Text Message Fraud: Protect Yourself From Smishing Attacks

In the digital age, consumers face an array of cyber threats. One threat that's becoming increasingly prominent is smishing. Find out what smishing is, how it works, and most important, how you can protect yourself from smishing attacks.

What is smishing — and how does it work?

Smishing is a fraud tactic involving the use of text messages to trick individuals into divulging sensitive information or clicking on malicious links.

Much like phone number spoofing, which makes unknown callers appear as though they’re calling from a recognizable phone number, smishing attacks send victims text messages that appear to be from KeyBank or another reputable company they may do business with. The messages often claim to be investigating fraudulent activity on the victim’s account.

Common Smishing Tactics

A victim receives a text that requests client verification and asks for their login ID, password, and one-time security code. If this information is provided, the criminals gain account access and can transfer funds to themselves.

A victim receives a text that includes a fraudulent link to a spoofed website that looks identical to a legitimate site, such as KeyBank online banking. Once the victim attempts to sign on to the fake site, their credentials are captured. From there, criminals will attempt to obtain the victim’s one-time passcode to gain access to their accounts.

Best practices to help protect yourself against smishing attempts.

  • Be cautious of all unexpected text messages and suspicious links.
  • Never share sensitive information such as login IDs, passwords, or one-time passcodes.
  • Scrutinize unsolicited text messages and look closely for red flags such as a suspicious URL, an “immediate” request for action, or a sense of urgency, and any links with language such as verify, authenticate, or unlock your account.
  • Verify a suspicious text immediately by calling a known phone number or contact at the business or financial institution.
  • Report any suspicious texts regarding your KeyBank accounts to us immediately by emailing reportphish@keybank.com.

How KeyBank verifies clients.

When you initiate an interaction with KeyBank, we may ask for information such as the last four digits of your Social Security number, or a one-time passcode to verify your identity.

However, KeyBank will never contact you by phone, text, or email and ask for your full Social Security number or online banking login ID.

Should you receive such a request, always refrain from providing sensitive information and verify the request by contacting a known KeyBank resource such as your local branch, 1-800-KEY2YOU® (1-800-539-2968), or our fraud hotline at 1-800-433-0124. Dial 711 for TTY/TRS.

Let’s work together to protect your accounts.

At KeyBank, we want to help you protect yourself from smishing and other forms of fraud.

Learn more about our commitment to fraud prevention and cybersecurity at key.com/consumer-security.