Tap-and-go, Sangoma and WhatsApp scams: These are new techniques scam artists are using

File picture: Pexels

File picture: Pexels

Published Aug 17, 2023


Just when we thought we know all the scams and could see through all the tricks, there are new scams to watch out for.

We take a look at a bank card scam where they don’t need an OTP to rip you off, WhatsApp scams that are doing the rounds (goodbye Nigerian princes, hello fake job offers), and scams that use a person’s beliefs against them, and more.

NFC tech scams

The latest and arguably one of the worst ones is this new bank card scam. Gone are the days when the scam artist needs the physical card to duplicate it and bleed you of your hard-earned money.

Rather, this scam entails exploiting near-field communication (NFC) technology and tap-and-go payment systems.

According to Reana Steyn, the Ombudsman for Banking Services, fraudsters can use stolen bank card information, such as your card number, expiry date and the CVV number, to make fraudulent purchases via digital wallets.

Unlike the usual card-not-present (CNP) fraud transactions that trigger a one time password to the legitimate card-holder’s number when a purchase is made, NFC/digital wallet payments do not require OTPs for every transaction. This makes it harder to identify a fraudulent transaction and take action.

The stolen card data is used by fraudsters to link their smartphones on payment platforms and digital wallets such as Samsung Pay, Apple Pay, Garmin Pay and Google Pay.

They use their smart device to make fraudulent purchases using your account details. Bear in mind, that as this is an NFC scam, no OTPs will be sent to you to validate the transactions.

However, a criminal can’t just link their devices to your stolen bank card information whenever they feel like it. An OTP or a “Smart inContact notification” would be required to complete the process. This notification would be sent to your registered number or your banking app.

But you wouldn’t just willy-nilly give someone else details to your bank account, right? Not necessarily.

Steyn says victims of this scam would receive emails or communications from fraudulent websites purporting to be legitimate businesses. These scam artists can pose as the South African Post Office or courier service companies, asking consumers to enter OTPs.

Once this authorisation is granted, the fraudster’s device is linked to your bank card, leaving them free to tap their device at point-of-sale with no further verification required.

It is believed that an international crime syndicate is behind this scam in South Africa.

WhatsApp scam

A number of WhatsApp scams are on the rise in South Africa.

Scam artists are getting more crafty and manipulative with these scams as they are using social engineering scams, designed to exploit human vulnerabilities.

Pretexting scams entail fraudsters using a pretext to gain the victim’s trust. They can pretend to be a relative, a co-worker or anyone you deem as trustworthy and then ask for sensitive information.

As the unemployment rate in South Africa is still high, fake job offers are still rampant. Scammers send messages posing as recruiters to offer job opportunities. They will then ask users to pay a fee or provide personal information to secure the job.

Using sangomas and traditional beliefs to scam

Social engineering scams do not only stop at WhatsApp. Scam artists are now abusing cultural belief systems and are taking advantage of the believers’ financial desperation to scam them.

Nazia Karrim, Head of Product Development at the Southern African Fraud Prevention Service (SAFPS) said the modus operandi is not only intricate, but very malicious.

As with the NFC scam, this scam is also run by a syndicate, who profile their potential victims before approaching them.

When the potential victim is vulnerable, a member of the syndicate (the communicator) contacts them and says they have been sent on behalf of a sangoma who claims to have been contacted by the victim’s ancestors and that the victim’s ancestors need to contact the potential victim immediately to address their plight.

This is when a second person of the syndicate steps in. They act as the sangoma who is receiving the messages from the potential victim’s ancestors. They will inform the potential victim that they need to be cleansed to help improve their financial circumstances and life in general.

The potential victim will be instructed to bring a set amount of cash to be ‘cleansed and blessed’.

On arrival to the meeting, the bogus sangoma tells the victim to drink a cleansing herbal remedy as part of the ritual.

This drink contains hallucinogens. The victim will reportedly hear the voices of their ancestors that are prompting them to hand over the bag of cash to the bogus sangoma.

As the victim is intoxicated from the drink, the scammers add additional cash into the bag during the ritual, but say the money is being blessed. This will make the victim believe the ruse.

The victim is told to return to the sangoma after they have withdrawn a significant sum of money (either after liquidating their pension fund or withdrawing their life savings).

"The communicator within the syndicate promises the victim, that the sangoma will cleanse and bless the money which may double or triple this amount upon their next visit," says Karrim.

However, at the next meeting with the sangoma, the victim is drugged again and convinced to hand over their life savings, and in return the victim is handed a bag filled with counterfeit money or paper, but they usually only discover this once they’ve recovered from the concoction, by which time it is too late.

The Covid-19 con

As the first case of the new Covid-19 variant was confirmed in South Africa, the disease has once again presented another opportunity for fraudsters.

Some scam artists are using the pandemic to obtain personal information.

When signing up for a vaccine, fill in a survey or apply for Covid-19 relief grants, take caution. These all often ask for personal information, including your address, phone number, identification number and email, so double check the source of the sender before handing over such personal data.