Online Banking, Mobile Banking, Credit/Debit Card Safety and Staying Alert to avoid unauthorized transactions.

Wednesday, 23 August 2017

5 SMART 2017 MOVES BY FRAUDSTERS TO DRAIN YOUR BANK ACCOUNT

The rate at which fraud cases have risen in the past 5 months has been alarming. Just 2 months ago, a well-established bank in Nigeria witnessed about 3 different frauds of over 19 million Naira altogether.

There has been a rumor that a good sum of that amount has been recovered, and banks are doing everything possible to tighten security on their customers' accounts. Banks in Nigeria try as much as possible to protect their customers' accounts, and they have been adding different security measures to complete transactions.
However, these fraud cases are still on the rise. These guys are really smart; all they think about all day is figuring out loopholes in the banks' systems to enable them to scam their victims.
From experience I have come to realize that 60% of the fraud cases are caused by the carelessness of the victim. Yes! Don't be surprised; it is most times caused by the victims themselves.

I had a fraud case that happened just on the 21st of July 2017. This customer called into the bank yelling that the bank had taken his money; he had just got a debit alert of N140,000 that was transferred out of his account. The first thing we had to do to salvage the remaining cash in his account was to place a restriction on the account to prevent more cash from leaving it, though it was already too late because the guy had already withdrawn the money that was transferred from his account.

We ran a trace on the account the money was transferred to and realized that what these guys do is have somebody stand by at the ATM terminal; as the cash hits their account from the victim's account, the ATM guy withdraws it immediately. We also had to place an “apprehend on sight” text on the fraudster's account, just in case they visit the branch for any further transaction, but the chances of them using this account again are very slim. Thank God now for BVN.
Now the above scenario is one of the moves fraudsters use to defraud their victims. Let's discuss it in detail:

1. PHISHING MAIL: This mail usually comes with a link attached to it asking the receiver to click on it for resolution on their account. In the case of our victim above, the narration he got in the mail was “Your debit card has been deactivated due to our system upgrade, to reactivate it, kindly click on this link”. He read the mail thinking it came from his bank because it had the bank's URL (but if you hover your mouse on that URL, you will see the real URL). He immediately clicked on the link, and it redirected him to his Internet Banking page, where he was asked to call the customer care line (on a different number that does not belong to his bank).

Because he is a customer who uses his debit card very often and would not want it to be deactivated, he immediately called the fraudster thinking he was calling his bank. After he explained to them, they told him to log in to the platform in front of him, which was his Online Banking Platform. Meanwhile, these fraudsters already had access to his Online Platform; the only thing they needed was the Secured Token Code to complete the transaction, and he was the only one with the device.

They logged in with him and kept him on the phone while they were initiating the transaction, then asked him to give them the Token code to complete the reactivation, and he ignorantly gave them the one security code that had kept his account intact for so long.

The rest they say is history. I said in my mind when he was complaining, why did he not think that the number he was asked to call when he clicked on the link was not his bank’s number? And why would he agree to give out his Token code to a guy that claimed to be his bank? I don’t want to believe that there is an atom of African Juju involved in all this.

2. FALSE TRANSACTION YOU DID NOT AUTHORIZE: This method also comes as phishing, both as mail and SMS. Here the victim gets a text message or mail saying that their transaction has been authorized and that N25,000 will be deducted from their account, and that if they did not initiate this transaction they should click on the link to cancel it.

Just because of the fear of losing N25,000, most victims end up losing millions by clicking on the link and giving out vital information on their account. Sometimes I wonder: first of all, I never initiated any such transaction, so why should I bother when I get such a message? Second of all, I have my bank's mobile number; in case of doubt, I will always call them for clarity.

These victims will not think of calling the bank's real numbers until they start getting debit alerts on their account; that is when they remember to call and accuse their bank of not doing enough to secure their accounts. Aside from having worked in a bank, I also have bank accounts with other banks. In as much as I expect my bank to safeguard my account, I am also expected by my bank to play my own role as well. So let's remain mindful of the security features on our accounts.

3. INSTRUCTION FROM CBN: Still on the phishing mail thingy, the fraudsters send out mails/SMS to their victims, this time claiming to be the Central Bank of Nigeria (CBN). They send a text saying that, due to CBN regulation, the victim's account has been restricted for BVN update and that the victim needs to call them to update some information on their BVN. BVN simply means Biometrics Verification Number; it was introduced by CBN just recently for unification of accounts, which is to say that customers that have different accounts with different banks will have to tie them together using the BVN.

It was made mandatory for all Nigerians to enroll for the BVN, and once you enroll with one bank, you submit the BVN to your other banks for them to link it to your other accounts. This has actually helped to curb fraud to an extent.

Once the victim calls the supposed CBN staff for the BVN update, they go ahead to ask the customer some authentication questions on the account, which they will use to penetrate the account.

4. THE USSD TRANSFER METHOD: Unstructured Supplementary Service Data, simply called USSD, is a platform whereby you initiate transactions using your registered mobile number. Unlike Mobile Banking, where you have to download the app and must have data service for browsing before you can use the platform, USSD does not require data. You just dial a unique string with the type of transaction you want to initiate, using your registered mobile number of course, then input the last 4 numbers on your debit card, and the transaction goes through successfully.

This process was very vulnerable from inception until recently, when some banks added a transaction PIN to complete transactions instead of just the last 4 digits of the customer's debit card.

Prior to the addition of a unique PIN to complete the USSD transaction, customers complained a lot about unauthorized transactions from their accounts and when we checked, we realized that the transactions were done using their mobile number. Remember, this type of transaction can only be initiated using the mobile number on that account.

So it's either of two things:
1: Somebody had access to their phone and also had a glance at their debit card and quickly initiated that transaction before they realized it.
2: Or they are no longer in possession of that mobile number, and whoever has it knows the last 4 digits of the debit card and used that to initiate the transaction.

Thank God for some innovative banks that have added the creation of a PIN to complete transactions via the USSD platform; at least the rate of fraud on this platform has reduced drastically.

5. EMAIL PASSWORD RESET: This is the latest fraudster trick of 2017. Here their end game is to reset your email password so that they can get the online banking password reset that will be sent to your email address. This enables them to log in to your online or mobile banking platform and initiate a transfer from your account. Let me explain. What they do first is input your Gmail address in Gmail and click on forgot password, as they don't have your password (all they have is your Gmail address and mobile number). Gmail then instructs them to input the registered mobile number; they input your number, and Gmail sends the verification code to your number.

Now these guys call you to inform you that they mistakenly inputted your number for their registration and their OTP (One Time Password) was sent to your number, and that you should please call out the number to them to enable them to complete their registration.

So as you finish calling out the OTP to them, just know that in the next few hours, the figures in your account will start reducing drastically. Hehe! They will now complete the password reset on Gmail using the OTP you gave to them.

The next step will be to visit your bank's online banking platform and also claim that they forgot their password (claiming to be you). They go through the forgot password process again, and this time the online banking password will be sent to your Gmail account, which they now have access to. What they do next is log in to your online banking platform or mobile banking using the new password they received and start transferring money out of your account.

These things are not magical, neither are they spiritual; they only require us to be alert and always remember to call our bank's official number whenever we are in doubt.

Please note that your bank will never send you any link to click on and they will never give you a different or new number to call them on. So stay calm and smart as they are getting smarter by the day.

That’s it for now, don’t forget to leave a comment below if I missed any trick you have noticed or witnessed by fraudsters. Together we can force them into doing legit business.


