
Police cybercrime group warns of massive ‘smishing’ fraud aimed at bank clients in the province

The criminals want to gain access to people’s accounts and the temporary two-factor authentication codes sent by banks. Their aim? To steal your money.

SUR Malaga

The cybercrime group based at Malaga's provincial National Police headquarters is warning people to look out for another bout of ‘smishing’, a process by which people receive phone or email messages purporting to come from their bank, which aim to gain access to their account details. The police say it is important not to trust these communications and to follow guidelines on how to deal with them.

The criminals send massive amounts of SMS messages, normally to bank clients, warning them of a problem with their accounts. There is normally a link they want people to click on, and that directs them to what looks like the bank website but is actually a fake. That way, when the person who holds the account puts in their log-in details, the fraudsters find out how to access it.

After that, two things could happen. Either they stay in contact with the victim via some form of electronic messaging, or the victim receives a phone call from someone who says he or she is a bank employee, but isn't. Both methods have the same aim: to make people think the warning is genuine and that the bank is helping them resolve the problem.

Two-factor authentication

Having learned the log-in details to access the account, those committing the fraud then want to obtain the temporary code which banks send to clients by SMS message, and which clients have to enter in order to carry out transactions. This is called Two-Factor Authentication (2FA) and is an automated form of protection for account holders. If the criminals do get hold of it, they are able to operate the bank account as if it were their own, and steal the money in it.

The cybercrime group says anyone who receives a message warning of unusual activity on their account should ignore the link provided, and should never follow instructions given in any message, communication or phone call saying there is a problem with the account.

“Contact your bank directly to check whether the message or call has come from them, and let them know what has happened,” they say.