, especially when certain technologies are used widely among businesses to send communications. Increasingly, reckless communication practices by companies play into the hands of fraudsters. All it takes is one irresponsible communication that fraudsters can replicate and a company’s integrity will be at risk and its customers’ defrauded.

This is true for email where the most common techniques used to defraud people are phishing scams, an attempt to trick a person into revealing personal information such as credit card details or bank account information by sending an email with a fake web address or telephone number, and ‘419 scams’, so named after the section of the Nigerian penal code that addresses fraud schemes, where a person is persuaded to advance relatively small sums of money in return for larger financial gain.

Due to the broad appeal of text messaging for business communications, phishing scams now also target mobile phone users by using a text to initiate a communication. For example, text message phishing, occurs when customers receive a text message from what seems to be a reputable financial institution prompting them to call a telephone number due to a possible fraudulent transaction on their account. They are then requested to divulge their PIN number, or other personal details, on the pretence of changing their PIN to secure their account. The fraudster however is now able to access the callers’ funds. Customers become victims of the very fraud that they are trying to prevent when they follow up on these sorts of text messages.

The communications conundrum

While text messaging can be used in many ways to make transactions safe and reliable, it requires the careful planning and the implementation by companies of suitable communication policies and procedures. Companies require a good understanding of the benefits of texting - messages are read immediately as people have mobile phones with them all the time. Companies also need an understanding of the text message’s weaknesses - these messages are not encrypted and are easy to imitate.

Some financial institutions may even perpetuate the impression that it is acceptable to divulge your personal information via insecure electronic channels – as long as you provide it only to your own banking institution. For instance, an institution may request your name, credit card number, Identity number and preferred e-mail address to the email address given in the text or call the client care centre telephone number provided. Not only is email an insecure means to send personal information but fraudsters can quite easily pretend to be your bank and imitate marketing material, emails and text message communications. Phishing scams go so far as to disarm customers by including the warning: “don’t divulge your personal information to anyone but your trusted bank” in emails sent.

Then there are your typical banking notifications sent by text message telling you that someone has logged onto your internet banking account. The bank’s name is followed by: “Internet – confirmation of log on: Account number ending in …5601: 26June08: 17h45: Helpline: xxx xxx xxxx”. As text messages are sent in plain text, it is very easy for a fraudster to imitate this message and include their own contact number in a message. In addition, by sending you this message, you would suspect that someone has fraudulently logged onto your Internet bank account. You call the number displayed in the text message thinking it’s your bank’s call centre, and there is someone on the line that asks you for all your relevant personal and account details and then offers to change your PIN to ensure the security of your account. At that point you have given all your account details and are now open to fraudulent activity on your account.

While it is easy to get caught up in the threat of text message phishing scams, the most effective solution to combat this fraud is for businesses to educate their customers about the risks involved when responding to a text message. Fraudsters rely on the ignorance of people and the trust customers place in their bank or other reputable brand.

1. Only send out relevant information and never ask customers to provide sensitive information via insecure electronic channels such as e-mail or text.
2. When communicating with customers using text messages, personalise the messages and include information that would not be available to phishers. This will enable customers to distinguish between legitimate and phishing messages.
3. Look critically at your text message and email communications, and consider whether fraudsters could benefit from imitating your message. Educate your customers on potential phishing scams. Inform your customers as soon as you are aware that someone has been using your company name fraudulently.
4. Make your text messaging policies known (e.g. message will always be personalised or we will never ask you to give us your PIN number).
5. Ensure that your marketing material is consistent with the communications you send to customers and that call centre staff are well trained.

1. Never respond to a text or email message that requests personal information. Do not divulge sensitive information such as credit card numbers via insecure electronic channels such as texting, e-mail or over the telephone.
2. Be aware that it is easy for criminals to imitate organisations by using electronic communications and initiate emails or text message phishing scams. If unsure whether or not something is a scam, always take the time to investigate it.
3. Always verify a contact number, especially those in emails or text messages. If the “bank” called you, call them back. Double check phone numbers that appear in a text message – you can do this via the Internet or by referring to any marketing material. For ease of reference, store banking phone numbers on your mobile phone, along with email and website addresses.
4. Never ever give your PIN number or password to a PERSON. Only use your PIN on systems that have been designed for this purpose, i.e. ATM’s and official internet banking sites. These systems have been designed such that employees at the bank cannot access this information.
5. Report it. If you are unsure of how a company received your number, or are suspicious about a text message that you have received, you should contact the company and report your concerns. You can also visit the Mobile Data Association and 160Characters Association for more details on text messaging regulations in the UK.