Unfortunately, vishing is not new, but customers may be new to the scam. That’s why the Banking Ombudsman wants to warn customers, particularly in these tough economic times, when consumers are more vulnerable.
“Vishing is a method used to trick banking customers into divulging their confidential banking details, to scam unsuspecting bank customers out of their hard-earned money,” says Banking Ombudsman Reana Steyn.
Fraudsters phone bank customers posing as bank officials or service providers and manipulate the unsuspecting bank customers into disclosing their confidential information such as their card details and one-time passwords (OTPs). “The caller may seem so believable or genuine, because they already have the customer’s telephone number and often other personal details such as card number, ID number or address.
However, the mere fact that the caller is in possession of such information does not prove that they are who they are claiming to be. This information could have been stolen, found in a dustbin or willingly handed over to another service provider at some point in the past during another transaction,” explains Steyn.
According to the Banking Ombudsman the majority of internet banking fraud and credit card fraud cases opened by her office related to vishing fraud. This type of fraud targets everyone, from the more sophisticated bank customers who have access to internet banking, to all customers whose bank cards have the capability to make card-not-present purchases, such as credit and some debit cards.
“What is most important for bank customers to note is that fraudsters do not need to be in physical possession of the bank customer’s card to make online purchases. If the fraudsters have your personal information, card number and CVV number, they will be able to perform card-not-present transactions, such as online and telephonic purchases. It is for this very important reason that banks require their customers to keep their bank cards safe and the CVV number confidential,” the Ombudsman adds.
Although the office recognises the role bank customers must play in keeping their card details confidential, Steyn emphasises that they also recognise the reality that card details can be obtained by the fraudsters without customer negligence and/or bank staff involvement.
To add another layer of security to safeguard customers against this type of fraud, the banking industry introduced OTPs and other similar methods to authorise card-not-present transactions. When investigating such complaints, and depending on the facts of the matter, the OBS requires banks to provide proof that the OTP or other form of authorisation necessary to complete the transaction was indeed sent to the customer.
Another alarming fact is that the OBS continues to receive cases where the fraudsters were able to circumvent the bank’s efforts to protect their customers by sending an OTP, through the re-emergence of vishing scams accompanied by SIM swaps. In such cases, the OTP and authorisation are sent to the correct number; however, they are received not by the customer but by the fraudster.
When it comes to vishing scams, customers are in the best position to avoid falling victim by not providing their confidential information to the fraudsters. While acknowledging that it is very difficult for bank customers to tell whether it is a legitimate telephone call from their bank, the Ombudsman stresses that banks will never ask their customers to disclose their confidential card details or OTPs. Steyn advises bank customers to be extra vigilant in the following circumstances:
- when receiving a call from someone saying that they are from their bank and asking them to provide their OTP, or
- being asked for their bank card details, or
- if they suddenly lose cellphone reception and/or receive an SMS from the cellphone network provider of a pending SIM swap.
If any of these events happen, or anything about the call from the alleged bank employee feels suspicious, customers should immediately call their bank’s fraud department to report these issues.
In instances where it can be proven that a bank customer provided fraudsters with their card details and/or OTPs, banks could deny liability unless the OBS’s investigation established that there was some maladministration on the part of the bank which resulted in financial loss to the customer. In some instances, the banks have made a commercial decision in line with their customer-centric approach to refund their customers, even in instances where no legal liability could be established.
Steyn cautions that the banks’ decision to refund is on a case-by-case basis and that there is no blanket approach. “The OBS welcomes any decision by banks to contact their clients directly, even after her office has made a legally sound finding, with the aim of customer retention and satisfaction,” Steyn adds.