Warning to South Africans with banking apps on their phones

Several prominent South African banks say they have seen a marked uptick in banking app fraud impacting their customers.
KnowBe4 Africa recently warned that thieves are increasingly targeting smartphones to gain access to banking apps. However, Absa, Capitec, Discovery Bank, Nedbank, and Standard Bank say phishing is a more significant threat.
MyBroadband asked prominent South African banks about the prevalence of banking app fraud in the country.
Absa’s chief fraud strategy and analytics officer, Ulrich Janse van Rensburg, said there had been an increase in banking app fraud. However, he largely attributes this to increased app use, which attracts more fraud.
“We’re also seeing a significant increase in investment and false goods scams linked to mobile payments that surface on social media platforms,” said Janse van Rensburg.
“Most of the mobile app fraud is driven by customers being instructed by criminals impersonating bank officials to move funds to a safe account or to approve transactions.”
Capitec agrees. It said the most common form of banking app fraud involves scammers coercing victims to initiate payments.
“This type of scam is leading to significant financial losses,” it added.
Capitec also listed several common scams that it has observed:
- Investment scams and Ponzi schemes, where fraudsters promise high returns with little risk and encourage victims to invest in illegitimate schemes.
- Courier scams, where victims are coerced to pay deposits or full amounts for goods or services that are never delivered.
- Advance fee scams, where fraudsters instruct victims to pay an upfront fee for a job, loan, prize, or inheritance that doesn’t exist.
Discovery Bank echoed this, saying social engineering tactics such as phishing and vishing — phishing over phone calls — are the most significant threats when it comes to banking app fraud.
“The instigators are not afraid to call clients directly to authenticate the fraudulent transactions,” it added.
“However, it is important to note the increase is also aligned with our customer base growth.”
According to Nedbank fraud detection head Lucas Venter, digital banking fraud, particularly fraud through mobile apps, has increased significantly over the past five years.
“Nedbank has also seen an increase in fraud and attempted fraud against our clients,” said Venter.
He emphasised that the majority of banking app fraud results from social engineering rather than technical vulnerabilities.
“Phishing is a common method, where criminals send emails that appear to come from financial institutions, prompting users to disclose their login credentials,” said Venter.
“Another method involves tricking clients into installing malware on their devices, which then grants the criminals access to their banking information.”
Advocate Athaly Khan, head of Standard Bank fraud risk management, agrees. He explained that Standard Bank has seen a shift in orchestration from phishing and SMS-phishing (smishing) to vishing and remote access through malware.
“Through manipulation and deception, we are now seeing fraudsters employ the aid of customers to facilitate payments or unknowingly grant access to their banking app,” said Khan.
“Most customers are actively seeking ways to cut costs and spend when there are discounts. This gives fraudsters an opportunity to present offerings that are too good to be true, preying on customers’ vulnerability.”
The banks also each listed numerous ways for customers to avoid falling victim to these scams. These are collated below:
- Don’t process transactions when asked by someone purporting to be from your bank. End the engagement and contact your bank directly to verify.
- Read any messages from your bank carefully before you act.
- Use your bank’s “Account verification service” to confirm that the account you’re making payment to belongs to the real entity.
- Be sceptical of offers that appear too good to be true, especially those promising quick or high returns.
- Avoid paying upfront fees for jobs, loans, or prizes. Reputable companies will not ask for such payments.
- Thoroughly research any investment opportunities to ensure they are offered by authorised financial services providers.
- Don’t click on links in unsolicited messages asking for personal or banking information.
- Ensure you only load applications from trusted marketplaces and that you keep them up to date.
- Don’t share sensitive information. A bank will never ask for your passwords or OTPs.
- Immediately report stolen cards or devices.
- Don’t authorise transactions you didn’t process.
- Check that the transaction’s currency and in-app authorisation match.
- Don’t download files that let anyone view your device’s screen.
- Don’t allow remote access to your computer through software like AnyDesk or TeamViewer.
- Avoid using public Wi-Fi to access your banking app.
- Ensure your device’s browser and security software are up to date.
- Unlink your banking apps from devices that are no longer in use.