Read, understand, and critically examine before you click


With damage related to cybercrime projected to hit $10.5 trillion annually by 2025, a call has gone out for global agreements on how to regulate cyber threats, with the World Economic Forum (WEF) and the United Nations leading the way.

For the first time since its inception, the WEF’s Global Risks Report 2023, released earlier this year, placed cybercrime and cyber insecurity in the top 10 rankings of the most severe risks over the next decade, adding that “malicious activity in cyberspace is growing, with more aggressive and sophisticated attacks taking advantage of more widespread exposure”.

But South Africans don’t need a global report to tell them this; all they need to do is to look at the numerous emails and text messages telling them their “lucky day is today” or their “shipment has been put on hold due to a missing house number”, to realise that cybercrime has gone next level.

The National Prosecuting Authority (NPA) recently shared a small victory in the battle against digital crime.

In a media statement released last week, NPA regional spokesperson Luxolo Tyali said the NPA’s Asset Forfeiture Unit (AFU) obtained a forfeiture order in the High Court in East London for R3 million, “which will be reimbursed to the victim of a scam in line with restorative justice”.

Tyali said the forfeiture order stemmed from a cyber-scam docket that was opened by the owner of a Battery Centre. The company was informed via email on 27 March that its supplier’s banking details had changed.

“As a result, a payment was made into the new bank account on 26 April 2023. The fraud came to light on 11 May 2023, after the business was informed by their correct supplier that their payment was outstanding,” he said.

After swift action by the police, an AFU investigator, and the Financial Intelligence Centre, the R3m was traced, and the AFU office subsequently obtained a preservation order on 23 May.

“After obtaining the forfeiture order on 31 July 2023, the AFU investigator and victim were contacted by the interested party, the suspected fraudster, with requests to ‘meet’ regarding the unblocking of the account. These communications were reported to the Directorate Priority Crimes Investigations (Hawks) for further investigations,” Tyali said.

Digital wallet fraud

But as one head of the hydra is removed, another pops up in its place.

Last week, the Ombudsman for Banking Services sounded the alarm over digital wallet fraud, saying a new scam involving the use of near-field communication (NFC) technology has emerged.

Reana Steyn, the ombudsman, said the swindle involved fraudsters using stolen bank card information – such as the card number, expiry date, and the CVV number – to make fraudulent purchases via a digital wallet.

The ombudsman stated that about 124 NFC fraud-related complaints – with losses in the millions of rands – have recently been reported and investigated.

Customers’ accounts have been fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France, and Spain while the legitimate cardholders were in South Africa.

“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights,” Steyn said.

According to Steyn, the fraudsters used the stolen card information to link their smart devices (smartphones and smart watches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, and Google Pay.

“The fraudster’s smart device is then used to perform fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.”

For the fraudsters to be able to link their devices to the stolen bank card information, an OTP or a “smart inContact notification” is required to complete the linkage process. This OTP or notification is sent to the bank customer’s registered number or banking app. Once the customer approves the transaction, registration or linkage via the OTP, or authenticates it through Approve-it, the fraudster’s device is linked to the customer’s bank card.

Fake websites and emails purporting to be from the South African Post Office, Courier Services, and VodaBucks were being used, as shown by the complaints received and patterns identified by some of the banks whose clients have fallen victim to the fraud.

Steyn cautioned that any business may be impersonated and urged people to read, understand, and critically examine the OTPs/inContact messages sent to them. She advises bank customers to never be pressured into entering or giving away their OTPs without understanding what exactly they are authorising.

“More importantly, consumers must guard against the practice of accessing unsolicited links sent to them, especially when they are prompted to insert their personal and banking information,” she said.

WhatsApp-ening

As a recent tweet (or is it now Xeet?) by former Public Protector Thuli Madonsela showed, no one is safe.

In June, Madonsela tweeted about an incident that occurred in late 2021. A scammer impersonating one of her friends on WhatsApp stole about R10 000 from her and another friend over a three-month period.

She later told News24 that it should have been obvious the person to whom she was giving the money was not her friend, but it was only when the scammer became “greedy and brazen”, that she worked out what was happening.

Being one of 23 million WhatsApp users in South Africa (2 billion globally), Madonsela is not the first, and not the last, to be caught in this way.

Carey van Vlaanderen, chief executive of ESET Southern Africa, a distributor of security products, says fraudsters use social engineering to trick users into disclosing personal information, downloading malware, or making payments to fraudulent accounts.

“WhatsApp offers various security measures to reduce the risks associated with using the platform, including end-to-end encryption, two-step verification, user reporting and blocking, and biometric lock and unlock. However, it’s important to note that these measures are not 100% foolproof, which means it cannot guarantee protection against user error. As a result, there are some threats that can still pose a risk to users,” Van Vlaanderen says.

She says WhatsApp scams are usually social engineering scams, which can be difficult for users to detect.

“They often rely on exploiting human vulnerabilities rather than technical vulnerabilities. This makes it important for users to be sceptical of unsolicited messages or requests for personal information, and to verify the authenticity of any communication or offer before doing anything else.”

The most common types of WhatsApp scams include:

  • Phishing scams: Fraudsters send messages that appear to be from a legitimate source, such as the WhatsApp business account of a retailer, insurer, or bank, and ask the victim to click on a link or provide personal information.
  • Pretexting scams: Scammers spin a false narrative or use a pretext to gain the victim’s trust, such as pretending to be a customer service representative or a co-worker, and then ask for sensitive information.
  • Baiting scams: Users are offered something of value, such as a gift, discount, or prize, in exchange for personal information or actions, such as clicking on a link or downloading a file.
  • Fake job offers: Scammers send messages claiming to offer job opportunities and ask users to pay a fee or provide personal information to secure the job.
  • Investment scams: Scammers send messages offering high returns on an investment and ask users to transfer money to fraudulent accounts.
  • Romance scams: Con artists create fake profiles on WhatsApp and other dating apps to establish a relationship with users and then ask for money or personal information.

Now experts are warning South Africans to be cautious when using WhatsApp voice notes to communicate. Stephen Osler, the co-founder and business development director of Nclose, recently told BusinessTech that cybercriminals are using generative artificial intelligence to clone the voices of individuals – particularly high-level executives.

These attacks are not only aimed at large corporates; individuals are also being targeted, Osler said.

“While they have already targeted individuals making purchases on platforms like Gumtree or Bob Shop, as well as engaged in fake kidnapping scams, they are now expanding their operations to target high-level executives with C-Suite scams,” he said.

Tax as a target

And don’t forget about the tried-and-tested scareware scam.

Van Vlaanderen says attackers create a sense of urgency or fear to manipulate the victim into acting immediately, such as downloading fake antivirus software or paying a ransom to avoid legal consequences.

Scammers employing this tactic often pose as employees of the South African Revenue Service (Sars). The messages they send create the impression that action must be taken urgently to avoid tax penalties or to claim a tax refund. Clicking the link in the message usually downloads a Trojan, which the scammer can use to hijack a device.

The fraudsters’ platform of choice seems to be email.

So far in 2023 alone, Sars has alerted the public to 20 different scams. The latest example of a fraudulent email, uploaded on 2 August, has “ITR summary and statement” in the subject line. The message section reads: “Electronic Statement Summary – find herewith attached your Sars electronic statement, which includes successful processed returns and other related information.”

According to Sars, members of the public are randomly emailed with false “spoofed” emails made to look as if these emails were sent from Sars, “but are in fact fraudulent emails aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details”.

Examples include emails that appear to be from returns@sars.co.za or refunds@sars.co.za, indicating that taxpayers are eligible to receive tax refunds.

“These emails contain links to false forms and fake websites made to look like the ‘real thing’, but with the aim of fooling people into entering personal information, such as bank account details, which the criminals then extract and use fraudulently.”
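As an added illustration (not code from the article, Sars, or any bank), the small Python filter below applies the article’s own indicators to constructed sample messages: it flags senders outside the real sars.gov.za domain that reuse the Sars name (such as sars.co.za), refund or statement lures arriving from unrelated domains, and links whose visible text mentions Sars but point elsewhere. The sample messages and every domain ending in .test are constructed for the example.

```python
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "sars.gov.za"   # the real Sars domain named in the article
BRAND = "sars"
LURE_WORDS = ("refund", "statement", "penalty", "eligible")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

# Constructed samples modelled on the spoofed emails the article describes
SAMPLES = [
    {"from": "SARS <refunds@sars.co.za>", "subject": "ITR summary and statement",
     "body": "find herewith attached your Sars electronic statement"},
    {"from": "noreply@sars.gov.za", "subject": "eFiling notice", "body": "Log in at eFiling."},
    {"from": "billing@example-courier.test", "subject": "Your tax refund is eligible",
     "body": '<a href="http://sars-refund.example.test/claim">sars.gov.za refund portal</a>'},
]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of a From: header, or '' if it cannot be parsed."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def link_domain(url: str) -> str:
    """Host part of an http(s) URL, or '' for anything else."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def is_legit_sender(domain: str) -> bool:
    """True only for sars.gov.za itself or one of its subdomains."""
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)

def classify(msg: dict) -> list:
    """Return the reasons a message looks like a Sars lure (empty list = clean)."""
    reasons = []
    domain = sender_domain(msg.get("from", ""))
    subject = msg.get("subject", "").lower()
    if not is_legit_sender(domain):
        if BRAND in domain:                       # e.g. sars.co.za instead of sars.gov.za
            reasons.append(f"lookalike sender domain {domain!r}")
        elif any(w in subject for w in LURE_WORDS):
            reasons.append(f"tax lure from unrelated domain {domain!r}")
    # Visible link text that invokes Sars while the target is not a Sars host
    for href, text in LINK_RE.findall(msg.get("body", "")):
        target = link_domain(href)
        if BRAND in text.lower() and not is_legit_sender(target):
            reasons.append(f"link text mentions Sars but points to {target!r}")
    return reasons

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["from"], "->", classify(sample) or "no indicators")
```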

To report or to obtain more information on phishing, send an email to phishing@sars.gov.za or call the Fraud and Anti-Corruption Hotline on 0800 00 2870.

To find out more

More information on the various types of scams/schemes can be obtained from the following websites:

  • https://www.sabric.co.za
  • http://www.saps.gov.za
  • http://www.scamwarners.com
  • http://www.419scam.org
  • http://www.crimes-of-persuasion.com
  • http://www.fbi.gov/scams-and-safety/common-fraud-schemes