The amount of people being scammed by phishers is on the rise, and attacks are expected to escalate in line with Internet penetration.
The number of complaints received by the ombudsman for banking services (OBS) from people who have been phished is on the rise, and is already double that of complaints lodged last year.
Advocate Clive Pillay, the ombudsman, says 106 complaints have been filed with his office this year so far, compared with 45 last year. He says, based on the figures, there is “definitely an increase” in the number of people being phished.
Absa, SA's largest retail bank, was aggressively targeted by scammers earlier this year, and more than 100 people have taken unresolved complaints to the ombudsman – the port of last resort.
Since the middle of last year, Absa clients have filed 124 complaints, after a slew of attacks on the bank in February. At the moment, the ombudsman is dealing with 124 cases relating to Absa clients, 10 from Standard Bank clients, five from Nedbank clients and four from First National Bank.
“There appears to have been a concerted effort to target Absa,” says Pillay. He explains that syndicates rotate from one bank to the next and, a year-and-a-half ago, a similar scenario was experienced by Standard Bank.
The ombudsman expects more complaints to “come out of the woodwork” as the year progresses. Pillay adds that complaints reported to his office are the “tip of the iceberg” as he only sees issues that have not been resolved by the bank.
Christo Vrey, GM of Absa Digital Channels, says there is an increase in cases at the ombudsman from clients who were victims of phishing attacks during February. He says Absa's investigations into the attacks can take up to eight weeks to complete.
Vrey could not provide information as to how many accounts were compromised during the phishing attacks, but says it is a “fraction of a percentage point”. Absa has 1.1 million clients who bank online.
Internet banking is currently stable and there has been a significant decrease in phishing e-mails from an Absa point of view over the last eight weeks, since the arrests of the some of the fraudsters.
In April, the South African police bust a syndicate of seven people who allegedly defrauded South Africans of at least R55 million.
Last year, the ombudsman's office resolved 21 cases in favour of the banks and 24 cases in favour of the client. Often, the bank cannot prove the client in fact entered a fictitious site, says Pillay.
Banks are often reactive and do not alert customers to suspicious activity quickly enough, adds Pillay. In addition, banks do not always make sure accounts opened to act as beneficiaries on a hacked account have been legitimately created.
If banks allow people to open accounts without following legislative requirements, such as a proof of address, and these accounts are then used to receive fraudulently transferred money, the bank must pay that amount back, he says.
One case study highlighted in the ombudsman's latest annual report is of suspicious transfers worth R161 000, after the complainant logged into a phishing site.
“During its investigation, the OBS found no evidence of negligence by the complainant's bank, as the bank's systems were not compromised or hacked into,” the annual report says.
However, “fraudulent transactions to the value of R22 000 could have been prevented had the bank reported the fraud to the beneficiary bank timeously. It was recommended that the bank refund the R22 000,” it says.
Steven Ambrose, MD of WWW Strategy, says phishing is a growth area, and as more people become connected to the Internet in SA, the number of attacks will rise.
IT Web Security