FNB fraud warning

FNB has warned about a scam that its customers are increasingly falling victim to, where criminals are impersonating bank fraud department staff and gaining access to people’s banking profiles.
Like many scams, a remote access attack employs social engineering to manipulate victims into giving an attacker access to sensitive information, like their bank account details.
The South African Banking Risk Information Centre (Sabric) said that “criminals know the weakest link in the security chain is a human and will pose as bank staff to exploit the victim’s inclination to trust.”
In other situations, fraudsters pose as technical support staff and offer to help the victim “fix” something on their computer.
The attacker then attempts to trick victims into transferring funds to an account under their control or installs malware that can relay personal or confidential information back to the attacker.
Fortunately, FNB has identified how best to avoid and mitigate such attacks: by being aware of the vulnerabilities fraudsters try to exploit.
Targeting a human’s gullibility is the central modus operandi for several other scams, including phishing, vishing, and dating and romance scams.
For instance, phishing is an attack where attackers try to lure targets to a phoney website by getting them to click on a link, often posted to social media or sent via email.
The bait is often a major sale or a prize that can be claimed, usually something that is too good to be true.
Scammers also use fear to trick people into clicking, painting a scenario that requires immediate action to prevent something dire from happening.
Once on the fake website, victims are encouraged to enter sensitive information, such as at a fake checkout portal. Not only will they not receive what they ordered, but fraudsters will now have access to this information.
This can take place when the victim clicks on a link sent via SMS, known as smishing, or when the victim is contacted via phone and encouraged to reveal an OTP sent to their device, known as vishing.
Phishing attacks typically target a large number of people in the hope that some take the bait and fall victim to the scam.
Dating and romance scams, on the other hand, employ a far more sophisticated form of social engineering as fraudsters home in on a few targets at once, and the attack takes place over a more extended period.
In this case, con artists set up fake profiles on online dating sites, waiting for potential victims to take their bait.
Once they do, the attacker lowers the victim’s defences by building an online relationship. The best case scenario for the fraudster is that their victim falls in love.
The attacker then exploits the victim’s benevolence, claiming to have a personal crisis or some other falsehood they can use to ask for money.
Once the money has been sent, the scammers may disappear completely or continue to milk the victim’s generosity.
Remote access scams

Remote access scams may seem like something that can easily be avoided. However, given what the victim believes to be at stake and their lack of technical knowledge, many fall into this trap.
FNB said the attack typically starts with a fraudster contacting the target via phone call and offering assistance to block fraudulent transactions.
If the assistance is accepted, the fraudster tells the potential victim that to do so, they will need to download and install protective software on their personal computer (PC).
While the software may look legitimate to the unsuspecting eye, it will allow the fraudster to access their victim’s computer remotely via the Internet, hence the attack’s name.
After guiding their target through the installation process, the fraudster will ask them to log into their personal Online Banking profile.
FNB said that once the person has done this, their screen will immediately go blank, and they will start receiving several one-time pins (OTPs) on their phone for transactions they have not made.
The fraudster, still in contact with their victim via the phone, will then reassure them that these are fraudulent transactions and that the OTPs must be sent to them.
However, they instead use these OTPs to authenticate the transactions made using the stolen banking details.
To protect against such scams, FNB says its customers should immediately hang up if a caller claiming to be from the bank instructs them to download software or release a payment.
It also reminds customers that a bank will never ask them to share an OTP to reverse pending transactions or block their banking profile.
Customers must also remember to never disclose their banking credentials on the phone, even to a banking official.