Fraudsters are using the age-old phishing scam to defraud online banking customers and have revived advance fee scams to target more businesses.
Absa fraud solutions head Ally Mafunzwaini told MyBroadband that fraud campaigns have increased alongside relaxed Covid-19 restrictions.
“As the economic climate changes, there’s a marked increase in social engineering, where fraudsters or syndicates trick customers into disclosing their personal and confidential information,” he said.
Bank Zero said that phishing remains one of the most prevalent scam techniques.
Phishing refers to cybercriminals posing as legitimate companies, usually over email and increasingly over WhatsApp, Facebook, and Twitter, to trick targets into providing sensitive data.
These messages typically contain hyperlinks to malicious websites.
Nedbank said that fraudsters send emails that look like they come from the bank.
“When you click on the link, you are asked for your Nedbank ID username and password or card number and PIN,” Nedbank said.
“The fraudsters then use the details to access your bank account.”
Vishing, or voice phishing, involves attackers calling consumers while pretending to be official representatives of a bank.
“Clients receive calls from individuals purporting to be Nedbank employees and convince the victims to divulge their login credentials, giving fraudsters access to their Internet banking profiles,” Nedbank said.
SMS phishing, or smishing, tries to lure individuals into providing sensitive information like one-time passwords (OTPs) and online banking login passwords.
Absa’s Mafunzwaini said malicious text messages also direct customers to call back a number created to impersonate a bank.
FNB and Absa noted that scammers were reviving advance fee fraud, also known as the 419 scam, to target small and medium businesses.
Advance fee fraud typically exploits businesses in two ways.
One method involves tricking businesses into paying upfront for goods and services that never get delivered.
The second technique attempts to convince targets to pay money in advance to receive a loan or promised funds.
“Although this scam has been around for some time and consumer vigilance has heightened, fraudsters have taken advantage of digital platforms to revive [it],” FNB Commercial fraud head Roshan Jelal said.
“Fraudsters mostly use email communication, vishing and falsely advertise their services online or via social media platforms in order to lure unsuspecting victims,” he said.
Another variant of this fraud targets jobseekers, tricking them into paying for medical tests, transport, and other items after being informed they were selected for a job.
Absa’s Mafunzwaini added that the South African banking industry is experiencing a significant increase in ransomware attacks and data breaches.
Ransomware is a form of malicious software that encrypts files and renders them unusable.
Attackers extort ransomware victims by demanding payment for decrypting their data.
They may also steal data while infiltrating a system to infect it with ransomware, and then threaten companies with a data leak in addition to holding their data hostage.
Mimecast’s State of Email Security 2022 report showed that 2021 was the worst year on record for cybersecurity, with ransomware attacks targeting businesses up by 61% compared to 2020.
Mafunzwaini explained that the number of data breaches has increased due to ransomware and exploitation of “zero-day” vulnerabilities.
Zero-day vulnerabilities are software security flaws that security researchers have not yet discovered or disclosed, but attackers know about.
Attackers often use these “zero-days” to break into companies’ systems, from where they can launch ransomware attacks and exfiltrate data.
These data breaches, in turn, lead to more phishing, identity theft, and ransomware attacks, Mafunzwaini said.
Orange Cyberdefense South Africa managing director Dominic White told MyBroadband that identity theft could involve attackers using data from breaches and leaks to impersonate victims.
To avoid being defrauded, banks advised customers not to click on suspicious links or attachments, to use strong passwords, and to immediately change any compromised login details.
“Do thorough research before making a payment to an unknown person, especially when your only source of communication is via social media,” Nedbank said.
Bank representatives will never ask clients to share their usernames, passwords, card numbers, CVV numbers, OTPs, or PINs via a phone call, SMS, or email.
Absa said that successful fraud prevention requires all parties — the banks, customers, and the banking industry — to play their part.