R2.16m paid out to phishing victims

The country's ombudsman for banking services awarded R2.16 million to consumers who were the victims of phishing attacks last year.

The single biggest claim for a complainant who was lured to a fake site was R289 000, says ombudsman advocate Clive Pillay.

According to the ombudsman's 2010 annual report, the “increasing ingenuity, or more accurately, deviousness of cyber crooks and their ever-more sophisticated phishing schemes brought a surge in Internet banking complaints”.

Board chairman advocate John Myburgh writes that the office saw a spike in cases, from 45 complaints reported to the office in 2009, which accounted for 1% of total complaints, to 484 last year, 13% of the total complaints to the ombudsman.

Pillay says, towards the end of July, the office had already received 253 complaints relating to customers visiting fictitious bank sites and compromising their logon details.

However, while phishing is a “very serious” issue with numerous scam mails doing the rounds, Pillay says the number of phishing complaints seems to have levelled off recently, compared with last year's figures. “In the past two months, the number of Internet complaints has actually dropped.”

The decline is “probably attributable to greater public awareness and greater circumspection and caution on the part of the public,” explains Pillay.

Last year, the ombudsman resolved 43% of complaints in favour of customers, with the banks winning the balance.

explained that the banks cannot always prove the customer entered a fake site, and sometimes do not act quickly enough to prevent further activity after the phishing has started.

“Internet banking fraud-related complaints cases... are notoriously time-consuming to investigate and assess. One case can involve hundreds of separate fraudulent accounts opened with different banks,” says the ombudsman's annual report.

Nedbank Group Risk says there has been a gradual increase over the past four years. According to the bank, research by RSA, EMC's security division, shows SA is now the third most “phished” country in the world by sheer volume of phishing attacks.

The bank says there could be millions of scam e-mails doing the rounds as they are propagated by means of botnets, although there are no accurate statistics available.

Lee-Anne van Zyl, CEO of FNB Online, says: “Phishing, in its current form, has not run its course. We will still see phishing in the future.” The bank offers free anti-phishing software and actively shuts down phishing sites to combat the scourge, she adds.

However, Van Zyl notes that the use of malware and other software, used to steal customers' details, is beginning to increase in reaction to the success of anti-phishing initiatives. In addition, sites that have been shut down are quickly re-opened under a different guise.

Absa Retail Bank CE Gavin Opperman points out that phishing tends to be a seasonal activity with higher levels of activity at certain times of the year. He notes that more sophisticated scams are doing the rounds.

“We are now seeing fraudsters create more authentic-looking e-mails that are intended to dupe customers into clicking on a link and divulging their sensitive information - such as PIN numbers and passwords.”

Absa has dedicated fraud monitoring teams that are constantly scanning the Internet for phishing and spoofing attempts, says Opperman.

It also works with the South African Banking Risk Information Centre, the South African Police Service, other industry bodies, and Internet service providers from around the world, to shut down spoofed online banking sites and curtail phishing attempts, notes Opperman.

Standard Bank says phishing attempts are ongoing and customers should constantly be on the look out for fraudsters trying to get their personal details. However, the number of people falling prey to fraudsters is declining, it adds.

The bank is seeing a gradual move towards SMS-based phishing attempts. Proactive investigations by the bank have led to more than 75 arrests this year alone, the bank adds.