Online fraud is on the increase in South Africa, with criminals seeing individuals’ online banking accounts as particularly rich pickings.
By Zane Renou, chief commercial officer at Cellfind
Cybercrime, of which online banking scams account for a significant portion, is costing South Africa about R5.8 billion a year, according to the Center for Strategic and International Studies (CSIS).
Phishing and SIM swap fraud in particular are becoming headaches for the banks and their customers. The banking ombudsman’s annual report for 2014 shows phishing complaints from banking customers have increased from 30% to 45% of all complaints about online banking. So, how do these scams work and how can you protect yourself?
Online banking scams usually start by getting you to surrender your online banking password and login via a phishing email or phone call.
Cybercriminals are becoming more and more sophisticated in how they trick you into giving them your details – for example, many are now using “spearphishing”, which means that they target users with personalised mailers rather than mass emails.
In addition to phishing, criminals sometimes use malware, such as keylogging software, to collect your details. The next step is to get a new SIM card for your cellphone number via identity theft or with the collusion of an employee working for an operator.
Once the criminal owns your mobile phone number, he or she can receive one-time PIN codes for online transactions or use your mobile banking PIN. At this point, the fraudster can start emptying your bank account. Here are some tips about how you can avoid becoming a victim.

Be careful which emails you open
Be wary of emails that appear to come from your financial institution – criminals have become adept at mimicking the look-and-feel of banks’ communications in their phishing emails. Your bank will not ask you for personal details via email, nor will it prompt you to log in to your bank account from a link in an email.
Do not follow the instructions such mails give to click through to a website and change your password. Invariably, they will take you to a site run by a fraudster with the sole purpose of collecting online banking account passwords and log-ins. If you are not sure whether a mail is from your bank or not, simply delete it.

Never give your password or PIN codes to someone else via email or the phone
Just as your bank won’t ask for your details via email, it won’t phone you out of the blue to ask for personal information such as your online banking password or your credit card number. Hang up if someone calls you asking for this information.

Keep an eye on your text messages
Ensure that you receive SMS notifications about any transactions across your bank accounts, and act immediately if you see something suspicious. Also, remember that your mobile operator will send you a text if you swap your SIM card out for a new one. If you receive a message letting you know that the network will soon be activating a new SIM for your number, get hold of your operator right away if you didn’t request the SIM swap. Typically, you have only a couple of hours to act.

Monitor security advisories on your bank’s website
Most South African banks post regular advisories about the most recent scams – online and otherwise – on their websites. This is a good way to stay ahead of the criminals’ latest schemes. Banks’ websites also offer some good advice about how you can protect yourself from cybercriminals and other fraudsters.

Install antimalware software
Many criminals use malware such as spyware and keyloggers to harvest sensitive personal information. Thus, it’s a good idea to install reputable antimalware software on your devices and keep it up to date.

Don’t access online banking from someone else’s PC
Ensure you access Internet and mobile banking only through your own or trusted devices and avoid using PCs or devices that could be compromised by viruses like keyboard sniffers and recorders. Don’t use public computers for online banking.

Be careful about how you manage your personal information
Identity thieves just need a few pieces of information – your address, your bank account or card number, ID number, full name – to get a start on stealing your identity and thus your money. With just a piece of information, they can gather more data about you until they have enough to impersonate you. Then, they can use your personal details to take out a loan, impersonate you when doing a SIM swap on your mobile number, or even access your bank accounts. For that reason, you can’t be too careful with personal information.

Closing words
The SIM card is perhaps the biggest soft spot for criminals’ attacks on users’ bank accounts as it is the recipient of the one-time PINs for transactions, but we are seeing innovative solutions arise to this problem. For example, there is technology that secures mobile financial services by validating that both the user and SIM card are who they say they are. In time, we shall hopefully see more banks make use of this technology to protect their customers, and more customers taking the necessary measures to protect their personal information.