Staying protected from cybercriminals is something everyone needs to do now that we’re living in a digital world. Data breaches, robocalls and phishing scams seem to be popping up constantly.
Certainly, by now you’ve heard us warn you against phishing. This is when a scammer goes to great lengths to create an email or text that appears to be from someone you trust, hoping you’ll click on a malicious link.
These attacks can have horrifying results, such as your gadget being infected with malware, or worse, having your banking login credentials stolen.
And these criminals, like technology itself, evolve with the times as they develop new techniques and high-tech ploys to fool you. Take this new attack, for instance – it takes one modern banking convenience and turns it into an opportunity to drain your bank account dry.
Do you use cardless ATMs?
Have you heard of cardless ATMs yet? A growing number of banks are now allowing customers to withdraw money from these machines with just their smartphones. With the use of a banking app and contactless payment methods like NFC, Apple Pay, Samsung Pay or Android Pay, customers can simply hold their smartphones to withdraw cash from a cardless ATM.
It’s convenient, for sure, since it skips the need for a physical banking card to make quick ATM transactions. However, it comes with its own set of loopholes, as usual.
The problem is that criminals are now clued into this new method, and with the help of SMS text-based phishing (also known as smishing), they’re now able to use stolen credentials to quickly drain an account with the use of their smartphones.
Security website KrebsOnSecurity warns that this cardless ATM scam is spreading fast! In fact, scammers have already victimized 125 Fifth Third Bank customers from Cincinnati, Ohio, netting them around $68,000 from 17 ATMs in Illinois, Michigan and Ohio in less than two weeks.
Aside from skimmers, shimmers and spoofed phone scams that are duping even the experts, cardless ATM smishing is definitely another growing scheme that you have to watch out for.
How the scam works
Here’s how the cardless ATM + smishing scam works. First, the scammers will send you a text message that claims to be from your bank, warning you that your account has been locked.
To unlock your account, the text message then conveniently provides you a link for that purpose. You probably know what’s next, right?
Yep, the link goes to a fake site that mimics your bank’s official website. The fake site will then prompt you to enter your banking credentials such as your username, password, one-time passcodes and PIN numbers – everything the criminal needs to take over your account.
After grabbing this info, the thieves will log in to your bank as you, add their own phone number to your account and then use it to withdraw your funds from cardless ATMs with just their smartphones.
Krebs said that in some cases, the scammers don’t even need your PIN code to associate another phone number to your account.
In fact, last year, a woman in California had almost $3,000 stolen from a cardless ATM when thieves were able to add a phone number to her account by merely providing her username and password.
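The pattern described above (a phone number is added to an account, then cash leaves through cardless ATMs shortly afterwards) is something a bank can check for on its side. The following is an added example, not code from KrebsOnSecurity or any bank; the event schema, the account and phone values and the 48-hour cooling-off period are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank data); field names are assumptions.
EVENTS = [
    {"ts": "2018-02-01T08:00:00", "account": "A-100", "type": "phone_added",
     "phone": "+15550100"},
    {"ts": "2018-02-20T12:00:00", "account": "A-100", "type": "cardless_withdrawal",
     "phone": "+15550100", "amount": 60},
    {"ts": "2018-02-21T03:10:00", "account": "B-200", "type": "phone_added",
     "phone": "+15550199"},
    {"ts": "2018-02-21T03:25:00", "account": "B-200", "type": "cardless_withdrawal",
     "phone": "+15550199", "amount": 500},
    {"ts": "2018-02-21T03:40:00", "account": "B-200", "type": "cardless_withdrawal",
     "phone": "+15550199", "amount": 500},
    {"ts": "2018-02-21T11:00:00", "account": "C-300", "type": "cardless_withdrawal",
     "phone": "+15550111", "amount": 40},
]

def flag_new_phone_withdrawals(events, cooling_off=timedelta(hours=48)):
    """Return withdrawals made with a phone enrolled less than `cooling_off` earlier."""
    enrolled = {}  # (account, phone) -> time the phone was added
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev["phone"])
        if ev["type"] == "phone_added":
            enrolled[key] = ts
        elif ev["type"] == "cardless_withdrawal":
            added = enrolled.get(key)
            # A phone with no enrollment record here is treated as long-established.
            if added is not None and ts - added < cooling_off:
                flagged.append((ev["account"], ev["ts"], ev["amount"]))
    return flagged

def held_total(flagged):
    """Sum flagged amounts per account: what a hold on new phones would keep back."""
    totals = {}
    for account, _, amount in flagged:
        totals[account] = totals.get(account, 0) + amount
    return totals

if __name__ == "__main__":
    hits = flag_new_phone_withdrawals(EVENTS)
    for hit in hits:
        print("review:", hit)
    print("held per account:", held_total(hits))
```

A rule like this would normally trigger a hold or an out-of-band confirmation to the customer's previously registered contact details rather than an outright block.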
Are cardless ATMs worth it?
As I mentioned earlier, cardless ATMs offer their own set of conveniences to customers, but unless banks shore up their security against phishing scams, they are likewise convenient to criminals, offering a quick and dirty way to drain bank accounts.
Naturally, the more banks adopt cardless ATM transactions, the more prevalent this scam will be. Although cardless ATMs were limited to big banks last year, many smaller and regional banks are starting to upgrade their machines to adopt this new method.
To quickly find out if your bank already supports cardless ATMs, do an online search for your bank name followed by “cardless ATM.” Better yet, call its customer support number to verify for sure.
If you think the convenience of cardless ATMs outweighs the risks, go ahead and enable it through your banking app. Keep in mind that you’ll need to be extra vigilant against phishing attempts when you turn this on. You can always disable it later.
In the meantime, here are valuable tips on how to avoid text-based smishing scams.
How to avoid a smishing scam:
- Phone number – If you receive a text or email claiming to be from your bank, do NOT call the phone number that is provided. Whenever you need to discuss banking details, always call the number that is printed on the back of your debit or credit card. That way you know the number is legit and you’re not going to be scammed.
- Don’t follow links – Never assume that a text message or email is genuine. Scammers can spoof phone numbers and email addresses to make them look official. Don’t click on links within these messages; always type the website address into your browser or call the phone number located on the back of your card.
- Security details – You should NEVER reveal your security details like your full passwords or PIN code over the phone. A bank will never ask for your online account password over the phone. They might ask you to answer a preset security question, which is fine, but never your password.
- Trust your instincts – If a text or email seems suspicious, delete it immediately. Follow up by calling the company using the trusted phone number on the back of your card.
- Take your time – If you receive a call from someone claiming to be from your bank, don’t let them rush you into giving them sensitive information. The incoming number could have been spoofed and a scammer might be on the line. Just tell them that you need a moment and you will call them back. Then call using the phone number that you know is correct.
- Don’t feel pressured – If the person calling is pressuring you to give them sensitive data, stay calm and refuse. Just hang up the phone and call the company’s trusted number to follow up with the issue.