A new identity-theft scam that uses “phone spoofing” will be hitting South Africa soon, Visa International announced last week, warning consumers to be wary of giving their personal details to outside sources.
This new scam, reliant on cellphone technology, cons users into disclosing their personal information to individuals whom they believe to be representatives of official financial institutions.
Through the scam, con artists are able to tap into the phone books and caller identities on users’ cellphones and change or modify information to suit their needs. Not only can they alter the details of existing contacts, but they can also create new caller IDs, such as a contact called “Bank”, on a user’s cellphone.
When the con artist then calls the user, the false name will show up as the caller ID. If users are caught unaware, they may not hesitate to answer private questions about their bank account or identity details, Visa spokesperson Beverley Houston said.
The scam, already running in the United States, is expected to filter into South Africa in a few months’ time. “Fraud tends to pass on,” Houston said.
“It is possible for harmful software to be loaded on to a customer’s cellphone which can interact with their cellphone address book,” said Dot Field, spokesperson for Vodacom. “Current measures to prevent harmful software being loaded on customers’ cellphones via MMS are in place.”
However, she acknowledged that there are obstacles in the way of measures put in place by cellphone companies. When, for example, harmful software is loaded on or transmitted to a customer’s cellphone via infrared or Bluetooth, Vodacom would not be aware of it.
“We strongly advise customers not to accept Bluetooth or other connections from any unknown sources, which could result in harmful software to be loaded on the recipient’s cellphone,” said Field, adding: “Prevention lies in the hands of the customer.”
Fake voices
The technology used by con artists also allows them to change or adapt their voices and accents, making the scam more convincing, Visa said last week.
“Anyone can sound professional on the phone. What people should pay attention to is the content they are asking for, not the manner in which they speak,” said Pat Pather, director of group IT security at Standard Bank.
“We always profess to our customers, ‘Never divulge your personal information,'” he added, saying that it is the responsibility of individuals to protect themselves.
The vice-president of risk management for Africa at Visa International, Neil Hawkey, agreed, saying the biggest weapon against fraud is public awareness. “You wouldn’t give your secret PIN [personal identification number] out to a stranger, so why would you share your private details with an unknown source on the internet or the phone? The same principles apply, only deal with credible sources.”
However, Pather admitted, there are times when users do unknowingly give out private banking information to con artists and, for this, banks have added precautions put in place. “From a control point of view, even if a customer gives out his details, [Standard Bank] has measures in place,” he said.
Cellphone banking is “one of the most secure means of banking”, he said, since each separate handset has its own secret information that identifies and verifies it. For internet banking, Standard Bank sends users a time-dependent password via SMS. The password, valid for a single session of about 15 minutes, expires thereafter and can’t be used again.
“It’s a severely sensitive transaction, so these are controls we’ve built in,” Pather said.
Going phishing
Similarly, First National Bank (FNB) also has a one-time-PIN system for internet banking, said Elaine Sekhethela, a fraud specialist at the bank’s risk department.
Internet scams, such as phishing emails, have also posed great problems for FNB. Similar to the cellphone scam, phishing refers to soliciting people’s private information by misleading them about one’s true identity. Victims are usually lured by clicking on links in emails that seem to be from their banks.
Phishing is usually linked to spoofing, which includes setting up fictitious websites that reaffirm con artists’ false identities and helps them to secure users’ personal information, Visa said.
Hacking is another type of scam that has affected South Africa recently, Visa added. But unlike the former two, hacking implies cracking a code of some sort to gain access to private information. It is also more about showing off to fellow hackers than for financial gain.
“It is important to emphasise that no bank in the whole world will ever ask you for your personal identity number or bank details, because they already have it … We will never phone you for personal details unless you initiate something with the bank,” Standard Bank’s Pather added.
“The bottom line is, never give out your information unless you are 100% certain of the recipient,” Visa’s Hawkey said.