Mystery of two ‘phishing’ losses
Pretoria - The first thing I asked Durban personal assistant Sue Gardner when she told me that fraudsters had whipped almost R20 000 out of her bank account in two equal R10 000 raids was: do you remember clicking on a link in an email that you thought was sent by your bank?
It’s the question I ask all those who approach me about the same predicament.
In all previous cases, excluding those involving bank card skimming and the like, it has turned out that, yes, they clicked on the e-mail link to “update their security”, as instructed by the e-mail, and provided their bank details, including their PIN.
And thus they’d unwittingly provided not their bank, but a fraudster, with the means to transfer money out of their account. Well, almost.
To make sure that the one-time password (OTP) the bank sends to authorise an electronic funds transfer reaches them rather than the genuine account holder, they hijack the victim’s cellphone number by means of a SIM card swop, carried out with the help of an accomplice working for a cellphone network.
And so it was in Gardner’s case.
If someone is found to have responded to a phishing e-mail, the banks take no responsibility for their loss, as they are deemed to have compromised their own security. Of course, such crimes can’t be committed without the fraudster also obtaining the OTP, via cellphone, and that remains a thorny issue.
Gardner was adamant that not only had she not responded to any of the many phishing e-mails she’d received, but that no one could have used her computer to do so.
She lives alone and has no computer at home, nor does she have a smartphone on which to do banking.
She did her internet banking on her work PC, in one quick session at about 7.30am when no one else was around, and in any event, she has a semi-enclosed office tucked away in the corner of an open-plan office.
The first Gardner knew of any suspicious activity on her account was when she got a call from a bank employee at work on the morning of October 11, to say that her account had been blocked as the bank suspected that fraudulent withdrawals had been made. To cut a long story short, money had been transferred from her credit card account into her cheque account, and then two withdrawals of just under R10 000 each were made from that account into a Capitec account.
Interestingly, on Gardner’s bank statement the words “ABSA Bank Wages” appear next to one withdrawal, and “ABSA Bank Contract” next to the other.
With Gardner being told she was responsible for paying off that R20 000 credit card debt, she approached me for help.
Given her circumstances, and her complete confidence that she hadn’t responded to a phishing email, I suggested to Trevor van de Ven, communications manager for Absa’s digital channels and payments, that the bank conduct a forensic investigation.
He got back to me with the good news: “Our fraud team will provide for a full independent forensic analysis of Mrs Gardner’s devices that she used to access her internet banking.”
In this case there was just one device – the PC she uses at work – to analyse.
An independent investigator duly flew down from Joburg in mid-November, and visited Gardner at her workplace, taking full control of her PC.
Gardner was sent the resultant report in mid-December, which she forwarded to me.
I was delighted to see the following sentence in that report: “No evidence was found on the desktop computer indicating that a phishing website was accessed from the desktop computer.”
Then this: “An unknown device that connected to the internet banking service for (Gardner’s account) on August 23 which could not be matched to the desktop computer (was) investigated.
“A device configured with a Windows 7 operating system using Internet Explorer 7 and connecting through a Telkom internet service provider was identified, which was not submitted for analysis.
“Our investigation remains inconclusive until all devices have been identified and submitted for analysis.”
Then I began asking Absa for a response.
What did the report mean? How did Gardner, who only ever used that one PC for her internet banking, compromise her banking details?
How, exactly, was the fraud committed? Gardner was never told, and nor was I.
All Van de Ven would say was: “The case has been finalised and an amicable outcome reached between the two parties.
“We are committed to respecting the confidentiality of the agreement.”
It was Absa which insisted that the settlement be confidential.
Gardner remains in the dark about what she did wrong, if anything, and has lost confidence in internet banking as a result.
She’s not willing to take the risk of it happening again, so she now pays her creditors the old-fashioned way – in person.
I pleaded with Van de Ven to provide the answers.
“With respect,” I wrote, “this is a matter of public interest. Absa is the entity insisting on the confidentiality of that agreement, not Sue Gardner.
“Over the years, I have been told by various banks, and by Clive Pillay, the banking ombudsman, that there has never been a case of such fraud having been committed without the account holder having been found to have compromised their banking details by responding to a phishing e-mail,” I said.
Gardner claimed that she did not respond to a phishing e-mail and the investigators could find no evidence that she had done so.
“So clearly, the fraudsters got her account number and PIN in some other way, and she doesn’t know how.”
The refusal to reveal exactly how her bank details were obtained in order for her funds to be accessed via that “unknown device” leaves Gardner, Absa account holders and potentially those of other banks, too, feeling vulnerable, I argued.
“I urge you to reconsider your standpoint.”
His response: “Our commitment to the confidentiality still stands.” - Pretoria News
DON’T BE FOOLED
Fake e-mails and the websites they link to look almost identical to the legitimate website of a well-known financial institution or company.
The first tell-tale sign that they’re sent by fraudsters is that they do not address the recipient by name.
If your bank or Sars really needed to contact you about your personal business, you’d be addressed by name, with your account details. The reverse does not hold, though: a message that does use your name can still be fraudulent, so a personal greeting is not proof that an e-mail is genuine.