Smishing - Another New Frontier in Banking Scams

The ever agile techno-fraudsters have recognised that their targets are far more likely to click on text messages than any other type of link, according to Constant Contact whose report states SMS click-through rates hover between 8.9% and 14.5%, by comparison, emails have an average click rate of 2%, which has led to the development of “smishing” (short for "SMS phishing") a form of cyber-attack particularly related to banking or investments.  With smartphones now widespread across all age groups, these frauds primarily occur through text messages, phone calls, or emails.  This form of cybercrime is aimed at vulnerable often less “tech-savvy” individuals such as older people who are likely to be more susceptible to this approach by the fraudsters.

The fraudsters have various tactics and the messages take various forms, in some cases they will send a concerning message from what appears to be a trusted source such a bank, a government agency or another substantial organisation.  The message is designed to alarm the recipient by saying “…your bank account has been compromised click here immediately to secure it…” this message will have a link to a fake website that has been created, often in great detail, to resemble a legitimate authority.  Then the victim will receive a request to verify their account which induces the victim to provide their bank account details requesting passwords, credit card numbers, or other personal information.

Alternatively, the message may state “…you have an unpaid bill. Pay immediately to avoid penalties…”  which very often is of great concern to older people who have an inherent fear of owing money, inevitably this is swiftly followed a demand for money. 

The recipient of such a message should not in any circumstances interact with the message.  This could lead to being subscribed to premium services that charge them money or the download of damaging software or identity theft.

Vito Anello, a senior associate based in the Milan office commented “malware, which is often downloaded to a device if the recipient interacts with the message, is extremely dangerous as it can access passwords, intercept communications, or provide remote access to the attacker.  It is extremely perilous to engage in any way with the sender of smishing message, it is infinitely better to delete the message and any other connection to the message to avoid any future accidental interaction.”  Vito further commented “there are limited circumstances where, if you succumb to the scam, you can obtain reparations from your bank. From a legal perspective, the concept of the account holder’s "culpable cooperation" frequently excludes the bank’s civil liability for compensating amounts lost to the scam.

If you have clicked the link,

• change your passwords as well as the passwords for accounts that might be compromised, especially banking, email, and social media accounts and enable two-factor authentication where possible.
• Notify your bank, credit card provider and any other financial organisation if you shared financial details. They can monitor your account for fraudulent transactions or issue new cards.
• Monitor Your Accounts and watch for unauthorised transactions or activity.
• Check your credit report for signs of identity theft.

Gradually the recognition of new methods of fraud introduces new levels of defence.  In Italy consumer protection is governed by Legislative Decree 11/2010 introduces the concept of "active collaboration by the user." Compensation is provided to the account holder only for unauthorised transactions where collaboration is absent.

However, recent jurisprudence by the Court of Cassation (Judgment 3780, February 12, 2024) establishes that banks must implement all necessary measures to reduce or prevent fraudulent use of digital systems linked to bank accounts. For instance, banks should send alerts whenever a transaction is made.

The manipulation of customers' banking information by third parties falls under the business risk borne by the bank or financial institution.  If a financial institution fails to prove that it has implemented such preventive measures, responsibility for unauthorised access to sensitive information lies with the institution itself.

In England and Wales new laws have been introduced to enable banks and other financial institutions to delay payments from their customers’ bank accounts if there is the suspicion that the payment is fraudulent, thereby providing time to investigate the transaction.

Experienced professionals can make a significant difference for victims seeking to recover lost savings. Our experts in Giambrone & Partners banking and financial fraud litigation department have extensive experience in recovering funds erroneously invested in dubious platforms and accessing the liability of financial institutions involved in handling fraudulent financial transactions.

Vito Anello specialises in the regulation of online trading platforms and the recovery of funds lost in investment fraud. He provides advice and legal assistance to clients involving financial instruments of all types, both for contractual matters in compliance with Italian and European regulations. Vito deals with the regulation of financial markets, with a specific focus on investment services and activities and collective asset management. In particular, he assists private clients, companies and financial intermediaries, both Italian and international, in the wide areas of sector compliance, prudential rules and financial regulation. He also has experience in the field of crypto-assets and blockchain.

If you would like to know more about how to crypto currency regulation please click here