The Internet User Security Office (OSI) warns that it has detected several fraudulent SMS campaigns (smishing) impersonating banking entities such as CaixaBank, BBVA and Banco Santander.
The objective of these messages is to lead the victim to a fake page that pretends to be the bank's legitimate website, in order to steal the credentials for the online banking service along with banking information. The text of the message tries to alarm the user into clicking the link quickly and following the steps indicated without stopping to analyze the situation.

Fake SMS for CaixaBank, BBVA and Santander clients
This is not the first wave of fake SMS impersonating banks. It is increasingly common for cybercriminals to impersonate banks or large companies by SMS or by email (phishing) with the sole purpose of stealing the personal data, account access and passwords of the victims who receive these messages.
The SMS detected in this campaign carry the following texts:
CaixaBank
“You cannot use your account. Activate the new security system now: [malicious URL]”
BBVA
“Your account has been temporarily suspended for security reasons, follow the link to verify your identity: [malicious URL]”
Santander Bank
“Our system alerts us of an unauthorized pre-charge of 379.99E with your card. To cancel the payment follow our link: [malicious URL]”
“A fraudulent operation has been carried out in your online banking. Check immediately at: [malicious URL]”
However, it is not ruled out that other messages with similar characteristics are being used, nor that these messages are also reaching mobile devices via email.
In general, all the messages report some type of problem with the recipient's bank account and claim that, to solve it, it is necessary to click on the link provided in the SMS. As you may have seen, some messages contain spelling and grammatical errors, which is a reason to suspect possible fraud, since banks of this kind would not make such errors in their writing.
Some messages may show the bank itself as the sender, that is, the sender is spoofed, while in other cases an unknown number appears. Once the fraudulent link is opened, the user is redirected to a page that asks for credentials (username and password) in order to access the supposed online banking service. After the access credentials are entered, the cybercriminals will be in possession of the victim's data and will be able to access the accounts of the users who have fallen into the trap.
How to avoid it
If you have received an SMS with the characteristics described above, accessed the link and provided your credentials, as well as any other personal data, the first thing you should do is contact your bank as soon as possible to inform them of the situation and cancel any transactions that may have been carried out fraudulently. Also block access to your account and cards, and update the access data for your online banking service to prevent third parties from getting in. In addition, it is recommended to change the password of any other accounts or services where you used the same password as for your online banking.
Some of the recommendations that you should follow to avoid being a victim of smishing fraud are the following:
- Do not open messages from unknown users. It is best to delete them directly and in no case reply to these SMS.
- Pay attention when following links, even if they are from known users.
- Check the URL of the web page. If there is no certificate, do not provide any personal information.
- If in doubt, contact the company involved.
Additionally, take into account the advice provided by banks and financial institutions in their security section:
- Close all applications and programs before accessing your bank's website.
- Write the URL of the entity directly in the browser.
- Your bank never notifies you of incidents with your account through an SMS or email that includes a link to its website.
- Make sure that the app you download is your bank's official one.
- Always use strong passwords and double verification systems.
- It is advisable not to access your online banking through public devices or those connected to public WiFi networks.