Unwary divulge bank details on bogus websites
Beware: If you are one of the more than four million South Africans using the internet to do your banking, and are not being vigilant, you stand a high chance of being robbed. The threat is serious. You need to take stringent precautions to avoid falling victim to the plethora of online criminal activities, phishing in particular. According to the South African Banking and Risk Information Centre (Sabric), the incidence of phishing has more than trebled since January this year. The banks say that as quickly as one bogus website is shut down, another one pops up. Neesa Moodley-Isaacs reports on this growing scourge, what the banks are doing to protect you, and how to protect yourself.
What is phishing exactly?
Phishing is the most common type of online banking fraud. You receive an email that looks as though it is from your bank. The contents of the email will typically include a request to confirm your personal details, such as your identity number and your PIN. Ironically, the email usually uses the pretext of preventing fraud to get you to disclose your details.
Kalyani Pillay, the chief executive of Sabric, says although the banks have been detecting and shutting down phishing websites to prevent people from falling victim to fraud, the perpetrators are still able to use the information they have already managed to collect.
She says the content of phishing emails that dupe clients into accessing fake websites is no longer limited to the pretext of security alerts from banks’ online divisions, consumer education information or related information a client would expect to receive from the bank. “Because many clients have become alert to the fact that they should never expect to receive an email of this kind from their bank, there is a newer generation of phishing emails that, for instance, pretend to originate from other organisations such as the South African Revenue Service, enticing you to supply your details in order to get your tax refund,” Pillay says.
According to Sabric, there are now cleverly constructed variations of phishing scams that target clients of multiple banks simultaneously, thereby increasing the perpetrators’ chances of success. “Not only will your bank never send you an email requesting you to update your information online by accessing their website via a hyperlink, but you should also view with extreme suspicion any similar emails received from third parties requesting you to log into your internet banking facility. Any such requests should automatically be considered a scam,” she says.
Banks must prove you were negligent
Banks have a role to play in ensuring that you are provided with a safe and secure banking environment. If they fail to meet their obligations, they could be held liable if you are a victim of phishing, the Ombudsman for Banking Services, Clive Pillay, says. In his annual report for 2009, Pillay says that of the 45 complaints about internet banking received by the ombud last year, 53% were resolved in favour of consumers.
“The onus is on the bank to prove that the fraud was a result of the consumer responding to a phishing attempt. To do this, banks should obtain the customer’s permission to examine their hard drive and have a forensic analysis carried out by an independent company. If there is no proof that you entered a phishing site or compromised your banking details in any way, the bank can be held liable,” he says.
Pillay also held banks liable in cases where an online banking session was initiated and a one-time password (OTP) was automatically generated. He says the banks should confirm that it is the customer who is transacting before releasing the OTP.
In other cases, phishing fraudsters had opened beneficiary accounts with banks. For example, if you bank with Bank A, the fraudster might get into your account and then list on your profile beneficiary accounts at Bank B. Transfers of money may be made from your account into these beneficiary accounts, to reduce signs of suspicious activity.
However, Pillay held the beneficiary banks liable where he found that they had not complied with Fica requirements when opening the beneficiary accounts or had allowed transactions on these accounts in excess of their limits. “The banks have tightened their processes considerably in recent months,” he says.
In one case, transfers of R161 000 were made from the complainant’s credit card. The bank’s investigation revealed that he had fallen victim to an internet phishing scam. But fraudulent transfers to the value of R22 000 could have been prevented if the complainant’s bank had reported the fraud to the beneficiary bank and placed a hold on the money timeously. Pillay ordered the bank to refund the complainant R22 000.
What the banks are doing
It takes banks anything between an hour and 24 hours to shut down a phishing website once it has been discovered, Carl Louw, Absa’s head of internet channels, says. He says the current spate of phishing emails appears to originate mainly in the Ukraine, Russia and Nigeria. Other countries include Taiwan and Indonesia.
Last month, Absa’s fraud risk management team, working together with the South African police, was able to track down and arrest five people in Sunnyside, Pretoria, who were suspected of belonging to an international phishing ring.
Christo Vrey, the head of Absa’s digital channels, says the arrest was a breakthrough. One of the arrested men is thought to be the ringleader of the South African arm of the phishing ring. Arthur Goldstuck, the chief executive of technology research company, WorldWideWorx, says there were about four million online banking users at the end of 2008 and he expects research out later this month to show growth of about 15%. He says the main difficulty with tracing online criminals is that they are based in other countries.
“There have been cases where international criminals have been traced and arrested, but this is usually achieved when the banks and local police force work together with Interpol. In Eastern Europe, for example, law enforcement is not as strong and South African authorities require the co-operation of the police in those countries,” he says.
Goldstuck says criminals use legitimate internet service providers. “The banks can then approach the internet service provider to shut down the website. However, more often than not, the criminals use fraudulent credit card details to pay for the sites and are difficult to trace as a result,” he says.
Beware the con that says you have qualified for a tax refund
There has been a steady increase in the number of phishing emails that purport to be from the South African Revenue Service (SARS). The emails typically inform you that you have qualified for a tax refund, and in order to receive your refund, you need to confirm your banking details.
Some of the email addresses you should watch out for include email@example.com and firstname.lastname@example.org. The email says there may be delays in the payment of your money, for reasons that include “applying after the deadline” or submitting incorrect details. You are required to click on a link that takes you to what looks like a SARS website. You are then asked to fill in your banking details, including your credit card details.
SARS has issued a notice that it will never ask for your personal banking details through an email request or via links to websites. You should provide your banking details on your tax return forms. Contact SARS on 0800 00 72 77 before acting on any email.
- First published in Personal Finance newspaper on 1 May 2010.