Beware this email fraud scam when buying a vehicle in South Africa

Hanno Labuschagne

Journalist

A MyBroadband reader was recently caught out by a complex scam involving the purchase of a Ford Ranger bakkie.

The dealership told the reader they would send the appropriate banking details for the payment via email, but this email was intercepted by a malicious party.

The banking details were altered by the scammer, and the scammer's own bank details were sent to the reader.
 
I still don't get why banks in SA don't show the recipient bank account name when entering the account number when making a payment - they do share this information with each other.
...Or require you to match the name to the account number for a double check. So you supply both rather than have the ability to look up any account name with random numbers.
 
Some companies are asking for a bank letter when you request an EFT. The FNB letter includes a way to verify the account online which will help with this. I have sent this letter a few times to customers. This should become SOP for all new beneficiaries.
 
Before I transfer a big amount (for me even 15000 is a big amount) I first transfer R500, verify it's received and then transfer the rest. Usually it's FNB to FNB so it doesn't take much time.
I do this because of my fear that I will read or type the numbers wrong and the money will end up in the wrong account.
It's frustrating that banks in SA just use the account number as identification for transferring money.
They don't want you to come to the bank, don't want you to use cheques, but can't have a better verification process for EFTs.
 
I still don't get why banks in SA don't show the recipient bank account name when entering the account number when making a payment - they do share this information with each other.
This would leak information on the recipient account and could be abused by malicious parties.

...Or require you to match the name to the account number for a double check. So you supply both rather than have the ability to look up any account name with random numbers.
This is starting to happen in the international arena.

To best understand what is happening, it's best to use standard names for fraud types and use them consistently.

This vehicle scam is nothing other than business email compromise fraud, commonly called BEC. It's quite pervasive in South Africa as well. Vehicles being abused is a red herring; it can be any business transaction. One of the email accounts will be compromised, either the payer or payee.

This is also why the owner of Hydro Club in Rivonia, Abdul, was arrested in his Bentley and all:

This is not new. BEC is currently the largest form of cybercrime in the world.

Phishing is not the only way the perpetrators gain access; that is a convenient excuse, but it is common. Concerted attacks are also common. Punycode and homoglyphs are common, likewise concerted infrastructure attacks. Email forwarders may be set, and 2FA will not help. It is wise to constantly check for forwarders and other email rules on your email. Being in South Africa or anywhere else in the world does not matter.


Currently many consumer facing experts are working hard to address this issue. News is highly inaccurate, but understandably so as the media is not aware of the extraordinary efforts going on by selfless people around the world in the background. That is also why this article leaves me with a chuckle:


Scammers return money - no such thing.
But my bank put pressure on the German bank ... - lol. Anti-BEC teams swung into action. Both banks and a few more folk actually deserve the credit.

This is just like in the previously mentioned Abdul case.

As for account name and number matching, this is happening abroad. From the UK:

Currently experts are trying to figure out best practice in situations such as a company changing names, being bought out by another or somebody getting married and changing surnames.


A big part of this is those old 419 scams that have evolved. Victim accounts are used. This is also why the US has upped the game in terms of money mules:

While not much has happened from the enforcement side locally, South Africa's law enforcement and banks will be forced to fit in.
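
The punycode and homoglyph lookalike domains mentioned in the post above can be caught mechanically before banking details received by email are trusted. This is an added example, not part of the original thread; the dealership domain, the spoofed variants and the small confusables table are all constructed for illustration.

```python
import unicodedata

# Illustrative subset of look-alike characters, NOT the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic c, x, i, s
    "0": "o", "1": "l",                                          # digit swaps
}

def to_unicode(domain):
    """Decode xn-- (punycode) labels so the characters actually used are visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as received
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m")  # "rn" reads as "m" in many fonts

def check_sender(sender_domain, trusted_domain):
    """Return 'match', 'lookalike' or 'different' for a sender's domain."""
    if to_unicode(sender_domain) == to_unicode(trusted_domain):
        return "match"
    if skeleton(sender_domain) == skeleton(trusted_domain):
        return "lookalike"
    return "different"

# Constructed sample data: a made-up dealership domain and three spoofs of it.
TRUSTED = "ranger-motors.example"
CYRILLIC_SPOOF = "r\u0430nger-motors.example"  # second letter is Cyrillic U+0430
ACE_SPOOF = "xn--" + "r\u0430nger-motors".encode("punycode").decode("ascii") + ".example"
ASCII_SPOOF = "ranger-rnotors.example"         # "rn" in place of "m"

if __name__ == "__main__":
    for d in (TRUSTED, CYRILLIC_SPOOF, ACE_SPOOF, ASCII_SPOOF, "other-dealer.example"):
        print(ascii(d), "->", check_sender(d, TRUSTED))
```

A "lookalike" result on a message that carries new or changed banking details is the cue to confirm the account through a channel other than that email thread.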
 
Innovation is lacking in the banking sector. Too much red tape.
Yes and no. At the regulatory and risk averse level, yes. That will have to change. But there are some excellent savvy folks in the banking industry though.
 
This would leak information on the recipient account and could be abused by malicious parties.

The name of an account is hardly something that could be abused and it would only be part of the payment process thus they would be able to observe any abuse or data mining of the system anyway.
 
Yes and no. At the regulatory and risk averse level, yes. That will have to change. But there are some excellent savvy folks in the banking industry though.
Yeah. Nothing wrong with the individuals I reckon....
 
All info can be abused.

Including the account number; however, 99% of the time the account number is always together with the account name, branch code etc., so I don't see it being as much of an issue.

The issue with providing account name and account number to verify is that often trading names and bank account names may differ - we confirm all our payment profiles and struggle half the time with FNB's verification system where you enter company name, reg and account number etc.

Another option (similar to some credit check systems) is where you enter the account number and it provides a randomized list of 5 account names which you pick from to confirm.
 
Who gets scammed like this through email in any case? When we paid a deposit it was a letter directly from the dealer. This can only mean the person doesn't care enough about their money in any case.

...Or require you to match the name to the account number for a double check. So you supply both rather than have the ability to look up any account name with random numbers.
Should be an optional default rather than a requirement though.
 
My question is, why can't the sending or receiving bank just reverse the payment?
I've made a dunce move a while back with a payment and the bank (Capitec) reversed my payment. Shouldn't this be possible with any bank? Especially taking the amount into account?
 
My question is, why can't the sending or receiving bank just reverse the payment?
I've made a dunce move a while back with a payment and the bank (Capitec) reversed my payment. Shouldn't this be possible with any bank? Especially taking the amount into account?
Not so easy. They pay some random gardener R500 bucks to open an account and then when the money arrives they empty the account. The gardener doesn't realise they're doing something illegal and in a country with such high unemployment who would say no?
 
My question is, why can't the sending or receiving bank just reverse the payment?
I've made a dunce move a while back with a payment and the bank (Capitec) reversed my payment. Shouldn't this be possible with any bank? Especially taking the amount into account?

Did you wait several days before you requested the money back? (If an instant payment option was used the money was in there immediately; if not, it probably showed the next day.) How does one reverse money from an empty savings account? (The scammer would have forwarded the money on immediately.)

Because both parties believed the transaction had been completed successfully, it was several days before the dealership realised that they had not received any money for the vehicle.
 
I have to ask though, what business just hands over the goods without checking their bank account to make sure the money was paid?
 
Not so easy. They pay some random gardener R500 bucks to open an account and then when the money arrives they empty the account. The gardener doesn't realise they're doing something illegal and in a country with such high unemployment who would say no?
My point is that we have FICA for a reason.
How does the money get transferred or emptied without a trace to who did it? It doesn't make sense to me. Also it doesn't answer why it can't be reversed. That account will need to foot the bill.
Did you wait several days before you requested the money back? (If an instant payment option was used the money was in there immediately; if not, it probably showed the next day.) How does one reverse money from an empty savings account? (The scammer would have forwarded the money on immediately.)
I contacted the bank the same day (started a thread here when it happened).
It took a few days and a few calls to get it sorted. The first round of consultants said it wasn't possible. I was contacted back to say I could have it done. The payment wasn't paid as an instant payment. It was a debit card payment to a sketchy website. I didn't check the site beforehand as I should have.
 
My point is that we have FICA for a reason.
How does the money get transferred or emptied without a trace to who did it? It doesn't make sense to me. Also it doesn't answer why it can't be reversed. That account will need to foot the bill.
Cash is king. It's quite easy to withdraw in a day or two if you transfer it between 10 accounts and banks typically don't even bother investigating once money has left the original account because it always leads to a dead end. And FICA is a joke. It's so easy to get around and with such a large informal housing base it's not even required to be fully implemented. Once they get to the person holding the account they have no info to give them.

I contacted the bank the same day (started a thread here when it happened).
It took a few days and a few calls to get it sorted. The first round of consultants said it wasn't possible. I was contacted back to say I could have it done. The payment wasn't paid as an instant payment. It was a debit card payment to a sketchy website. I didn't check the site beforehand as I should have.
Debit cards are easier to do and I don't know why you were even told it can't be done. It typically takes 2-3 days to be debited and then you also don't get paid immediately plus as long as the service is kept alive there's always additional money coming in.
 