A recent flurry of fraudulent transactions involving personal bank accounts suggests that South Africa’s financial sector is battling to stay on top of increasingly sophisticated methods of cybercrime.
One such victim is Yasmin Bakharia, who owes two banks R90 000 after falling prey to scams, including a fake online purchase and another transaction that resulted in her depositing money into a fake account in the mistaken belief that she was paying off her credit card.
South Africa’s largest bank by assets, Standard Bank, recently had to issue a statement assuring customers that it was taking measures to keep their deposits safe, after a backlash on social media from account holders who said they had been victims of fraudulent transactions that saw their money disappear.
In the statement, the bank said it continued to receive customer queries relating to potential fraud, adding that its fraud mitigation measures “are robust and continue to protect and inform customers of any potential fraud on their accounts”.
“Standard Bank is aware of further fraud attempts on some international transactions. Our fraud detection systems will continue to actively identify and block any suspected fraudulent transactions and/or affected cards,” it said.
The bank issued the statement in the wake of social media posts by irate clients who accused it of being slow in responding to their complaints.
In one post on the X platform, a user, @ayandamthethwa_, warned fellow Standard Bank account holders: “Check your accounts. There’s a massive security breach with that bank & they are going about their day as if nothing happened. Several fraudulent transactions were attempted on my account last night. 3k [R3 000] gone with no explanation.”
In response, Standard Bank posted: “Hi Ayanda, the security of your account is a top priority. In the event of any unfamiliar transactions on your account, please reach out to our fraud team without delay on 0800 222 050, alternatively send an email to [email protected].”
Responding to questions from the Mail & Guardian, Standard Bank denied there had been a security breach in its system, and pointed out that fraud was “an ongoing global phenomenon”.
“Cybercrime is a growing concern globally and is something that impacts all customers, all banks and all organisations that manage and keep data equally. It’s a risk that comes with running a digital business,” it said.
“Standard Bank has initiated many contingencies and provided customers with tools to assist them in securing their personal information. However, it is very important for the customer to protect their personal data, especially their card and PIN details. New types of scams continue to emerge in which fraudsters lure you into providing confidential info — often via email, SMS, phone call, malware or remote access. Anyone can be a target.
“Ultimately, it’s up to you to stay informed about scams and think twice before sharing your personal details online or over the phone.”
According to the South African Reserve Bank’s consultation paper on cyber resilience published in 2022, the banking sector remains one of the primary targets of cyberattacks in South Africa, and the increased usage of digital banking products for payment has significantly increased the likelihood of such attacks.
The South African Banking Risk Information Centre’s latest annual crime statistics report for 2022 showed that there was a 24% surge in reported incidents of digital banking fraud, compared with the previous year.
It said the financial losses associated with digital banking fraud escalated from R440 million in 2021 to just under R741 million in 2022, reflecting a 68% rise. Cybercriminals relied on various methods such as spear phishing, whaling, smishing, business email compromise, vishing, pretexting and angler phishing.
In the case of Bakharia, she received a call that she must settle her credit card urgently by paying into a bank account number provided to her during the conversation. But when she checked a week later, her R25 000 payment was not reflected. When she queried this with her bank, she was told the payment must have gone elsewhere.
Bakharia has taken the matter to court, but after six months there is still no resolution.
(Graphic: John McCann/M&G)
In another instance, Bakharia owed R65 000 on her credit card for online purchases she is adamant were not made by her.
But her bank says that for all the purchases a one-time PIN (OTP) was sent to her cellphone and its records show that she authorised the transactions. A query with Bakharia’s mobile service provider showed that a SIM-swap was made for her phone number without her knowledge.
A legitimate SIM-swap is usually done when a person wishes to replace a lost or damaged SIM card while retaining their phone number.
“I think they are targeting old people or they are using old people’s numbers. I am a pensioner and this thing is happening to old people,” Bakharia said.
According to Karl Blom, a partner in charge of technology, media, telecommunications and intellectual property practice at law firm Webber Wentzel, cybercriminals are usually indiscriminate in identifying their victims.
“If they find someone who is not as sophisticated but has access to mobile banking, that creates a potential risk and that someone is a target. I would not say we are any worse or better than most places around the world, it’s a global scourge,” he said.
Other South African banks have not been spared. In November 2020, Absa announced a data leak, which resulted in personal information linked to 200 000 accounts being stolen. The employee linked to the attack was later criminally charged.
In a statement this week, the bank said it had extensive measures in place “to safeguard our systems and our protection mechanisms are reviewed regularly in the context of an evolving cybercrime landscape”.