Criminals want access to your online facilities to steal your money and will use any number of tactics to access your confidential information. Criminals use tactics like phishing and the installation of malware onto a victim’s device to steal the personal information necessary to access their online banking profile. They also conduct fraudulent SIM swops to ensure that the One Time Password (OTP), sent by the bank to authorise a transaction, is sent to a SIM card under their control.
Criminals often use phishing to trick you into disclosing personal information such as usernames, passwords, credit card details and mobile phone numbers. They sometimes also request the One Time Password/PIN (OTP) that the bank sends to your mobile phone when you transact. They do this by sending emails that look like they come from trusted sources such as banks or legitimate companies. These mails entice the recipient to respond by clicking on a link. When the link is clicked, the victim is diverted to a fraudulent website (spoof site) under the control of the criminal, and any information entered on that page, for example your banking username and password or cell phone number, is sent to the criminals. The information harvested in this manner is then used to access your online banking profile illegally. Once they have viewed your profile and found that there is money to be accessed, they will commit fraud on your internet banking account.
Prior to launching a phishing attack, criminals collect email addresses to which they send their spam phishing mails. They also ensure that they control other bank accounts into which they can pay the proceeds of the crime. They prepare a fraudulent website that resembles the real website of the company from whom the phishing mails purport to come, and host it on a vulnerable website. They then ensure that all information submitted through this website is relayed to an email address under their control. Once a victim responds to the phishing email by clicking on the link and “logging in”, the sensitive information is relayed to them. Sometimes they use this information immediately to access the victim’s profile, which triggers an OTP to be sent to the victim’s mobile phone. The spoof website then prompts the victim to submit that OTP, and the criminal uses it to move funds fraudulently.
If they are not ready to use the compromised information immediately, they will save it for a later date and do a SIM swop to gain control over the victim’s communications when the OTP is generated during the fraudulent transaction.
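The chain described above relies on a link whose visible text or host looks like the bank's while it actually leads somewhere else. The following added example, which is not part of the original page, shows the kind of check a mail filter or a cautious reader can apply before clicking: it pulls every link out of an email body and flags mismatches between the displayed address and the real destination, punycode look-alike hosts, bare IP addresses and non-HTTPS links. The bank domain (`examplebank.co.za`), the sample message and the heuristics are all constructed for illustration.

```python
"""Flag suspicious links in an e-mail body before anyone clicks them.

Added example: the trusted domain, the sample message and the heuristics
are constructed for illustration and are not any bank's real filter.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only site the bank legitimately sends customers to.
TRUSTED_DOMAINS = {"examplebank.co.za"}


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude site extraction: last two labels, or three for co.za-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(text, href, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means it looks fine."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme not in ("http", "https") or not host:
        return ["not an http(s) URL"]
    if url.scheme != "https":
        reasons.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homoglyph of a real name")
    site = registrable_domain(host)
    if site not in trusted:
        reasons.append(f"host {host} is not a trusted bank domain")
        # The bank's name buried inside an unrelated host is a classic spoof pattern.
        if any(t.split(".")[0] in host for t in trusted):
            reasons.append("bank name used inside an untrusted host")
    # Visible text that shows the bank's address while the href goes elsewhere.
    shown = text.strip()
    if " " not in shown and "." in shown:
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if registrable_domain(shown_host) in trusted and site not in trusted:
            reasons.append("link text shows the bank's address but href points elsewhere")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of suspicion reasons."""
    return {href: assess_link(text, href, trusted) for text, href in extract_links(html)}


# Constructed message body in the style of the phishing mails described above.
SAMPLE_EMAIL = """
<p>Dear customer, your profile will be suspended. Please
<a href="http://examplebank.co.za.secure-login.example.net/verify">https://www.examplebank.co.za/login</a>
to confirm your details, or visit
<a href="https://xn--exmplebank-xxb.co.za/">our secure site</a>.</p>
<p>Official help: <a href="https://www.examplebank.co.za/help">www.examplebank.co.za/help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Only the third link in the sample passes; the first is flagged on four counts (plain HTTP, untrusted host, bank name inside that host, and display text that disagrees with the destination), the second for its punycode host. The `registrable_domain` helper is deliberately simple; a production filter would use the public suffix list instead.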
Clicking on an unsolicited link or icon could also result in a victim’s computer being infected with malware. The malware (malicious software) used in internet banking fraud is software designed to gather sensitive information and send it to a predetermined destination under the control of the criminal. You could be tricked into infecting your computer with malware by clicking on a link or an attachment in an email, or by visiting a fake website purporting to sell you software to fight malware. Criminals deploy malware designed to harvest banking credentials. These malicious programs relay the keystrokes typed on the victim’s computer to the criminals, who then pick out bank-related usernames and passwords. The compromised information is then used to access the victim’s online banking profile unlawfully, and should there be funds available, these are transferred into the criminals’ account.
Through fraudulent SIM swops, criminals can take control of their victim’s mobile number, enabling them to receive the SMSs sent by the bank to the client. These include Transaction Verification Codes (TVC), Random Verification Numbers (RVN), PINs and One Time Passwords (OTPs). Using these codes together with compromised login credentials, criminals can change or add beneficiaries and transfer money out of the victim’s account.
Criminals are also known to port their victim’s cell phone number fraudulently before doing a fraudulent SIM swop. Mobile Number Portability (MNP) gives mobile phone users the ability to move to another mobile network and still retain their mobile number (MSISDN). In this scenario, the victim’s SIM card is deactivated and the criminal receives all communication on the new SIM card issued by the second mobile network operator, enabling them to receive the victim’s Transaction Verification Codes (TVC), Random Verification Numbers (RVN), PINs or One Time Passwords (OTPs).
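The SIM swop and number-port scenarios above have a common defensive counter on the bank's side: before an OTP or TVC is sent by SMS, check whether the customer's number has recently changed SIM or network, and if so route the verification elsewhere or hold the transaction for review. The following added example, which is not from the original page or any real bank, sketches that decision. The operator lookup table, the 72-hour cooldown and the risk rules are assumptions constructed for illustration; real deployments obtain SIM-change and port data from the mobile operators.

```python
"""Gate SMS-based OTP delivery on recent SIM swap / number-port activity.

Added illustration with constructed data; not any bank's or operator's
real logic.  The lookup table stands in for an operator SIM-swap/MNP query.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: treat any SIM change or port within this window as risky.
COOLDOWN = timedelta(hours=72)


@dataclass
class SimStatus:
    msisdn: str
    last_sim_change: Optional[datetime]  # latest SIM swap reported by the operator
    last_port: Optional[datetime]        # latest MNP port of the number


# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed operator responses for three customers.
OPERATOR_LOOKUP = {
    "+27820000001": SimStatus("+27820000001", NOW - timedelta(hours=2), None),  # just swapped
    "+27820000002": SimStatus("+27820000002", None, None),                      # quiet number
    "+27820000003": SimStatus("+27820000003", None, NOW - timedelta(days=5)),   # ported last week
}


def recent_changes(status, now=NOW, cooldown=COOLDOWN):
    """List SIM/port events that fall inside the cooldown window."""
    events = []
    for label, ts in (("SIM swap", status.last_sim_change), ("number port", status.last_port)):
        if ts is not None and now - ts < cooldown:
            hours = int((now - ts).total_seconds() // 3600)
            events.append(f"{label} {hours}h ago")
    return events


def otp_channel_decision(msisdn, new_beneficiary=False, high_value=False,
                         lookup=OPERATOR_LOOKUP, now=NOW):
    """Decide how (or whether) to deliver a transaction verification code.

    Returns (decision, reasons) where decision is one of:
      'sms_otp'               - number looks stable, SMS is acceptable
      'use_alternate_channel' - recent change; verify via app push / call-back instead
      'hold_for_review'       - recent change combined with a risky action
      'deny'                  - number unknown to the bank
    """
    status = lookup.get(msisdn)
    if status is None:
        return "deny", ["number not registered for notifications"]
    events = recent_changes(status, now)
    if not events:
        return "sms_otp", []
    # Adding a beneficiary or moving a large sum right after a SIM change is
    # exactly the pattern described for SIM-swop fraud, so stop and review.
    if new_beneficiary or high_value:
        return "hold_for_review", events + ["beneficiary change or high-value payment"]
    return "use_alternate_channel", events


if __name__ == "__main__":
    print(otp_channel_decision("+27820000001", new_beneficiary=True))
    print(otp_channel_decision("+27820000001"))
    print(otp_channel_decision("+27820000002"))
    print(otp_channel_decision("+27820000003", high_value=True))
```

The point of the example is the ordering: the SIM-change check happens before the code is sent, so a criminal who has already harvested the login details and swopped the SIM never receives an SMS at all, and a beneficiary change in that window is held rather than merely re-routed. The customer-side tip later on the page (investigate sudden loss of reception) is the same signal seen from the other end.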
- Ensure that the device you use for internet or mobile device banking has the latest version of antivirus and antispyware software installed from a reputable vendor. Robust solutions should identify malware and prompt you to delete it.
- Do not do your banking on a public or unfamiliar computer found at libraries, internet cafes and hotels.
- Avoid using WiFi hotspots, and ensure your own wireless network is encrypted before performing any banking transactions on your private computer. Prevent illegal software from being installed on your computer by restricting administrative rights, so that nothing can be installed without your approval.
- Be suspicious if you receive lots of spam email or SMS messages. It could indicate that your computer or cell phone has been infected.
- Beware of fake anti-virus software that is offered at no charge, as it could contain malware.
- Do not use unknown devices, such as USB flash drives, on your system, as they may unknowingly transfer malware.
- Avoid downloading pirated software as it may contain malware.
- Memorise your PIN and passwords and never write them down or share them, not even with a bank official.
- Make sure your PIN and passwords cannot be seen when you enter them.
- If you think your PIN and/or password has been compromised, change it immediately either online or at your nearest branch.
- Choose an unusual PIN and password that are hard to guess and change them often.
- For your security, you only have three attempts to enter your PIN and password correctly before you are denied access to your services.
- Register for your bank’s cell phone notification service and receive electronic messages relating to activities or transactions on your accounts as and when they occur.
- If your cell phone suddenly loses network reception, immediately check what the problem could be, as you could have been the victim of an illegal SIM swop on your number. If confirmed, notify your bank immediately.
- Inform your Bank should your cell phone number change, so that your cell phone notification contact number is updated on the banking system.
- Regularly verify that the details received in cell phone notifications are correct and correspond to recent activity on your account. Should any detail appear suspicious, contact your Bank immediately and report all log-on notifications that are unknown to you.
- Log onto your Bank’s website by typing in the web address yourself instead of accessing it via a Google search, as the search results might lead you to a spoofed site.
- Do not use web links that are saved under your favourites and never access your Bank’s website from a link in an email or SMS.
- Remember to log off immediately when you have finished banking.
- Make sure that no one has unauthorised access to your PC.
- Make sure that no security cameras are trained on your PC and keyboard.
- Make sure that the software loaded onto your PC is correctly licensed.
- Never click on links or attachments in unsolicited or suspicious emails, as harmful viruses, spyware and trojans could infect your PC.
- Install a personal firewall on your PC.
- Be cautious when using storage devices such as memory sticks and portable hard drives, and if you do make use of them, ensure that they are password protected.
- Don’t send emails that contain personal information, such as your card number and expiry date.
- Install a spam blocker on your system. This will make it difficult for fraudsters to get phishing emails into your inbox.
- Keep your operating system, browser and antivirus software up to date with the latest patches on your personal computer/laptop or cell phone, as they include important security enhancements that help detect phishing sites and malware.
- Should you realise that you have responded to a phishing mail, change your internet banking credentials immediately and advise your bank.