Written by Ulrich Janse van Rensburg – (Head of Fraud Strategy for Absa’s Retail and Business Bank)
A heartfelt call to exercise vigilance when it comes to money matters
The past few months have been a really tough period for Jack and Sarah. While they are committed to curbing the spread of COVID-19 and have gone out of their way to protect themselves and the people around them during this time, they co-own a popular barber shop, which was closed for business during the first phases of the national lockdown. The lack of income has been a massive worry. Fortunately, the couple had accumulated some savings over the years, which was seeing them through this tough period, but it was running out fast.
At 7am on a cold May morning, Jack received a perplexing call from their bank – their business account and personal savings had just been wiped clean by fraudsters. The previous day, Jack received a call from a representative of a COVID-19 Debt Relief Fund targeting small businesses impacted by the lockdown – Jack’s business was selected to receive a financial donation from a “Good Samaritan”. Hardly believing his luck, Jack rushed to tell Sarah about their good fortune and quickly confirmed his personal details with the Debt Relief Fund representative.
The representative was professional and explained the need for full cooperation to avoid losing out on the opportunity. He detailed the precise requirements, which included the need for Jack to share his online banking logon credentials – his account number, password and Personal Identity Number (PIN). He even processed the approval instructions. Unfortunately, the Relief Fund never existed –Jack and Sarah had been scammed.
Fraudsters, impersonating a reputable organization, duped them into disclosing their personal details or “keys to the safe”. We all think that it will never happen to us and we know the usual advice such as “no bank would ever ask for such details”. However, significant financial pressure can make even the most vigilant of us fall for scams. Jack was desperate to improve their situation, the business applied for support and the details shared by the Debt Relief Representative sounded more than credible.
Jack and Sarah’s story is not unique. The profound financial consequences of COVID-19, compounded by South Africa’s pre-existing dire economic situation has created ripe conditions for fraud to flourish.
According to Stats SA, the official unemployment rate increased by one percentage point to 30.1% in the first quarter of 2020. The economy also recorded its third consecutive quarter of economic decline, falling by 2% in the first quarter of the year. Worryingly, the number of unemployed South Africans has again increased.
These numbers are really a double-edged sword – tough financial conditions are forcing fraudsters to intensify their efforts. On the other hand, the significant financial pressure brought on by the pandemic has put many consumers in a position where any financial lifeline may sound like a solution to a dire situation.
As inhumane as these crimes are, fraudsters are getting increasingly sophisticated in targeting unsuspecting people through social engineering (duping customers into disclosing their personal and confidential information). Worryingly, there is an upsurge in social engineering globally, and fraudsters use personal data from data breaches to impersonate banks with the sole purpose of tricking customers into granting them access to their money and bank accounts.
In Jack and Sarah’s case, they are prolific bloggers. Their personal information was harvested through the social media platform and used by the fraudsters to deliberately trick the couple into parting with their hard-earned money. In this instance, a little bit of data created the impression that the caller was legitimate, as they knew the couple’s personal details.
Typically, criminals will approach unsuspecting consumers via email, phone or text message and present themselves as members of a reputable organisation (an accredited non-profit organisation, a bank or a professional body). This lie is made even more convincing by the sharing of personal information with consumers (to convince them of their reputability). Fraudsters then attempt to deceive unsuspecting people into disclosing their “keys to the safe” including their online PIN, online passwords, card PIN, card CVV number, OTP, and/or authentication messages (RVN/TVN/SureCheck). Usually, fraudsters offer “deals” that are simply too good to be true and package these as a “once-in-a-lifetime opportunity”.
Syndicates trade consumer data widely and harvest information through data theft, ransomware, password guessing, data breaches and social media platforms. Consumers are often unaware of this.
Armed with this data, expert fraudsters then try to influence customers’ rational thinking by causing excitement, distress and urgency. In Jack and Sarah’s case, the fraudsters played on their state of desperation, resulting in Jack urgently “doing everything possible” to access a much-needed donation to support his business. The approach will lure consumers to interact and willingly share sensitive information that will grant syndicates access to funds or convince consumers to direct payments to the scam. In both instances consumers are defrauded. Popular and effective social engineering themes are phishing (email message where consumers respond), vishing (phone call where consumers are asked to approve authorisations) or pretexting (contact consumers using emails or phone calls and ask for their financial information).
To compound matters, the COVID-19 pandemic has accelerated digital adoption as many consumers seek to minimise their exposure to the virus. With e-commerce on the rise, we expect to see cybercriminals targeting these electronic transaction methods with renewed zest. Consumers and the industry need to prepare for the rise in e-commerce and the associated rise in sinister, fraudulent behaviour.
The current financial context requires us to preserve as much of our financial resources as possible. In Jack’s case, the modus operandi dictated that the fraudster asked him to disclose his online banking logon credentials. The fraud succeeded because Jack shared his confidential details (including turnover statements, company registration, tax certificates, bank statements and online banking logon credentials). To make it more plausible, the fraudsters did not merely highlight the need for the customer online banking logon details – they asked Jack for various inputs to disguise the obvious need to get hold of his online banking details.
We all need to be ahead of the game when it comes to new fraud threats, trends and leading indicators. Just as one would follow medical advice, it is vital that consumers apply maximum diligence when it comes to their finances.
While the industry is making substantial investments into our safeguards, successful fraud prevention requires all parties – banks, industry bodies and customers to play their respective roles in full.
So how does one avoid falling victim to scams and schemes? For every “fraud symptom”, there is a related counter or response:
In the immortal words of David Bernstein, President of the Bernstein Agency, “For every lock, there is someone out there trying to pick it or break in”.
Falling for a scam is easy, arming yourself with enough information to prevent this is even easier.