More consumers who have been victims of online banking fraud coupled with fraudulent SIM swops came forward this week, following a report in Personal Finance last week about Monica Kruger, a George businesswoman who was defrauded of R1.8 million.
Kruger has launched a High Court application to compel Absa and Vodacom to give her information so that she can establish who is liable for her loss.
All the consumers who contacted Personal Finance this week are Standard Bank customers and Vodacom subscribers.
• Mr NC, who is 76 years old, was defrauded of R708 000 in September. “The bank says there is no liability on its part and I am free to complain to the Ombudsman for Banking Services.”
• Mrs BB was defrauded of R150 000. “The bank says I must have compromised myself, although it has not provided me with proof of this. They have refused to give me any information unless it is subpoenaed. I know only that the money was transferred to nine other Standard Bank accounts.”
• Mrs SH was defrauded of R108 000. “Standard Bank says I must have ‘inadvertently’ given my online banking credentials to fraudsters.”
Just as we invest in personal security and keep our wits about us in the physical world, so too must we be alert to threats online, says Gerhard Oosthuizen, the chief information officer at Entersekt. Protecting ourselves online doesn’t require huge investments of time or money, he says. But we do need to apply a few “golden rules”:
1. Be password savvy
Email phishing is the most commonly employed line of attack, Oosthuizen says. Fraudsters use cleverly crafted emails to dupe you into entering your user name and password on a fake site or mobile app. These details are then used to access legitimate sites or apps used by you. “If they have your name, hackers can go onto your social media accounts and use clues there to guess your passwords,” he says.
When it comes to security verification questions, never repeat a theme, pattern or “recipe” in any of your passwords, he says. It is advisable to use lower-case phrases as passwords (“theappletree” or “ienjoysunsets”), instead of versions of the same password.
2. Always use two-factor authentication
If an online service gives you the option, implement two-factor authentication, Oosthuizen says. Instead of relying solely on email to reset your password for a website or app, two-step verification requires you (or a hacker) to provide more information – such as a one-time password or an answer to a security question over a separate communication channel. This option is rarely the default security setting. It is, therefore, up to you to ensure that two-factor authentication has been activated for the websites and apps you regularly access and on which you share personal information. “This reduces the risk associated with weak or stolen passwords.”
3. Use your discretion with password managers
“Password managers are an important tool in an age where we maintain scores of online accounts and depend on several apps daily,” Oosthuizen says. Use a password manager for most of the sites and apps you visit frequently, which lets you use random, complex passwords that would be difficult to remember each time, but also create entirely new and unique passwords for two or three important financial or banking sites. Keep these independent of your password manager, he advises.
4. Always be a sceptic
“Whenever you are working or transacting online, employ a healthy dose of scepticism and common sense. Hackers tend to use personalised emails to lure you into clicking on an unsecure link.” So if you haven’t heard from an ex-boss for five years and you receive an unexpected email from him, don’t open it. It’s best to call the supposed sender. The same applies to emails about winning or retrieving money – these should immediately trigger alarm bells, he says.
5. Use the security tools at your disposal
There are numerous tools and apps available to help you become more secure and cyber-savvy, Oosthuizen says. Websites such as haveibeenpwned.com allow you to check if you have an account that has been compromised in a data breach. You can also use VirusTotal, a free service that analyses suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
“It is also very important to check the validity of the security certificate on any site through which you will be transacting. If the URL starts with ‘http’ instead of ‘https’, beware. And always keep your devices updated with the latest software,” Oosthuizen advises.