Internet 15.01.2025

Delivery scam warning in South Africa

Delivery scams, in which recipients of online orders receive fraudulent messages telling them to settle a fee before they can receive their package, are evolving to target specific individuals.

This is according to South African Express Parcel Association CEO Garry Marshall, who told Cape Talk that these new scams indicate potential data leaks and no longer involve spamming thousands of cellphone numbers or email addresses.

“Spear phishing” is a type of social engineering attack in which a victim is sent a fraudulent email or SMS and duped into revealing sensitive information, such as bank account information.

“There seems to be a growing trend towards a link to actual orders that have taken place,” said Marshall.

“That would then imply some form of internal leakage towards syndicates and individuals that are hellbent on taking your money from you.”

He says that many people are involved in the delivery supply chain, including the sender, the airlines, customs clearance brokers, and delivery agents, indicating a number of points where leakages could occur.

To mitigate the risk of falling victim to one of these scams, Marshall says not to act on any messages received regarding an order, as this may take the user to a false address, prompting them for their banking credentials.

However, because some messages may be legitimate, he suggests going directly to the shipper or originator and tracking the order from there.

While these scams may seem harmless, as they often ask their victims to pay between R20 and R30 for some shipping charge, much more is at stake.

Often the attacker tries to trick victims into providing their payment card information via a fraudulent website or Google form.

Once they have the card number, expiry date, and CVV, they can attempt to press the attack to potentially empty their victim’s account or max out their credit card.

An example of this was an attack that software developer and MyBroadband reader Herman Stander fell prey to last year.

Stander lost his entire month’s salary after a cybercriminal used one of his FNB Virtual Cards to make several R4,998 purchases, and he did not receive a single notification from his bank.

Screenshots from Stander’s proof-of-concept attack: Example phishing SMS (left), attack site (middle), and card details loaded into Google Wallet (right)

After FNB informed Stander that his money was gone through his own fault and it wouldn’t be paying him back, he set about building a proof-of-concept to see if he could replicate the attack.

Stander recreated the attack in an effort to understand how the criminals were able to use one of his FNB Virtual Cards without him receiving transaction notifications or requiring multi-factor authentication.

To his horror, he discovered that building a phishing attack that lets you empty someone’s bank account or max out their credit card is extremely simple.

The rotating CVV of FNB’s Virtual Card provided no protection, and the bank not sending notifications of the transactions meant he didn’t realise the fraud was happening until it was too late.

In Stander’s case, a phishing attack disguised as a South African Post Office customs clearance message lured him in.

He received an SMS stating that he needed to pay R30 for customs clearance within 24 hours or his parcel would be returned to the sender.

Although he acknowledged he should’ve known better, Stander said he was expecting a parcel, and the link and webpage it pointed to looked exactly like one you might receive from the Post Office.

Stander’s proof-of-concept attack shows what such an attack site might look like and how easy it is for cybercriminals to harvest the information needed to hijack someone’s payment card.

He demonstrated how the attack works between two willing participants — him and his wife.

The proof-of-concept attack

The attack begins by asking for your card information and then slyly asks for a one-time PIN (OTP) to “verify the payment”.

This is a huge red flag, but someone in a rush or unfamiliar with online payment systems might not register that the OTP request is out of place.

In reality, the OTP is not used to verify a payment but to register the card with a digital wallet platform like Google Pay.

Stander showed how he could register his wife’s FNB Virtual Card in a Google Wallet with the details harvested through the attack site.

He then waited a few hours before performing several transactions, including filling up his bakkie, buying groceries, and picking up a can of paint.

None of these transactions generated notifications on his wife’s phone.

MyBroadband contacted FNB for comment, and the bank explained that its virtual card system’s rotating CVV does not apply to digital wallets.

When you make a tap payment using a card stored in such a wallet, it works like a regular card transaction and doesn’t use the CVV.

“A CVV is not required for card present transactions,” FNB explained.

“The CVV and OTP are required at the time that the digital wallet is registered on a device to transact.”

FNB said that, in this case, this was done when the customer’s card details were phished and compromised.

“With cybercriminals becoming more sophisticated, customers are encouraged to remain vigilant and take proactive measures to protect themselves at all times,” the bank said.
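The sequence described above, a card enrolled in a digital wallet on a new device and then used for tap payments that need no CVV, is something an issuer or monitoring team can check for in account events. The sketch below is an added example, not code from the article, Stander or FNB; the event fields, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events for one card; all field names are hypothetical.
EVENTS = [
    {"ts": "2025-01-10T09:02", "type": "wallet_provisioned", "device": "dev-known", "known_device": True},
    {"ts": "2025-01-10T12:15", "type": "purchase", "channel": "wallet_tap", "device": "dev-known", "amount": 412.50, "notified": True},
    {"ts": "2025-01-14T08:40", "type": "wallet_provisioned", "device": "dev-new", "known_device": False},
    {"ts": "2025-01-14T13:05", "type": "purchase", "channel": "wallet_tap", "device": "dev-new", "amount": 4998.00, "notified": False},
    {"ts": "2025-01-14T13:20", "type": "purchase", "channel": "wallet_tap", "device": "dev-new", "amount": 4998.00, "notified": False},
    {"ts": "2025-01-14T13:41", "type": "purchase", "channel": "wallet_tap", "device": "dev-new", "amount": 4998.00, "notified": False},
]

def wallet_takeover_alerts(events, window_hours=24, min_repeats=2):
    """Flag tap payments from a wallet enrolled on a previously unseen device."""
    window = timedelta(hours=window_hours)
    enrolled = {}  # device id -> enrolment time (unknown devices only)
    spend = {}     # device id -> tap purchases made inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "wallet_provisioned" and not ev["known_device"]:
            enrolled[ev["device"]] = ts
        elif ev["type"] == "purchase" and ev.get("channel") == "wallet_tap":
            start = enrolled.get(ev["device"])
            if start is not None and ts - start <= window:
                spend.setdefault(ev["device"], []).append(ev)
    alerts = []
    for device, buys in spend.items():
        reasons = ["tap payments from a wallet enrolled on a new device"]
        counts = Counter(b["amount"] for b in buys)
        if any(n >= min_repeats for n in counts.values()):
            reasons.append("same amount charged repeatedly")
        silent = sum(1 for b in buys if not b["notified"])
        if silent:
            reasons.append(f"{silent} purchase(s) sent no notification")
        alerts.append({"device": device, "count": len(buys),
                       "total": sum(b["amount"] for b in buys), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in wallet_takeover_alerts(EVENTS):
        print(alert)
```
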
