Illustration: Colin Daniel
Illustration: Colin Daniel

Don’t fall victim to fake emailed bank statements

By Martin Hesse Time of article published Sep 25, 2017

Share this article:

I BANK with one of the traditional “big four” banks and have my monthly account statements emailed to me, as I’m sure many of you do.

Because I can check my transaction history online, I admit that I often file away the emailed statements without giving them much more than a cursory glance. 

I was surprised, therefore, to begin receiving emailed bank statements from two other banks. I quickly realised that these were phishing emails, which the creators had taken quite a lot of trouble to make look authentic, even including seemingly genuine bank contact details and fine print containing the financial services provider registration number. 

I then went through the statement emails I had filed away from my own bank, and found several of them to be fraudulent. 

One give-away was the email address of origin. The "statements" from all three banks had an email address with the domain And if you compare them side by side, the text is almost identical.

They require you to click on the attachment (a link to a website), where you will be prompted to enter your log-in details and password.

If you do, you are unlikely to be robbed immediately, thanks to additional security measures banks have in place, such as one-time-passwords sent to your cellphone. But you’re certainly a step closer to having your account raided by cybercriminals.

These phishing emails that look like bank statements “have been around for a while and come out in different versions and formats from time to time”, says the chief executive of  the South African Banking Risk Information Centre (Sabric), Kalyani Pillay. 

She says the link (or, in this case, the attachment) takes you to a “spoofed” website – a site designed to fool you into thinking that it is legitimate – to obtain, verify or update contact details or other sensitive financial information. The emails are typically sent in large numbers to consumers’ email accounts. 

“All it takes is a few duped individuals to make phishing a profitable business for cybercriminals,” Pillay says.


The banks are aware of these phishing tactics and have generally tried to keep pace with the criminals by adding layers of security to internet banking.

Kovelin Naidoo, the chief cyber security officer at First National Bank (FNB), says FNB never sends any links in its emails. The only way that FNB customers should access its website is by typing into the URL address bar on their browsers. 

He says that, once your details have been ”phished”, the fraudster’s modus operandi is to illegally SIM-swop you (see “Definitions”, below). 

However, he says most FNB customers who use online banking have the FNB Banking App and Smart InContact, which protects them from illegal SIM-swops and phishing.

Smart InContact, which allows customers to receive secure online banking transaction approvals on the FNB Banking App, does not rely on SMSes or emails, which could be intercepted by fraudsters, Naidoo says. Smart inContact notifies customers of all transactions, with full control to report fraud through the Report Fraud button to FNB’s fraud line. Only verified devices with the app installed receive Smart inContact transaction approvals.

And he says fingerprint identification is also possible on certain devices.

He says criminals’ attempts bank to get at your details do not stop at emails. Sometimes they will phone you and pretend to be from their bank, service provider or a reputable retailer. During this conversation, they may ask you to verify your personal and banking information. 

He says if you are at all suspicious about a phone call, it is preferable to hang up and call the company directly to verify if the call was legitimate.

Naidoo says FNB proactively monitors and closes down fraudulent phishing websites used by criminals to try to access customers’ confidential banking details. All FNB customers are regularly notified of these types of emails and current fraudulent scams when they login to Online Banking, and are required to acknowledge the information before continuing with their banking. 


Kalyani Pillay from Sabric offers the following advice:

• Don’t click on links or icons in unsolicited emails. Don’t reply to these emails; delete them immediately.

• Don’t blindly believe the content of unsolicited emails. If you have doubts about an email’s origin, check by telephoning the entity that supposedly sent the email using a number you know to be genuine (not one included in the email).

• Don’t respond to emails that claim to be from your bank (or any other company) asking you to send your account details.

• Access your bank’s webpage by typing in the URL (the internet domain name) of your bank in the internet browser. Do not click on a link in an email.

• Check that you are on the genuine site before entering any personal information.

• If you think that you might have been compromised, contact your bank immediately.

• Create complicated passwords that are not easy to decipher, and change them often.

FNB’s Kovelin Naidoo has the following additional tips:

• Never use the same username and password for banking as you use for other apps, social media websites and online email accounts.

• Always do internet banking on a secure computer that you regularly use at home or work. Never bank online at public facilities such as at internet cafes, or on shared computers, because you do not know whether software has been loaded that may compromise your transactions.

• Download your bank’s free security software for your computer and/or smartphone. 

• Download the latest software and app updates for your computer and smartphone.

• Monitor your phone’s reception. If you have lost signal for an unusually long time, you may be a victim of SIM-swop fraud. Immediately call your bank’s fraud line to report a suspected SIM swop.

• Make online purchases with your card only on reputable websites that are verified as secure (look for the padlock icon in your browser and ensure that the address starts with https://).

• Never save usernames, passwords or PINs on your phone or computer, because this may allow others to access your banking details.


Phishing: a method of deceitfully obtaining personal information such as passwords, identity numbers and credit card details by sending emails that appear to come from trusted sources, such as banks or legitimate companies.

SIM-swop: criminals gain access to your cellphone and extract the SIM card, replacing it with another one. They install your SIM card in a phone of their own, enabling them to receive one-time-passwords sent by your bank.

[email protected]

Share this article: