Raid: There is a constant evolution of the techniques adopted by fraudsters to raid bank accounts
By Thuli Zungu
Modern consumers have become used to a plethora of easy pay options when transacting. One does not think twice about using their phone or smartwatch to pay for their morning coffee after a workout session at the gym.
Contactless payments, such as tapping a bank card or using a smartphone or smartwatch at a point of sale (POS) machine, are becoming increasingly popular because of the convenience they offer.
Reana Steyn, Ombudsman for Banking Services, says with this convenience comes great responsibility and the need for consumers to be more alert and aware, as this payment method, like any other platform or area where money or the transfer of money is concerned, is also susceptible to fraud.
She says technology has made it easier for fraudsters to steal and manipulate personal information through phishing emails, vishing calls, smishing SMSes and malware attacks.
These are also referred to as “social engineering attacks”, aimed at giving the fraudsters access to consumers’ personal and confidential information, which the fraudsters then use to raid and deplete bank accounts.
Steyn says although banks have developed fraud detection and prevention systems such as SIM swap detection, transaction monitoring, two-factor authentication (2FA) and other customer identification methods, fraudsters are constantly devising new ways to bypass these systems, making it an ongoing battle for banks to stay one step ahead.
The Ombudsman for Banking Services receives hundreds of complaints and phone calls monthly, and so continues to witness the constant evolution of the techniques fraudsters adopt to exploit the vulnerabilities and loopholes created when consumers are not aware of the dangers and of the methods the fraudsters employ.
“While technology has resulted in improved convenience and efficiency, it cannot be disputed that it has also brought with it new fraud challenges that require both the banks and consumers to work together to do all that they can to close these loopholes/vulnerabilities that are continuously exploited by the fraudsters,” Steyn says.
More recently, the Ombudsman for Banking Services has seen the emergence of a new scam involving the use of near-field communication (NFC) technology.
“This involves fraudsters using stolen bank card information such as the card number, expiry date and the CVV number (card data), to make fraudulent purchases via the digital wallet.
“Unlike the normal card-not-present (CNP) fraud transactions that we are accustomed to, where the fraudsters would use the stolen card information to make online purchases, which would prompt an OTP to be sent to the registered cellphone number of the legitimate cardholder for each of the transactions made, NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction.”
The NFC/digital wallet payment fraud works as follows: the fraudsters use the stolen card information to link their smart devices (smartphones and smartwatches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay, etc., and then use the fraudster’s smart device to perform fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.
For the fraudsters to link their devices to the legitimate bank customer’s stolen card information, an OTP or a “Smart in Contact notification” required to complete the linkage process is sent to the bank customer’s registered number or banking app. “Only after the transaction/registration/linkage is approved via an OTP or approve-it authentication is the fraudster’s device linked to the bank customer’s bank card.
“Thereafter the fraudsters’ device can be tapped at POS machines, allowing transactions to take place on the card with no further verification required from the bank customer for the approval of the individual purchases.”
Steyn confirmed that approximately 124 of these complaints (NFC fraud-related complaints) have recently been formally reported to and investigated by her office.
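The linkage step is the one moment the bank still sees an authenticated event, so the sequence described above (wallet provisioning approved by OTP, then token tap-to-pay purchases abroad while the physical card was last used at home) is something a transaction-monitoring team can look for. The following is an added example written for this page, not code from the article, the Ombudsman’s office or any bank; the event kinds, the 72-hour window, the 30-day lookback and the fallback home country of ZA are all assumptions chosen for illustration, and the event log is constructed sample data, not real complaints.

```python
"""Flag digital-wallet provisionings followed by foreign token purchases.

Heuristic (an assumption for illustration, not any bank's actual rule):
  1. A wallet token is provisioned for a card (the OTP/push-approved link).
  2. Within `window_hours`, tap-to-pay purchases made with that token occur
     in a country other than where the physical card was last used.
Physical-card use is taken as the best available signal of where the real
cardholder is; a travelling customer who links a wallet abroad therefore
does not trip the rule, because their card-present history moved with them.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    card: str        # masked PAN or internal card reference
    ts: datetime
    kind: str        # "card_present"    physical card tapped/inserted at a POS
                     # "token_provision" wallet linkage approved via OTP/push
                     # "token_tap"       tap-to-pay with the wallet token
    country: str     # ISO 3166 alpha-2 of the POS / device, e.g. "ZA"
    amount: float = 0.0


def home_country(events, when, lookback_days=30, default_home="ZA"):
    """Country of the most recent physical-card purchase before `when`.

    With no card-present history in the lookback window we fall back to the
    bank's home market (assumption: "ZA", as the article concerns South
    African customers).
    """
    cutoff = when - timedelta(days=lookback_days)
    recent = [e for e in events
              if e.kind == "card_present" and cutoff <= e.ts < when]
    if not recent:
        return default_home
    return max(recent, key=lambda e: e.ts).country


def flag_provisionings(events, window_hours=72, lookback_days=30,
                       default_home="ZA"):
    """One alert per provisioning that is followed, within the window, by
    token taps outside the cardholder's home country."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e.card].append(e)

    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        for prov in (e for e in evs if e.kind == "token_provision"):
            home = home_country(evs, prov.ts, lookback_days, default_home)
            window_end = prov.ts + timedelta(hours=window_hours)
            foreign = [t for t in evs
                       if t.kind == "token_tap"
                       and prov.ts < t.ts <= window_end
                       and t.country != home]
            if foreign:
                alerts.append({
                    "card": card,
                    "provisioned_at": prov.ts,
                    "home": home,
                    "foreign_countries": sorted({t.country for t in foreign}),
                    "tap_count": len(foreign),
                    "total": round(sum(t.amount for t in foreign), 2),
                })
    return alerts


T = datetime  # shorthand for the constructed sample log below
SAMPLE_EVENTS = [
    # Card A: cardholder shops in South Africa; a wallet is then linked and
    # used straight away in Dubai and France (the pattern the article describes).
    Event("cardA", T(2023, 5, 1, 9, 0), "card_present", "ZA", 250.00),
    Event("cardA", T(2023, 5, 9, 18, 30), "card_present", "ZA", 89.90),
    Event("cardA", T(2023, 5, 10, 10, 0), "token_provision", "AE"),
    Event("cardA", T(2023, 5, 10, 14, 5), "token_tap", "AE", 1200.00),
    Event("cardA", T(2023, 5, 11, 11, 40), "token_tap", "AE", 3400.50),
    Event("cardA", T(2023, 5, 12, 20, 15), "token_tap", "FR", 800.00),
    # Card B: legitimate local wallet set-up, used at home; no alert.
    Event("cardB", T(2023, 5, 3, 12, 0), "card_present", "ZA", 120.00),
    Event("cardB", T(2023, 5, 4, 8, 0), "token_provision", "ZA"),
    Event("cardB", T(2023, 5, 4, 9, 30), "token_tap", "ZA", 45.00),
    Event("cardB", T(2023, 5, 5, 13, 0), "token_tap", "ZA", 310.00),
    # Card C: cardholder travelling in Spain links a wallet there; the
    # card-present history moves the home signal with them, so no alert.
    Event("cardC", T(2023, 5, 2, 19, 0), "card_present", "ES", 60.00),
    Event("cardC", T(2023, 5, 3, 10, 0), "token_provision", "ES"),
    Event("cardC", T(2023, 5, 3, 12, 0), "token_tap", "ES", 75.00),
]

if __name__ == "__main__":
    for alert in flag_provisionings(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the script reports a single alert for card A (three taps in AE and FR, R5 400,50 in total) and stays silent on cards B and C. In practice the alert would be routed to a step-up check with the cardholder rather than an automatic decline, since the same shape also appears when a customer links a wallet just before flying out.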
She says the losses suffered are estimated at millions of rands with customers’ accounts fraudulently drained through tap and go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France and Spain whilst the legitimate cardholders were in South Africa.
“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights.”
Based on the complaints the Ombudsman’s office received, as well as the patterns identified by some of the banks whose clients fell victim to this fraud, it was evident that the fraudsters were impersonating legitimate businesses such as the South African Post Office, courier services and VodaBucks, using fake websites and emails that require clients to enter OTPs to redeem credits, in pursuit of their criminal acts.
Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms.
Steyn cautioned that any business may be impersonated. She advises consumers to read and understand the OTP/inContact messages sent to them and to consider critically whether the message relates to a transaction they actually initiated. She also advises bank customers never to be pressured into entering or giving away their OTPs without understanding exactly what they are authorizing.
More importantly, consumers must guard against opening unsolicited links sent to them, especially when they are prompted to enter their personal and banking information. She advised that many of the losses can be prevented if everyone adheres to this simple principle. In the NFC fraud matters received, Steyn said that many of the complainants had received messages containing their bank card number and/or an OTP (the stolen information) requesting them to complete an authentication process which they never initiated.
Should you receive such a message in instances that you never initiated any transaction with your bank card, the Ombud advised bank customers to immediately report the incident to their banks.
She says one of the major banks in South Africa confirmed to have received over 6000 related complaints between January 2022 and June 1 2023.
“The said bank’s stats show that between January and June 2022, about 553 customers fell victim to this fraud with their losses amounting to about R427 487.” This year the number of victims jumped to over 5 450, with combined monetary losses of over R6,5 million. “These are highly concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which in some instances may be impossible to recover from”, says Steyn.
She noted that fraudsters target consumers of all ages and segments and cannot be reduced to one specific demographic or profile. Because of this, everyone should always be vigilant and not be too trusting with card information, especially OTPs.
One-time PINs (OTPs) are single-use personal identification numbers, usually sent via SMS or email or generated by an authentication app, that give bank customers an extra layer of security for online transactions, registrations or login processes.
“These should therefore be treated with utmost privacy and confidentiality and must be inserted or used to perform legitimate customer initiated and known transactions, especially when it relates to your bank account and/or bank card numbers’’.
VALUABLE TIPS TO AVOID BEING SCAMMED
Steyn would like to assure consumers that her office has engaged the banks affected by this fraud with the aim of working on solutions to this challenge.
Until a solution is found, she urges all bank customers who are victims of NFC payment fraud, or who suspect that they are victims of OTP fraud, to immediately contact their respective banks to report the incident, and to report unresolved complaints to her office.
Handy Tips
- Be cautious of any unsolicited communication requesting an OTP.
- Verify the authenticity of any request for OTPs by directly contacting the organization or individual purportedly making the request. Do not use contact details provided in suspicious messages. Instead, use verified contact information from official websites or sources.
- Enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as biometric authentication or hardware security keys. Enquire from your bank about the security measures available to you.
- Regularly update passwords and avoid using the same password across different accounts.
- Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.