Standard Bank recently sent out a mail to its customers warning them of a scam which targeted their online banking channels.
“It has come to our attention that fraudsters are impersonating Standard Bank to request your OTP (one-time password),” the bank said. “Please note, Standard Bank will never ask for your OTP.”
“Standard Bank values you as a client and therefore wants to ensure your safety when you make online purchases.”
These types of scams are common across the world, and South Africans have become particularly vulnerable for a number of reasons – including the local prevalence of SIM-swop fraud.
The type of attack described above – when a criminal impersonates your bank in an SMS to get you to supply them with information – is called “smishing”.
The South African Banking Risk Information Centre (SABRIC) told MyBroadband that while smishing is relatively popular in South Africa, increasingly prevalent scams occurring locally include Card Not Present (CNP) fraud and “vishing”.
Vishing is a serious threat, as it leverages a social engineering attack to get users to divulge their online banking details or PIN.
Many times, these attacks take the form of a phone call which is purportedly from your bank’s fraud department. The fraudster on the other end invents a fake transfer which they say has occurred on your account, scaring you into providing them with your CVV number, PIN, and any other information needed to reverse the “fraud”.
After this, the fraudster now has access to your account and can withdraw money freely.
In its mail, Standard Bank stressed that you should never provide information like your ATM PIN or CVV number to anyone, adding that it would never ask customers for their OTP.
Of course, South African banks often do call customers to verify suspicious transactions, and it is important for clients to identify whether it is actually the bank they are speaking to.
To aid in this effort, MyBroadband asked local banks which numbers customers can expect their banks to call them on, as well as when they would normally be called.
It is important to note that even if you do receive a call from one of these numbers, you should not provide any of the private information mentioned above, as fraudsters are able to spoof numbers and there is no reason your bank should ask for this information.
Standard Bank promptly calls customers when it detects an irregular online transaction. The bank does not require the CVV, PIN, or OTP of the client and simply asks them to verify their birth date before informing them of the transaction.
“If you suspect that your OTP or CVV has been compromised, please call 0800 020 600 immediately,” Standard Bank said in a mail to customers.
“If you receive a message from +27 87 240 6256, please treat as urgent as this is Standard Bank notifying you of suspicious activities on your account.”
The company told MyBroadband that at the moment, it does not have a single number for Call Line Identity on the customer side.
“FNB Card Fraud may call customers from time to time to verify suspicious transaction attempts on their accounts. During these interactions, a customer will never be asked to disclose their full card numbers, One Time Pins or Card Pins,” said FNB head of Card Fraud Senzo Nsibande.
“FNB would like to reaffirm that clients should never disclose these details unless actively shopping on a secure site or mobile applications.”
The bank said it uses multiple methods to contact customers, including voice calls, SMS, email, and the banking app. The most common numbers used for voice contact are 087 736 9250 and 087 577 4162.
“Customers should immediately report any suspicious calls or activity to the bank by contacting the numbers on the back of their cards,” Nsibande said. “The bank reiterates that it will never ask for a customer to divulge card details over the phone.”
“We also encourage our customers to download our banking app so they can be able to report fraudulent transactions instantly. It’s easy, seamless and takes less time rather than being on a call.”
Nedbank head of Card Fraud Deon Louw said the bank sometimes calls and sends SMSs to clients to verify transactions.
“Unfortunately, there is not a single number that the department dials out from due to the setup of the telephony systems,” Louw said.
He added that clients should be aware of the following guidelines to improve their resilience to phishing attacks:
- Nedbank will not ask you for your CVC number.
- Never share your card PIN, online banking PIN, or password or your Nedbank ID with anyone.
- Always read Approve-it or SMS messages you receive carefully before accepting them.
- If you receive an Approve-it message for a transaction you did not initiate, decline the transaction and report the incident to us immediately on 0800 110 929.
Capitec said it does call customers to verify suspicious transactions, but did not supply any number from which customers could expect their bank to call.
“Our fraud team monitors clients’ CNP (card not present) transactions and will call them to confirm any transactions that appear suspicious,” the bank said.
“When contacting clients we will never ask them to provide any personal details such as their account number or PIN.”
“Capitec clients can report any suspected fraud by calling our 24-hour client care centre on 0860 10 20 43.”
MyBroadband asked Absa for comment, but the bank did not respond by the time of publication.