Card fraud chaos in South Africa
In 2023, card-not-present (CNP) fraud accounted for over 68% of all card fraud committed in South Africa, costing citizens over R700 million.
This is according to the South African Banking Risk Centre’s 2023 annual crime statistics report, which attributed this to the country’s rise in digital payments and online shopping.
CNP fraud refers to a scam where a payment is made using a debit or credit card that does not belong to the person making the payment. This is often because the perpetrator has stolen the card or the card’s information.
To counter these crimes, online merchants must implement advanced security measures to ensure the customer has their card at hand when making a payment, such as asking for the CVV number.
Despite these security measures, South Africans lost R764.4 million to CNP fraud in 2023. Most of this was stolen using debit cards — R425.9 million, while credit cards were used to steal R338.5 million.
This meant that CNP fraud had increased by roughly 18% since 2022.
However, it was found that 63.1% of CNP fraud perpetrated using South African-issued credit cards was committed outside the country.
Similarly, 57.7% of CNP fraud using South African-issued debit cards was committed in a foreign country.
The countries where these fraudulent transactions occurred were the UK, UAE, US, Spain, Netherlands, Luxembourg, Ireland, Hong Kong, Estonia, and Cyprus.
Sabric found that the most prominent merchant groups where credit CNP fraud was perpetrated were travel agencies, advertising services, electronic sales, and supermarkets.
On the other hand, those perpetrating debit CNP fraud preferred dating services,
Phishing and OTP vishing were the most prevalent attacks used to obtain credit and debit card information, according to the report.
Phishing is a type of social engineering where victims are manipulated into revealing sensitive information — in this case, their card details — using emails or text messages.
OTP vishing refers to a type of phishing (voice phishing) used to obtain the OTP needed to approve a transaction over the phone. Scammers often pose as bank employees to gain the victim’s trust.
Stay safe this Black Friday
A form of phishing that has been particularly prevalent in South Africa recently is HTTPS phishing, where fraudsters create phoney or replica websites to harvest card information from their victims.
These websites are often advertised on social media, drawing in victims by advertising deals that seem too good to be true, only for them to be precisely that.
To protect against these scams, Sabric has identified several tips for shoppers and merchants to avoid becoming victims of online scams.
One way to check a website’s legitimacy — the first step in deciding whether to transact — is to use the South African Fraud Prevention Service’s Yima website.
The tool scans websites for scams and vulnerabilities, using a combination of risks and feedback from users who have interacted with the website to create a Trust Score.
Users can also install a plugin on their browsers.
In the case of website spoofing, the user interface can be very accurately replicated. Attackers often change a single character in the URL, which often goes unnoticed, even upon close inspection.
Artists Against 419 (AA419), an international volunteer group dedicated to identifying and shutting down scam sites, has a list of over 160,000 fake websites.
Another indicator of potential fraud is if a user is not redirected to their bank’s 3D secure page or mobile app to confirm the transaction.
3D Secure adds an additional layer of security to online transactions by requiring two-factor authentication for transactions.
Sabric also suggested that shoppers choose a strong password or passphrase when registering on a secure site and never save it on any device. The same goes for payment credentials.
For most people, remembering strong and unique passwords for every sensitive website they have an account at is impossible, so it’s advisable to use a reputed password manager.
Considering that these fake websites aim to steal personal information, it is never a good idea to share personal information such as ID numbers or date of birth — something retailers don’t need to process an order.