TMCNet:  Mystery of Sue's two R10 000 'phishing' losses DON'T BE FOOLED [Pretoria News (South Africa)]

[March 10, 2014]

(Pretoria News (South Africa) Via Acquire Media NewsEdge) THE first thing I asked Durban personal assistant Sue Gardner when she told me that fraudsters had whipped almost R20 000 out of her bank account in two equal R10 000 raids was: do you remember clicking on a link in an e-mail that you thought was sent by your bank? It's the question I ask all those who approach me about the same predicament.

In all previous cases, excluding those involving bank card skimming and the like, it has turned out that, yes, they clicked on the e-mail link to "update their security", as instructed by the e-mail, and provided their bank details, including their PIN.

And thus they'd unwittingly provided not their bank, but a fraudster, with the means to transfer money out of their account. Well, almost.

To ensure that the bank sends the one-time password (OTP) needed to do an electronic funds transfer to them, not the genuine account holder, they hijack the victim's cellphone by doing a SIM card swop, with the help of an accomplice working for a cellphone network.

And so it was in Gardner's case.

If someone is found to have responded to a phishing e-mail, the banks take no responsibility for their loss, as they are deemed to have compromised their own security. Of course, such crimes can't be committed without the fraudster also obtaining the OTP, via cellphone, and that remains a thorny issue.

Gardner was adamant that not only had she not responded to any of the many phishing e-mails she'd received, but that no one could have used her computer to do so.

She lives alone and has no computer at home, nor does she have a smartphone on which to do banking.

She did her internet banking on her work PC, in one quick session at about 7.30am when no one else was around, and in any event, she has a semi-enclosed office tucked away in the corner of an open-plan office.

The first Gardner knew of any suspicious activity on her account was when she got a call from a bank employee at work on the morning of October 11, to say that her account had been blocked as the bank suspected that fraudulent withdrawals had been made. To cut a long story short, money had been transferred from her credit card account into her cheque account, and then two withdrawals of just under R10 000 each were made from that account into a Capitec account.

Interestingly, on Gardner's bank statement, the words "ABSA Bank Wages" appear next to one withdrawal, and "ABSA Bank Contract" next to the other.

With Gardner being told she was responsible for paying off that R20 000 credit card debt, she approached me for help.

Given her circumstances, and her complete confidence that she hadn't responded to a phishing e-mail, I suggested to Trevor van de Ven, communications manager for Absa's digital channels and payments, that the bank conduct a forensic investigation.

He got back to me with the good news: "Our fraud team will provide for a full independent forensic analysis of Mrs Gardner's devices that she used to access her internet banking."

In this case there was just one device - the PC she uses at work - to analyse.

An independent investigator duly flew down from Joburg in mid-November, and visited Gardner at her workplace, taking full control of her PC.

Gardner was sent the resultant report in mid-December, which she forwarded to me.

I was delighted to see the following sentence in that report: "No evidence was found on the desktop computer indicating that a phishing website was accessed from the desktop computer."

Then this: "An unknown device that connected to the internet banking service for (Gardner's account) on August 23 which could not be matched to the desktop computer (was) investigated.

"A device configured with a Windows 7 operating system using Internet Explorer 7 and connecting through a Telkom internet service provider was identified, which was not submitted for analysis.

"Our investigation remains inconclusive until all devices have been identified and submitted for analysis."

Then I began asking Absa for a response.

What did the report mean? How did Gardner, who only ever used that one PC for her internet banking, compromise her banking details? How, exactly, was the fraud committed? Gardner was never told, and nor was I.

All Van de Ven would say was: "The case has been finalised and an amicable outcome reached between the two parties.

"We are committed to respecting the confidentiality of the agreement."

It was Absa which insisted that the settlement be confidential.

Gardner remains in the dark about what she did wrong, if anything, and has lost confidence in internet banking as a result.

She's not willing to take the risk of it happening again, so she now pays her creditors the old-fashioned way - in person.

I pleaded with Van de Ven to provide the answers.

"With respect," I wrote, "this is a matter of public interest. Absa is the entity insisting on the confidentiality of that agreement, not Sue Gardner.

"Over the years, I have been told by various banks, and by Clive Pillay, the banking ombudsman, that there has never been a case of such fraud having been committed without the account holder having been found to have compromised their banking details by responding to a phishing e-mail," I said.

Gardner claimed that she did not respond to a phishing e-mail and the investigators could find no evidence that she had done so.

"So clearly, the fraudsters got her account number and PIN in some other way, and she doesn't know how."

The refusal to reveal exactly how her bank details were obtained in order for her funds to be accessed via that "unknown device" leaves Gardner, Absa account holders and potentially those of other banks, too, feeling vulnerable, I argued.

"I urge you to reconsider your standpoint."

His response: "Our commitment to the confidentiality still stands."

Fake e-mails and the websites they link to look almost identical to the legitimate website of a well-known financial institution or company.

The first tell-tale sign that they're sent by fraudsters is the fact that they do not address the recipient by name.

If your bank or Sars really needed to contact you about your personal business you'd be addressed by name, with your account details.

Pretoria News (c) 2014 Independent Newspapers (Pty) Limited. All rights strictly reserved. Provided by, an company
