New Scam Gets Around OTPs
Watch Out For This Banking Scam
A new banking scam is doing the rounds that allows criminals to use smart devices and digital wallets to get around OTPs.
Despite banks implementing various fraud detection and prevention measures, such as SIM Swap detection, transaction monitoring, and 2-factor authentication, sneaky crooks continuously find new ways to try and bypass these security systems.
Recently, the Ombud for Banking Services reported a spike in consumers hit by this particular scam, with just one bank reporting almost 5500 cases with combined losses of over R6,5 million.
The scam takes advantage of near-field communication (NFC) technology and tap-and-go payment systems, which are becoming more popular and common in SA.
Tap-and-go payments linked to digital wallets work differently from other card payments, and these crooks have seen the gap and are abusing it before the banks figure out a fix. Unlike typical “card-not-present” fraud, where thieves use stolen card details for online purchases and require a one-time password (OTP) sent to the legitimate cardholder’s phone for each transaction, NFC/digital wallet payments do not require OTPs for every purchase.
How the Scam Works
Fraudsters use the stolen card information to link their smart devices (like smartphones and smartwatches) to payment platforms such as Samsung Pay, Apple Pay, Google Pay, etc.
Because NFC/digital wallet payments do not require OTPs for every purchase, the crooks are able to make many purchases without the consumer being notified of money moving out of their account.
By the time they realise, it is normally too late.
They can perform fraudulent transactions on the victim’s account without OTPs being sent to the cardholders to verify the transactions.
They Need You To Give Them an OTP Just Once
Several fake websites and emails pretending to be from legitimate businesses like the South African Post Office, courier services, and VodaBucks are involved in this scam.
By using these fake links and addresses, fraudsters obtain the necessary details to link their devices to the payment platforms.
Typically, a consumer will get an email asking them to go to a site and make a small transaction to release a parcel (for example). The OTP sent for that transaction is key to their scam as they need you to give them that OTP.
To complete the linkage process, an OTP or a “Smart inContact notification” is usually sent to the bank customer’s registered number or Banking App. The consumer thinks this is for whatever transaction they are doing on the fake website. They then enter that OTP into the fake site.
But the OTP is actually used to link the smart device to your account.
Once approved, the fraudster’s device is linked to the victim’s bank card, allowing them to conduct transactions at point-of-sale (POS) machines without further verification. They then make several transactions and then move on to their next victim.
Scams can be hard to spot, especially when there are several layers to the trap. One thing you can do is carefully check what your OTP message says. It may give you a clue as to what it is being used for.
Another is to check email addresses and website addresses very carefully.
It is also good to monitor your bank account for any weird payments and query any that look strange immediately. Hopefully you are getting prompt notifications of payments from your bank.
There are many ways to put a temporary freeze on your accounts. Never hesitate to do so if you suspect something is wrong.