Bank of America, Wells Fargo, and Key Bank are among bank accounts being phished, SMiShed and vished by scammers who are sending SMS text messages to users, directing them to call hijacked Holiday Inn Express phone numbers which the scammers have disguised to make them sound like automated banking systems. So far this current crop has happened primarily in the Houston area.
SMiShing is simply phishing via SMS, and vishing refers to luring users into making a call to an automated voice system which in turn is spoofing the institution being targetted, prompting the user to enter confidential information
One of the hijacked Holiday Inn numbers is 281-866-0500 (832-237-899 was also compromised), and when you call that number, you reach a computer-generated recording that starts with “Thank you for calling Key Bank. A text message has been sent to inform that your debit card has been limited due to a security issues.”
You are first asked to identify yourself with the last four digits of your debit card. Of course, after that, you are prompted to enter all sixteen digits of your debit card.
(You can listen to an example of the phone message here, courtesy of NumberCop.)
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
In an interview with security researcher and writer Bryan Krebs, NumberCop CEO Jan Volzke explains that “Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider. That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”
As always, the primary take-away here is never trust a message, email, SMS, or other, that requires you to take action directly, rather than securely logging in to your account. The social engineering twist here is that the text message urges you to call in to your bank, which makes it seem pretty secure, and relies on users not knowing the actual phone number to their bank, so as to be able to recognize the scam. So, the secondary take-away is to be ultra-alert and careful.
And finally, the third take-away is that there is something to be said for a plain old telephone service (POTS) line, which is far less hackable (although not impossible to hack) than digital and VOiP systems.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
