
WENDY KNOWLER | Vishing expedition: it’s getting harder to tell fact from the fraudsters

If your bank calls to tell you fraudsters are targeting your account, there’s a 90% chance the caller is the fraudster

Many vishing victims believe the caller was from their bank, because there were sounds of a busy call centre in the background. (123rf/puhhha)

Arguably the most alarming, surprising thing to emerge from the news that Brazil-based hacking group N4ughtySecTU gained access to most South Africans’ personal information on TransUnion’s database was how they did it.

ITWeb news editor Admire Moyo reported that he was contacted by one of the hackers, who told him: “They left the door open. What a joke. They were using the word ‘password’ as their password.”

You really couldn’t make that up.

At the weekend, I received an SMS from TransUnion — though you can never be too sure — warning me: “Please remember that a TransUnion representative will never ask for your banking details, bank pin or user login password.”

Then it provided a link: https://www.transunion.co.za/customer-support/faq

A few days later, a friend got an email, also purportedly from TransUnion.

It gave the same information, but he was directed to a slightly different link: https://www.transunion.co.za/faq

How many times have I warned consumers about fraudsters hacking into companies’ email platforms or cloning their websites, and tweaking the content, meaning we must be on high alert for differences in email and website addresses?

Both links appeared to lead to the same site, but in this context, even the tiniest inconsistency is naturally highly suspicious.

And that’s not all.

Remember that SMS warning that a TransUnion representative “will never ask for your banking details, bank pin, or user login password”?

Well, when you click on either of those FAQ links, a TransUnion chat box pops up with the words: “Please do not disclose any personal information with your questions unless requested by a live agent.”

OK, it’s OK for a live agent to ask us for personal information, and for us to provide it.

That’s playing nicely into the hands of fraudsters who routinely pose as live agents on many a corporate website.

So I asked TransUnion’s PR agency to respond.

“The one link is a ‘vanity’ link — a shorter one just to help consumers type in a shorter address. But both links should still work,” I was told.

If ever there were a time for consistent messaging with absolutely no variations, this is it, for goodness’ sake!

Despite repeated requests for a response to the apparently contradictory advice about divulging personal information, none had been forthcoming at the time of writing.

It’s not just TransUnion’s breach-related correspondence that has rung alarm bells for consumers recently.

Glynne Newlands was highly suspicious of an email she received from Absa a week ago — also about the compromising of personal information. Unnerved, she emailed me to ask if she should consider closing her bank account.

It was this bit which alarmed her: “As part of heightened precautionary measures to protect your financial interests, you might receive a phone call from Absa to validate potentially suspicious transactions.”

The bitter irony is that if you get a call from “your bank” alerting you to the fact that fraudsters are targeting your account, there’s about a 90% probability that the caller is the fraudster.

It’s called vishing — they have some of your bank details, thanks to a breach, but they need the passwords and one-time pins to raid your bank account, and only you can provide them.

I’ve repeatedly advised people who get such calls to disengage and call their bank’s fraud division on a number they’ve previously saved under contacts in their cellphone.

It turned out to be a genuine email from Absa, related to its data leak of November 2020, and its recent discovery of more compromised data.

Newlands was among those recently identified by the bank as having had their personal information compromised, hence that email.

Some of those Absa customers may be very distrustful should they get a call related to that breach, but there’s a simple way to tell the difference between a real bank fraud department employee and a faking fraudster.

The former will never ask you to read out your bank account number, password, one-time pin or anything else that could give someone access to your account.

The key advice is to never make any assumptions, because recent events have made the normal abnormal.

Many vishing victims have told me that they truly believed the caller was from their bank, because there were sounds of a busy call centre in the background.

Truth is, thanks to Covid, most call centre staff are still working from home, so the sound of a dog barking is now more authentic.

When Meredith wrote to me about falling victim to an MTN scammer recently, she began by acknowledging that it was her fault as she had divulged her one-time pin to the scam artist.

“The scammer really did an excellent impression of being an MTN employee. In fact their customer service was exemplary — I should have realised something was up with that, but I didn’t.”

I got a good laugh out of that one.

When people want something out of you, they are nice; very, very nice.

Too nice, but sadly Meredith only realised that too late.

Crazy world.

What to do? Doubt every fraud-related call, email or SMS you receive. Do nothing, say nothing to the source of the communication.

Instead, verify what they are telling you by contacting your bank, cellphone company or any other company, via a phone number or web address you’ve sourced yourself.

You really can’t be too careful.

CONTACT WENDY: E-mail: consumer@knowler.co.za; Twitter: @wendyknowler; Facebook: wendyknowlerconsumer
