South African fraudsters are becoming increasingly sophisticated at using social engineering to target unsuspecting victims.
This is according to Ulrich Janse van Rensburg, Head of Fraud Strategy for Everyday Banking at Absa Group.
“There is an upsurge in social engineering globally, and fraudsters use personal data from data breaches to impersonate banks,” said Janse van Rensburg.
Rakesh Ranchod, Nedbank Executive for Card, Payments, and Transactional Customer Experience, concurred.
“Clients are called and coerced into divulging sensitive information pertaining to their banking profile, bank cards or passwords, which are in turn used to commit fraud against the clients’ accounts or access their banking profiles.”
Janse van Rensburg said studies have shown that 86% of all consumer information has been compromised through spam emails and data breaches.
The biggest consumer banking scams in South Africa
Janse van Rensburg highlighted three banking scams that are particularly prevalent in South Africa at the moment:
- Tax and SARS Scams – As it is tax season, customers are being approached by fraudsters for their details, promising tax refunds in return.
- Account detail changes – Syndicates are hacking emails and forwarding customers invoices or letters informing them of account detail changes. “Customers must always contact their known third parties to confirm these email instructions,” said Janse van Rensburg.
- Social engineering – Fraudsters contact customers via phishing, vishing, and SMSishing to obtain the customers’ “keys to the safe.” Janse van Rensburg advises that users do not click on links in emails or SMSes, nor should they provide personal details over these communication platforms.
Janse van Rensburg also highlighted four preventative measures South Africans should take to protect themselves against fraudsters:
- Keep your online ID, password or PIN private. Never write these details down or share them with anyone, not even with a relative or friend.
- Never respond to emails from your bank that request your personal details. No bank will ever ask you to confirm or update your account details or ask you to provide your account login credentials (PIN & Password) either electronically or telephonically.
- Keep your personal information as confidential as possible. This will make it more difficult for unscrupulous entities to defraud you.
- Do not open emails from unknown sources. Even if the title and sender details appear to be related to your bank, rather delete them immediately.
Ranchod said that ATM fraud is another prevalent banking scam in South Africa at the moment.
“Clients are being interfered with at ATMs, where they have their cards stolen and they compromise their PINs as they believe the ATM has retained their cards.”
Ranchod said that South Africans should protect themselves by never accepting help from strangers at ATMs.
“If you believe your card has been retained, call your bank immediately and block your card,” said Ranchod.
Another serious threat to South Africans is card skimming.
SABRIC acting CEO Susan Potgieter said that card skimming can happen anywhere, and South Africans should never assume that point-of-sale devices are safe to use – even in a trusted restaurant or store.
Potgieter said that South Africans should ensure that their card is “dipped” into the PoS devices rather than swiped.
They should also make sure that the card is inserted into the PoS device while they are present, and should not be distracted while the transaction takes place.
She recommended that users enable payment notifications via SMS so they can see if they have been billed incorrectly or multiple times.
Business email scam
SABRIC also recently warned South Africans about a scam affecting companies known as “Business Email Compromise.”
The scam involves criminals impersonating high-ranking company staff and convincing junior employees to make payments to specific beneficiaries.
By the time the employee realises they have been scammed, it is too late – as these criminals use bank accounts belonging to money mules.
To protect against this scam, SABRIC recommended that South African businesses use multi-tiered risk mitigation strategies.
It also offered a few basic rules to protect against the Business Email Compromise scam:
- Never list your main email address publicly anywhere online – in forums, in online advertisements, on blogs, social media or any place where it can be harvested by spammers.
- Use a separate email address for the internet which is not linked to your personal or business email account.
- Any unplanned or urgent payment instructions should be questioned. Always check with the person issuing the directive in person or via a credible channel – preferably one where you can see them.
- Any requests for a change in beneficiary account details should be verified by contacting the sender using normal, legitimate, historically sound contact details.