The South African Banking Risk Information Centre (SABRIC), on behalf of the banking industry, is warning bank clients about protecting their mobile devices, following a significant increase in phone-snatching criminal activity.
The theft of mobile phones is not a new phenomenon; however, SABRIC is seeing an emerging trend in which snatched mobile phones give criminals the opportunity to gain access to the victim’s personal and even confidential information, which can then be used to commit a crime.
“During 2020 a significant increase in Bank App fraud as a result of cellphone snatching was recorded,” it said in an annual report on crime committed last year. “It is important to note that there have been no reports where the banking app software was compromised to commit the fraud,” SABRIC said.
It said that although there are various methods and techniques used in the mobile phone snatching modus operandi, the correct credentials are used to access the app. “These credentials may have been previously compromised through social engineering methods, such as shoulder surfing or phishing; however, in many cases, the credentials were compromised through vulnerabilities in the management of such information.”
For example, the credentials were saved elsewhere on the device or the same username and password were used across multiple apps. SABRIC noted an increase in the number of incidents involving SIM swops in 2020 with 26.11% (2,684) as compared to 8% (855) in 2019.
There are a number of ways that criminals could access information stored on your mobile phone if it is stolen, to try and defraud you, the association said. “One way is to literally access all open applications on your unlocked phone and view your sensitive data. Another is to use social engineering to obtain your usernames and passwords stored in the cloud.”
Tactics used could be vishing, where criminals call you and manipulate you into believing that they are from the bank in order to coerce you into revealing confidential information like PINs or passwords, or phishing, where you are sent an email, which you believe to be from the bank or a legitimate service provider, that asks you to click on a link that requests your PINs or passwords.
Once your password has been compromised on your snatched phone, all other credentials are available and may be exploited. In addition to social engineering, your credentials could also be compromised through shoulder surfing in public places such as restaurants.
Insurance broker and risk advisory service Aon said brazen criminals are willing to risk life and limb to snatch a R20,000 smartphone and make off with it – phones left on tables right next to you in restaurants, in vehicles hooked up to car kits, peeping out of back pockets, and even while in use and against your ear – it’s all fair game to criminals who will accost anyone to get their hands on a smartphone payday.
Criminals look for soft, distracted targets who are not paying attention to their surroundings, and usually strike at lightning speed, snatching the phone from your hands and then disappearing into a waiting car for a quick getaway.
With a booming illicit market for these stolen goods, Aon South Africa is warning consumers to be extra careful and vigilant, and to keep phones out of sight and safely stored away when not in use. Besides the theft of the phone, the big concern is that criminals are equally interested in the valuable personal data stored on the device.
“Criminals typically snatch your phone while you are busy on it and the phone is unlocked, giving them full access to everything on your cell phone. This includes banking apps, delivery services and any other personal information that can be used for fraud, such as a copy of your ID, bank statements, proof of residence in addition to full access to your e-mail and SIM card.
“Even if you have security measures in place, such as fingerprint readers or facial recognition software, criminals can bypass these measures in seconds, gain access to your information and then make your phone disappear on the illicit cell phone market,” said Ann Cloete from Aon South Africa.
“There are many ways that criminals can access and use the personal data stored on your mobile device – from viewing all your personal data, where you live, to social engineering to obtain sensitive data and duping others into thinking they are transacting with you, to phishing and SIM swaps, to conning you into thinking you are dealing with a legitimate service provider and compromising your passwords and PINs,” said Cloete.
Aon provides the following tips to mitigate and manage your risk as far as possible:
- Avoid becoming a victim of cellphone snatching as far as possible – hide your device inside your bag or jacket, never ‘walk and talk’ while out in public as this makes you an easy and distracted target. Leave messages, WhatsApp texts and news feeds until you are at home or work and in a safe place to view and respond to these. Never leave your phone unattended or on a table in view of criminals. Stay off your phone in the car and put your phone away and out of sight.
- Inform your bank – If your phone is stolen, immediately contact your bank to secure your accounts and cards and deactivate your banking app. Confirm with your bank any next steps, should the criminals gain access to your account.
- Freeze your contract – Contact your mobile service provider and freeze your cell phone account and block your SIM card to stop data usage and any phone calls from your cell phone, which has the potential to be a pricey added cost that you would be responsible for. Blacklist your phone with your mobile service provider.
- Safeguard personal documents – If your device contains any personal information such as your identity details, proof of residence and any other sensitive information, make contact with the South African Fraud Prevention Services (SAFPS) via phone (0860 101 248), email or online. Any fraudulent activity on your account could affect your credit rating and could even get you blacklisted, which is why it will be wise to contact the Credit Ombudsman if you fall victim to fraudulent activities to resolve disputes.
- Change Passwords – make a list of all applications, e-mail and social media accounts that you have on your phone and change the password to each of these. It will greatly assist in narrowing any fraudulent activity using your cell phone.
- Notify family and friends – Let your family and friends know that your cell phone has been compromised and to not entertain any requests from individuals fronting as you – known as social engineering.
Insure correctly for the replacement of your phone, Aon said. Make sure your mobile devices and those of your family members are specified under your All risks cover of your policy right down to the make, model, and serial number.
Some insurance policies also include cover for the mechanical and electrical breakdown of phones such as cracked screens, water damage and touch screen or camera damage.
Aon said it has a ‘Funds Protect’ solution, which covers you for loss from an account in your name as a result of a funds transfer that is irrecoverable from your financial institution or a third party. The cover is specifically designed to cover you for funds that are transferred out of your account, whether the loss from your account was authorised or unauthorised.
The cover provided by a personal Funds Protect policy will trigger in the event of:
- Email interception fraud
- Transactions due to your stolen identity
- EFT/deposit scams
- Hacking/phishing/vishing attacks
- Demands for ransomware attacks, denial of service attacks, etc
- Fraudulent invoices
- SIM swap fraud
- EFT fraud
- Online banking fraud
- Online shopping fraud
- Holiday scams
- Fake classified adverts
- Bogus property rentals
“It is vital to contact your bank immediately should your phone be snatched or stolen in order to stop all transactions. Make sure that you have purchased enough Funds Protect cover in order to mitigate the full financial loss as the banks are not likely to reimburse any transactions related to the theft of a cellphone.
“For example, if you have purchased R25,000 Funds Protect cover but all your bank accounts are accessed, your losses could amount to much more than R25,000 and potentially be financially crippling. Funds Protect cover is relatively inexpensive for what it provides and will be a lifeline in the event of a loss of funds,” said Cloete.