Banking 5.07.2020

How criminals are stealing from South African bank accounts

Criminals in South Africa are using social engineering to steal personal and confidential information from South Africans, according to SABRIC.

This type of crime relies heavily on personal data, which is why many pickpockets and muggers are now sifting through their victims’ smartphones to see if they can log in to the banking app or other sensitive services.

Phishing, whether it is through email, voice calls (vishing), or SMS (SMishing), remains a common method for criminals to trick victims into divulging their online banking credentials.

“Personal information includes identity documents, driver’s licenses, passports, addresses and contact details amongst others and could be used to eventually commit fraud,” SABRIC said.

“Confidential information, which includes usernames, passwords and PIN numbers, should never be shared with anybody.”

Common attacks

SABRIC said South Africans should be wary of social engineering attacks where criminals call you and pretend to be a bank representative.

“Tactics that continue to be rife are Vishing – where criminals call you and manipulate you into believing that they are from the bank to coerce you into revealing confidential information like PINs or passwords – and SMishing, where you are sent an SMS leading you to believe that you will be assisted to trace your phone and duping you into revealing this confidential information,” she said.

She added that standard email phishing also continues to be rife: you are sent an email, which you believe to be from your bank, that asks you to click on a link that requests your PINs or passwords.

“Business email compromise remains a concern, as criminals target specific employees in organisations who are authorised to transfer funds or make payments,” SABRIC said.

“Criminals utilise information obtained from company websites and/or other digital platforms to identify the details of CEOs, Financial Directors, and other key senior individuals.”

“They then impersonate these individuals by sending electronic requests via email or text message to junior staff in the accounting or finance function requesting that an urgent payment be made to a specific beneficiary,” she added.

By the time the employee realises that the funds have been paid into the incorrect account, it is too late.

Protecting yourself

SABRIC said that all of the banks it partners with have robust fraud mitigation mechanisms, which is why criminals find it easier to target customers and use social engineering to steal money.

“Through staying informed and following the safety tips provided by banks and SABRIC, customers can make it difficult for criminals to defraud them of their hard-earned money,” SABRIC said.

“The locking of mobile phones using dual authentication where available and monitoring bank transactions through SMS notifications should be standard practice for all online banking customers.”

Other steps South Africans can take to avoid becoming a victim of common banking crime include the following:

  • Do not carry unnecessary personal information in your wallet.
  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax or email.
  • Don’t write down PINs and passwords, and avoid obvious choices like birth dates and first names.
  • Don’t use any Personally Identifiable Information (PII) as a password, user ID or personal identification number (PIN).
  • Don’t use Internet Cafes or unsecured terminals (hotels, conference centres etc.) to do your banking.

MyBroadband also spoke to Absa and Nedbank about online banking crime trends, and they echoed the views outlined by SABRIC.


Absa

Absa RBB head of fraud strategy Ulrich Janse van Rensburg told MyBroadband that social engineering attacks are becoming increasingly sophisticated and warned customers to refrain from divulging their personal information.

“For clarity, there is an upsurge in social engineering globally, and fraudsters use personal data from data breaches to impersonate banks with the sole purpose of tricking customers into granting them access to their money and bank accounts,” Janse van Rensburg said.

Janse van Rensburg added that Absa has a number of measures in place to defend customers against SIM-swap fraud and unauthorised transactions.

“Absa’s systems are world-class and we encourage customers to adopt the Absa mobile banking application to ensure that their transactions can be authorised securely without reliance on their SIM card, thus minimising the risk of SIM-swap fraud.”

“Absa recently launched a market-first digital fraud warranty for customers who bank using our banking app – signalling our confidence in the security of our app as the safest way to bank,” Janse van Rensburg said.

He added that Absa’s online banking service requires the customer’s account number, user number, PIN, and password to access the service.

The service will send the customer a logon alert on their cell phone to warn them if somebody is logging on to their online service.

“In addition to that, the customer must download the Absa banking app which contains the option to authenticate high-risk transactions performed on the online banking service,” Janse van Rensburg said.



Nedbank

Nedbank RBB head of digital channels Tawanda Chatikobo also told MyBroadband that social engineering attacks remained the biggest threat for online banking users in South Africa.

“We have also noted an increase in instances where customers receive malware via email that then intercepts all the keystrokes of the client, thereby obtaining the secret logon credentials,” Chatikobo said.

“There is also a distinct pattern among victims that they do not read the second-factor authentication messages when approving an operation, thereby allowing fraudulent transactions to take place.”

Chatikobo added that the combination of phishing and smartphone theft was also a worrying trend.

“Following the theft of the device, the criminals send a phishing email or SMS to the client that pretends to be from the manufacturer of the device, informing the victim that he or she can track or wipe their stolen device by following the link.”

“The client provides the credentials to their device account which the criminals then use to obtain access to the device and the banking app,” Chatikobo said.

Chatikobo echoed the security advice given by SABRIC, stating that customers should never divulge their personal information and should contact their bank when they encounter any suspicious activity.
