Warning over new tap-and-go banking scam in South Africa

2 Aug 2023

The Ombudsman for Banking Services (OBSSA) has identified a new banking scam in South Africa that allows criminals to make fraudulent purchases via a digital wallet.

The ombud said that the scam works by exploiting near-field communication (NFC) technology and tap-and-go payment systems.

Tap-and-go or contactless payments – such as tapping your card or using your smartphone or smartwatch at a point of sale (POS) machine – are becoming increasingly popular due to their convenience, the ombud said.

Although banks have developed fraud detection and prevention systems, such as SIM Swap detection, transaction monitoring, 2-factor authentication (2FA) and other customer identification methods, fraudsters are constantly devising new ways to bypass these systems, making it an ongoing battle for banks to stay one step ahead.

The OBSSA said it is receiving hundreds of complaints and phone calls per month related to fraud. It said this shows both how fraudsters' techniques for exploiting vulnerabilities and loopholes have evolved and that consumers are not aware of the dangers and the methods the fraudsters employ.

New scam

According to the OBSSA, the growing number of NFC tech scams involves fraudsters using stolen bank card information, such as the card number, expiry date and the CVV number (card data), to make fraudulent purchases via digital wallets.

Reana Steyn, the Ombudsman for Banking Services, said that NFC/digital wallet payments differ from typical card-not-present (CNP) fraud transactions.

In CNP fraud, thieves use stolen card information to make online purchases, triggering a one-time password (OTP) to be sent to the legitimate cardholder’s registered phone number for each transaction.

However, NFC/digital wallet payments do not require OTPs for every transaction.

How it works

According to Steyn, stolen card information is used by fraudsters to link their smart devices (smartphones and smartwatches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay, etc.

Then, the fraudster’s smart device performs fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.

Steyn pointed out that for the fraudsters to be able to link their devices to the stolen bank card information of the legitimate bank customer, an OTP or a “Smart inContact notification” required to complete the linkage process is sent to the bank customer’s registered number or Banking App.

Only after the transaction, registration or linkage is approved via an OTP, or authenticated through an approve-it prompt, is the fraudster’s device linked to the bank customer’s bank card.

After that, the fraudster’s device can be tapped at POS machines, allowing transactions to take place on the card with no further verification required from the bank customer to approve the individual purchases.

Based on the complaints the Ombudsman’s office received and the patterns identified by banks whose clients fell victim to this fraud, it was evident that fake websites and emails purporting to be from legitimate businesses such as the South African Post Office, Courier Services, and VodaBucks are involved.

Through these fake website links and email addresses, the fraudsters could obtain all the details they required to approve the linking of their devices to the payment platforms.
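The sequence described above (a new device linked to a card, followed by tap-and-go purchases that need no OTP) can be written as a transaction-monitoring rule. This is an added example, not code from the OBSSA or any bank; the event fields, the 7-day window and the home-country lookup are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not any bank's schema.
EVENTS = [
    {"type": "wallet_link", "card": "card-A", "device": "dev-1", "ts": "2023-06-01T09:00", "country": "ZA"},
    {"type": "tap", "card": "card-A", "device": "dev-1", "ts": "2023-06-20T12:00", "country": "ZA", "amount": 250},
    {"type": "wallet_link", "card": "card-B", "device": "dev-9", "ts": "2023-06-10T08:15", "country": "ZA"},
    {"type": "tap", "card": "card-B", "device": "dev-9", "ts": "2023-06-10T11:40", "country": "AE", "amount": 9800},
    {"type": "tap", "card": "card-B", "device": "dev-9", "ts": "2023-06-11T10:05", "country": "FR", "amount": 4300},
    {"type": "tap", "card": "card-A", "device": "dev-1", "ts": "2023-07-15T10:00", "country": "ES", "amount": 600},
]
HOME_COUNTRY = {"card-A": "ZA", "card-B": "ZA"}  # assumed cardholder residence


def flag_wallet_taps(events, home_country, window=timedelta(days=7)):
    """Flag taps made abroad by a wallet device linked to the card within `window`."""
    linked_at = {}  # (card, device) -> time the device was linked to the card
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["card"], ev["device"])
        if ev["type"] == "wallet_link":
            linked_at[key] = ts
            continue
        link_ts = linked_at.get(key)
        # A device linked long ago and used abroad looks like ordinary travel;
        # a freshly linked device spending abroad matches the reported pattern.
        recent = link_ts is not None and ts - link_ts <= window
        abroad = ev["country"] != home_country.get(ev["card"])
        if recent and abroad:
            alerts.append({
                "card": ev["card"],
                "device": ev["device"],
                "country": ev["country"],
                "amount": ev["amount"],
                "hours_since_link": round((ts - link_ts).total_seconds() / 3600, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_wallet_taps(EVENTS, HOME_COUNTRY):
        print(alert)
```

The long-linked device on card-A is not flagged when it is used abroad, which keeps the rule from alerting on a cardholder who travels with their own phone.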

This type of fraud is on the rise

Steyn confirmed that approximately 124 NFC fraud-related complaints have recently been formally reported to and investigated by her office.

The losses suffered are in the millions of rands, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France, and Spain while the legitimate cardholders were in South Africa.

“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights”, said Steyn. 

She added that just one of the central banks in South Africa was confirmed to have received over 6,000 related complaints between January 2022 and 1 June 2023.

The bank’s stats show that between January and June 2022, about 553 customers fell victim to this fraud, with their losses amounting to approximately R427,487.

This year the number of victims jumped to over 5,450, with combined monetary losses of over R6,5 million. 

Tips to prevent OTP fraud

Steyn outlined five tips to help banking customers avoid becoming victims.

  • Be cautious of any unsolicited communication requesting an OTP;
  • Verify the authenticity of any request for OTPs by directly contacting the organization or individual purportedly making the request. Do not use contact details provided in suspicious messages; instead, use verified contact information from official websites or sources;
  • Enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as using biometric authentication or hardware security keys. Enquire from your bank about the security measures available to you;
  • Regularly update passwords and avoid using the same password across different accounts; and
  • Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.
