There is an increase in phishing and smishing attempts aimed at loading debit and credit cards onto criminals’ digital wallets.
Phishing is a type of cybercrime in which people are duped into providing sensitive information such as login credentials, passwords, PINs, card details, or ID numbers by using deceptive techniques such as fake emails and websites. Smishing is the use of text messages – apparently from reputable institutions – to trick people into disclosing similar information.
Criminals have realised that the process of loading a debit or credit card onto a digital wallet is similar to the process of making an online payment using these cards. Both processes require card details to be entered into an online portal and both require the submission of a one-time password (OTP) to confirm the process.
Criminals might, therefore, send SMSs asking for a small fee to be paid – for example, to release a parcel for collection. This will require the user to enter their card details. The user has no idea that the criminal is actually entering those details into their digital wallet.
When a bank sends the criminal a request for an OTP to confirm the loading of the card, the criminal then asks the user for the OTP, which the user mistakenly believes has been issued in relation to the fraudulent payment. If they hand it over to the fraudster, the criminal is now able to use the card by presenting their own biometrics, because the card has been fraudulently loaded onto the criminal’s own device.
With cybercriminals becoming more sophisticated, consumers must remain vigilant and take proactive measures to protect themselves. FNB shares the following safety tips:
* Don’t panic: Fraudsters rely on people acting hastily out of a sense of panic. Their tactics include threats that your accounts will be blocked or claims that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that none of these situations ever requires you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.
* Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Credible financial institutions will never ask you to click on links. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.
* Pay careful attention to the wording of OTP requests: FNB will never require a customer to share their OTP with anyone so that it can be used anywhere on their behalf, and there should never be a need to share an OTP over the phone or via message with any third party to complete a payment. The wording for an online transaction OTP request is different to that of a digital wallet OTP request, so don’t rush or make assumptions about communications you might receive. An authentic digital wallet OTP notification from FNB will always warn you that you are attempting to link a specific card (indicating the last four digits of the card) to a specific wallet, and it will always inform you to call 0870 30 30 30 or log into the FNB app to complete or cancel the action.
* Enable two-factor authentication (2FA): Enable 2FA wherever possible, since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app, such as the FNB App for FNB customers.
* Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud, but it is always preferable to follow your financial institution’s recommendations on how to secure your money.
* Keep software and devices up to date: Update your operating system, web browsers, and antivirus software on a regular basis to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible.
* Verify contact details: If you are suspicious of a message or request, contact your bank using details directly from their website so that you’re not redirected to the fraudster’s ‘help line’.