Beware of this scam by criminals who steal money by simply asking for it
The SA Banking Risk Information Centre (Sabric) is warning bank customers about a new scam in which criminals "steal money by asking for it".
The scam, referred to as "business e-mail compromise", has been flagged as a concern by the US Federal Bureau of Investigation (FBI) and in the Mimecast "State of E-mail Security Report", which cites an increase in the number of organisations affected by impersonation attacks.
"This scam targets specific employees in organisations who are authorised to transfer funds or make payments," said Sabric spokesperson Louise van der Merwe, who noted that South African incidents were in line with the global trend.
"Digital technology, combined with social engineering which exploits our human tendency to be compliant when faced with a directive from an authority figure, enables criminals to perpetuate this type of crime," said Sabric acting CEO Susan Potgieter.
Criminals use information from company websites and other digital platforms to impersonate CEOs, financial directors and senior individuals before targeting junior employees with e-mails requesting urgent payments to specific beneficiaries.
"Another way criminals glean information to perpetuate this crime is through phishing attacks, where users are sent e-mails containing malicious links and are then manipulated into clicking on them to install malware," said Van der Merwe.
"This malware is designed to access the network and monitor mailboxes to enable criminals to learn about payment patterns, who the role players are and to understand individual communication styles, including typically used words or phrases," she said.
"This is to ensure that when a criminal impersonates the person issuing the directive to make a payment, it comes off as authentic and does not arouse any suspicion."
"Money mules" then withdraw the funds from the "beneficiary" account, so that by the time victims realise they have been defrauded it is too late to reverse the payment.
"We urge staff to be vigilant about checking a sender's e-mail address very carefully should they receive an e-mail instructing them to make a payment. Often, the address will only differ by one or two characters," said Potgieter.
Sabric advised companies to put in place robust policies and procedures with built-in checks and balances, and to educate staff about fraud risks.
Sabric offered the following safety tips:
- Do not click on links or icons in unsolicited e-mails.
- Do not reply to these e-mails. Delete them immediately.
- Be alert to hyperlinks that contain misspellings of the actual domain name. In some cases, the difference is a single character.
- Never give anyone your confidential information, such as login usernames or passwords.
- Never send anyone your personal or confidential information. Personal information includes identity documents, driving licences, passports, addresses and contact details. Confidential information includes usernames, passwords and PINs.
- Ensure the domain visible in received e-mails is associated with the business it purports to be from.
- Ensure that permissions are enabled so that employees can view the full sender e-mail address, not just the display name, in their mail clients.
- Do not believe the content of unsolicited e-mails blindly. If you are worried about what is alleged, use your own contact details to contact the sender and confirm.
- Don't ignore reports from colleagues about mysterious e-mails coming from your accounts.
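The tips above and Potgieter's warning that a fraudulent sender address "will only differ by one or two characters" describe a check that can be automated on the receiving side. The following is an added example, not code from Sabric or from the article: it extracts the real sender domain from an address (including the "Display Name <user@host>" form, so a trusted-looking display name cannot hide a different address), compares it against a constructed list of trusted domains, and flags any domain within an edit distance of two as a lookalike. The trusted domains and sample addresses are invented for the example.

```python
# Added example (not from the Sabric article): flag sender domains that differ
# from a trusted domain by only one or two characters, the pattern the
# article warns about. TRUSTED_DOMAINS is a constructed, illustrative list.

TRUSTED_DOMAINS = {"example-bank.com", "acme-suppliers.co.za"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an e-mail address.

    Accepts both 'user@host' and 'Display Name <user@host>'; the display
    name is ignored because it is trivially forgeable and is exactly what a
    mail client shows when the full address is hidden.
    """
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify a sender as ('trusted', domain), ('lookalike', nearest_trusted)
    or ('unknown', domain).

    A 'lookalike' is a domain that is not trusted but sits within max_distance
    edits of one that is, e.g. a dropped letter or 'rn' in place of 'm'.
    Anything further away is simply 'unknown' rather than suspicious.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    nearest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three lookalikes, one unrelated.
    samples = [
        "finance@example-bank.com",
        "CEO <ceo@exarnple-bank.com>",      # 'rn' in place of 'm'
        "payments@example-bank.co",         # final character dropped
        "accounts@acme-supp1iers.co.za",    # digit 1 in place of letter l
        "news@random-newsletter.org",
    ]
    for s in samples:
        print(f"{s:40} -> {classify_sender(s)}")
```

A "lookalike" verdict is a reason to stop and verify the payment instruction through a known channel, as the tips advise; it is not proof of fraud, and a genuine new supplier will simply come back as "unknown". Keeping the trusted list short and specific to the domains the organisation actually pays is what makes the check useful.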
Business e-mail compromise
- Never list your main e-mail address publicly anywhere online - in forums, in online advertisements, on blogs, social media or any place where it can be harvested by spammers. Use a separate e-mail address for the internet which is not linked to your personal or business e-mail account.
- Any unplanned or urgent payment instruction should be questioned. Always check with the person issuing the directive in person or via a credible channel – preferably one where you can see them.
- Any request to change beneficiary account details should be verified by contacting the sender using known, legitimate contact details that have been used before, not those supplied in the request.