Technology is used to protect people and companies against fraud but unfortunately it can also be used to assist fraudsters during a scam, especially when certain technologies are used widely among businesses to send communications.
Increasingly, reckless communication practices by companies play into the hands of fraudsters. All it takes is one irresponsible communication that fraudsters can replicate and a company's integrity will be at risk and its customers defrauded.
This is true for e-mail where the most common techniques used to defraud people are phishing scams, an attempt to trick a person into revealing personal information, such as credit card details or bank account information, by sending an e-mail with a fake Web address or telephone number, and '419 scams', so named after the section of the Nigerian penal code that addresses fraud schemes, where a person is persuaded to advance relatively small sums of money in return for larger financial gain.
Due to the broad appeal of SMS for business communications, phishing scams now also target cellphone users by using an SMS to initiate a communication. SMS phishing, or "smishing", occurs mainly when customers receive an SMS from what seems to be a reputable financial institution prompting them to call a telephone number due to a possible fraudulent transaction on their account.
They are then requested to divulge their bank PIN number, or other personal details, on the pretence of changing their PIN to securing their account. The fraudster, however, is now able to access the callers' funds. Customers become a victim of the very fraud they were trying to prevent when they were proactively following up on the SMS.
Communications conundrum
While SMS messaging can be used in many ways to make transactions safe and reliable, it requires the careful planning and the implementation by companies of suitable communication policies and procedures.
Companies require a good understanding of the benefits of SMS in that messages are read immediately as people have cellphones with them all the time. Companies also need an understanding of SMS's weaknesses, in that messages are not encrypted and are easy to imitate.
Some banks even perpetuate the impression that it is acceptable to divulge personal information via insecure electronic channels - as long as you provide it only to your own banking institution. For instance, a South African private bank credit card guide encourages their clients to request electronic statements by e-mailing their name, credit card number, ID number and preferred e-mail address to the e-mail address, or call the client care centre telephone number provided. Not only is e-mail an insecure means to send personal information but fraudsters can quite easily pretend to be your bank and imitate marketing material, e-mails and SMS communications.
Some banks even perpetuate the impression that it is acceptable to divulge personal information via insecure electronic channels - as long as you provide it only to your own banking institution.
Pieter Streicher is MD of BulkSMS.com.
Phishing scams go so far to disarm customers by including the warning: "don't divulge your personal information to anyone but your trusted bank" in an e-mail sent to a bank's client.
Then there are the typical SMS banking notifications telling you that someone has logged onto your Internet banking account. The bank's name is followed by: "Internet - confirmation of log on: Account number ending in ...5601: 26June08: 17h45: Helpline: 021 xxx xxxx".
As SMS messages are plain text, it is very easy for a fraudster to imitate this message and include their own contact number in a message. In addition, by sending you this message, you would suspect that someone has fraudulently logged onto your Internet bank account.
You call the number displayed in the SMS thinking it's your bank's call centre, and there is someone on the line that asks for all your relevant personal and account details and then offers to change your PIN to ensure the security of your account. At that point, you have given all your account details and are now open to fraudulent activity on your account.
While it is easy to get caught up in the threat of SMS phishing scams, the most effective solution to combat this fraud is for businesses to educate their customers about the risks involved when responding to an SMS. Fraudsters rely to a large degree on the ignorance of people and the trust customers place in their bank or another reputable brand.
Tips for businesses
1. Only send out relevant information and never ask customers to provide sensitive information via insecure electronic channels such as e-mail or SMS.
2. When communicating with a customer using SMSes, personalise the messages and include information that would not be available to phishers. This will enable customers to distinguish between legitimate and phishing messages.
3. Look critically at SMS and e-mail communications, and consider whether fraudsters could benefit from imitating this message. Educate customers on potential phishing scams. Inform customers as soon as you are aware that someone has been using the company name fraudulently.
4. Make SMS messaging policies known (ie, message will always be personalised, or we will never ask you to give us your PIN number).
5. Ensure marketing material is consistent with the communications you send to customers and that call centre staff are well trained.
Tips for customers
1. Never respond to an SMS or e-mail message that requests personal information. Do not divulge sensitive information such as credit card numbers via insecure electronic channels such as SMS, e-mail or over the telephone.
2. Be aware that it is easy for criminals to imitate organisations by using electronic communications and initiate e-mails or SMS phishing scams. If unsure whether something is a scam, always take the time to investigate it.
3. Always verify a contact number, especially those in e-mails or SMS messages. If the "bank" called you, call them back. Double-check phone numbers that appear in an SMS - you can do this via the Internet or by referring to any marketing material. For ease of reference, store banking phone numbers on your mobile phone, along with e-mail and Web site addresses.
4. Never, ever give a PIN number or password to a PERSON. Only use your PIN on systems that have been designed for this purpose, ie ATMs and official Internet banking sites. These systems have been designed such that employees at the bank cannot access this information.
5. Report it. If unsure of how a company received your number, or are suspicious about an SMS that you have received, contact the company and report your concerns. You can also report an SMS scam to WASPA, the industry body that handles all complaints relating to commercial messaging in SA.
* Dr Pieter Streicher is MD of BulkSMS.com.
Share
