Beware of SMiShing (phishing text messages) Appearing to Come from KeyBank
Key employees, clients and non-clients have reported that they’ve received suspicious text messages (a.k.a. SMiShing) claiming to be from KeyBank. These text messages are not from KeyBank and should not be trusted.
These text messages state: “KeyBank is undergoing a server upgrade. Follow this link http://... to update your account to avoid account limitation.” (Note: The link name is not shown in full here for security purposes.)
If the link is followed, users are taken to a fake KeyBank login page where they are asked to enter login credentials (i.e., username and password) for their KeyBank account, which the fraudsters then steal to try to log into your account.
What to Know
- It is important to remember that cybercriminals have several ways to access cell phone numbers, so you should never assume that someone contacting you via cell phone is an organization or person to whom you’ve given your number.
- Typically, suspicious/fraudulent text messages are unsolicited and appear to come from a legitimate source that wants you to provide important security or account access information. Fraudulent text messages often include a request to take action by following a link or by calling a telephone number.
- Text messages are one of several ways KeyBank may contact clients. One way we legitimately contact you via text is to provide a KeyBank Fraud Alert of a potentially suspicious card-related transaction; the text message will include specific information about the transaction in question with response options via text or phone to confirm or deny the transaction.
What to Do
- If you receive a suspicious text message that appears to come from KeyBank with an urgent tone about an account and a request to provide important security or account access information by clicking a link or calling a phone number, do not take the requested action. Take a screen shot of the text message, attach it in an email and send it to firstname.lastname@example.org, then delete the text message from your phone.
- If you cannot take a screen shot, document the text message content, including the link name or phone number asked to call, into an email and send it to email@example.com.
- If you are unsure whether the text message is legitimate, you can always contact KeyBank’s Customer Service at 800-KEY2YOU® (539-2968). For clients using a TDD/TTY device, please call 1-800-539-8336.
- For Key clients or businesses, if you followed a link or called the phone number in a suspicious text message and provided any personal information or any information about your KeyBank account, immediately contact Key’s Fraud & Disputes Hotline at 800-433-0124.