Security warning to cellphone network users in South Africa
Criminals are using increasingly sophisticated and convincing tactics to execute One Time PIN (OTP) scams in South Africa.
Armed with a wealth of sensitive data, scammers are able to craft personalised and persuasive attacks to trick people into giving them their OTPs.
These attacks have conned even tech-savvy users under the right circumstances, and MyBroadband has received several reports from technically skilled readers about such incidents.
In one recent case, a reader was contacted by scammers claiming to be from MTN with all the personal information to convince him of their claims.
Although he acknowledges that giving out any kind of OTP was stupid, he said the scammers had all the personal information to convince him they could be from MTN’s fraud department.
Scammers use many different approaches to con people, but they usually involve creating an urgent scenario to cloud your judgment.
For example, they might call and claim to be from your operator’s fraud division with a warning that someone was trying to clone your number or perform a fraudulent SIM swap at that very moment.
To create a false sense of urgency, they might say that if you don’t cooperate immediately, they won’t be held liable for any theft as a result of the SIM swap.
In this specific case, the attackers attempted to take over the victim’s cellphone account through the MTN app, which only requires a cellphone number and OTP to log in.
Once logged into the app, the attackers have access to information and features that can help them convince victims of their legitimacy.
For example, they can generate a full itemised bill and email it to you from an mtn.com address.
If you don’t know the app can do that, or haven’t yet clicked that you’re dealing with an OTP scammer, receiving a genuine invoice while on the phone with them could help reinforce the belief that you are speaking to an MTN staff member.
While they have access to your account, attackers may exploit the network’s airtime and data transfer features to steal your credit and send it to another number under their control.
From here, the criminals may attempt various approaches to steal money from you.
One popular attack is to try and convince the victim to send funds to their mobile money wallet, which the criminals then transfer out.
This usually requires that the attackers obtain an additional OTP, which is where the reader who contacted us about their incident realised what was happening.
When he challenged the attackers, they briefly tried to keep the ruse going before hanging up the call.
MTN has said that OTP scams are among the leading scam tactics used by criminals but that it has observed an overall decline in these types of incidents.
“OTP-related fraud has shown fluctuating trends over the past two years. However, in recent months, we have observed a decline in such cases,” a spokesperson told MyBroadband.
“This can be attributed to the proactive measures we have implemented to mitigate these scams, alongside our ongoing customer communication campaigns aimed at educating customers on safeguarding their information.”
Last week, MTN South Africa announced that branches of law enforcement had arrested key individuals involved in an OTP scam syndicate.
“The arrests followed a successful search and seizure warrant on what was believed to be the syndicate’s headquarters in Eldorado Park, Soweto,” MTN said.
MTN said the Commercial Crimes Unit obtained search warrants for five properties believed to be the syndicate’s front businesses and call centres thanks to various stakeholders and anonymous tip-offs.
“This is a major milestone for MTN and a victory for all our customers who are regularly being targeted by these criminals. OTP scams are among the leading scam tactics used by the criminals,” the mobile network said.
“We continue to urge customers to remain vigilant and protect their OTPs to prevent similar incidents.”
MTN said customers can report incidents of fraud to [email protected] or [email protected]. There is also the option of calling 083135 and selecting the fraud desk option.