Thieves target bank data via cell phones

Thu, Nov 4th 2010 12:00 am
By DAVID BERTOLA
dbertola@bizjournals.com | 716-541-1621

First there was phishing, and now there is SMiShing, which means people with bank accounts must keep an eye on their cell phones since crooks masquerading as banks trawl for account and personal information through them.

Phishing is where fraudsters try to obtain user names, passwords, personal identification numbers and credit card info via e-mail or instant messaging. These messages appear to recipients as communication from their financial institutions.

The "SMS" in SMiShing stands for "short message service," the text messaging delivered through cell phones.

"They work as a hook to get consumers' attention," said Patrick Killeen, director of risk management at First Niagara Bank.

Usually, he said, the text messages are a call to action, informing users that they need to respond since a debit or credit card has been deactivated or account information needs updating.

"They try to get you to go to a spoofed URL, or an Internet address that looks legitimate, or they may have you call a 1-800 number where you go through an automated response unit that requires you to enter your Social Security number or account numbers for verification purposes," Killeen said. "It comes off sounding legitimate."

People tend to willingly share information

"If you receive a suspicious message, do not click on any links, open any file attachments, return phone calls or use an Internet address provided in a text message," said Martin Pfeiffer, KeyBank investigations manager/Northeast Region.

But this may be easier said than done.

"People are socially engineered to give up their PIN numbers," said Michael Bryant, group vice president of M&T Bank. "As a consequence, people give out these numbers. And I would say a lot of people give up this information all of the time."

Bryant, a member of the Secret Service for 26 years, said when it comes to fraudsters obtaining personal and account information to commit crimes, they go after the weakest link in the chain: the customer.

Keep this in mind, Killeen said: Legitimate retail vendors would never solicit personally identifiable information via e-mail.

If a bank customer receives an e-mail seeking detailed information, Pfeiffer said, keep an eye out for misspellings and poor grammar, which can be a giveaway that the message didn't originate from the bank.

"Many of these phishing attempts originate from overseas where English is not the first language," he said.

Killeen, meanwhile, said personal information may be asked for only in a secure setting - for example, after logging in at the bank's Web site, after the customer has been authenticated, behind the bank's firewalls.

John Walp Jr., M&T corporate information security officer, said fraudsters have created more sophisticated software to gather keystrokes when customers enter info online. At ATMs, Bryant suggested covering the hand that enters the PIN to avoid having it picked up by hidden cameras which record that information while other software collects account data from the card swipe.

According to Killeen, protecting the data of retail and business customers takes a three-pronged approach. Ongoing communication and having a secure, encrypted Web site are the first two.