The FBI Issues Holiday Warning About Smishing, Vishing, and Other Scams by Cyber-Criminals

November 29, 2010

It's not just the holiday season for shoppers: cyber-criminals look forward to this period of increased retail activity as a way to steal our money and personal information. This new wave of fraud no longer targets only your somewhat antiquated desktop computer or even your laptop; the scamsters are now finding ways to rip you off via all your wireless devices. In response to this wave of fraud, the Federal Bureau of Investigation (FBI) has warned the public to use caution when making online and cellphone purchases.

Smishing and Vishing

During this holiday season, you may receive a text message or an automated phone call on your cellphone saying there's a problem with your bank account. You're given a phone number to call or a website to log into and asked to provide personally identifiable information (like a bank account number, PIN, or credit card number) to fix the problem.

Beware: It could be a "smishing" or "vishing" scam…and criminals on the other end of the phone or website could be attempting to collect your personal information in order to help themselves to your money. While most cyber scams target your computer, smishing and vishing scams target your mobile phone, and they're becoming a bigger threat as a growing number of Americans own mobile phones. (Vishing scams also target land-line phones.)

"Smishing": a combination of SMS texting and phishing

"Vishing": voice and phishing

Smishing and vishing are two of the scams the FBI's Internet Crime Complaint Center (IC3) is warning consumers about as we head into the holiday shopping season. These scams are also a reminder that cyber crimes aren't just for computers anymore.

Here's how smishing and vishing scams work:

  • Criminals set up an automated dialing system to text or call people in a particular region or area code (or sometimes they use stolen customer phone numbers from banks or credit unions).
  • The victims receive messages like: "There's a problem with your account," or "Your ATM card needs to be reactivated," and are directed to a phone number or website asking for personal information.
  • Armed with that information, criminals can steal from victims' bank accounts, charge purchases on their charge cards, create a phony ATM card, etc.
  • Sometimes, if a victim logs onto one of the phony websites with a smartphone, they could also end up downloading malicious software that could give criminals access to anything on the phone.

With the growth of mobile banking and the ability to conduct financial transactions online, smishing and vishing attacks may become even more attractive and lucrative for cyber criminals. Here are a couple of recent smishing case examples:

Account holders at one particular credit union, after receiving a text about an account problem, called the phone number in the text, gave out their personal information, and had money withdrawn from their bank accounts within 10 minutes of their calls.

Customers at a bank received a text saying they needed to reactivate their ATM card. Some called the phone number in the text and were prompted to provide their ATM card number, PIN, and expiration date. Thousands of fraudulent withdrawals followed.

Gone Phishing: Illegitimate Delivery Services

The major legitimate delivery service providers do not e-mail customers directly regarding scheduled deliveries; you have to already have an existing account for this type of communication. Nor will they state when a package has been intercepted or is being temporarily held. E-mails about these issues are phishing scams that can lead to personal information breaches and financial losses.

Be Safe: Never immediately reply to emails from purported providers such as FedEx, UPS, etc. The better practice is to find the authentic website or 800-number for such companies and to confirm any delivery queries. Most reputable delivery firms have an online "Track My Order" link you can use to trace a delivery.

Think about this: Why would a delivery company need to know confidential information or financial data in order to deliver a package to you?

Have I Got A Deal For You

The FBI warns that Internet criminals post classified advertisements on auction websites for products they do not have. If you buy merchandise promoted via an online ad or auction site but receive it directly from the retailer, it could be stolen property. You can protect yourself by not providing the seller with your financial information.

Use legitimate payment services for transactions. Fraudsters will also offer reduced or free shipping to auction site customers. They provide fake shipping labels, but they don't pay for the packages' delivery. Parcels shipped with these phony labels are intercepted and identified as fraudulent.

The Gift That Doesn't Keep On Giving

It's safest to purchase gift cards directly from merchants rather than through auction sites or classified ads. If the merchant discovers the card you received from another source was initially fraudulently obtained, the card will be deactivated.

FBI's Internet Crime Complaint Center (IC3)
Consumer Protection Tips
  • Treat your mobile phone like you would your computer…don't download anything unless you trust the source.
  • When buying online, use a legitimate payment service and always use a credit card because charges can be disputed if you don't receive what you ordered or find unauthorized charges on your card.
  • Check each seller's rating and feedback along with the dates the feedback was posted. Be wary of a seller with a 100 percent positive feedback score, with a low number of feedback postings, or with all feedback posted around the same date.
  • Don't respond to unsolicited e-mails (or texts or phone calls, for that matter) requesting personal information, and never click on links or attachments contained within unsolicited e-mails. If you want to go to a merchant's website, type their URL directly into your browser's address bar.
  • Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail with the link to which you are directed to determine if they match and will lead you to a legitimate site.
  • Log directly onto a store's website identified in the e-mail instead of linking to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.
  • If you are asked to act quickly, it may be a scam. Fraudsters often create a false sense of urgency.
  • Verify any requests for personal information by calling the business or financial institution using the phone numbers listed on a billing statement or credit card.


If you have received a suspicious e-mail, file a complaint with the Internet Crime Complaint Center:

For more information on e-scams, visit the FBI's E-Scams and Warnings webpage: