Think before you believe it's the bank on the phone
Crooks have taken to impersonating the bank's fraud department.
Unauthorised debit orders are an evil that affects customers at all of the banks.
So when someone claiming to be from your bank calls you to say the bank has detected a new debit order on your account and would like to check its legitimacy, you're likely to trust them - especially if the caller has your full name and ID number.
Renee Marais, a Pretoria-based debt counsellor, said she nearly fell for a scam when she received a call last week from a person identifying herself as Sindi Ngcobo from Absa.
After telling her the bank had picked up a new debit order on Marais's account, "Ngcobo" said Absa would be sending her an SMS so that she could confirm or reject authorisation for the debit order, allegedly in favour of Assupol for R2000.
"I thought the bank was being proactive in dealing with unauthorised activity on my account," Marais said. But the caller said she needed Marais's "block number".
"When I asked her what that was, she said it was the industry term for the number printed on the card. That made me suspicious. I said to her, 'You're the bank; you called me; you should have my card number.' And so she told me my card number, which made me think she was actually calling from the bank."
As promised, an SMS was delivered to Marais's phone. The SMS, which appeared to be from Absa, contained a reference number followed by an ellipsis - or a set of dots - indicating that it was incomplete.
Ngcobo told Marais that to lodge a complaint with the fraud department, Marais would have to complete the reference number with her "authorisation code".
"I asked her, 'What do you mean by an "authorisation code"?' And she said it was the code I use when I use my card. She was referring to the PIN but at no time did she use the word PIN."
Marais said at one point she was put on hold and during that time she heard a recorded message identical to one used by Absa's fraud division.
She was also transferred to another person, allegedly in the fraud department, who also told her that the fraud reference number was "too short".
Ngcobo came back on the line claiming that unless Marais gave Absa her "authorisation code", the debit order would go ahead.
When Marais said she would visit an Absa branch to sort it out, the caller hung up on her.
The purpose of the call was to harvest Marais's PIN. This type of fraud is known as "vishing".
The South African Banking Risk Information Centre defines vishing as "when a fraudster phones their victim posing as a bank official or service provider and uses social engineering tactics to manipulate them into disclosing confidential information."
Phumza Macanda, the head of media relations at Absa, said bank staff will never ask you for your PIN, password or passcode. Nor will they ever ask you for the full number on your card. She said bank staff will also "never" ask you for your CVV number.
If you suspect that anyone has tried to dupe you, contact your bank's fraud hotline and change your password and PIN, she said.
Various tactics used to glean information
Phishing, smishing and vishing are all scams attempting to defraud you of money through email, SMS and telephonic contact, respectively. Letting your guard down just once can lead to a cascade of serious losses, Nedbank warns. In order to protect yourself from falling for a fraud, it helps to understand exactly how the different types of scams work.
Phishing - This is a scam in which an email, appearing to be from a bank or a legitimate financial institution, is sent to you requesting that you click on a link to update or verify your personal or account information.
The fraudsters often try to scare you by saying: "Your account has been accessed" or "your account will be blocked". When you click on the link, it directs you to a website set up by the fraudsters. After you enter your account details, PIN and password on the website, they are able to glean your information to enable them to access your bank account and transfer your funds into their specially opened bank accounts. Their accounts are then cleared of the funds within minutes.
Smishing - Here the fraudsters use SMSes to send you messages. You could be asked to click on a link which leads to a website where you are asked to supply your account information. You could also be asked to contact a toll-free number where a fake automated voice-response system asks you for your personal details.
Vishing - This entails social engineering over the telephone: you receive a phone call and are lured into divulging personal information.