27 September 2011

Phishing can cost you, big time

Sitting at your desk doing internet banking may make you feel safe. After all, it is not a bank, where someone can steal your bulging wallet when you step outside. But that friendly email claiming to be from your bank and asking you for your details could cost you and you alone.

If you fall foul of a phishing scam and give away your details because of your own negligence, banks are probably not liable, according to Aslam Moosajee of law firm Norton Rose.

Phishing is when fraudsters masquerade as a legitimate organisation, such as a bank. They create fake websites or send emails that appear to be from the organisation. Usually these ask customers to re-submit their personal and banking details, such as ID, PIN and account number. If the customer does this, his or her details are used to take money out of the account. International cyber security company Symantec says one in 319 emails worldwide is some sort of phishing attack.

Moosajee said a ruling last year in Nashua Mobile vs GC Pale CC showed the way for banks not to be liable. In this case Pale tried to sue Nashua after R160 000 was transferred illegally from its bank account. It blamed Nashua because someone performed a “SIM-swap”, which allowed the person to get the details of someone in the organisation and, therefore, the banking details.

This form of phishing occurs when someone manages to convince a cellphone company that he or she is another person. The phisher gets a copy of the person’s SIM and acts in his or her stead, taking all other information.

The chief executive of Absa, Gavin Opperman, said this scam is on the rise in South Africa.

Pale lost its case and Moosajee said what emerged from the ruling was that banks are not liable in cases like this. Instead, the customer’s “negligence” was blamed by the court, he said.

He said the courts understand that banks are doing “a lot to improve security”. As a result he did not know of any cases where a bank was held responsible. The ruling has not been tested.

Bongani Diako, spokesperson for the South African Banking Risk Information Centre, said his organisation is also “not aware” of any court cases where banks have been held liable for phishing.

In some cases, he said, banks have compensated victims.

Opperman said customers “should educate themselves” so that they can avoid such scams. This is the time of year when they start escalating, he said.

A report by Norton internet security earlier this month found that 84% of South Africans who are online have experienced a cyber-crime in their lifetime. The global average is 69%. And, although phishing is not the largest part of this, it is one of the most harmful.

Norton also found that the blame for this might lie with outdated security software — 24% of online South Africans are running old programmes.

Banks have reacted swiftly to phishing attacks in the past.

Last month Absa suspended all credit card payments to EasyPay, an online payment portal, because a third of all transactions had been fraudulent.

It was reported that R500 000 was returned to customers. Absa said it is investigating how much in total was stolen.

Although banks are safe from liability, Moosajee said he thought there was a chance of this being challenged under the Consumer Protection Act.