Know when something is phishy with your banking
Murray says that at 8.30pm on Tuesday, May 21, he received an SMS that R19 890 had been paid from his account to G Reuck.
He says that two days earlier he received an SMS about a new beneficiary, “but I thought it was an existing beneficiary, Mr de Reuck, a builder, and deleted it”.
“I went online to investigate and realised it was not Mr de Reuck, the builder, who had previously done work for me. Next day I reported the fraudulent transaction to Standard Bank at the Blue Route Mall.
“The consultant, Petrus Lottering, was very helpful, but we spent 90minutes on the phone waiting for the fraud department’s findings. Meanwhile, Lottering cancelled my cards, except my debit card, which I would still be able to use until the new ones arrived,” Murray said.
“Finally, the fraud department said they had traced the identity of the ‘upcountry’ perpetrator who had transferred the money to an FNB account. Lottering, who was unfailingly polite, assured me I would get my money back within five weeks, as did the other consultants when I collected the new cards. I reported the theft to the police when I left the bank. About two days later, the fraud department gave me a case number and said it would take 10 days to finalise.”
Murray says it was difficult to contact the fraud department even on the alternate number he was given. He then received a request for a copy of the police affidavit.
After about eight weeks since reporting the incident, the bank told Murray it had been able to retrieve R4800, but was unable to retrieve the balance of R15090, and it was not liable for the loss.
Murray contacted Standard Bank’s internal ombud and received a response telling him he had compromised his details and there had been no lapse in the bank’s security.
The bank said Murray was free to contact the banking ombudsman if he was unhappy with the decision.
So he did.
Gerrit van der Merwe, adjudicator in the banking ombud’s office, agreed with Standard Bank’s ruling. “The bank repudiated your claim for R15090 as the evidence shows you were a victim of crime. The perpetrators gained access to your internet profile using your confidential details. The funds were transferred from your account prior to the bank becoming aware of the fraud and was not in a position to prevent the loss,” Van der Merwe said.
The adjudicator explained there were several ways the fraud could have been perpetrated - by phishing, for example, where the fraudster sends emails purporting to be from the bank asking for personal details.
“We can’t say when your confidential internet banking access credentials were compromised, but the sequence of events suggests that it could have occurred days or weeks before the fraudulent transactions.”
Van der Merwe said R19890 was transferred to the beneficiary’s account at FNB. The scamster made a cash withdrawal of R9980 and concluded point-of-sale purchases totalling about R5 000, leaving R4800 in the account, which was returned to Murray.
Murray was left in a catch-22 situation: he would have to open a criminal case against the perpetrators. But he would have to get a court order compelling the bank to disclose the identity of the beneficiary. If the beneficiary was found guilty, Murray may be able to recover the money, according to Van der Merwe.
Joop Dekker, Standard Bank’s customer dispute adjudicator, said it was clear Murray had been the victim of a phishing attack. Dekker sent the results of a confidential forensic report (a log) to the ombud which shows how the fraud was perpetrated. However, as it contains banking details of the third party (read “criminal”) it could not be shared with anyone. Not even Murray, the victim.
“The SMS containing the required one-time-pin to amend a new beneficiary was successfully delivered to the cellphone and validated by Murray, which allowed the fraudsters to transact, which was how the R19890 ended up with FNB. There is no evidence showing any internal staff involvement or a compromise of security by the bank,” Dekker said.
Murray says he did receive an email about a new beneficiary.
“But I incorrectly thought it was an existing beneficiary, as the name was virtually the same. The fault was with me because I should have been more diligent. So I guess this is seen as my error. The astonishing thing is that a fraudster is able to create a new beneficiary using my confidential banking credentials.”