How PNC Tackled Smishing Head-On

Partnerships and practical thinking around cybersecurity drove PNC to find new ways to curb text abuse.

Written by Brigid Hogan
Published on May 08, 2024

For most people, opening a text message is a matter of habit — especially when that text seems to come from a trusted source.

But not every text may be quite what it seems. Even when the sender may seem like a trusted source or the link may seem legitimate and important to click on, a closer look may reveal discrepancies.

The security challenge posed by fraudulent text messages has emerged prominently in recent years, and this form of social engineering has been termed “smishing” — a combination of SMS and phishing. The result has been highly sophisticated attempts by cybercriminals to impersonate legitimate brands to commit fraud and theft.

As consumers are faced with these advanced threats across all industries, PNC Financial Services Group is one of many financial institutions attempting to think creatively of new, innovative ways to protect customers. 

PNC Manager Jacqueline Kahwash talked to BuiltIn about the “text abuse project” her team embarked on in 2023 to combat smishing.

Smishing exploits the widespread use of smartphones, making it a convenient avenue for cybercriminals to target a wide swath of the population. As Kahwash explained, smishing leverages the high likelihood that someone who receives a text message will open it. This makes smishing especially concerning as a threat to consumers who may be accustomed to quickly clicking through their messages without thinking through the consequences.

Given these behavioral patterns, PNC’s security team set out to find a way to minimize the risk this presented. The “text abuse project” — as they referred to it amongst themselves — identified different measures that could be taken to help create additional layers of protection against this threat.

 

 

First, they gathered the data. They leveraged existing reporting mechanisms, such as the PNC Abuse mailbox, [email protected], to track and analyze customer reports of suspicious activities. This data-driven approach enabled them to identify trends and patterns, essential for formulating countermeasures. Once the data was collected and the trends were identified, the team then asked: “What can we do to disrupt this?”

An answer stood out: Work together with telecommunications providers as partners to make it more difficult for fraudsters to impersonate PNC via text. By working collaboratively with their telecom partners, PNC was able to identify ways to have carriers create filters to help block certain bad messages before they made their way through the network. 

“This effort was all about collaborating — not just across the organization, but working with our telecommunications partners to help disrupt these criminal tactics. Now that we have created a model, our team is out in the industry, evangelizing the solution to other banks. The most important thing to us at PNC is making it safer for all to bank,” said PNC Chief Information Security Officer Susan Koski. 

PNC also implemented new policies, one of which involved transitioning to short codes, rather than full 10-digit phone numbers, for texting customers. Short codes are unique five- or six-digit numbers, each of which PNC uses for a specific purpose. For instance, one short code is used just for IT support. PNC was therefore able to tell customers that, should they receive an SMS from this particular number, they could proceed with a high level of confidence that it was legitimately coming from IT support.

These combined efforts reduced one type of smishing incident by more than 90 percent within a matter of months. Beyond quantifiable metrics, the bank’s efforts have bolstered customer trust and awareness, crucial elements in combating evolving threats.
 


 

Looking ahead, PNC remains committed to staying vigilant and proactive in addressing cybersecurity threats. The team continues to engage with industry peers, share best practices and advocate for innovative solutions — and is seeking talent to join it.

“We’re looking for creative thinkers who want to tackle these problems, propose solutions and seek new ways of doing things,” Kahwash said. “We’re also looking for people who want to grow their careers and have the willingness to figure it out along the way.”

Kahwash also emphasized the importance of building a team with varied skill sets and backgrounds to help address complex challenges.

“In the cybersecurity space, we have to expand our approach as it relates to recruiting,” Kahwash said. “Having people with different backgrounds and experiences helps create a holistic program that can address the threats that we need to address today and beyond.”
 


 

 

Responses have been edited for length and clarity. Images provided by PNC Financial Services Group.