[Image: Smishing (smish-ing): Sending fraudulent messages, or phishing, through SMS text messaging.]
October 10, 2019

‘I have a background in cybersecurity … and I still got scammed’

Raising awareness of ‘smishing’ and other social engineering scams is critical as cybertheft evolves.

Wells Fargo customer Doug S. had just arrived in the Middle East on a business trip when he received a text alerting him to a problem with his Wells Fargo account. A few minutes earlier, he had lost internet connectivity while attempting to sign on to the bank’s mobile app, so he figured the text was part of the reauthentication process. He clicked through to a webpage that looked official, and began entering his personal and account information.

“At some point, it popped into my head, ‘Why are they asking me for my PIN?’” he said. “But after 11 hours of flying, then getting to the hotel and checking in, I was kind of flustered and just wanted to resolve the issue and get it over with.”

“Looking back,” he said, “Who fills in their Social Security number on a mobile app? I have a background in cybersecurity and data. I know why and how these things happen, and I still got scammed.”

‘Smishing’ for confidential information

Doug had fallen victim to smishing, or SMS phishing, an increasingly common type of social engineering scam designed to manipulate people into divulging confidential information through mobile phone texts. Scammers use spoof texts and fake sites that look legitimate to gather bank account numbers, Social Security numbers, and passwords to commit fraudulent transactions.

Gary Owen, Wells Fargo’s chief information security officer, says awareness of these social engineering scams is critical, especially as cybercriminals become more adept at spoofing friends, family, and businesses to catch potential victims off-guard.

“When Wells Fargo contacts a customer, we will never ask for a card PIN, access code, or online banking password,” said Owen. “If you feel uncertain at all, don’t respond, and instead call the number on the back of your card to verify the legitimacy of any request.”

In Doug’s case, once he gave up his personal information, thieves were able to make multiple $500 withdrawals through card-free ATM transactions. It wasn’t until his debit card was declined a few weeks later, while he was trying to make a purchase, that he realized he had been scammed.

He contacted Wells Fargo’s Online Fraud department, and the bank worked with him to log the details of the cybercrime and return the funds.

“They took the time to really walk through what they were doing to fix the problem and what my expectations should be,” he said of the fraud team. “They were incredibly helpful.”

Other common scams

[Image: Screenshot of a phone with the text message: “WellsFargoMobile Dear customer, for your protection please update now your mobile app:”]
These screenshots show how scammers have spoofed Wells Fargo’s identity to trick customers into revealing personal and account information.

Another common social engineering scam involves tech support. Owen says these scams make up about one-third of calls to the Online Fraud department. Victims see an urgent message pop up on their computer screens, or receive a call warning them of computer problems, and are urged to call a fake support number to fix it. Payment is then requested, usually through Zelle or prepaid gift cards.

Daniel Boe, a Wells Fargo financial crimes specialist, recently helped a customer in Arlington, Texas, who had been conned by thieves promising a refund for tech services. In the span of a day, the elderly customer was tricked into letting scammers access his computer to purportedly remove a virus program, as well as buying prepaid gift cards for them and relaying the redemption information over the phone.

Boe helped the customer secure his accounts and walked through the details of the scam to help him avoid similar pitfalls in the future.

Tips for protecting personal information

October is National Cybersecurity Awareness Month, which is a great opportunity to familiarize yourself with the latest information to stay safe online. Visit Wells Fargo’s Fraud Prevention Tips page to get started.

“Customers should be wary of divulging any information through phone calls or text messages from people they don’t know,” said Adam Vancini, head of Virtual Capabilities & Operations for Wells Fargo Virtual Channels. “It’s also important to regularly review your account activity through online or mobile banking and report any suspicious or unauthorized transactions immediately.”

Other best practices to help keep bank accounts safe include choosing usernames and passwords that are different from other online accounts. For stronger passwords, use a unique phrase with a mix of letters and numbers. Activating two-factor authentication, which requires an additional verification step to sign on to online banking — usually in the form of a code sent to your phone or email — also helps keep accounts secure.

Ultimately, as cyberthieves continue to cook up variations on scams, customers should take caution with any request for personal information or payment for unsolicited services. Doug, who received the texts spoofing Wells Fargo, says scammers are still sending him similar messages, but he’s learned the hard way to ignore them.

“I’m definitely on red alert now,” he said.

Zelle and the Zelle related marks are wholly owned by Early Warning Services, LLC and are used herein under license.