A new wave of cyber-criminal activity is here, and you need to be prepared to fight it, as you may not be able to get a refund from your bank. Smishing is a new style of phishing attack that targets you by text message rather than email. Just like phishing emails, smishing messages are sent out to numerous people. They impersonate your bank and either try to persuade you to send back important account information or include a link to a fake website that will steal your account details.

Smishing messages are a lot more dangerous than the usual phishing emails because of the various techniques an attacker can use to steal someone's account details. In one of them, a cybercriminal who knows the target's phone number and email address starts a "forgot password" request. The bank then sends the target a genuine text message with a code to type into the online banking page to gain access to the account. The cybercriminal then sends the target a spoofed text that appears to come from the same number as the bank's genuine message, asking them to reply with the code from the previous message. Because it appears to come from the same mobile number, your phone will automatically put the spoofed message in the same thread as your previous genuine bank messages.


One Santander customer named Edward Smith received a message on an existing message chain from Santander asking him to phone a number because there was potentially fraudulent activity on his account. The message was part of the chain of previous genuine messages from his bank. The phone number had been sent by a cybercriminal using the spoofing technique described above so that his text appeared in the target's message chain. When Mr Smith phoned the number, he was asked to generate a one-time password (OTP) from his bank and then give this number to the scammer. At this time he received another phone call, which was genuinely from Santander, asking him to confirm a payment of £2,700 to "Edward Smith". This transaction was not to himself but to the scammer, who had changed the name of his account to match Mr Smith's.

Mr Smith confirmed that transaction and gave his OTP to the scammer, who then used this information to access his online account and send over a further £20,000. Mr Smith never confirmed this second transaction and was never notified of it by Santander. Soon after, he received another genuine call from Santander informing him that fraudulent activity had occurred on his account. He then confirmed with the genuine Santander fraud team that the transactions were not authorised, but he has not been able to get any of the money back. Even though he did not authorise the £20,000 withdrawal from his account, the bank is holding him responsible for what happened to his money because he had given the scammer his OTP.

If you receive a message on an existing message chain from your bank asking you to call a number, or to generate a code from your bank and reply with it, don't do it. Your bank will never ask you to give them your OTP, as this is used for the customer to gain access to their account if they do not know the password. If you ever receive any of these messages or get a phone call about fraudulent activity on your account, hang up the phone and either go to your bank's website and call the help number from there, or go into your bank's branch and meet them in person to find out the issue. If you get a phone call from your bank asking you to confirm a transaction that you have never made, don't confirm it, even if they say that it is going to an account with the same name as your own.