
Cyber criminals are always a step ahead of the game

16 August 2010 | Fraud/Crime | General | Gareth Stokes

If you’re a customer of one of South Africa’s “big four” banks then you’re a perfect target for a growing band of brazen criminals. Computer fraudsters are using the Internet to launch unprecedented attacks on consumers’ bank accounts. They operate in the virtual world, with no boundaries, no physical addresses and absolutely no conscience. And they never get caught! I recently voiced my concerns to a senior staff employee at one of the bank computer fraud divisions. Since our chat I’ve been even more careful about how I conduct my banking online.

He told me the Internet made it possible for criminals to go on fishing expeditions for personal information – the common term for this type of fraud is ‘phishing’ – with virtually no fear of being caught. What is phishing? Online information hub wikipedia.org provides a perfect definition: “phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, credit card details and bank account details by masquerading as a trustworthy entity in an electronic communication.”

How phishing works

The advent of the Internet means everyone has access to one or more bank accounts and credit card accounts online. All you have to do to enjoy the processing capability previously reserved for the bank teller is to log in using your username and password… Once you’ve logged in you can pay accounts, transfer money between accounts, add beneficiaries etc. Imagine what would happen if your username and password get into the wrong hands.

The same technology that makes our banking experience a pleasure is being harnessed by cyber criminals to make quick and easy money. They soon realised that bank customers were easily conned out of personal information. Their typical modus operandi is to secure lists with millions of email addresses, then send emails to each of these email addresses purporting to contain instructions from the customers’ bank. Let’s say they send 10-million emails from Happy Valley Bank. They don’t care if only 10 000 of those 10-million recipients actually bank with Happy Valley – and they don’t care if only 10 of the 10 000 respond to the email… Because 10 out of 10-million is good odds for them!

Now here’s where it gets really smart. They know that to get a customer ‘hook, line and sinker’ they need to look and feel like the customer’s bank. So they typically include a link in their email which – you guessed it – takes the unsuspecting user to a website that looks and feels exactly like his or her bank… I’ve checked out one or two of these links and it’s truly frightening how accurate they are. The unfortunate customer who lands up on this website is asked to part with usernames and passwords. The cyber criminal uses this information to log into the victim’s bank account – often in real time! They’ve even worked out clever ruses to get around the SMS authentication system used by many of our local banks.

An example of a phishing email

Early phishing attacks were easy to spot. The perpetrators often used poor language, and the ‘false’ websites were very amateurish. But things have changed since then. Here’s an example that landed in my inbox last week; you can simply substitute Bank X with your bank:

Dear BANK X Customer,

BANK X has introduced a new online banking feature to prevent its customers from being vulnerable to online phishers. We have sent you this message because we noticed some invalid login attempts into your online bank account and have therefore limited its ability to send money. Please click below to the BANK X Secure Website and follow the steps required to remove this limitation.

CLICK HERE

Bank X will not be responsible for loss of funds to online Phishers as a result of failure to follow this directive.

The cheek of it! These phishers are playing on the customers’ fear of phishers to con them into parting with their details. Apart from the fact that your bank will never ask you to log in to the banking website, the easiest way to spot the scam is to hover your mouse cursor over the CLICK HERE link. In this case I could immediately see that the website I was going to visit had nothing to do with my bank. It was going to take me to: http://g##gint.com/bank.secure-BankX/ibank-secure/secure.net/BankX.jsp.php
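The hover-over check described above (and the one AndreK describes in the comments) can be automated: pull every link out of an email body, take the real host out of each URL, and compare it with the domain the bank actually uses, ignoring any bank name that merely appears in the path or as a subdomain of someone else’s domain. The script below is an added illustration, not code from FAnews or from any bank. The trusted domain bankx.co.za, the placeholder phishing host phish-example.invalid (standing in for the masked domain in the article) and the sample email are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed domain for the hypothetical "Bank X" in the article (constructed value).
TRUSTED_BANK_DOMAINS = {"bankx.co.za"}

# Constructed sample email body modelled on the phishing mail quoted in the article.
# The first link mimics the article's URL with a placeholder host; the second is
# a genuine-looking link; the third puts the bank's domain in front of a foreign one.
SAMPLE_EMAIL = """<p>Dear BANK X Customer,</p>
<p>Please <a href="http://phish-example.invalid/bank.secure-BankX/ibank-secure/secure.net/BankX.jsp.php">CLICK HERE</a> to remove this limitation.</p>
<p>Or visit <a href="https://www.bankx.co.za/login">our secure site</a>.</p>
<p>Also <a href="https://bankx.co.za.secure-login.example/ibank">confirm your details</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels, or last three for
    two-part suffixes such as co.za / co.uk. Good enough for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "com", "org", "net", "ac", "gov"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(href, trusted_domains, bank_keyword):
    """Return a verdict for one link: where it really goes and why it looks wrong."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host) if host else ""
    trusted = domain in trusted_domains
    keyword = bank_keyword.lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'none'}, not https")
    if not trusted:
        reasons.append(f"host {host!r} is not a trusted bank domain")
        # The article's URL puts the bank's name in the path of a foreign domain.
        if keyword in (parsed.path + parsed.query).lower():
            reasons.append(f"bank name {bank_keyword!r} appears only in the path")
        # Lookalike hosts such as bankx.co.za.<foreign-domain>.
        if keyword in host.lower():
            reasons.append("bank name used as a subdomain of a foreign domain")
    return {"href": href, "host": host, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


def assess_email(html_body, trusted_domains, bank_keyword):
    """Assess every link in an HTML email body, in document order."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return [assess_link(href, trusted_domains, bank_keyword)
            for _, href in extractor.links]


if __name__ == "__main__":
    for verdict in assess_email(SAMPLE_EMAIL, TRUSTED_BANK_DOMAINS, "BankX"):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['host']:40} {'; '.join(verdict['reasons'])}")
```

The point of the domain step is the one the article makes: what matters is the host the browser will actually connect to, not whether the bank’s name is somewhere in the address. A real mail filter would use the Public Suffix List instead of the crude suffix table here, but the decision logic is the same.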

Phishers hardly ever get caught

These cyber-criminals are very difficult to track down. They exist in the virtual world and typically hack into dozens of different computer networks to launch their criminal attacks and cover their tracks at the same time. On the odd occasion that investigators do successfully track the machine or network the attack was launched from, the perpetrators are nowhere to be found. Banks typically handle this type of attack by blocking the website concerned… If you fall victim to such a scam you should immediately contact your bank to minimise your loss.

Follow these rules and you should never fall victim to a phishing scam:

1. Never give your personal details to anyone unless you are 100% sure who they are.
2. Never engage in conversation with someone who has sent you an unsolicited email.
3. Never provide your personal details – especially your bank PIN number or password – to anyone.
4. Never log in to your bank account by following a link in an email. ALWAYS type the bank’s website address yourself.
5. If you receive a suspicious email, or suspect your account has been compromised, report it to your bank:

Standard Bank: phishing@standardbank.##.za – or telephone 0800 02 600

Absa Bank: absa@absa.##.za – or telephone 08600 08600

First National Bank: risk.online@fnb.##.za – or telephone 011 632 2226

Editor’s thoughts: I get roughly three of these phishing emails each week. Mostly I ignore them – because I don’t bank with the bank they’re talking about… But every now and then I actually do a ‘double take’ – amazed at the skills of these con artists. Have you been the victim of a phishing scam – and was your bank sympathetic to your plight? Add your comment below, or send it to gareth@fanews.co.za

Comments

Added by AndreK, 16 Aug 2010
Simply move your mouse over the address or link you have to click and look at the bottom of the screen on the left-hand side, just above Start; there it will show you where you are going. If it is not www.banks name co.za be sure that you are scammed. I do receive much more than three of these per week, sometimes almost daily, and have in the past reported it to the banks, but they don’t even give you feedback. Fortunately they do not charge you for giving them the information...
Added by Stupid Ass, 16 Aug 2010
I was stupidly done for R184k 3 months ago. Got back R180k within the first week with no contact or confirmation from my bank (Standard Bank). Numerous emails and telephone calls to a new department that has been set up just to handle internet fraud. Quote..unquote... We are dealing with a tsunami of fraud and don’t know what to do. I am R4k down but very lucky that it was not the full amount. Scary thing is that my bond account was attacked and the bond dept. said they could not put a block on my account and that only if I was in arrears could the credit dept put a block. ???? Credit card dept was very good. The rest very poor. Trying to get through to the correct department to stop your accounts being raided is impossible. Once again I am still lucky that I got most back...some don’t and the banks say it is not their problem.
