This morning I received a text message purporting to be from CIBC:
Please call CIBC at 1-866-454-4339 to verify recent transactions on your credit card ending in¡XXXX.
Yes, the ¡s were part of the text message, and I’ve X’ed out the last four digits of my credit card number.
This text came from the number “242-222”. I signed up for CIBC alerts via text message, and they’ve all come from this number, but there’s nothing guaranteeing that CIBC did in fact text me to get me to call them. In fact, if you search for 1-866-454-4339, you don’t get any CIBC webpages in your results.
It’s very nice that CIBC has this service. It was actually a legitimate request, as someone ordered over $1000 worth of stuff from walmart.com using my credit card.
But CIBC is doing it wrong. Nothing in this text message verifies that it actually came from CIBC. Sure, they get the last four digits of my credit card right, but those digits are exposed everywhere, and they’re not considered sensitive data, which means vendors do not need to do anything special to store them. It would be trivial to obtain the last four digits of my credit card number, my name, and my phone number, and then send a spoofed SMS. If I were naive, I’d call the number listed in the text message, tell them my full credit card number, and they’d be off to the races.
Never trust a text message, voicemail, or email that asks you to call a random phone number to verify any sort of personal information. Never. Always call a number that you know for a fact is linked with the company in question. For CIBC, you can either look at the back of your credit card or look up customer contact numbers on their website.
What CIBC should do is change their text message to read:
BRAD, please call CIBC Credit Card Services at the number listed on the back of your Visa card to verify recent transactions on your card ending in XXXX.
It’s a simple change but one that would help make people less likely to fall for phishing attacks.
CIBC should also list the 1-866-454-4339 number on their website, proving that it is actually a CIBC number. I didn’t call that number because there’s no way of verifying that it’s actually CIBC.
In fact, this text message raises all kinds of red flags that CIBC themselves ask you to watch out for:
A phishing text message may request that you send personal information back to the sender through text message or call a phone number.
In order to increase the chances of a response, messages may imply a sense of urgency or an immediate risk to bank accounts or credit cards if you fail to answer.
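As an added illustration of the two points above (call only numbers the bank publishes, and watch for the red flags CIBC itself lists), here is a small checker written for this post, not code from CIBC, that scores an SMS against those criteria. The published-number allowlist is a constructed placeholder; a real deployment would load the numbers printed on the card and on the bank’s website.

```python
import re

# Constructed allowlist standing in for the contact numbers a bank prints on the
# back of its cards and on its website (placeholder value, not a real CIBC number).
PUBLISHED_NUMBERS = {"18005551234"}

# Cues drawn from the red flags quoted above: urgency, and requests to send data back.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "locked", "final notice")
REPLY_REQUESTS = ("reply with", "text back", "send us your", "confirm your card number")

# North American numbers: optional leading 1, three-digit area code, then 3+4 digits,
# separated by -, ., space or parentheses. Short codes such as 242-222 do not match.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

def normalize(number: str) -> str:
    """Reduce a phone number to its digits, prefixing the country code 1 if absent."""
    digits = re.sub(r"\D", "", number)
    return digits if len(digits) == 11 else "1" + digits

def assess_sms(text: str, published: set[str] = PUBLISHED_NUMBERS) -> dict:
    """Flag an SMS that asks you to call an unpublished number, pushes urgency,
    or asks for personal information by text."""
    lowered = text.lower()
    numbers = [normalize(m) for m in PHONE_RE.findall(text)]
    flags = []
    unlisted = [n for n in numbers if n not in published]
    if unlisted:
        flags.append("callback number not on the bank's published list: " + ", ".join(unlisted))
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgency language")
    if any(p in lowered for p in REPLY_REQUESTS):
        flags.append("asks for personal information by text")
    return {"numbers": numbers, "flags": flags, "suspicious": bool(flags)}

# Constructed sample messages: the one described in the post, and its proposed rewrite.
RECEIVED = ("Please call CIBC at 1-866-454-4339 to verify recent transactions "
            "on your credit card ending in XXXX.")
REWRITTEN = ("BRAD, please call CIBC Credit Card Services at the number listed on "
             "the back of your Visa card to verify recent transactions on your card ending in XXXX.")

if __name__ == "__main__":
    for msg in (RECEIVED, REWRITTEN):
        print(assess_sms(msg))
```

The received message is flagged only because its callback number is not on the published list; the rewritten message, which names no number at all, raises no flag.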
CIBC Credit Card Fraud Department, you’re doing it wrong. Even according to your own website.
Update: But wait, there’s more!