In its Annual Crime Statistics report for 2023, released in October, the South African Banking Risk Centre (Sabric) said digital fraud cost South Africans over a R1 billion last year.

Sabric highlights three types of digital crimes as the main drivers — fraud related to banking apps, online banking fraud, and mobile banking fraud.

For its report, banking apps involve a smartphone app, whereas mobile banking allows users to transact on a non-smart device.

Fraud involving banking applications comprised 60% of all reported digital crimes and cost South Africans R626 million in 2023.

The 89% increase in these crimes from the year before was attributed to the growing number of South Africans downloading banking applications.

Sabric highlighted that fraudsters have begun employing several social engineering techniques to get users to disclose their sensitive data, such as usernames and passwords.

One particularly prominent technique used was vishing, or voice phishing, where instead of manipulating victims into clicking on a link, they pose as banking officials or service providers during calls.

These attacks often require the perpetrator to obtain personal and sensitive information about their victims beforehand to initiate the scam and make it more convincing.

Sabric noted the efforts by South African firms to raise awareness about these crimes but pointed to users’ apathy towards adopting safe practices on these apps as a contributor to the rise in fraud.

Many banks provide customers with the necessary know-how to avoid becoming victims of scams, which the lenders are aware of.

For instance, Capitec’s mobile app allows users to log in during a call to confirm whether the caller is one of the bank’s representatives due to the volume of such scams.

Online banking fraud comprised 21% of digital banking crimes. However, this resulted in South Africans losing R412 million.

It was found that phishing and vishing were the preferred methods used by fraudsters.

Phishing attacks involve fraudsters sending emails or SMSes to victims, manipulating them into clicking on links that redirect to fake websites resembling actual banking sites.

This would allow attackers to harvest victims’ sensitive information, such as passwords and usernames, that are entered into the site.

If users are unsure about a website, an online tool called Yima can also run a free security check to determine whether it is safe to use.

The vishing attacks are similar to those used by fraudsters targeting banking app users, where victims are manipulated into revealing validation tokens such as One-Time Pins (OTPs).

Synthetic identity fraud was a trend noticed by Sabric in 2024, where attackers combine fictitious and real identities to make detection challenging.

Attackers were also found to use AI to emulate voices, create fake IDs and manipulate biometric tools to allow for more sophisticated attacks.

While mobile banking crimes increased by 48%, they only accounted for 4% of total gross losses, or R45 million.

Most of these attacks resulted from SIM swap fraud, where attackers convince a mobile operator to transfer a victim’s cellphone number to a new SIM card.

This allows them to gain unauthorised access to a victim’s accounts.

Mobile operators taking action

Given the prevalence of these vishing and SIM swap fraud cases, mobile operators are beginning to crack down on these crimes.

MTN told MyBroadband that although it has seen an inconsistent trend in attempted fraud and fraud-related incidents over the past two years, it has declined in recent months.

“This progress is largely due to MTN’s proactive measures and ongoing customer education campaigns, which empower users to safeguard their personal information,” MTN South Africa said.

“MTN believes operators play a critical role in fostering awareness, implementing robust security controls, and ensuring advanced authentication systems are in place to protect customers.”

The operator cited the recent arrests of individuals involved in an OTP scam syndicate in collaboration with the South African Police Services as a testament to their efforts to crack down on scam callers.

Vodacom is taking a similar approach by collaborating with industry stakeholders, such as other mobile operators, financial institutions, and Sabric, to mitigate attacks.

A Vodacom spokesperson told MyBroadband that the company also attempts to create awareness regarding the crime by publishing information on the Vodacom Portal and social media to help customers stay abreast of different scams.

When asked about efforts to crack down on the crime, the spokesperson said Vodacom has “deployed Machine Learning as a tool to identify and block known instances of smishing/vishing fraud.”

“Any identifiable information that can assist in criminal investigations is shared with law enforcement and other relevant agencies.”

“All implicated mobile numbers are investigated for fraudulent activity, and appropriate action, such as locking them on the Vodacom network, is taken,” they continued.

source:South African banking app cybercrime warning – MyBroadband