If you get a text from someone claiming to be your bank, don’t click on the link. A new mobile phishing scam is texting people in the US and Canada claiming to be your bank. When you click on the included link, you’ll be taken to a website that may look like your bank’s website, but is actually a way to steal your login credentials.
In general, you should never click on a link that claims it’s coming from your bank, email service, or anywhere else where you might store personal or financial information. If you do get a message that you think might be legit, instead log in by typing that website into your browser personally, or in the case of banking, using the bank’s mobile app.
The current phishing campaign was discovered by researchers at the mobile security company Lookout, ZDNet reports. Lookout was able to determine at least 4,000 different IP addresses visiting the phishing websites, which suggests that at least 4,000 people received those fraudulent texts, clicking on the links, and potentially handed over their website credentials in the process.
The links those people clicked on where in a text saying that the bank had detected unusual activity on this account, asking them to follow a link to check if that activity is correct. Even the scam-savvy might consider the text legit and click on it.
Beyond stealing a user’s account info, some versions of the scam also asked additional “security” questions to allegedly confirm a user’s identity, often asking users to confirm their account number or enter their card’s expiration date.
Lookout has already contacted the banks that were targeted with this particular scam and all of the phishing sites have been taken down. Still, it’s a good reminder to never click on those links. Whenever you bank texts, emails, or calls you you’re a lot better off just contacting your bank directly rather than clicking on links or passing out personal info on a call you did not initiate.