There has been a spate of SIM swap and Internet banking fraud recently, resulting in many South Africans losing large amounts of money. ABSA’s head of digital banking, Adrian Vermooten, has provided more information about these crimes.
Phishing attacks to get Internet banking details
The first thing which typically happens, said Vermooten, is that an Internet banking client falls for a phishing attack. This gives the scammer access to a client’s Internet banking details, including their username and password.
He warned that the phishing attacks do not only ‘pretend’ to come from ABSA. They can also be messages promising a SARS refund, Discovery rewards points and the like.
After a successful phishing attack, which gives the scammer access to a client’s Internet banking account, a SIM swap is needed.
Getting a victim’s mobile number, SIM swap fraud
The fraudster needs to gain access to the victim’s cellular messages to intercept the Random Verification Number (RVN) sent to a user’s cellphone to create a beneficiary. A SIM swap makes this possible.
Finding a victim’s mobile number is easy, said Vermooten. A good search typically does the trick, and if that is not successful, social media is another great tool.
If all else fails, explained Vermooten, the victim’s work can be called in a social engineering attack. It is typically very easy to get a mobile number using this method.
Armed with a mobile number, the fraudster must then do a fraudulent SIM swap. Vermooten explained that this step may involve weaknesses within the cellular operators’ security or even rogue employees working with syndicates.
Armed with a victim’s Internet banking details and their cellphone messages, a fraudster can create beneficiaries, lift daily transfer limits and move money around at will.
Bypassing some SIM swap security measures
Vermooten explained that Vodacom’s SIM swap security measure – where users are sent an SMS when a SIM swap is requested – is easily bypassed by scammers.
He said that the scammers often flood the victim’s number with useless calls, prompting them to switch their phone off. This gives the scammers the opportunity to do a SIM swap undetected.
Another method is for the scammers to call the victim before the SIM swap, saying that they are from Vodacom and alerting them that some testing is being done on their number. The victim is told to ignore all the messages.
Getting a bank account to transfer money to
Vermooten said that fraudsters typically buy bank accounts to transfer money to, rather than opening them with fake identification.
He said that these bought accounts do not have much money in them, and the original owner is usually not aware that the accounts will be used in fraud.
What people should watch out for
Vermooten said that banks will never send an e-mail asking their clients to click on a link and enter their banking details.
He further urged Internet banking users to always type in the URL (like www.absa.co.za) manually when doing Internet banking.
Up-to-date anti-virus software can also help with safeguarding users against certain attacks.
People should also be vigilant when it comes to strange activity on their cellular number, like many calls or SMSs flooding their SIM.