Unfortunately, vishing is not new, but customers may be new to the scam. That’s why the Banking Ombudsman wants to warn customers, particularly in these tough economic times, when consumers are more vulnerable. Vishing is a method used to trick banking customers into divulging their confidential banking details, to scam unsuspecting bank customers out of their hard-earned money,” says Banking Ombudsman Reana Steyn.
Fraudsters phone bank customers posing as bank officials or service providers and manipulate the unsuspecting bank customers into disclosing their confidential information such as their card details and one-time passwords (OTPs). “The caller may seem so believable or genuine, because they already have the customer’s telephone number and often other personal details such as card number, ID number or address.
However, the mere fact that the caller is in possession of such information does not prove that they are who they are claiming to be. This information could have been stolen, found in a dustbin or willingly handed over to another service provider at some point in the past during another transaction” explains Steyn.
According to the Banking Ombudsman the majority of internet banking fraud and credit card fraud cases opened by her office related to vishing fraud. This type of fraud targets everyone, from the more sophisticated bank customers who have access to internet banking, to all customers whose bank cards have the capability to make card-not-present purchases, such as credit and some debit cards.
“What is most important for bank customers to note is that fraudsters do not need to be in physical possession of the bank customer’s card to make online purchases. If the fraudsters have your personal information, card number and CVV number, they will be able to perform card-not-present transactions, such as online and telephonic purchases. It is for this very important reason that banks require their customers to keep their bank cards safe and the CVV number confidential,” the Ombudsman adds.
Although the office recognises the role bank customers must play in keeping their card details confidential, Steyn emphasises that they also recognise the reality that card details can be obtained by the fraudsters without customer negligence and/or bank staff involvement.
To add another layer of security to safeguard customers against this type of fraud, the banking industry introduced OTPs and other similar methods to authorise card-not-present transactions. When investigating such complaints, and depending on the facts of the matter, the OBS requires banks to provide proof that the OTP or other form of authorisation necessary to complete the transaction, was indeed sent to the customer.
Another alarming fact is that the OBS continues to receive cases where the fraudsters were able to circumvent the bank’s efforts to protect their customers by sending an OTP, through the reemergence of vishing scams accompanied by sim swaps. In such cases, the OTP and authorisation is sent to the correct number, however, it is not received by the customer, but by the fraudster instead.
When it comes to vishing scams, customers are in the best position to avoid falling victim by not providing their confidential information to the fraudsters. While acknowledging that it is very difficult for bank customers to tell whether it is a legitimate telephone call from their bank, the Ombudsman stresses that banks will never ask their customers to disclose their confidential card details or OTPs. Steyn advises bank customers to be extra vigilant in the following circumstances:
- when receiving a call from someone saying that they are from their bank and asking them to provide their OTP, or
- being asked for their bank card details, or
- If they suddenly lose cellphone reception and/or receive an SMS from the cellphone network provider of a pending sim swap.
If any of these events happen, or anything about the call from the alleged bank employee feels suspicious, customers should immediately call their bank’s fraud department to report these issues.
In instances where it can be proven that a bank customer provided fraudsters with their card details and/or OTPs, banks could deny liability unless the OBS’s investigation established that there was some maladministration on the part of the bank which resulted in financial loss to the customer. In some instances, the banks have made a commercial decision in line with their customer centric approach to refund their customers, even in instances where no legal liability could be established.
Steyn cautions that the banks’ decision to refund is on a case by case basis and that there is no blanket approach. “The OBS welcomes any decision by banks to contact their clients directly, even after her office has made a legally sound finding, with the aim of customer retention and satisfaction”, Steyn adds.
The following case study demonstrates the typical modus operandi of the fraudsters and how the OBS approaches such matters:
Mrs Van der Merwe* received a telephone call from someone claiming to be from the bank’s fraud department who asked her for her card number and CVV details. She provided the said details and clicked “accept” after receiving the “approve” messages from the bank. Online purchases totalling R45 000.00 were made on her credit card account. She lodged a complaint with the bank for a full refund of the funds, but the bank declined her claim as she had compromised her confidential credit card details to the fraudster.
The dispute was escalated to the OBS and the OBS’s investigation revealed that although the complainant compromised her confidential card details, the fraudulent purchases exceeded her available credit balance by R5000.00. The OBS recommended that the bank refund the exceeded amount and the bank agreed. Unfortunately, since the bank could show that there was no sim swap made and that all the “approve” messages required to make the payments were sent to her registered cell phone number the bank has on record, the OBS could only uphold her claim partially.
Bank denied liability
Mr Bond* received a call from a person purporting to be an employee of the bank (“the fraudster”). He was advised by the fraudster that there was suspected fraudulent activity on his account and mentioned three transactions which Mr Bond denied making. The fraudster then advised Mr Bond that he will call him on his landline to afford Mr Bond the opportunity to view the transactions on his cell phone. Mr Bond asked for the fraudster to identify himself and the fraudster gave him a name and phone number which Mr Bond called and it went through to the bank’s fraud department.
Mr Bond advised that the fraudster had all his personal details including his card number. Transactions reflected on Mr Bond’s cell phone and the fraudster asked him to verify them but Mr Bond denied knowledge of the transactions. An amount of R49 500.00 was debited from Mr Bond’s credit card account. Mr Bond disputed the transactions but the bank denied liability as the OTPs necessary to complete the transactions were sent to his cell phone number.
The OBS investigated the dispute and found that Mr Bond was a victim of a vishing scam. The investigation concluded that, on a balance of probabilities, Mr Bond provided the OTPs that were sent to his cell phone number to the fraudster as he believed that he was talking to someone from the bank.
Sim swap fraud
In another matter, the customer, Ms Dube* discovered that her phone was dead. She went to her telecommunication service provider and she was advised that she needed to replace her sim card which she did. She then discovered from her Bank App that her account had been depleted. She called the bank’s fraud department to report the incident and her card was blocked. The complainant lodged a claim with the bank for the refund of her loss but the bank declined her claim.
The bank disputed liability on the basis that the complainant’s card details were used to make the transactions. The bank further advised that all the OTPs needed to complete the transactions were sent to the complainant’s registered cell phone number. The bank denied that a sim swap had taken place.
The OBS’s investigation confirmed that the disputed transactions were made with the complainant’s card details and the OTPs that were sent to her registered cell phone number. The OBS was, however, able to establish that a sim swap had been fraudulently made on the day of the fraud, resulting in the fraudsters receiving the OTPs. To escape liability, the bank was asked to prove that the complainant was negligent in compromising her card details and the OTPs, but the bank could not. The OBS recommended that the bank refund the complainant’s loss amounting to R30 698.00 and the bank agreed.
Tips From The OBS On How To Protect Yourself from a Vishing Scam:
- Be aware – Always remember that legitimate businesses will never ask you for your personal, sensitive, or confidential banking information. Anyone who does this over the phone is probably trying to scam you.
- Don’t give in to pressure – If someone tries to coerce you into giving them sensitive information, hang up and immediately contact your bank’s fraud department to report the incident.
- Stay calm and don’t panic – Since these criminals frequently play on your emotions, keep a cool head and hang up the phone. Immediately call your bank, credit card company, or wherever the caller claimed to be from and verify whether there is a real problem.
- Be sceptical always – Even if your Caller ID gives the name of a bank, or some other company or organisation, it could be a trick.