
SMiShing - the next big threat to mobile banking?

Chris Hamblin, Editor, London, 4 August 2017


Phishing is the act of tricking consumers into revealing information or doing things that they would not normally do online by means of bogus emails or social media posts. Smishing is its mobile phone equivalent and it is on the rise, with many scammers imitating private banks.

SMiShing, according to McAfee which coined the term in 2006, is a version of phishing in which fraudsters send text messages rather than emails. These texts appear to come from a legitimate, trusted organisation such as the user's bank, asking him to click on a link or provide credentials (such as account/credit card information, log-in names, passwords) in an answering text message. The term is a condensed way of referring to “short message service phishing,” or “SMS phishing.” Users have grown wary of unexpected emails because of the hundreds of newspaper articles they have read about phishing attacks, but McAfee believes that they have still not heard enough about the likelihood of fraudulent SMS communications to be wary of them.

Banks, which are obliged by regulators in many jurisdictions to tighten up security in the field of mobile banking, would do well to discourage their HNW customers from clicking links within text messages or otherwise responding to such ruses.

The beauty of the scam from the point of view of the fraudsters is that they need not hack into the bank's systems at all. One very high-profile example of smishing came when fraudsters hijacked an SMS message thread from Banco Santander to one of its customers, who lost £22,700 from his account, in January last year. The victim was apparently tricked into downloading a virus so that the fraudsters were able to impersonate his bank in text messages, hijacking genuine threads to steal passwords and security details. The press reported that Santander did not feel inclined to refund his loss because he had consented to the transaction.

To deal with this, according to McAfee and other experts, private banks ought to encourage every customer to only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them; never to agree to reveal his personal information just to participate in a promotion; never to disclose his security details, such as PINs or full banking passwords; not to assume that any text is authentic; not to be rushed, because a genuine organisation will never mind waiting; and not even to press 'reply' to tell the sender to leave him alone, because he is only confirming that his phone number is valid, thereby opening the door to further frauds.

There are other signs that the customer might be sharing his mobile phone number with too many people. He might start receiving odd-looking charges on his monthly phone bills. He ought to be encouraged not to put his mobile number on social media or to enter contests that ask for it.

The UK's Financial Conduct Authority mentions smishing in SUP 16 of its rulebook, which lists the things that ought to go into firms' annual financial crime reports. It is not, however, a mandatory item and firms need not tell the FCA whether they have experienced it if they do not want to. Data element 30-35A-D asks each firm to enter its view of the top three most prevalent frauds it has witnessed, saying whether they are increasing, decreasing or unchanged. The list of specific "fraud typologies" in the drop-down list consists of: 419 emails and letters; abuse of position of trust; account takeover; advance-fee fraud (also 419 in reality); application fraud; asset misappropriation fraud; bond fraud; carbon credits fraud; cashpoint fraud; cheque fraud; companies – fraudulent; computer hacking; credit card fraud; debit card fraud; expenses fraud; exploiting assets and information; fraud recovery fraud; hedge fund fraud; identity fraud and identity theft; insurance fraud; landbanking fraud; loan repayment fraud; short and long firm fraud; malware-enabled fraud; mandate fraud; mortgage fraud; pension liberation fraud; phishing; Ponzi schemes; procurement fraud; pyramid schemes; share sale fraud; smishing; and vishing. This is the same data return in which the firm must state the number of investigative court orders (production orders, disclosure orders, account monitoring orders and customer information orders) it received during the last year.

In TR14/15, a thematic review paper on the subject of mobile banking, the Financial Conduct Authority added: "It is important that the regulated firm with ultimate responsibility for providing the mobile banking service to the consumer has appropriate oversight over the key parties involved in its delivery." These relationships bring the payer's credit institution (i.e. the bank) into contact with such businesses as the mobile manufacturer (e.g. Apple, Nokia); the mobile network operator (e.g. O2, Vodafone); the payment wallet provider (e.g. Starbucks, Weve); the mobile software company (e.g. Android, iOS); IT providers (e.g. Monitise, Zapp); and the payee's credit institution (e.g. Nationwide, The Co-operative Bank).
