Jun 30, 2025

At Turnkey Trading Partners (“Turnkey”), we prioritize equipping our clients and the wider financial community with the knowledge to navigate an ever-evolving security landscape. As a leading CFTC and NFA compliance training provider, Turnkey attempts to stay at the forefront of ongoing cybersecurity education.

Many are aware of text or chat message-based cybersecurity attacks; few, however, have heard the term “smishing.” Phishing, when conducted via text message or “SMS” message, is also referred to as “smishing,” and continues to pose a serious threat to the financial service industry. Recent alerts and regulatory bulletins highlight just how deceptive and convincing these messages can be. Users are often lured into clicking malicious links that appear legitimate, underscoring the need for constant vigilance.

Turnkey is one of the only CFTC and NFA training vendors in the country to offer ongoing quarterly update coursework. Our most recent quarterly training update explored this topic in depth, reflecting our ongoing commitment to educating clients about emerging cybersecurity threats and best practices. If you have not enrolled for Turnkey’s training, please contact us today to learn how you can receive these updates.

Understanding How Smishing Scams Work

Most scams leverage a sense of urgency and follow a typical pattern:

Deceptive SMS: Scammers send text messages impersonating legitimate financial institutions.

Urgent Call to Action: These messages often demand immediate attention, citing issues like “urgent updates to client information” (frequently mentioning tax details) or fabricated security alerts.

Malicious Links: The core danger lies in embedded links. These direct users to meticulously crafted fake websites designed to mimic the official login pages of trusted institutions—such as banks, government agencies, tax authorities, and service providers. The goal is to harvest login credentials, personal information, or payment details.

If an individual clicks these links and enters their credentials, they are unknowingly handing over their sensitive login information directly to malicious actors. This can lead to unauthorized account access, financial loss, and potential identity theft.

Common Examples of Smishing

As phishing attacks become more sophisticated, smishing schemes have also evolved into a range of deceptive and elaborate tactics. Common examples include:

Account Verification Scams: Victims receive a message claiming to be from a bank or delivery service, warning of suspicious activity or requesting account confirmation. Clicking the link leads to a fake login page designed to steal credentials.

Prize or Lottery Scams: Attackers claim the recipient has won a prize or sweepstakes. To claim it, the victim must share personal details, pay a small fee, or click a link, ultimately giving up sensitive data or money.

Tech Support Scams: These messages warn of a problem with a device or account and urge the user to call a support number. The caller may be charged or asked to grant remote access, risking full device compromise.

Bank Fraud Alerts: Pretending to be from a bank, these messages report unauthorized transactions and prompt the user to click a link or call a number. Both lead to the attacker collecting private financial information.

Tax Scams: Often seen around tax season, these messages claim to be from tax agencies, offering refunds or threatening penalties. They push recipients to provide Social Security numbers, bank details, or other personal data.

Service Cancellation Warnings: Users are told a subscription or service is about to be canceled due to a payment problem. The message directs them to a phishing site under the guise of resolving the issue.

Malicious App Promotions: Scammers send links promoting helpful or fun apps. Clicking installs malware that can steal data or monitor activity on the device.

Turnkey Trading Partners’ Guidance: “Think Before You Click”

The most important rule to avoid smishing attacks is to “Think Before You Click!” While direct messages may be convenient, users should always access accounts directly – never click an SMS link to log in. To further safeguard your operations and personal data, Turnkey also recommends the following proactive measures:

Direct Navigation is Non-Negotiable: Always type the official website address of the organization directly into your browser or use their verified mobile app. Avoid clicking on links from unsolicited emails or text messages, regardless of how legitimate they appear.

Cultivate Healthy Skepticism: Treat any unsolicited communication requesting personal information or urging immediate action with extreme caution, regardless of how legitimate it appears. Financial institutions rarely request sensitive data updates via unprompted text messages.

Independent Verification: If you receive a suspicious message, do not reply or click any links. Instead, contact the institution through a known, trusted channel (e.g., the official customer service number on their website or your account statements) to verify the communication’s authenticity.

Scrutinize Sender Details & Links: Look for inconsistencies in sender numbers, email addresses, and hyperlink URLs. Often, small discrepancies can reveal a fake.

Enable Multi-Factor Authentication (MFA): MFA adds a critical layer of security, requiring a second form of verification beyond just your password. Ensure it’s activated on all sensitive accounts.

Stay Informed: Regularly review security communications from your service providers and trusted sources like TURNKEY. As we cover in our updates, awareness is your first line of defense.

The “Think Before You Click!” message is more than a catchy phrase; it is a fundamental security principle. By remaining vigilant and adhering to these best practices, you can significantly reduce your vulnerability to these deceptive tactics.

Role of Cybersecurity Training in Reducing Risk

While awareness is key, training is what embeds secure behavior across teams and operations. At Turnkey, we’ve made cybersecurity education a core component of our CFTC and NFA-focused training programs, helping firms meet regulatory expectations while protecting critical infrastructure.

Our structured quarterly updates and specialized compliance sessions include real-world examples, updated threat intelligence, and actionable guidance for staff at all levels. Firms that prioritize regular, focused training create a culture of vigilance, one that catches red flags early and reduces exposure across the board.

Learn more about how Turnkey’s training solutions support your compliance and operational security goals by contacting training@turnkeytrainingpartners.com.

For increased study on cybersecurity threats, scams, and related risks, please review the following articles:

How Generative AI Is Increasingly Powering Scams Targeting NFA-Regulated Firms
Unraveling the Most Prevalent Cyber and Financial Scams
Cyber Alert: “Pig Butchering” Education
CFTC and NFA Identity Theft Training