Online banking and SIM swap fraud remains a big problem in South Africa. The 2015 Columinate Internet Banking SITEisfaction survey showed there is a continued rise in digital banking crimes in the country.
The survey revealed that 55% of people had been targeted through some type of fraud, while 12% fell victim and incurred some sort of financial loss.
Over the years banks and mobile operators have implemented security measures to protect their clients against SIM swap and online banking fraud.
Criminals are constantly devising new ways to bypass these security measures, though, and continue to steal money from online banking users.
Online banking criminals typically use five steps to steal money (also see How criminals steal money from your online bank account):
- Get the person’s Internet banking details, typically through a phishing attack.
- Get one or more bank accounts to which money can be transferred and from which it can be withdrawn.
- Clone the SIM card used by the person.
- Create beneficiaries (using the list of banking accounts) and transfer money to these beneficiaries.
- Withdraw the money from these accounts.
An overview of what to watch out for with regard to online banking fraud attempts is detailed below.
Stealing online banking details
Phishing attacks are used by criminals to steal a victim’s Internet banking login details – account number, username, and password.
Emails are often used to convince a victim to visit a fake website which resembles their bank’s.
These emails contain a threat or a promise. Threats are normally account closure, suspended access, or loyalty point loss if the client does not take action. Promises normally entail a refund or an ad hoc payment, more loyalty points, or a chance to win big.
The victim then clicks on a link in the email, which takes them to a phishing website asking them to log in to their banking account. Their details are then stored.
There are many other phishing methods, including asking for passwords via email, or targeted calls to a client pretending to be the bank asking for banking details.
Criminals may use information about a person which they received from a source, then call the client pretending to be someone from their bank.
The fraudster asks the victim to confirm certain personal details, including banking details and passwords.
Phishing is not the only way to steal online banking details. Criminals can also obtain login details from computers in public areas that record sensitive information or run keystroke logging software, or by using malware which gives them access to a victim’s computer.
Cloning a SIM card
One of the most challenging steps for criminals who want to steal money using online banking is gaining access to a victim’s mobile number. Without this, the criminal cannot create new beneficiaries to send money to.
Here a SIM swap is typically used. Mobile operators have implemented numerous measures to limit SIM swap fraud, but criminals have devised ways to bypass these methods.
For example: an SMS is sent to a client after a SIM swap is requested. They can then stop a SIM swap within 2 hours if it is fraudulent.
To bypass this, criminals harass their victims with multiple “wrong number” or other calls, until they switch off their phone. After the phone is switched off, they do the SIM swap without fear of detection.
Getting a bank account to move money to
With the Financial Intelligence Centre Act (FICA) laws, it should be challenging for a criminal to open a bank account which cannot be linked to a person.
However, criminals have figured out ways to make this law ineffective.
They use other people’s accounts, use fake identities to open new accounts, and even have rogue banking employees who assist them with their criminal activities.
One banking expert said that clients who legally are able to open an account often work with a fraudster and allow their accounts to be used for the fraudulent activity.
There is no way that any bank can detect the fraud before it happens – as all the account opening criteria are within the framework of the law.
Creating beneficiaries, transferring the money
After the SIM swap has taken place and the fraudster has access to the number used by the Internet banking victim, beneficiaries are created and the money transferred to these beneficiaries.
During this time it is important for the criminals that the account holder is not alerted to their activity.
Withdrawing the money
In the case of ATM withdrawals, the money is often transferred shortly before midnight. The maximum daily amount is withdrawn before 00:00, and the same amount just after midnight. The card is then destroyed.
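The two patterns described above (a new beneficiary paid shortly after a SIM swap, and limit-sized ATM withdrawals on either side of midnight) can be expressed as monitoring rules. This is an added example, not part of the original article; the event fields, account names and time windows are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

SWAP_WINDOW = timedelta(hours=24)     # assumed look-back after a SIM swap
MIDNIGHT_GAP = timedelta(minutes=30)  # assumed max gap across 00:00

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events (not real data); field names are hypothetical.
EVENTS = [
    {"acct": "V-001", "type": "sim_swap", "at": ts("2015-06-01 21:10")},
    {"acct": "V-001", "type": "beneficiary_added", "at": ts("2015-06-01 23:20"), "to": "M-777"},
    {"acct": "V-001", "type": "transfer", "at": ts("2015-06-01 23:41"), "to": "M-777", "amount": 10000},
    {"acct": "M-777", "type": "atm_withdrawal", "at": ts("2015-06-01 23:52"), "amount": 5000, "limit": 5000},
    {"acct": "M-777", "type": "atm_withdrawal", "at": ts("2015-06-02 00:03"), "amount": 5000, "limit": 5000},
    {"acct": "V-002", "type": "beneficiary_added", "at": ts("2015-06-01 10:00"), "to": "B-100"},
    {"acct": "V-002", "type": "transfer", "at": ts("2015-06-01 10:05"), "to": "B-100", "amount": 300},
    {"acct": "B-100", "type": "atm_withdrawal", "at": ts("2015-06-01 15:00"), "amount": 200, "limit": 5000},
]

def swap_then_new_beneficiary(events):
    """Transfers to a beneficiary created within SWAP_WINDOW after a SIM swap."""
    swaps, fresh, alerts = {}, set(), []
    for e in sorted(events, key=lambda e: e["at"]):
        if e["type"] == "sim_swap":
            swaps[e["acct"]] = e["at"]
        elif e["type"] == "beneficiary_added":
            swapped = swaps.get(e["acct"])
            if swapped and e["at"] - swapped <= SWAP_WINDOW:
                fresh.add((e["acct"], e["to"]))
        elif e["type"] == "transfer" and (e["acct"], e["to"]) in fresh:
            alerts.append((e["acct"], e["to"], e["amount"]))
    return alerts

def midnight_straddle(events):
    """Accounts with limit-sized ATM withdrawals on both sides of 00:00."""
    maxed = [e for e in events if e["type"] == "atm_withdrawal" and e["amount"] >= e["limit"]]
    hits = set()
    for a in maxed:
        for b in maxed:
            if (a["acct"] == b["acct"] and a["at"].date() < b["at"].date()
                    and b["at"] - a["at"] <= MIDNIGHT_GAP):
                hits.add(a["acct"])
    return sorted(hits)

if __name__ == "__main__":
    print(swap_then_new_beneficiary(EVENTS))
    print(midnight_straddle(EVENTS))
```

Either rule alone will produce false positives (legitimate SIM replacements, late-night cash withdrawals); the value is in correlating the two across the paying and receiving accounts.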
In a case where banking clients work with criminals to commit fraud, they leave their daily limits at the highest levels possible.
To remove the money before the fraud is detected, they need many accounts to withdraw from as quickly as possible. They also make card purchases or do online transactions up to the maximum limits.
It is understood that large amounts have been withdrawn by people inside banks, but details about these incidents remain sketchy.