The South African Banking Risk Information Centre (SABRIC) issued a report last year portraying the digital banking crime landscape in South Africa.
The statistics noted that the number of digital banking crime incidents had increased significantly, with SIM swop fraud more than doubling over the course of a single year.
If this trend continues this year, many more South Africans would lose money to online scams, SIM swop fraud, and other attacks.
Criminals have also increasingly begun relying on social engineering to compromise user credentials as the level of security at major institutions has increased.
The selection of weapons at an online attacker’s disposal is quite varied, and we asked SABRIC what attacks South Africans should look out for in 2019 and how they should defend themselves.
SABRIC CEO Kalyani Pillay told MyBroadband that the organisation urges its clients to protect against a variety of attacks by practicing good online security habits and remaining aware of possible scams.
A summary of common and potentially dangerous attacks is listed below, along with tips on how to combat them.
Phishing, Vishing & SMishing
These attacks try to trick users into giving up sensitive information such as online banking login details or other data through email, cellphone, or SMS requests.
Many of these are easy to spot as scams, but others can be far more convincing.
Pillay recommends that users never click on icons in unsolicited emails and delete them immediately.
“Do not believe the content of unsolicited emails blindly. If you are concerned about what is being alleged in the email, use your own contact details to contact the sender and confirm,” Pillay said.
Users should also always type out their bank's URL or domain name in the browser's address bar when they need to access the bank's website. To make sure they are not on a spoofed site, they can also click the security icon in the browser toolbar to confirm that the URL begins with https rather than http.
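As an added example (not from the article or from SABRIC), the Python check below goes one step beyond the https test: it accepts a URL only when the scheme is https and the host is exactly the bank's expected domain, so lookalike hosts, user@ prefixes and non-ASCII homoglyph domains are rejected. The bank host names are constructed placeholders.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed placeholder: the host names the user expects for their own bank
EXPECTED_BANK_HOSTS = {"www.examplebank.co.za", "examplebank.co.za"}


def check_bank_url(url: str, expected_hosts=EXPECTED_BANK_HOSTS) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the scheme is https AND the
    hostname is exactly one of the expected hosts; anything else is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    # A user@ prefix (https://examplebank.co.za@other.test/) makes the real host
    # 'other.test'; urlsplit already sees through it, but flag it explicitly
    if parts.username is not None:
        return False, "URL contains a user@ prefix that disguises the real host"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname in URL"
    # Non-ASCII letters in the host can be visually identical to ASCII ones
    if not host.isascii():
        return False, f"host {host!r} contains non-ASCII characters (possible lookalike)"
    # Exact match only: 'examplebank.co.za.other.test' or 'examplebank-secure.co.za'
    # merely contain the bank's name and are not the bank
    if host not in expected_hosts:
        return False, f"host {host!r} is not the bank's domain"
    return True, "scheme and host match"


if __name__ == "__main__":
    # Constructed sample URLs, none of them real
    for sample in [
        "https://www.examplebank.co.za/login",
        "http://www.examplebank.co.za/login",
        "https://examplebank.co.za.other.test/login",
        "https://examplebank.co.za@other.test/",
    ]:
        ok, reason = check_bank_url(sample)
        print(("OK      " if ok else "REJECT  ") + sample + "  (" + reason + ")")
```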
“If you receive an OTP on your phone without having transacted yourself, it was likely prompted by a fraudster using your personal information,” Pillay said.
“Do not provide the OTP telephonically to anybody. Contact your bank immediately to alert them to the possibility that your information may have been compromised.”
“Banks will never ask you to confirm your confidential information over the phone.”
SIM Swop Fraud
SIM swop fraud is when an attacker gains access to your number by impersonating you to a mobile operator and fraudulently performing a SIM swop operation.
This allows them to receive OTP notifications from various platforms, and the only warning you will usually receive is a sudden loss of reception.
“If reception on your cell phone is lost, immediately check what the problem could be, as you could have been a victim of an illegal SIM swop on your number,” Pillay warned.
“If confirmed, notify your bank immediately.”
She added that users should inform their bank should their cell phone number change so that their contact number is updated on its systems.
“Register for your Bank’s cell phone notification service and receive electronic messages relating to activities or transactions on your accounts as and when they occur,” Pillay advised.
“Regularly verify whether the details received from cell phone notifications are correct and according to the recent activity on your account.”
Users should memorise their PIN and passwords and never write them down anywhere, she added.
Change of Bank Details
This is a devious type of attack which can be devastating to businesses.
Attackers use a method such as email spoofing to assume the identity of a receiving party in a business transaction and convince a user making a payment to send the money to them instead of the real recipient.
This can be conducted as a man-in-the-middle attack or just a legitimate-looking notification that a payee’s payment details have changed.
“Ensure that you confirm any change of banking details with someone you usually deal with at the organisation before making any changes to beneficiary accounts,” Pillay said.
“When calling the organisation to confirm the changes to banking details, use a number from the telephone directory and not the number on the letterhead or email as you will most likely be calling the fraudster.”
Pillay added that staff responsible for paying invoices should be instructed in the potential dangers of this scam and made aware of the consequences.
“Ensure that your company’s private information is not disclosed to third parties who are not entitled to receive it, or third parties whose identities cannot be rightfully verified,” Pillay said.
“Rather shred your business and suppliers’ invoices or any communication material that may contain letterheads, than to discard in rubbish bins.”
Email Hacking
This type of attack is relatively self-explanatory and consists of an attacker somehow gaining access to your email account.
This can be done through malware, viruses, or exploitation of data breaches and bad password security. An email account can be valuable to gain access to a user’s bank account, to verify online banking login attempts, or even to reset the user’s password.
If you are targeted by this attack, you may have to do some serious damage control by contacting all email recipients who were spammed by your hacked mailbox and advising them that these communications were not legitimate.
Pillay said that you should use different and strong passwords for each account – and each should be at least six characters long and a combination of letters, numbers and capitals/lowercase.
“Set up several email addresses. Use your original email address for personal or business communication as you’d normally do and use an alternative email address to communicate with your service provider, since many now ask for a different address for added protection,” Pillay said.
“Then, use yet another email address for registering for websites, newsletters, online shopping and other services. In this way, the risk of a possible compromise is spread.”
“Never list your main email address publicly anywhere online – in forums, in online advertisements, on blogs, social media or any place where it can be harvested by spammers,” she added.
“Use a separate email address for the internet which is not linked to your personal or business email account.”