Bank customers hit by SMS text message phishing scam

Graham Cluley

SMS message

Many of us are used to receiving emails in our inbox that claim to come from a bank and ask us to log in urgently. But have you ever received a phishing text message on your mobile phone?

According to local media reports, people in Texas began to receive unsolicited SMS messages on their cellphones on Tuesday, claiming to come from the Commercial Bank of Texas.

The SMS text messages told recipients that their debit card had been deactivated, and that if they wanted to reactivate it then they should call the given number.


Commercial Bank of Texas
Alert: Your card has been deactivated.
Please contact us at: (936) 622-6016.
to reactivate your card.

However, the text messages did not come from the bank located in Nacogdoches, Texas, and it wasn’t the bank waiting at the other end of that phone line. Instead, calling the number resulted in bank customers hearing an automated voice ask them for their account details. Naturally some people will have been fooled into doing this, believing that it was the bank confirming their identity rather than an elaborate scam to steal information.

The Commercial Bank of Texas has warned the public not to call the number in a security alert published on its website, and has issued advice for customers who may have handed over their personal and bank account information.

CBTx warning

This isn’t the first time we’ve seen scammers set up an automated switchboard to phish identity information and potentially break into bank accounts (a technique sometimes known as “vishing”).

For instance, in February last year we published information about a phishing scam targeted at customers of a small credit union, Kessler Federal. Spammed-out emails encouraged users to dial a phone number which greeted them with an automated voice that asked for bank card numbers and a PIN – sufficient information for the cybercriminals to steal money from the user’s bank account at a cash machine.

In the case of Commercial Bank of Texas, however, it appears that vishing has combined with smishing (SMS phishing).

* Image source: Kiwanja’s Flickr photostream (Creative Commons 2.0)


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
