Online banking and investment fraud have increased during the pandemic.
Last week, my colleague was phoned by her bank’s security team and told that her account had just paid three sums of R10 000 each to a bank in Thailand. The caller, who identified himself by name, asked her to log on to her account to check if the money had actually been transferred out.
While she was hesitating, the caller, as if to reassure her, confirmed the bank account number, her street address and the name of the account holder. All these details, as quoted to her, were correct. The only detail that was ‘off’ (besides the fact that he was calling at all) was that he did not seem to know that the account in question was her husband’s and not hers. When she offered to call the purported bank official back, he cut the call.
Earlier this year, the UK’s financial regulator, the Financial Conduct Authority, issued a statement saying that the number of warnings on fraudulent banking and investment scams issued in 2020 was double the level seen in 2019, and was on course to double again in 2021.
Investment scams made up the highest proportion of authorised fraud losses in 2020, with more than £135 million lost to increasingly sophisticated deceptions often involving the grooming of potential victims over several months and credible-looking cloned websites of banks and investment advisors. In some cases, fraudsters paid ‘dividends’, while convincing their victims to invest more, before vanishing with their stolen money.
The FCA has a section of its website dedicated to helping investors detect fraud, called ScamSmart, as well as a list of unauthorised firms and individuals on its website. South Africa’s regulator, the Financial Services Conduct Authority (FSCA), publishes a list of regulated services providers, but unlike the UK’s regulator, does not publish lists of unauthorised firms. Like its UK equivalent, the FSCA only has the authority to prosecute the complaints against its regulated providers, so bitcoin fraud (a growing category of fraud) falls outside its authority.
With respect to banking fraud, fraudsters have not taken a sabbatical during the Covid-19 pandemic. On the contrary, as ‘face to face’ shopping has dropped, along with opportunities to steal debit cards and credit cards, fraudsters have adapted their skills to new forms of fraud. New-to-digital consumers have proved especially vulnerable and have created new channels to exploit.
UK Finance, a trade association for the UK banking and financial services sector, noted in its recent publication ‘Fraud – The Facts 2021: The definitive overview of payment industry fraud’ that impersonation scams had seen the biggest increase of any scam type. The report noted the following:
- Impersonators might pretend to be from the victim’s bank, and con victims into transferring money to fake accounts. Alternatively, they impersonated online shopping services, parcel delivery companies, e-commerce platforms or broadband providers.
- A common modus operandi was to trick victims into parting with information using fake messages about missed parcel deliveries, or posing as software providers to target home-based workers.
- Fraudsters also used sophisticated techniques such as Search Engine Optimisation and creating fake comparison websites to drive customers to cloned scam websites. Targeted victims would be instructed to complete online forms to register their interest, before receiving a call from someone impersonating a genuine investment firm or broker.
- Criminals might send out professional-looking fake documentation to make the scam appear more convincing, or provide access to online portals that claim to allow the victim to monitor how their investment is performing.
- Criminals were also adept at using social media and digital messaging services to promote bogus investment opportunities, including in forex trading and cryptocurrency – the latter fuelled by the success of and demand for currencies such as Bitcoin and Ethereum.
- The pandemic had contributed to increasing the number of cases of ‘romance fraud’, as social distancing restrictions had increased the popularity of online dating, providing criminals with opportunities to take advantage of this.
- The UK report noted that the highest categories of victims by age were under 25s followed by over 75s.
Trends described in the UK report are broadly in line with those in South Africa, as described by the South African Banking Risk Information Centre (SABRIC), a non-profit company formed by the four major banks to help prevent bank-related crime. In the most recent report on fraud trends, released in June 2020 (and therefore pre-dating the pandemic), SABRIC Annual Crime Stats 2019, it was noted that:
- With respect to digital banking fraud, there had been a 20% increase in the number of incidents and an 8% increase in gross losses. This type of fraud had taken place on both banking apps and via online banking. The report noted that Phishing, Vishing, SMishing and email hacking or business email compromise had been the most prominent fraud types affecting the digital banking space. However, the banking industry had reported some incidents where malware had been used as a method of compromising a client’s digital banking credentials.
- With respect to banking apps, there had been a 45% increase in the number of incidents and a 1% increase in gross losses between 2018 and 2019.
- With respect to online banking, the number of incidents had decreased by 23%, but the gross losses had increased by 14%.
What are phishing and vishing?
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce you to reveal personal information, such as passwords and credit card details. Vishing is when a fraudster phones you posing as a bank official or service provider and uses social engineering skills to manipulate you into disclosing confidential information.
Tips to prevent phishing and vishing and protect your personal information
Phishing
- Do not click on links or icons in unsolicited e-mails. Do not reply to them; delete them immediately.
- Do not believe the content of unsolicited e-mails blindly. If you are worried about what is alleged, use contact details that you already have for the sender to confirm.
- Type in the URL (uniform resource locator or domain name) for your bank in the internet browser if you need to access your bank’s webpage.
- Check that you are on the real site before using any personal information.
- If you think that you might have been compromised, contact your bank immediately.
- Create complicated passwords that are not easy to decipher and change them often.
Vishing
- Banks will never ask you to confirm your confidential information over the phone.
- If you receive a phone call requesting confidential or personal information, do not respond and end the call.
- If you receive an OTP on your phone without having transacted yourself, it was likely prompted by a fraudster using your personal information. Do not provide the OTP telephonically to anybody. Contact your bank immediately to alert them to the possibility that your information may have been compromised.
- If you lose mobile connectivity under circumstances where you are usually connected, check whether you may have been the victim of a SIM swop.
Tips for protecting your personal information
- Don’t use the same username and password for access to banking and social media platforms.
- Avoid sharing or having joint social media accounts and be cautious about what you share on social media.
- Activate your security settings which restrict access to your personal information.
- Don’t carry unnecessary personal information in your wallet or purse.
- Don’t disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax or even email.
- Don’t write down PINs and passwords and avoid obvious choices like birth dates and first names.
- Don’t use any Personally Identifiable Information (PII) as a password, user ID or personal identification number (PIN).
- Don’t use internet cafes or unsecured terminals to do your banking.
- Use strong passwords for all your accounts.
- Change your passwords regularly and never share them with anyone else.
- Store personal and financial documentation safely.
- Keep PINs and passwords confidential.
- Verify all requests for personal information and only provide details when there is a legitimate reason to do so.
- To prevent your ID from being used to commit fraud if it is ever lost or stolen, alert the SA Fraud Prevention Service immediately on 0860 101 248.
- Ensure that you have a robust firewall and install antivirus software to prevent a computer virus from sending out personal information from your computer.
- When destroying personal information, either shred or burn it (do not tear or put it in a garbage or recycling bag).
- Should your ID or driver’s licence be stolen, report it to SAPS immediately.