How to Stay Safe

Contact your bank and financial institutions

Immediately inform your bank about the theft, especially if your wallet contained bank cards. They can help you freeze your accounts and prevent unauthorised transactions. If you use mobile payment services (e.g., Apple Pay, Google Pay, any other app or online platform where you have stored your bank card details), de-link your stolen device from these services as soon as possible. Please see your bank’s number below:

Report the theft to the South African Police Service immediately

Visit the nearest police station immediately to report the theft and obtain a case number. This is crucial to getting police assistance and your case docket number, which will be required for any insurance claims and for tracking progress on the case you registered.

Use tracking services

If your device has a tracking feature (like "Find My iPhone" or "Find My Device" for Android), use it to locate your device. However, be cautious and do not attempt to retrieve it yourself; instead, inform the police of its location.

Notify your mobile network provider

Contact your mobile provider to report the theft of your phone or SIM card. They can suspend your service to prevent unauthorised use.

Secure your online accounts

Change passwords for any online accounts that may have been accessed via your stolen device. Enable two-factor authentication where possible to enhance security.

Business Email Compromise

Cybercrime includes Business Email Compromise (BEC), which can be defined as “a criminal act where criminals illegally access an email account and communicate as if they are the user”. They do this by stealing account holders’ usernames and passwords, using phishing or other means to trick users into disclosing their details. They then utilise the compromised information to access and use the user’s email account.

Symptoms of a possibly compromised email address include:

  • Complaints about spam being sent from your email address.
  • Emails are not being received.
  • Missing emails.
  • Receiving large numbers of undeliverable or bounce messages for emails you did not send.
  • Not being able to log into your email account.
  • Seeing unknown emails in your Sent Items folder.

TIPS

  • Make sure your PC has the most up-to-date OS updates and antivirus/malware software.
  • Depending on the extent to which your account was abused, you may have to contact all email recipients who were spammed by your hacked mailbox to advise them that these communications were not legitimate.
  • Set up several email addresses. Use your original email address for personal or business communication as you’d normally do and use an alternative email address to communicate with your service provider, since many now ask for a different address for added protection. Then, use yet another email address for registering for websites, newsletters, online shopping and other services. In this way, the risk of a possible compromise is spread.
  • Use a different, strong password for each account: one that is at least six characters long and is a combination of letters, numbers and capitals/lowercase.
  • On a secure PC, log into your email and then check if any of the settings have been changed. This could indicate that your email account has been hacked, so if any of the settings have been altered, ensure that you delete these changes immediately.
  • Once you have changed the settings, create a new password, and add your secondary email account as your alternative address.
  • Never list your main email address publicly anywhere online – in forums, in online advertisements, on blogs, social media or any place where it can be harvested by spammers. Use a separate email address for the internet which is not linked to your personal or business email account.
  • Don’t use public computers to check email; there’s virtually no way to know if they have been accidentally infected with malware or have had key-logging spyware installed intentionally.

Vishing

Vishing is when a fraudster phones a victim posing as a bank official or service provider and uses social engineering skills to manipulate them into disclosing confidential information, while at the same time leading them to believe that they are speaking to the bank or service provider. This information is then used to defraud the victim. 

TIPS

  • Be conscious of the fact that criminals can mask their telephone numbers to make it seem as if a legitimate individual or company is making the phone call.
  • Never share personal and confidential information with strangers over the phone.
  • Also note that banks will never ask you to confirm your confidential information over the phone.
  • If you receive a phone call requesting confidential or personal information, do not respond and end the call.
  • If you receive an OTP on your phone without having transacted yourself, it is likely that it is a fraudster who has used your personal information. Do not provide the OTP telephonically to anybody. Contact your bank immediately to alert them to the possibility that your information may have been compromised.
  • If you lose mobile connectivity under circumstances where you are usually connected, check whether you may have been the victim of a SIM swop.

Internet Banking

Criminals want access to your online facilities to steal your money and will use any number of tactics to access your confidential information. Criminals use tactics like phishing and the installation of malware onto a victim’s device to steal the personal information necessary to access their online banking profile. They also conduct fraudulent SIM swops to ensure that the One Time Password (OTP), sent by the bank to authorise a transaction, is sent to a SIM card under their control.

Phishing:

Criminals often use phishing to trick you into disclosing your personal information like usernames, passwords, credit card details and mobile phone numbers. They sometimes also request your One Time Password/PIN (OTP) that will be sent to your mobile phone when transacting. They do this by sending emails that look like they come from trusted sources such as banks or legitimate companies. These mails entice the recipient to respond by clicking on a link. When clicking on the link, a victim is diverted to a fraudulent website (spoof site) under the control of the criminal, and any information entered on this page, for example, your banking username and passwords or cell phone numbers, will be sent to the criminals. The information harvested in this manner is then used by criminals to access your online banking profile illegally. Once they have viewed your profile and find that there is money to be accessed, they will commit fraud on your internet banking account.

Prior to launching a phishing attack, criminals collect email addresses to which they send their spam phishing mails. They also ensure that they have control over other bank accounts into which they can pay the proceeds of crime. They arrange a fraudulent website that resembles the real website of the company from which the phishing mails purport to come, and host it on a vulnerable website. They then ensure that all communication received through this website is relayed to an email address under their control. Once a victim responds to the phishing email by clicking on the link and “logging in”, the sensitive information is relayed to them. Sometimes they use this information immediately to access the victim’s profile and can trigger an OTP to be sent to the victim’s mobile phone. The spoof website will then prompt the victim to submit the OTP. The criminal will then use the OTP to move funds fraudulently.

If they are not ready to use the compromised information immediately, they will save it for a later date and do a SIM swop to gain control over the victim’s communications when the OTP is generated during the fraudulent transaction.

Malware:

Clicking on an unsolicited link or icon could also result in a victim’s computer being infected with malware. The malware (malicious software) used in internet banking fraud is software designed to gather and send sensitive information to a predetermined destination under control of the criminal. You could be tricked into infecting your computer with malware through clicking on a link or an attachment in an email as well as through accessing a fake website purporting to sell you software to fight malware. Criminals deploy malware designed to harvest banking credentials. These malicious programs relay the keys typed to the criminals, who then decipher bank-related usernames and passwords. The compromised information is then used to access the victim’s online banking profile unlawfully, and should there be funds available, these are transferred into the criminals’ account.

SIM Swops:

Through fraudulent SIM swops, criminals can take control of their victim’s mobile number, enabling them to receive SMSs sent by the bank to the client. These include Transaction Verification Codes (TVC), Random Verification Number (RVN), PINs or One Time Passwords (OTPs). Using these codes together with compromised login credentials, criminals can change or add beneficiaries and transfer money out of the victim’s account.

Criminals are also known to port their victim’s cell phone number fraudulently before doing a fraudulent SIM swop. Mobile Number Portability (MNP) gives mobile phone users the ability to move to another mobile network and still retain their mobile number (MSISDN). In this scenario, the victim’s SIM card is deactivated and the criminal receives communication for the new SIM card issued by the second mobile network operator, enabling them to receive a victim’s Transaction Verification Codes (TVC), Random Verification Number (RVN), PIN or One Time Passwords (OTPs).

TIPS

  • Ensure that the device you use for internet or mobile device banking has the latest version of antivirus and antispyware software installed from a reputable vendor. Robust solutions should identify malware and prompt you to delete it.
  • Do not do your banking on a public or unfamiliar computer found at libraries, internet cafes and hotels.
  • Avoid using WiFi hotspots, and ensure your own wireless network is encrypted before performing any banking transactions on your private computer. Prevent illegal software from being downloaded on your computer by creating administrative rights.
  • Be suspicious if you receive lots of spam email or SMS messages. It could indicate that your computer or cell phone has been infected.
  • Beware of fake anti-virus software that is offered at no charge, as it could contain malware.
  • Do not use unknown devices, such as USB flash drives on your system, as they may transfer malware unknowingly.
  • Avoid downloading pirated software as it may contain malware.
  • Memorise your PIN and passwords and never write them down or share them, not even with a bank official.
  • Make sure your PIN and passwords cannot be seen when you enter them.
  • If you think your PIN and/or password has been compromised, change it immediately either online or at your nearest branch.
  • Choose an unusual PIN and password that are hard to guess and change them often.
  • For your security you only have three attempts to enter your PIN and password correctly before you are denied access to your services.
  • Register for your bank’s cell phone notification service and receive electronic messages relating to activities or transactions on your accounts as and when they occur.
  • If the reception on your cell phone is lost, immediately check what the problem could be, as you could have been a victim of an illegal SIM swop on your number. If confirmed, notify your bank immediately.
  • Inform your Bank should your cell phone number change so that your cell phone notification contact number is updated on the banking system.
  • Regularly verify whether the details received from cell phone notifications are correct and correspond to recent activity on your account. Should any detail appear suspicious, contact your Bank immediately and report all log-on notifications that are unknown to you.
  • Log onto your Bank’s website by typing in the web address yourself instead of accessing it via Google search as it might lead you to a spoofed site.
  • Do not use web links that are saved under your favourites and never access your Bank’s website from a link in an email or SMS.
  • Remember to log off immediately when you have finished banking.
  • Make sure that no one has unauthorised access to your PC.
  • Be especially careful that there are no security cameras trained on your PC and keyboard.
  • Make sure that the software loaded onto your PC is correctly licensed.
  • Never click on links or attachments in unsolicited or suspicious emails as harmful viruses, spyware & trojans could infect your PC.
  • Install a personal firewall on your PC.
  • Be cautious when using storage devices such as memory sticks and portable hard drives, and if you do make use of them, ensure that they are password protected.
  • Don’t send emails that contain personal information, such as your card number and expiry date.
  • Install a spam blocker on your system. This will ensure that fraudsters find it difficult to send you phishing emails.
  • Keep your operating system and browser patches, and antivirus software up to date on your personal computer/laptop or cell phone, as they include important security enhancements to help detect phishing sites and malware.
  • Should you realise that you have responded to a phishing mail, change your internet banking credentials immediately and advise your bank.

Debit Order Scams

Media statement: PASA on unauthorised debit orders

14 January 2019 – Unauthorised debit orders, sometimes referred to as “R99 debit order scams” (although amounts vary), have once again received close press attention in recent weeks. The South African Reserve Bank, the Payments Association of South Africa (PASA), the banks, and a number of user associations are aware of the problem; they have been actively focused on the matter and on a number of steps to address it.

Customers are understandably frustrated by the issue, but there is also some confusion and misinformation around the issue which deserves some clarification – which we hope to achieve by responding to a few frequently-asked questions.

Why do banks allow debit orders to go through?

Banks act as facilitators of payments and are bound by law to honour debit orders submitted into the payment system by other banks on behalf of their clients. Each debit order transaction involves an entity (called a “user”) as well as the banks, and if all parties do not collaborate in an organised manner, the debit order system, through which 55 million payments to the value of over R80 billion are processed every month, would cease to function. Accordingly, when banks submit transactions on behalf of users, they do so on the basis that such a user has included only valid debit orders backed by a paper or voice mandate. These mandates are, however, held by the user, and not by the sponsoring bank — the bank simply facilitates the transaction on behalf of their client.

Then why don’t they just refuse debit orders from companies that customers regularly reverse?

The vast majority of disputed debit orders are in fact legitimate ones agreed to by customers, but which are reversed for “cash management” reasons – so that the money can be used for something else.

To put the numbers in perspective, on average about 1,5 million of the 55 million monthly debit orders are disputed – less than 3%. Based on PASA and bank estimates, however, of the 1,5m only about 10% of the debit orders disputed by customers are actually unauthorised.

This is a major problem for the industry. First, customers need to be aware that it is illegal, not to mention unethical, to reverse a debit order they have authorised as payment for a legitimate legal contract or service. Second, the millions of monthly reversed legitimate debit orders make it extremely difficult to identify those debit orders initiated by fraudsters. For example, a corporate user that is completely compliant with the rules in every respect and only submits debit orders with valid mandates may still face high levels of disputes through no fault of their own.

Are the banks profiting from this?

PASA CEO Walter Volker explains, “Banks are certainly not profiting from debit orders being reversed; on the contrary, by virtue of their sponsorship of the transactions and the associated legal obligations, they are exposed to the full value of the debit orders being disputed.

“If a bank reverses a debit order on instruction from a customer, and it turns out there was a valid mandate, the bank risks losing that entire amount if they cannot get it back from the consumer. On the other hand, in the event that an illegal debit order is disputed, the sponsoring bank would be liable to reimburse the full amount, even after the so-called rogue user has been exited from the system.” There are therefore many hidden costs and risks, which consumers are not always aware of.

Why are some banks charging consumers when they dispute a debit order?

Reversing disputed debit orders takes time and work. As explained above, banks take on the risk that the company submitting a debit order has either been excluded from the system or is no longer in business, so the cost of managing and upholding disputes is high. At the same time, as explained above, 90% of disputes are ultimately found to be illegal. Some banks, therefore, have introduced fees in the hopes of limiting such illegal disputes. Even for banks who do charge, however, a consumer would be within their rights to request a refund if it is found that there was no valid mandate and that the debit order is in effect unauthorised or fraudulent.

Which banks have been hit by the so-called “R99 scam”?

No bank is immune to unauthorised debit orders. Volker says, “This is not just a problem involving one bank, one company or one scam. It is an industry-wide problem and PASA is working with all the banks to improve the safety of the system, both for consumers and for companies.”

What is being done about the problem?

PASA has been working with the banking industry since 2013 to implement a wide-reaching and complex system called DebiCheck, the first of its kind anywhere in the world. The initial phase went live on 1 August 2018, by which time all 11 participating banks had implemented DebiCheck operationally.

Right now, user companies are busy implementing the systems and introducing the new business processes that are necessary to fully utilise DebiCheck. Volker explains: “Thousands of user companies, from large corporates to small business, will be using the system – so we need to ensure it remains stable and that consumers are not adversely affected.”

With DebiCheck, banks will require customers to electronically confirm debit order information with them directly at the start of a new contract with a user, before any collection can take place; thus ensuring that both consumers and their banks know precisely what should be debited from their bank account. Once the consumer has authorised the electronic mandate, it will be stored on their bank’s mandates database and can be verified or monitored at any time.

Will DebiCheck be available as an option in all instances?

In its initial phase, only consumers dealing with companies that have implemented DebiCheck will be required to confirm their debit order information electronically. Although the system is working already, it will take time for all DebiCheck users to ramp up their usage of the system. This number will grow over time, and the aim ultimately is to eradicate any and all unauthorised debit orders, through a combination of DebiCheck and other, more general debit order abuse measures.

While DebiCheck is ramped up, what other protection is provided?

In addition to DebiCheck, PASA is working with the banks to improve the processes by which new companies are allowed into the debit order system and to ensure rogue companies are identified and removed from the payment system. “This is a very serious matter for us and we are doing everything we can to identify those companies who are abusing the debit order system,” says PASA Senior Legal Counsel Charl Ackerman.

PASA and the banks are also working to refine existing rules and processes in the payment system to further curb debit order abuse. Informational material has been developed and is being rolled out to educate consumers on their rights and obligations in the debit order environment.

In some instances, individual banks have put in place other measures such as SMS alerts for all debit transactions, free debit order reversals below a certain amount and cheaper app- or online-based debit order dispute procedures.

Why is DebiCheck taking so long?

The scale and complexity of DebiCheck means that it has taken a great deal of work and time to implement. As of August 2018 the system is in place and in use, and companies are being added to the system all the time. New DebiCheck debit order customers are already receiving confirmation requests from their banks, but there is still work going on to mature the systems and to fully implement all functionalities required by users and banks.

The Reserve Bank recently granted a 12-month extension (until October 2020) to fully implement DebiCheck. This only affects the final date by which the old systems will be switched off. Nevertheless, says Volker, “The eleven banks participating in DebiCheck are committed to the process and still aim to have most companies on the system this year.”

These additional 12 months will also be used to mature the system and to phase out old contracts and systems.

What can customers do to protect themselves?

  • Check your bank statements regularly for transactions you do not recognise.
  • Query unauthorised debit orders with your bank or the service provider who is processing them, to discuss stopping the debit orders.
  • Ensure that your bank has your correct cellphone number so that you receive SMS alerts when money is deducted from your account and also to receive DebiCheck confirmation requests.
  • Be wary when entering into contracts verbally, electronically or in writing.
  • Do not share or confirm your banking details, including your account number and branch code, if you are not certain exactly what they will be used for.
  • Do not dispute debit orders that you have authorised.

For more information about debit order abuse, DebiCheck and what the public can do to protect their accounts, please visit www.pasa.org.za

For regular updates, follow the Payments Association of South Africa on Twitter @PASA__ZA and Facebook.

About PASA

PASA is the payment system management body recognised by the South African Reserve Bank (SARB), in terms of the National Payment System Act of 1998, to organise, manage and regulate the participation of its members in the payment system. For more information, please visit www.pasa.org.za

Ponzi & Pyramid Schemes

MODUS OPERANDI

In South Africa, these schemes generally meet the criteria of either a traditional Ponzi or Pyramid scheme. Both schemes see returns generated for earlier investors through revenue paid by new investors, rather than from legitimate investments or business activities. At the point where there are more existing investors than new investors, the scheme collapses and all monies invested are lost. People who were expecting to make a good return on their investment not only get nothing, but also stand to lose most, if not all, of the money they initially invested. This type of fraud is perpetrated when an ‘investor’ lures their victim by guaranteeing high profits with little or no financial risk. In most instances the investor will be vague about the nature of the investment but will stress the rate of return. These investors hype their high-level financial connections, the fact that they’re privy to inside information through social engineering techniques and that they’ll guarantee the investment. To close the deal, they often come up with phony statistics, misrepresenting and stressing the uniqueness of their offer.

TIPS

Signs to look out for that it is a “Get Rich Quick scam”

  • It claims to pay out double-digit returns.
  • It claims to be an opportunity of a lifetime.
  • You can’t understand how it generates money.
  • It is not a registered product, or a product offered by an authorised financial services provider.
  • Returns or profits earned are dependent on recruiting more members to the scheme.
  • If it sounds too good to be true, it’s most likely a scam.
  • Be sceptical of any investment’s insistence that you act NOW.
  • Be careful of investments that guarantee you high profits with little or no financial risk.
  • Exercise due diligence in selecting investments and the people with whom you invest – DO YOUR HOMEWORK BEFORE INVESTING YOUR MONEY.
  • Consult an unbiased third party, like an unconnected broker or licensed financial advisor, before investing.

HOW TO SPOT A PONZI SCHEME

  • The promoter promises high returns, which could not be achieved through normal conventional investment opportunities, within a short period.
  • In some cases, the promoter will use fake qualifications or references to entice investors, for example an ‘attorney’ with ‘many years’ experience in the stock market.
  • Often high returns are paid initially and then investors are lured into investing even more money.
  • They often promise guaranteed returns – no return is ever guaranteed; all investments carry some risk.
  • Promoters are usually quite secretive about the actual business model.
  • The promoter becomes unavailable and returns dry up.
  • Usually the scheme collapses soon thereafter.

HOW TO SPOT A PYRAMID SCHEME

  • The promoter promises high returns over a short period and your returns increase with the number of people that you recruit to the scheme.
  • A fee or initial investment is required to participate in the scheme.
  • Participants are asked to recruit more investors and rewarded for bringing them into the scheme.
  • The scheme has multiple levels of members, all collecting commission on a single transaction.
  • There is no underpinning financial investment that generates growth.
  • Participants are sometimes taught how to circumvent detection methods.
  • They are often disguised as stokvels and may even use virtual currencies like Bitcoin to sidestep the formal banking sector where they could be detected.
  • A tiered investment structure to incentivise larger investments into the scheme (e.g. silver, gold and platinum membership).
  • Investors complain (usually on social media) that returns have dried up. The scheme operator typically responds with (1) promises that payments are imminent and (2) blame shifting to the banks where accounts have been frozen or closed.
  • There is general secrecy and no details are made available regarding where the funds will be invested or in what. Very general terms will be used to describe the scheme.
  • Schemes offering investment in “commodity trading”, “forex trading” or “virtual currencies”/“virtual currency mining”.
  • There are short investment periods, sometimes as little as ten days promising very high rates of return and strong encouragement to reinvest automatically.
  • There could be requests to invest pension funds or similar savings/capital.
  • People should know that these schemes operate on trust and an invitation to invest can therefore often come from someone close to you, such as a family member, community leader or religious figure. 
  • They make use of closed user groups with an increasing trend towards messaging across WhatsApp, presumably due to the belief that the app offers end to end encryption and therefore anonymity.

Dating and Romance Scams

MODUS OPERANDI

The internet is used for almost everything, including finding a lifetime partner. There are thousands of online dating sites that provide the service of matching potential partners based on specific requirements. Unfortunately, there are predators that prowl legitimate dating sites for victims to scam. Scammers often create profiles and post them on legitimate dating sites, waiting for potential victims to fall for their scam. They may even go as far as targeting specific kinds of people by creating a profile that meets the requirements of a match for the person they are targeting. These scammers are con artists and are skilled at building trust and making victims fall in love with them as they pose as their ideal partner. Once the victim’s defences are lowered and they become emotionally vulnerable, the scammers trick them into giving them money. The scammer will contact the victim and will offer to share lots of personal information with them in the hope of building a trusted relationship. The information and profile pictures are all false and are often used repeatedly with various victims. Once they feel that the victim trusts them and they have a bond with them, they will often suddenly claim to be called away on business or claim to have a serious personal crisis. What then follows is a request for the victim to either send them money or to pay their travel expenses to visit them. They might even promise to refund the money to the victim when they meet them. Should the victim provide them with the requested money, they may either disappear or request that they send more money. If the victim doesn’t give them the money, their messages will often become more desperate and persistent to convince them to give them money.

TIPS

  • Be suspicious of people who have out of the ordinary jobs and other jobs that require large amounts of travel.
  • Watch out for emails where content has been pasted into the email, the fonts and font sizes always vary, or where the emails are not personally addressed to you, e.g. “Hi beautiful”. Scammers often target several victims at the same time and make use of the same content in their emails to all victims.
  • Never send money to anyone that you are communicating with over the internet.
  • Look out for inconsistencies in the communication that is sent to you. Syndicates often have several people manning their online dating sites so you could possibly be chatting to two or three different people.
  • Be wary of people who keep promising to meet you but then always cancel at the last minute: don’t give someone money to come and visit you.
  • Should you arrange a meeting with someone you have met online, ensure that you meet in a public area and possibly with friends.
  • Be careful how much personal information you share on social networking sites. Scammers can use this information to target you with a scam.
  • Should you suspect that you are being targeted by a scammer, stop all communications immediately and report it to the online dating service.

Money Laundering

MODUS OPERANDI

Be aware! Allowing proceeds of crime to be laundered through your Bank account, knowingly or unknowingly, is a criminal offence. Bank clients can be charged and convicted for money laundering and even receive a prison sentence.

Criminals approach bank customers with requests to have funds paid into their accounts and often offer them a reward for the use of the account. Often the money that is paid into the account is proceeds of another crime. The account holder can be charged with money laundering even if it was unknown at the time that the money was proceeds of crime.

An example of the above modus operandi is where the criminal informs the account holder of the sale of a motor vehicle and instructs the buyer to specifically pay into an account with a particular Bank (the same Bank as the one that the victim banks with) so that the funds can be cleared faster. Because the “seller” needs the money urgently, the use of the victim’s account is requested and the victim is promised a reward for the favour. To most people, the explanation given appears to make sense, and the promised reward serves as a motivation, making them likely to assist, especially if the “seller” is known to them.

Criminals also approach people with valid identification documents and ask them to open accounts for them to transact on because they do not have the correct documentation to qualify for an account. Because foreign nationals experience such difficulties and people want to be neighbourly, many people have been tricked into opening accounts that are subsequently used by criminals to launder money.

TIPS

  • Do not open a Bank account in your name on behalf of another person, irrespective of the circumstances.
  • Do not allow your account to be used by another person to deposit or transact on.
  • If you suspect that the money you are being paid with is the proceeds of crime, immediately report this matter to the police.

Messaging Cash Send Scam

 

Through fraudulent SIM swops, criminals can take control of your mobile number using your stolen personal information. The criminal then accesses one of your messaging platforms and poses as you. Your contacts receive a tragic story from “you” requesting money for a fabricated emergency. Your contacts think it is you, have empathy and transfer money using bank or retail sector transaction facilities.

To prevent becoming a victim of a SIM swop or the victim of the scam, please follow the tips below:

Victim of the SIM swop:

  • Check for signal loss on your cell phone as this could indicate that you have been the victim of a SIM swop.
  • Should you lose signal, contact your mobile network operator ASAP.
  • Activate international cell phone roaming when travelling.
  • Always inform your bank when travelling abroad.
  • Never share your geolocation on social media platforms.
  • Don’t click on unsolicited links.
  • Ensure that you install the latest security updates on all your devices.

Victim of the scam:

  • Never act on text messages requesting that funds be transferred to someone purporting to be one of your contacts, due to an “emergency”.
  • If you are requested to transfer money via a bank or retail sector facilities, make direct contact with your friend, family member or acquaintance to verify that the request came from them.
  • In addition, contact their family member who is allegedly having a crisis, and confirm if they have requested assistance.
  • In the event that telephonic contact is made, pay attention to any changes in the voice or communication style to assist you to identify if the person is an imposter, and not your contact.

Online Gaming Scam

 

What is an ONLINE Gaming scam?

The growth of the internet and digital platforms has made it possible for industries to flourish, and the online gaming industry is no exception. In 2018, the global gaming industry consisted of 2.3 billion consumers, who spent nearly $138 billion on games. Where previously it attracted only younger men, these days people of all genders and ages play online games for recreation or even professionally. As the online gaming industry has expanded, so too have opportunities for fraudsters, who know players are vulnerable, and use social engineering to exploit them and steal money using fake apps and websites.

MODUS OPERANDI

Online gaming scams are used to steal personal information and could take several forms. Fraudsters may send you a link to click on to download a gaming file, which then installs malicious software onto your device that logs your keystrokes. Another tactic is account takeovers, where fraudsters exploit a real game’s online account to send other innocent players free skins and points when they put in their username and password. In addition, players could be offered free trials or other ‘freebies’ such as weapons or tokens if they click on a link. There are even fake game apps which can be downloaded at a cost from Google Play or Apple’s App Store onto one’s mobile phone. Fake competition video games are also prevalent and are designed with the intent to dupe users into paying fraudulent entrance fees and to steal personal banking details. Finally, legitimate online gaming marketplaces may sell ‘keys’ that are stolen or are fake.

TIPS

  • Never click on links in unsolicited emails, even if they refer to an online game you recognise;
  • Do not believe the content of unsolicited emails blindly. If you are worried about what is alleged, use your own contact details to contact the sender to confirm;
  • Watch out for spam messages in your player mailboxes;
  • Only download online games or extension packs from websites that you are familiar with and ensure it is a legitimate release;
  • Always cross check the name of the developer on legitimate websites or platforms to check if a game is genuine;
  • Use YIMA, a website vulnerability scanner, where you can do a website security check for scams, known vulnerabilities and security headers;
  • Create strong complicated passwords that are not easy to decipher and change them often;
  • Protect your online gaming account login credentials;
  • Be careful who you befriend in online gaming communities, and never share any personal information with just anyone you play against online;
  • Trust your gut – if it sounds too good to be true, it probably is.

Festive Season Awareness

 

THE FESTIVE SEASON IS HERE. OPPORTUNISTIC CRIMINALS HAVE NO KE DEZEMBA CHILL. CHECK OUT THESE TIPS RIGHT AWAY AND PREVENT THEM FROM RUINING YOUR HOLIDAY!

Mobile phone snatching fraud

Pins & Passwords:

  • Set different and complex passwords for each app or service. Ensure that these are not stored on a password manager app, browser password manager, or on the phone itself.
  • Disable the autosave function on your smart phone.
  • Ensure that you have set additional security controls on your device for adding biometrics such as fingerprint or facial recognition. For instance, you can set your device to ask for the device password before another person’s biometric can be added to it.

Social engineering:

  • Do not click links in SMSs or emails stating that your lost or stolen device has been located, as criminals use this to obtain sensitive personal information.
  • Always be vigilant by being aware of who is around you when using your phone in public.

Device:

  • Treat your mobile device the same way you would treat your bank card.
  • If your mobile device is lost or stolen notify your bank immediately to freeze your banking profile and prevent the perpetrators from using your banking app.
  • When calling the bank to report the phone as stolen, request that they place a temporary hold on your entire account to allow you the time to change, replace and update all your info.

Banking App:

  • Always log out of your banking app manually once you have finished transacting.
  • Keep your daily EFT and ATM limits low as some banking apps and internet banking profiles will require that contact be made with the bank before the limit can be increased on your profile.

ATM Fraud

DO’S:

  • Be alert to your surroundings. Do not use the ATM if there are loiterers or suspicious people in the vicinity. Be aware that fraudsters are often well dressed, well-spoken and respectable looking individuals.
  • If you are disturbed while transacting at the ATM, your card may possibly be skimmed by being removed and placed back into the ATM without your knowledge. Cancel the transaction immediately and report the incident using your Bank’s Stop Card Toll free number, which is displayed on all ATMs, as well as on the back of your bank card.
  • After successfully transacting at the ATM, leave immediately. Be cautious of strangers requesting you to return to the ATM to finalise any transaction as skimming may occur during this request.

DON’TS:

  • Never force your card into the slot if you experience initial difficulty, as it might have been tampered with.
  • If your card is swallowed by the ATM, do not leave the ATM before you have cancelled your card.

TIPS TO PROTECT YOUR PIN:

  • Your PIN is your personal key to secure banking, and it is crucial to keep it confidential.
  • Memorise your PIN, never write it down or share it with anyone, not even with a family member or a bank official.
  • Key in your PIN yourself in such a way that no one else can see it, for example, cover your hand that is punching the numbers even when alone at the ATM, as some criminals may place secret cameras to observe your PIN.

TIPS TO PROTECT YOUR CASH:

  • Some fraudsters wait until you have drawn your cash to take advantage. Be wary of people loitering around the ATM and ensure that you are not followed.
  • Be cautious of strangers requesting that you return to the ATM to finalise/close the transaction because they are unable to transact. Skimming may occur during this request.
  • Never allow your children to draw money using your card, since they’re the most vulnerable to perpetrators.

Classified/Holiday Scams

  • Don’t fall for offers that are available at a very low price. If it seems to be too good to be true, it usually is.
  • Shopping for cheap online specials can be an expensive mistake. If a deal seems too good to be true, it probably is.
  • Phishing: Don’t click on links that reroute you to online shopping screens. Always type in the URL manually.
  • Always use the payment gateway provided by the site you are shopping on, and don’t be conned into making a payment outside of the site.
  • Protect yourself against fraud by registering for additional security that sends a One-Time PIN (OTP) to your phone when making a payment.
  • Don’t read back OTPs you receive to anyone over the phone, regardless of who they say they are.

Social Engineering

 

MODUS OPERANDI

Social engineering exploits human psychology, and is a form of manipulation used by criminals to gain personal or confidential information from an unsuspecting victim. Criminals know that the weakest link in the security chain is a human and will pose as a technical support engineer or bank staff, and will exploit the victim’s inclination to trust. The victim then willingly divulges any information requested by the criminal. In other cases, victims are guided by the criminal, purporting to be a technical support engineer, to follow several steps to “fix” something on their computer. The victim then unwittingly installs malware, which sends their personal or confidential information back to the criminal.

TIPS

  • Keep your software up to date, using the latest security patches available.
  • Ensure that you have the latest anti-virus software applications installed on your computer.
  • Do not give control of your computer to a third party who calls you unexpectedly.
  • Do not rely on call line identification (CID) alone to authenticate a caller. Criminals spoof CID numbers. They may appear to be calling from a legitimate company or a local number, even when they’re not in the same country as you.
  • Never provide your password, credit card or other financial information to someone who calls and claims to be from tech support.
  • If you’re concerned about your computer, call a reputed security software company directly and ask for help.
  • Never respond to emails appearing to be from your bank that request your personal details. No bank will ever ask you to confirm or update your account details via email.
  • Do not click on links or icons in unsolicited emails.
  • Never provide your online ID, password or PIN to anyone.
  • Change your PIN and passwords frequently.
  • Place sensible transaction limits on your accounts.

Smishing

 

Smishing, short for SMS Phishing, is where criminals send an SMS, often purporting to be from your bank, requesting your personal or financial information such as your account or PIN number. Criminals are aware that people are spending more and more time on their smartphones, but also know that users are often using their smartphones on the go, or when in a hurry, and may be less likely to scrutinise and deliberate over SMSs with suspicious links. Clicking on these suspicious links may install malware onto your phone, or could take you to a spoof website where you will be asked to enter personal or confidential information.

TIPS

  • Do not click on links or icons in unsolicited SMSs.
  • Do not reply to these SMSs. Delete them immediately.
  • Do not believe the content of unsolicited SMSs blindly. If you are worried about what is alleged, use your own contact details to contact the sender to confirm.
  • Check that you are on the authentic/real site before entering any personal information.
  • If you think that your device might have been compromised, contact your bank immediately.
  • Create complicated passwords that are not easy to decipher and change them often.
  • Don’t store your credit card or banking information on your smartphone in case malware gets installed on your phone.
  • Regard urgent security alerts, offers or deals as warning signs of a hacking attempt.

Cellphone Banking

 

The mobility of your cellphone allows you to bank at any time from practically anywhere. It is a safe way of doing your banking as it relies on encrypted SMS messages or secure WAP connections. WAP uses security similar to that used by Internet Banking. It is therefore important to make sure that your cellphone is locked at all times and that the latest software is downloaded to ensure your safety.

IMPORTANT NOTES:

  • Memorise your PIN, never write it down or share it with anyone.
  • Make sure no one can see you entering your PIN.
  • Choose an unusual PIN that is hard to guess and change it often.
  • Remember, for your own security you are required to re-enter your PIN before each transaction.
  • If you think your PIN has been compromised visit your nearest branch and change it immediately.
  • Protect your phone content and the personal information you have saved by using a PIN or Password to access your phone. Do not leave your phone unlocked.
  • Do not respond to competition SMSs or MMSs.
  • If you receive a phone call requesting personal information, do not respond and end the call.
  • If you use a Smartphone, install an up-to-date anti-virus application on your cellphone. Most banks provide this free of charge to their customers.

Contactless Bank Cards

 

MODUS OPERANDI

Contactless technology (Tap and Go) was introduced for the convenience of cardholders and while relatively new in South Africa, has been available in many jurisdictions for some time. The convenience lies in the fact that these cards can merely be tapped on a near-field communication (NFC) Point of Sale (POS) device to make certain payments, which is quick and easy for the card holder. Videos online suggest that criminals could exploit contactless technology and steal money or card data by simply tapping an NFC enabled POS device near enough to a victim’s bank card.

Stealing money by tapping a near-field communication (NFC) enabled Point of Sale (POS) device near enough to a bank client’s card is not likely. Acquiring an NFC POS device involves a rigorous vetting process by the issuing Bank which includes the mandatory submission of Know Your Customer (KYC) documentation. In addition, Banks also monitor merchant transaction activity and conduct merchant site visits. Should any irregularities be identified, an investigation will be launched immediately. Collusion with a merchant could be a possible way to defraud people; however, this is also unlikely as the proceeds of crime resulting from this specific modus operandi would go into a merchant’s bank account which, again, is closely monitored. Furthermore, this payment option is only available for a predetermined number of low value transactions on any specific day, after which a PIN would be required to complete the transaction, so the financial reward associated with these transactions is low, whilst the reputational and prosecution risk to the merchant remains high.

Stealing card data is also not a viable option for criminals, as merely holding an NFC enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions. South African issued contactless cards are embedded with an RFID (Radio Frequency ID) tag, identifiable by the WiFi-type symbol, which is then read together with the card’s EMV chip, which is encrypted. Even if a criminal tapped a victim’s contactless card using an NFC POS device near their wallet or bag, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases.

TIPS

  • Ensure that you always tap the POS device yourself, and that your contactless bank card never leaves your hand.
  • Report lost and stolen cards immediately.
  • Register for SMS notifications to ensure that you are alerted to any transactions on your account.
  • Always inform your bank immediately if any suspicious or unauthorised transactions are conducted on your account.

Deposit and Refund Scams

 

MODUS OPERANDI

A criminal orders goods or services from a business and tricks the victim into thinking the money has been paid into their account by providing proof of payment, in the hope of receiving the goods or service before the victim realises the money has not cleared. By the time the victim notices they’ve been scammed, it is too late: they are already out of pocket, as they have neither the goods nor the money. In other instances, the order is cancelled and an urgent refund is requested. Alternatively, a payment is made in “error” and an urgent refund is requested.

TIPS

  • No “refund” should be made without first verifying with the Bank that the deposit that has been made into your account is indeed valid.
  • In addition, a Bank customer should wait for all payments to first be cleared before releasing the goods and providing the service.
  • Take great care to protect personal information and that of your company as it is through access to this information that perpetrators gain access to you and your organisation.
  • Staff dealing with finances in your organisation must also be educated about such scams.

Technical Support Scams

 

MODUS OPERANDI

The scam relies on social engineering techniques to convince the user of the technician’s credentials. The scammers call, claiming to be a technical support assistant associated with well-known companies, for example Microsoft. They will state that they have detected viruses or other malware on the user’s computer and then trick them into giving them remote access or paying for software they do not need. In most cases scammers can get names and other basic information from public directories and then guess what computer software the computer user is using.

The scammer will ask the victim to log onto their computer so that they can talk them through the fix. They convince the user to visit legitimate websites to download “Remote Access Control” software that will allow them to take control of the computer remotely and adjust settings to leave the computer vulnerable. They may also trick the user into installing malicious software that could capture sensitive data, such as online banking usernames and passwords or remotely install malware themselves. The objective is to compromise internet banking profile credentials for later use. The victim then needs to pay for the service via a credit card and is asked for the credit card details, or is asked to make an internet payment.

TIPS

Awareness Tips for consumers to avoid falling victim:

  • Keep your software up to date, using the latest security patches available.
  • Do not give control of your computer to a third party who calls you unexpectedly.
  • Do not rely on call line identification (CID) alone to authenticate a caller. Criminals spoof CID numbers. They may appear to be calling from a legitimate company or a local number, even when they’re not in the same country as you.
  • Never provide your password, credit card or other financial information to someone who calls and claims to be from tech support.
  • If you’re concerned about your computer, call a reputed security software company directly and ask for help.
 

419 Scams

 

MODUS OPERANDI

A 419 scam is an illegal way of getting money from individuals by sending them an email promising that they will make a lot of money if they invest in a business activity which in fact does not exist. The details given to the recipient (“Victim”) vary, but the common element is always large sums of money being mentioned to make it attractive. While the vast majority of recipients do not respond to these requests, a very small percentage do, which is enough to make this type of fraud worthwhile. The modus operandi entails requesting the victims’ banking details as well as sums of money in advance, to facilitate the payment of the promised funds. Essentially, the promised money transfer to the victim never happens and in addition the fraudsters may use the victims’ banking details to withdraw money for themselves.

Some indications that this could be a 419 Scam:

  • Email content that sounds too good to be true.
  • The promise of large sums of money for little or no effort on the victim’s part.
  • A request to provide money upfront as a processing/administration fee. The request usually contains a sense of urgency.
  • The victim does not know the person who has sent the email.
  • At times, the sender requests confidentiality.
  • An email which states that the victim has won a prize/lottery or has been left an inheritance.
  • Payments requested to be made by MoneyGram.
  • Genuine companies’ letterheads are utilised to convince the victim of the authenticity of the request. 

General characteristics of a 419 Scam:

  • The amount of money involved is usually substantial (millions of dollars or pounds).
  • The communication is generally sent by someone claiming to be in a position of authority, such as a Government Official, Prince, Chief, Doctor, Solicitor, Lawyer or Bank Official.
  • They may use emotional bribery, such as claiming someone has died or is suffering from an illness.
  • The impression is given that you alone have been contacted, but the reality is that the same email was sent to multiple other people.
  • The victim is always promised either all, or a substantial percentage, of the money in return for assisting the fraudster in some way.
  • The victim will almost certainly be asked to communicate by email.

TIPS

  • If you receive a scam email, do not reply.
  • You can however forward a copy of the e-mail to the Internet Service Provider from where the e-mail originated, for example: abuse@hotmail.com; abuse@yahoo.com; abuse@compuserve.com, etc.
  • Forward the email to the South African Police Services at 419scam@saps.org.za
  • If you have fallen victim, immediately contact the South African Police Services.

Classified/Holiday Scams

 

MODUS OPERANDI

Criminals set up a bogus website offering specials on certain gifts, from holiday accommodation to air tickets. The victim then clicks on the website as it looks professional and the price appears to be cheap. The victim then makes a purchase using their credit card details, thinking they are buying from a genuine company. The purchase goes through but the victim never receives the goods as the website was fake. The criminals then have access to the bank customer’s bank details and can use these fraudulently, which could also include stealing the identity of the victim.

TIPS

  • Do not trust websites you do not know.
  • Don’t fall for offers that are available at a very low price. If it seems to be too good to be true, it usually is.
  • Register for 3D Secure to secure your card details.
  • Do not send emails that quote your card number and expiry date.
  • If you are requested to confirm your banking or personal details via a link, don’t click on it.
  • Use YIMA, a website vulnerability scanner, where you can do a website security check for scams, known vulnerabilities and security headers.

Carrying Cash Safely

 

MODUS OPERANDI

When it comes to carrying cash, two crime types remain prevalent: victims are followed out of a bank branch after a cash withdrawal has been made, which comprises most cases, and then incidents where they are followed after withdrawing money at an ATM. In both these cases, criminals follow the victim to their residence, place of work or any other place where it is easy to rob them. In the case of bank branches, “spotters” still operate and communicate the victims’ description to accomplices who wait outside the bank. Small business owners are also at risk, particularly when drawing cash to pay weekly wages.

TIPS to Avoid Being a Victim of Cash Robberies for Individuals

  • Carry as little cash as possible.
  • Consider the convenience of paying your accounts electronically (consult your bank to find out about other available options).
  • Consider making use of cell phone banking or internet transfers or ATMs to do your banking.
  • Never make your bank visits public, even to people close to you.

TIPS to Avoid Being a Victim of Cash Robberies for Businesses

A small business which is cash based and needs to deposit money on a regular basis at the bank should apply the following TIPS, which will minimise the chances of becoming a victim of robberies:

  • Alternate the days and times on which you deposit cash.
  • Never make your bank visits public, even to people close to you.
  • Do not openly display the money you are depositing while you are standing in the bank queue.
  • Avoid carrying money bags, briefcases or openly displaying your deposit receipt book.
  • It is advisable to identify another branch near you that you can visit to ensure that your banking pattern is not easily recognisable or detected.
  • If the amount of cash you are regularly depositing is increasing as your business grows, consider using the services of a cash management company.
  • Refrain from giving wages to your contract or casual labourers in full view of the public, rather make use of wage accounts that can be provided by your bank.
  • Consider arranging for electronic transfers of wages to contract or casual labourers’ personal bank accounts.

TIPS to Avoid Being a Victim of Cash Robberies for Savings Clubs and Stokvels

If you are a member of a cash savings club, advise members of your club of the following TIPS that will help prevent your club from falling victim to cash robberies:

  • Refrain from making cash deposits of club members’ contributions on high risk days (e.g. Monday after month end).
  • Ensure persons depositing club cash contributions or making withdrawals are accompanied by another club member.
  • A stokvel savings club or burial society can arrange for members to deposit cash directly into the club’s account instead of collecting cash contributions.
  • Arrange for the club’s pay-out to be electronically transferred into each club member’s personal account or accounts of their choice.
  • Take another person with you when going to deposit club cash contributions.

FICA (KYC)

 

In order to be legally compliant, Banks have to hold the latest and most accurate information about all their customers in compliance with the Financial Intelligence Centre Act 38 of 2001 (FICA). Internationally, governments have agreed to fight organised crime and terrorism, and many countries have passed laws that demonstrate their commitment to this effort. South Africa is equally committed to ensure that its laws to combat money laundering, organised crime, terrorism and tax evasion remain in line with international best-practice. FICA was therefore introduced by the South African Government to combat these crimes and to simultaneously protect bank customers from fraud and similar crimes.

Accurate information about customer identities is also one of the ways to help banks provide financial services responsibly and securely, and this legal compliance is not merely a once-off initiative but an ongoing process. The law requires institutions to regularly test to ensure that they retain the correct customer information. The Banks are not only doing this for compliance purposes but also to minimise customers’ exposure to bank crimes such as fraud, identity theft and cybercrime.

Banks are compelled, under law, to enforce strict measures if they do not have accurate and up-to-date information about their customers. Such measures could include the freezing of a customer’s account. If a bank customer is not certain of their FICA status, they should contact their account or relationship manager to find out.

  • Bank customers are therefore urged to take their latest “Know Your Customer” (KYC) documents to their banks to ensure FICA compliance.
  • These documents include, among others, identity documents, proof of address (for example a utility bill) and proof of authority (should a person be acting on behalf of another in the banking relationship).

For more information visit http://www.fic.gov.za/ or contact your bank directly.

Muti Scam

 

MODUS OPERANDI

In order to steal from you, criminals smear you with an unknown black substance after you have withdrawn money from an ATM or at a bank and lead you to believe your money has been cursed.

They then ask you to hand over your money and put it into an envelope, promising to remove the curse. When they return the envelope to you it contains worthless paper. But by the time you discover this, it is too late, and the criminal is long gone – with your money.

Criminals are experts at social engineering and will use these tactics to manipulate you and steal your cash. If you are smeared with an unknown substance after making a withdrawal, leave! Do not engage with anyone who wants to talk to you. It’s a scam.

TIPS

  • Be aware of your surroundings, even when transacting inside the bank.
  • Never make your bank visits public, even to people close to you.
  • Never trust anyone that approaches you after you have transacted at the bank or at an ATM.

Online Shopping Scams

 

Online shopping has only grown in popularity due to the endless catalogue of purchasable items, the convenience of making purchases at your fingertips, fast delivery and great deals. It has also created lucrative opportunities for scammers to trick you into paying for goods you won’t receive or to obtain your personal information for their own financial gain. Unbeknown to you, you could be creating the opportunity for them by being enticed by a really good deal online via a mailer or Facebook advert. After you have paid for your purchase in full, you don’t receive the goods and when you try to make contact with the online retailer, there is no response. They have simply disappeared and your money is gone.

MODUS OPERANDI

TIPS

  • Only shop at reputable retailers and avoid unknown ones, even if the offers seem amazing;
  • Shopping for cheap online specials can be an expensive mistake. If a deal seems too good to be true, it probably is; use YIMA, a website vulnerability scanner, where you can do a website security check for scams, known vulnerabilities and security headers.
  • Be aware that the ‘s’ in the ‘https’ no longer guarantees that a website is secure.
  • When registering on an e-commerce website, always choose a strong password or even better, a passphrase and never save these on any computer or mobile device.
  • When registering on a secure site, choose a strong password and do not save your login details on any computer or mobile device.
  • Identify subtle clues, such as spelling errors, that may indicate that an email you seemingly received from a retailer is actually from an imposter.
  • Watch out for spoof e-commerce sites advertising specials. Criminals only need to change one digit of a web address to create a spoof website and steal your data; again, check the URL using YIMA.
  • Be wary of unfamiliar e-commerce sites, especially if they do not redirect you to confirm your transaction via your bank’s 3D Secure page or via your own bank’s mobile app before you pay.
  • Don’t save your card details on e-commerce sites.
  • Never re-use the same password on multiple domains.
  • Avoid sharing your personal information. Online merchants don’t need your ID number or date of birth to process your order, but cyber criminals can use these to steal your identity.
  • Check your bank balance after making any shopping payment, and report any fraudulent transactions to your bank immediately.
  • Ensure your antivirus software is installed, activated and updated regularly. Cybersecurity habits can reduce your risk of becoming a victim.
  • Make sure that your mobile shopping apps are the latest available versions by updating these regularly.
  • Protect yourself against fraud by registering for additional security that sends a One Time PIN to your phone when making a payment.
  • For added online shopping verification, register your bank card with 3D Secure.
  • Never supply your OTP to anyone while conducting an online transaction.
  • Change your Wi-Fi’s wireless router password, as most people use the default router password provided by their ISP (Internet Service Provider). Changing the wireless router password makes the connection more secure.
  • Never click on unknown links in emails, or open email attachments from unknown sources.
  • Never forward emails that may contain malicious attachments or links.

Tips for merchants

  • Be aware that online fraud is on the increase and that organised crime syndicates are behind it. These criminals want your banking details as well as the banking details of your customers.
  • When it comes to high-cost orders, including those from established customers, always check with the card operator. In addition, check the fulfilment address, as a sudden unexplained change of address could be a sign of fraud.
  • Note that both credit and debit cards are equally likely to be used for fraud.
  • High value purchases can be used to launder money using stolen credit cards. If you are selling high value goods, always take note of large orders and double-check all details.
  • Your customers’ data (names, addresses, telephone numbers, email addresses, bank card or bank account numbers, etc.) is your responsibility. Criminals want these details and may try to hack into your data repository to steal this data. Ensure that your data repository is secure.
  • Because your customer data repository is your most valuable asset, you must take every precaution to secure it by investing in robust anti-hacking software. Ensure that you keep this updated by installing all updates and security patches. This also applies to websites using a Content Management System (CMS) such as WordPress or Drupal.
  • In addition to installing security patches, ensure that you regularly update all other systems to their latest versions.
  • Should your data repository be hacked, inform your bank and card schemes. SABRIC can assist you to inform your bank. Should there be a risk to your customers as advised by your bank, please notify your customers immediately. 
  • Implement a breach plan as soon as possible so that, if a breach occurs, you can notify the correct parties immediately to reduce the impact of potential fraud and other cybercrime activities. The longer you wait once you find your data repository has been compromised, the greater the damage to your customers’ trust in your business and to your business’s reputation.
  • Never open attachments from unknown sources as the attachment can carry malware allowing criminals to access your data repository which could enable them to steal your customer data.
  • Frequently check all the links on your website with a special focus on your payment links. Links can be compromised to divert your customers to other bogus/dummy websites designed to steal payments.
  • Conduct a monthly search on your domain name. Criminals can create bogus/dummy sites using a URL almost identical to yours to divert your customers and steal their payments.
  • Merchants must look to both POPIA and possibly GDPR as well to ensure PCI compliance. Following the conditions set out by POPIA and the guidelines issued by the Information Regulator means that you are taking your customers’ data and privacy rights seriously, thereby reducing the risk of personal information breaches. With regard to PCI DSS, meeting the security controls set out by the Payment Card Council and using PCI DSS level 1 certified service providers means you are protecting yourself as far as possible. Ensure that you always keep 3DSecure on as well.
  • Merchants should add an “Online Shopping Safety Suggestions” section to their website to guide customers about things like 3DSecure, OTPs (One Time PINs), YIMA and other updates about new fraud trends used by criminals.
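
The checks on payment links and near-identical domains in the merchant tips above can be run automatically. The following is an added example, not SABRIC's or YIMA's code: it lists links and form targets on a page that leave an assumed allowlist (`shop.example`, `pay.example`), including hosts that are only a character or two away from a real one. All host names and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"shop.example", "pay.example"}  # assumption: the merchant's real hosts

class LinkCollector(HTMLParser):
    """Collect every URL a customer can be sent to: <a href> and <form action>."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get({"a": "href", "form": "action"}.get(tag, ""))
        if value:
            self.urls.append(value)

def edit_distance(a, b):
    """Levenshtein distance, to spot hosts that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_links(html, page_url, allowed=ALLOWED_HOSTS):
    """Return (url, verdict) for each link that leaves the allowlist or drops HTTPS."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for raw in collector.urls:
        parts = urlsplit(urljoin(page_url, raw))  # resolve relative links first
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are not web destinations
        if host in allowed:
            if parts.scheme != "https":
                findings.append((parts.geturl(), "insecure"))
        elif any(edit_distance(host, good) <= 2 for good in allowed):
            findings.append((parts.geturl(), "lookalike"))
        else:
            findings.append((parts.geturl(), "unknown-host"))
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<a href="/cart">Cart</a> <a href="mailto:help@shop.example">Help</a>
<form action="https://pay.examp1e/checkout" method="post"></form>
<a href="http://shop.example/specials">Specials</a>
<a href="https://cdn.tracker.test/promo">Promo</a>"""
```

Calling `audit_links(SAMPLE_PAGE, "https://shop.example/checkout")` returns the three suspect destinations with their verdicts; the same `edit_distance` function can be applied to the results of the monthly domain search to rank names close to your own.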