Johannesburg - David Makgatho, 61, is the latest victim to fall prey to the card-not-present (CNP) scam when an amount of R8 500 was fraudulently removed from his account while he had the card with him.
According to an Accenture 2020 report, there has been a 100% increase in mobile banking application fraud and a 79.5% increase in card-not-present (CNP) fraud on South African-issued credit cards, making this scam the leading contributor to gross fraud losses in the country.
The report says that R2.2 billion a year is lost to cybercrime in South Africa - ranked third among countries with the most cybercrime victims worldwide - owing to the low investment in cybersecurity and inadequate cybercrime legislation.
Makgatho should know this because he believes his card was cloned to access his Standard Bank accounts, transferring money from one account to another using the CNP scam, before withdrawing the funds.
He said that on the same day after he withdrew money from a Standard Bank ATM at Goodman Crossing in Johannesburg, an amount of R24 000 was first transferred from his emergency savings account to his Access account, and from there four transactions - three amounting to R2 500 and one worth an R1 000 - were made from a Checkers outlet in Glenvista, according to Standard Bank’s Anti-fraud Department records.
According to Makgatho, he blocked his cards the following day and reported the matter to the bank but his claim was rejected with the proviso that: “Standard Bank was not the beneficiary of the proceeds of the unauthorised transactions.” Therefore, Standard Bank would not reimburse him.
Makgatho said he feels bullied by the bank because it is distancing itself from the entire matter.
“I have been a client of Standard Bank for many years and this is how they treat their customers? How many more people are faced with this?” he said. “We are told our monies are safer with banks, instead, we are vulnerable. We fall victim to fraudulent activities such as these. I cannot afford to lose R8 500 just like that. All I want is for them to pay me back. I am in a bid to get my money back and I am looking for further steps to take from here onwards.”
In its response letter, the bank stated that the only assistance it could offer was to “co-operate with the SAPS, insofar as any criminal case (is) opened”.
The letter further reads: “SBSA has concluded our investigation and could not find any wrongdoing on the bank’s part, the transactions were performed either by you, a person or persons unknown to you or the bank.”
Makgatho then penned another letter pleading with the bank.
“I am 60-year-old and I am constantly told that cyber crimes are prevalent with people our age. I am very careful and have educated myself enough to not be in the firing line. How much more does Standard Bank expect me to do when I am playing my part?
“Isn’t the bank supposed to meet me halfway by making sure that their security measures are tightened constantly?” asked the frustrated father of two from Protea North.
“The bank’s response suggests that I am at fault and yet I have entrusted my money to them.”
However, spokesperson Ross Linstrom, when approached, has confirmed that SBSA is committed to investigating all matters brought to their attention, thoroughly.
“While I would love to have given you a response sooner, our teams are still investigating this matter. I extend our apology to our customer but can assure you that our investigation will be thorough. As soon as we have resolved this complaint, we will be in contact with the customer,” he said.
In another case, Thabo Ngwenya lost his FNB bank card and although he says he blocked it, it continued to be used at various N1 toll gates en route to Limpopo.
Ngwenya, 45. then cancelled his card on the app as soon as these transactions started, but the card was continuously used even thereafter.
After three months of trying to get help, they finally refunded his money, he said, “but only after I threatened them. As their client, why is it that the safety of our money is not taken seriously? Why must we fight for banks to up their security?” he asked.
Ngwenya has since changed banks.
Ryan Mer, the managing director of Eftsure Africa, which provides web-based payments and verification service, said cybercrime was lucrative and could be perpetrated from anywhere in the world, with targets being anywhere.
Mer said due to the “behind the screen” nature of the crime, it was difficult to catch and prosecute these criminals and this made it attractive.
“In addition, the growing use of and reliance on online interactions globally means the ‘total addressable market’ for these criminals continues to grow and they are incentivised to innovate, become more sophisticated and complex in their attacks.
“Digital transformation has taken place at a rapid pace with rapid adoption, and this is great, but people across the spectrum are ignorant of some of the risks associated with it – both the general public and businesses (who of course are still run by and generally rely on people).
“This means that a large part of the risk could be addressed by people’s behaviours. This requires educating people and creating awareness on a continuous basis of the risks as they evolve through various different channels such as the banks, the media, businesses/employers.”
According to Mer, cybercrime attacks on South African businesses or the public do not have to be perpetrated by South African criminals. In fact, many of the syndicates that are responsible for these attacks are not based in South Africa.
“That is the very thing that makes this problem a whole lot more scary and difficult to tackle. In relation to fraudulent activities that have been perpetrated by people within companies, for example, the recently reported fraud case of a financial manager who allegedly defrauded her employer of R17m by directing funds meant for suppliers to her bank account, these people are simply resourced with the knowledge of the gaps in the manual controls environment within businesses and how easily they can be exploited,” he said.
Sidebar
According to Ryan Mer, the managing director of Eftsure Africa, which provides web-based payments and verification service, it is predicted that there will be 7.5 billion internet users by 2030 and that more than 111 billion lines of new software code will be produced each year.
“While the growth is exciting, these statistics also outline the number of vulnerabilities open to exploitation. Together with an estimated 96 zettabytes of digital content currently produced, this sheer volume will lead to increased cyber attacks and security events, all of which will be virtually impossible for humans to contain.
“Cybersecurity is more than a tech issue – it’s a business problem, too. A concerning number of South African companies are not prepared for the inevitability of a cyber attack, despite the significant financial and reputational risks. Cybercrime costs the South African economy millions each year and is increasing at an alarming rate.”
He provides tips specifically applicable to organisations
1. Understand the risks. This means testing your current processes and systems to identify vulnerabilities, perhaps with the help of more experienced external experts.
2. Beef up your basic security. Consider restricting user access to certain systems and applications and ensure those who leave the company no longer have any access. Review whether there are any vulnerabilities in how your company provides remote access. Make sure approval authorities are built into processes and workflows.
3. Tighten your payments security. Once you understand the threats out there, take a hard look at your payment processes and identify potential weaknesses. Independent third-party platforms can help manage supplier data and automate payment checking and supplier verification, saving time on manual processes and reducing human error.
4. Train your staff, create awareness. Since employees are usually the target of cybercrime, especially those in finance and accounts payable, equip them with the skills and tools to spot threats and respond effectively. Also, instruct them on how to identify and report suspicious online activity.
5. Make cyber security part of your DNA. Constantly reminding staff at all levels about the risks of cybercrime will, over time, help build a strong security-conscious culture for your entire business.
6. Ensure you have systems in place that allow for full oversight and have audit trail and accountability
Ultimately though, businesses need to be able to operate, at speed, without being so bogged down with paranoia and manual control processes, so they should be considering where technology can play a role from this perspective, as it has in every other perspective.
Related Video:
The Sunday Independent