Nedbank last week warned customers – both active and no longer active – that their personal information had potentially been compromised due to a breach at a third-party service provider.

At the same time, it stated that its own systems, as well as the passwords and personal identification numbers (PINs) of customers, are safe.

“We assure you your accounts and money are safe,” it wrote in an SMS to affected customers.

Paul Ducklin, principal research scientist at Sophos, comments on the Nedbank breach: “The good news is that according to publicly available information, the data breach didn’t happen inside Nedbank’s actual banking network.

“As far as we can tell from what has been announced, a security incident resulted in the breach of Nedbank-customer related data held by a marketing company,” he says. “The data appears to be limited to names, ID numbers, phone numbers and addresses.

“The bad news is that the customers who were affected now face what you might call a double-whammy of phishing risks. First, if this data ends up in the hands of cybercrooks, they will be in a position to send bogus emails, or to make fraudulent phone calls that are much more believable than usual.

“The crooks won’t say ‘Dear Sir/Madam’, they’ll say ‘Dear Siyabonga’ or ‘Dear Sarah’. They’ll be able to send you a document that’s password-protected with your ID number, just like some banks do. They’ll know where you live so they can find out your closest branch and thus add a personal touch when they contact you.

“Second, although just some Nedbank customers were affected, all its customers will now be waiting for a message from the bank to find out if they are on the list or not. (Nedbank has said it expects to know whom to contact within a few days. That sort of delay is not unexpected because it allows time to investigate the breach properly first.)

“Crooks can take advantage of that by sending out bogus messages that prey on people’s fears, telling them they were affected and trying to trick them into giving over more data, or to convince them to click through to phoney websites.”

His advice to customers is as follows: “If you want or need to contact Nedbank about anything, don’t rely on any contact information shared through email, text or phone calls.

“In fact, make this a general rule. Even if you feel 100% certain that a warning email or SMS is genuine, you should never use any phone numbers or contact details from the message itself. Go and find the contact details by yourself. This will protect you from scammers who give you fake contact details, wait for you to get back in touch, and just continue scamming you from there having won your trust.

“If you have a bank card, turn it over and look for contact details on the back – the crooks can’t change the phone number or website name on a card you’ve already got! You can also look at the screen of one of the bank’s own ATMs, which usually display contact information, even if you don’t have a bank card, or look at the paperwork or brochures you got when you opened your account.”