| 15.8°C Dublin

BOI customers hit by 'smishing' text scam set to be reimbursed


About one in 10 customers are set to lose out

About one in 10 customers are set to lose out

About one in 10 customers are set to lose out

Bank of Ireland will reimburse customers hit by a cyber fraud that dropped fake texts into genuine interactions between the bank and account holders.

The bank said it is launching a fraud awareness campaign highlighting tactics deployed by criminals to trick customers into providing their banking details.

It will also reimburse customers identified as being impacted by a targeted text 'smishing' campaign - which dropped fraudulent texts into the genuine Bank of Ireland text thread - which has been active during Covid-19.

The nationwide fraud awareness campaign will advise customers on how to protect themselves from fraud including through text 'smishing' attacks.

So-called 'smishing' is serious criminal activity which targets customers of a range of institutions around the world - including banks, postal authorities, social welfare payments, and tax collection.

Fraudsters gain access to confidential information then move quickly to extract funds.

Smishing attacks can be either crude or sophisticated.

In the case of Bank of Ireland and AIB, the fraudsters managed to insert their criminal texts into legitimate text conversations between the banks and their customers. Security experts say that this isn't easy to do and sometimes involves manipulation of SMS services called 'gateways' that are often commercially used by big companies.

But global security experts have been warning about such vulnerabilities in SMS delivery systems for years.

Once the criminal has entered a pre-existing text chat, the fraudulent text will ask the customer to click on a link, usually by claiming their card or account has been frozen or that there is some other problem that needs quick attention.

It is related to the scam of 'spoofing,' where a fraudster makes it seem that an email address, phone number or web address is someone else's, typically that of a legitimate business.

This is very easy to do at a low level on the internet, ranging from so-called 'prank' services such as Spoofbox, Deadfake and Anonymailer to much more sophisticated bespoke systems.

Anyone with even a cursory knowledge of programming can also get in on the act with a few simple lines of code.

In about 10 minutes, it's possible to send someone an email purporting to show the email address of almost anyone - private or public - you choose.

Often smishing attacks are not obvious. Misspelled text messages or emails throw up obvious red flags right away.

But others, framed in typical banking language and terminology, may not be as clearly fake. And it is especially hard to spot if it's part of what appears to be a pre-existing text conversation.

Most legitimate services will never text or email with just one or two lines and a link.


There's a recurring fake text message purporting to be from Ros.ie (Revenue Online Services), claiming that a "tax return" is ready to be claimed.

There are also scam texts labelled 'An Post' claiming that 'a parcel is being held' and asking you for €2 plus your bank details to release it.

Then there's the fraudulent WhatsApp drivers' licence scam where criminals try to get you to contact the National Driver License Service (NDLS) through WhatsApp to apply for or renew your driving licence at a cost of €200.

There's even a fake contact-tracing app text going around, saying: "Someone who came into contact with you tested positive or has shown symptoms for Covid 19 and recommends that you self-isolate".

It then asks you click the scam link.