Banking 9.04.2025

Nedbank warns of new banking scams

Nedbank has warned South Africans to be wary of increasingly sophisticated techniques fraudsters use to steal their money, including sneaky tactics to bypass biometric identity verification.

Nedbank fraud detection head Lucas Venter recently told MyBroadband about the emergence of “selfie scams.”

Venter said criminals using this technique typically approach victims in a public place, such as a mall parking lot or on the street, creating a false impression of trustworthiness.

They would then offer a free voucher to their intended victim if they enroll in a supposed rewards programme.

“The fraudster uses their own phone and asks the victim to complete the enrolment process, which includes using facial biometrics for verification,” Venter explained.

“Unbeknownst to the victim, they are actually enrolling in a banking app under the fraudster’s control.”

Venter said the fraudsters then trick the customers into handing over their own phones to accept an approval message or get a one-time PIN to provide access to their banking accounts on the fraudster’s device.

“Once the enrolment is complete, the criminal has access to the victim’s financial information and can use the app to steal money from the victim’s accounts,” Venter said.

Venter advised that people take these steps to avoid falling victim to selfie scams:

  • Always check with the store that the person claims to represent to ensure that they are running a promotion.
  • Don’t let a stranger do a selfie verification of you.
  • Don’t hand your smartphone to a stranger.
  • Read your banking notifications carefully before accepting them.
  • If you suspect fraud, call your bank immediately.

Another common scamming technique that has become popular is a combination of “client coaching” and “vishing”.

In these scenarios, a fraudster pretends to be a representative from the victim’s bank to gain access to their funds or account.

Venter said these fraudsters would typically try to create a sense of urgency by claiming that the victim’s account has been compromised and immediate action is required to protect their funds.

“The fraudster then instructs the victim to transfer their money into a ‘safe account’ to prevent any unauthorised access,” Venter stated.

“The so-called safe account is actually controlled by the fraudster.”

“Once the transfer is complete, the fraudster has full access to the victim’s funds, leading to significant financial loss.”

Alternatively, the fraudsters might ask the victim to provide sensitive information such as their card number and PIN under the guise of verifying their identity or securing their account.

This is commonly known as voice phishing or “vishing”.

“In some cases, the fraudster may instruct the victim to change their online banking login details to details provided by the fraudster, claiming it is for security purposes,” Venter said.

“Once the fraudster has this information, they can access the victim’s accounts, potentially leading to unauthorised transactions and financial loss.”

“The fraudster may already have some of the client’s personal information and use that to make the call seem real.”

Venter provided the following basic guidelines to help people avoid falling victim to client coaching and vishing:

  • Never share your online banking login details, card PIN, expiry date, and CSV with anyone, even your own bank
  • Read your banking notification messages carefully before accepting them and never share an OTP with anyone
  • Don’t be rushed into processing a transaction or sharing your personal information — check with your bank first
  • If you receive a notification for a transaction you did not perform, do not ignore it; notify the bank immediately
  • Don’t trust caller identity apps; fraudsters use number-masking software to make it look like the call is from a bank when it is not

Avoid downloading these apps

A third common issue Nedbank has recently observed is the proliferation of malicious apps, primarily on Android devices.

Venter said that fraudsters using this technique often posed as representatives from well-known companies, including video streaming services and airlines, sometimes in social media adverts.

They would then offer enticing discounts on products or services.

In other cases, the fraudsters impersonate police officers, claiming that the client is either a victim of impersonation or an accused individual.

They then urge the client to download a supposed SAPS app to resolve the issue, furthering their malicious intent.

“To claim these offers, they instruct clients to download an app via a link they provide,” Venter said.

“Once the client clicks the link and installs the app, they are prompted to approve several permissions, which secretly grant the fraudsters access to the device or install malware.”

Venter advised that people only install apps from official stores like the Apple App Store or Google Play Store.

These platforms perform security checks and audits on apps to significantly decrease the likelihood that they contain harmful code.

Venter advised, “Don’t install apps from links, and don’t ignore the warnings on your mobile device about installing apps from unknown sources.”

“Keep your antivirus software updated and be cautious of apps asking for too many permissions.”

“If you suspect you have been scammed, change your banking passwords immediately and notify your bank immediately.”
