Beware of SMiShing (phishing text messages) Appearing to Come from KeyBank
Other peer banks are experiencing a campaign targeting clients and non-clients who are receiving suspicious text messages (a.k.a. SMiShing) claiming to be from that bank. These text messages are not from the bank and should not be trusted. Some of these text messages contain the client/non-client’s first name in the body of the message so it is attempting to deceive the user by appearing more personalized.
These text messages seem to follow a pattern for the sending address including bank name, phone number, @verizon.net. The message tells you that your bank’s security team has posted a secure message for you to review your account information. It provides you a link to click to verify.
If the link is followed, users are taken to a fake KeyBank login page where they are asked to enter login credentials (i.e., username and password) for their KeyBank account, which the fraudsters then steal to try to log into your account.
What to Know
- It is important to remember that cybercriminals have several ways to access cell phone numbers, so you should never assume that someone contacting you via cell phone is an organization or person to whom you’ve given your number.
- Typically, suspicious/fraudulent text messages are unsolicited and appear to come from a legitimate source that wants you to provide important security or account access information. Fraudulent text messages often include a request to take action by following a link or by calling a telephone number.
- Text messages are one of several ways KeyBank may contact clients. One way we legitimately contact you via text is to provide a KeyBank Fraud Alert of a potentially suspicious card-related transaction; the text message will include specific information about the transaction in question with response options via text or phone to confirm or deny the transaction.
What to Do
- If you receive a suspicious text message that appears to come from KeyBank with an urgent tone about an account and a request to provide important security or account access information by clicking a link or calling a phone number, do not take the requested action. Take a screen shot of the text message, attach it in an email and send it to firstname.lastname@example.org, then delete the text message from your phone.
- If you cannot take a screen shot, document the text message content, including the link name or phone number asked to call, into an email and send it to email@example.com.
- If you are unsure whether the text message is legitimate, you can always contact KeyBank’s Customer Service at 800-KEY2YOU® (539-2968). For clients using a TDD/TTY device, please call 1-800-539-8336.
- For Key clients or businesses, if you followed a link or called the phone number in a suspicious text message and provided any personal information or any information about your KeyBank account, immediately contact Key’s Fraud & Disputes Hotline at 800-433-0124.