There has been a sudden rise in the number of incidents where bad actors use social engineering to trick people into handing over their One Time Pin (OTP), which they then use to gain unauthorised access to the victim's bank or social media account. Standard Bank South Africa (an affiliate of Stanbic Bank in Zimbabwe) has warned its customers and the public about one such new trick happening south of our borders.
While the attack is targeted at South Africans, there are two things to note here:
- The latest attack shows how crafty the people behind these sorts of attacks are. They take social engineering seriously and often tailor and modify their attacks to lure particular victims. They also pay attention to headline items and incorporate them into their attacks, as we will see below.
- There is a good chance that Zimbabweans will see a modified version of this scam. As already pointed out, the people who perpetrate these attacks are quite savvy and know enough to hit you with a tailored version of the scam that can fool even the most vigilant.
How the current SARS scam works
It’s tax season in a lot of countries, including South Africa, and a lot of people and businesses are filing their tax returns. When you file your tax returns, it’s possible for the tax authorities to discover that you have overpaid due to different interpretations of the law. It’s rare, but it happens, and when it does the tax authorities might give you a refund.
The scammers are tricking people by sending them an email claiming to be from Standard Bank and to concern a payment from SARS (the South African Revenue Service, the equivalent of ZIMRA). The phishing emails tell the recipients that they are due to receive some sort of refund payment from SARS. Given how everyone is having a tough time due to COVID-19, who wouldn’t be delighted to discover that they will be getting an income boost?
When hapless users click on the provided link so they can receive the payment, they are sent to a phishing site, where they enter their banking details. An OTP is then sent to them, and the site asks them to enter it to “verify” the payment. When you do so, your account is automatically emptied: you have effectively authorised the scammers to get into your account.
How to avoid being scammed like this?
We have been over this multiple times on this site, but for your convenience we will again share some helpful tips that can thwart these attacks. The biggest piece of advice I give to anyone is to be very wary and vigilant when you are using your online banking portal. Pay attention to everything on your screen; don’t habitually click things without reviewing what’s there. Also, make sure you are really in the portal and not on some phishing site by checking the URL in the address bar.
Beware of offers that sound too good to be true. Most scammers recycle tricks, so you can even copy the text of the email, paste it into Google, add a word like “scam” to the query, and you will likely get a hit from one of the several security sites that specialise in the matter. Also, be suspicious of offers that come from people or entities you have never interacted with in the past. For example, a prize for a competition you never entered, or a cheque from Coca Cola UK when you live in the teapot-shaped country.
Make it a habit to check the sending address of the email. By default, Gmail flags emails that violate DMARC policies, e.g. when an email is not from an authorised sender or its DKIM signature does not verify. Also ignore such emails when they come from free email services such as Gmail, Yahoo and Outlook. How can someone want to give you millions when they cannot afford US$10 for a domain?
Talking of millions, these scammers often come up with unusually large winning sums. Something like “you have won $10 million US dollars”. Now that sounds too easy and too large in my book, especially when it’s money coming from a competition I have never heard of. No one is ever going to hand over that money to you on a platter for doing basically nothing.
Do not click on any of the links within such emails. It’s bad security practice. If there is a pending payment, if such a thing exists, you can usually confirm it by logging in using the official URL, one that you type yourself or get from the bank’s official documents. Also, do not disclose your personal details by replying to the email; instead, use the official bank support email.
Also, never ever pay money in advance before you get whatever money you are being promised. Genuine lottery companies do not need you to pay them for any reason. They simply send you your millions. For example, companies such as theLotter even call you when you win, and they have bankers who handle everything for you. They give you the money for free and do not need processing fees.
And finally, don’t give or forward your OTP to anyone, ever. Do not enter your OTP on any third-party website unless it’s a trustworthy website like DPO or PayFast, and even then pay attention to what’s on your screen!
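The sender-address, authentication and link checks above can be turned into a simple scoring script. The following is an added example, not code from Techzim or Standard Bank; the sample message, the addresses and hosts in it, and the expected bank domain standardbank.co.za are all constructed placeholders, and the Authentication-Results header assumes the receiving mail server records SPF, DKIM and DMARC verdicts in the usual RFC 8601 style.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Free webmail providers: the article's point is that a real bank never sends from these.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample in the style of the scam described; every address and host is a placeholder.
SAMPLE_EMAIL = """\
From: Standard Bank <refunds.standardbank@gmail.com>
To: customer@example.com
Subject: Your SARS refund is ready
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=gmail.com; dkim=none; dmarc=fail header.from=gmail.com
Content-Type: text/plain; charset="utf-8"

Click http://standardbank-refund.example.net/claim to receive your SARS payment.
Enter the OTP we send you to confirm the refund.
"""


def _same_org(host: str, expected: str) -> bool:
    """True when host is the expected domain or one of its subdomains."""
    return host == expected or host.endswith("." + expected)


def phishing_signals(raw: str, expected_domain: str = "standardbank.co.za") -> list[str]:
    """Return the red flags found in a raw RFC 822 message (an empty list means none were found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: list[str] = []
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender in FREEMAIL:
        flags.append(f"sender uses a free webmail domain: {sender}")
    elif not _same_org(sender, expected_domain):
        flags.append(f"sender domain {sender} is not {expected_domain}")
    # Receiver-side verdicts recorded by the mail server; Gmail's warning banner reflects these.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            flags.append(f"{mech}={result}")
    body = msg.get_content() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if not _same_org(host, expected_domain):
            flags.append(f"link leads off-domain: {host}")
    if re.search(r"\b(otp|one[- ]time (pin|password))\b", body, re.I):
        flags.append("asks you to enter or share an OTP")
    return flags


if __name__ == "__main__":
    for flag in phishing_signals(SAMPLE_EMAIL):
        print("WARNING:", flag)
```

The script only reads what is already in the message headers and body, so it can run over a saved .eml file without clicking anything in it.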
One response
Here in Zimbabwe, I recently experienced an OTP scam attack from +1 (226) 314-1422, but fortunately I’m a Computer Science student and I’m very aware of such scams. But I want everyone to be alarmed; it’s not everyone who has that knowledge, so please, TechZim, help by spreading the knowledge. I am willing to work with you in carrying out tech and security campaigns so that we help our families out there.
Thank you!