Did you get a text message from your bank saying there has been unusual activity on your account and asking you to click on an internet link? If you clicked, you may have given hackers access to your account.
ZDNet reports almost 4,000 smartphone users were tricked into clicking through as part of a mobile phishing campaign. Most of the victims were in the U.S. and Canada, according to mobile cybersecurity company Lookout. The scam is designed to get people to visit a website that looks like their bank's site, but it's a trick to lure victims into giving up their login information and other details.
How was it discovered? ZDNet reports that the hackers left part of their infrastructure exposed. Lookout was able to identify nearly 4,000 IP addresses that visited the fake website.
The hackers reportedly didn't know which bank the victims used. Instead, they sent out a huge blast of messages posing as different banks to multiple people. By the law of averages, some would match the right bank to the right person.
ZDNet reports there were more than 200 bogus websites set up for this, designed to look like mobile versions of the websites of real banks.
Information that was taken included login information, answers to security questions, card expiration dates and bank account numbers. The hackers could then take money out of the accounts or sell the information to others, according to ZDNet.
All the phishing sites have reportedly been removed and the banks have been notified, but someone is likely already trying to build a similar scheme right now.
It's always a safe bet to never click on any links or call any phone numbers sent to you in unsolicited calls, texts or emails. If you get a text like this, you should either call the business directly at a known phone number or log in to their known website. And you should always sign up for two-factor authentication, which usually means the business will send you a text message or email with a temporary code to log in.
It's also important to make sure not to use the same login and password on multiple accounts. And if the site requires a security question, make up a nonsensical answer. For example, if they ask your mother's maiden name, write "grapefruit" or something you will remember.