Within the banking industry, one may point to two types of fraud: (1) fraud orchestrated by tech-savvy thieves who use identity theft, social engineering techniques or outright hacking to defraud careless customers, and (2) managerial fraud, where top banking officials collude to defraud the bank itself of its cash flow. The former is the kind that leads to a painful loss for an ordinary bank customer like you and me, and is therefore the kind we should be keenly aware of in order to protect our bank accounts.
Social engineering techniques are among the most common ways fraudsters swindle bank account holders: they exploit human psychological and social weaknesses to make you share your private information and so gain access to your financial assets. The techniques include:
- Phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information;
- Pretexting – where attackers create a fabricated scenario in which targets are asked to confirm their identity and personal information, typically under the pressure of threats and urgency;
- Baiting – e.g. click-bait links, commonly seen in those ‘my Facebook has been hacked’ scenarios; and
- Quid pro quo – where attackers call unsuspecting individuals and try to convince them that a service needs correcting or updating, but that first they must part with certain crucial information, e.g. their mobile banking PINs.
As banking becomes more digitized, social engineering techniques and brute-force hacking have also become more popular. For example, the 2020 Security Culture Report released by KnowBe4 and CLTRe found phishing to be the number one cyber threat during the COVID-19 pandemic, and named Banking, Financial Services and Insurance as the most affected sectors. This suggests that either banks haven’t put in place sufficient measures to protect their customers against phishing, or the customers themselves are not aware of the various social engineering techniques fraudsters use to steal their banking information, or both.
To try to avert the said social engineering and identity theft schemes, certain banks, e.g. Equity Bank, have put in place several measures that, if used effectively, should provide adequate protection to their customers. One such measure recently introduced to Equity Bank’s EazzyBanking App is the One-Time PIN (OTP). An OTP is a random PIN that the bank sends to the customer’s registered phone number, which the customer must input in order to validate a transaction. This internal control protects the customer by ensuring that whoever initiates a digital transaction drawing money from the account also has possession of the registered phone at that moment. Note that the control is only as strong as the customer’s refusal to read the code out to anyone: a fraudster who talks the customer into sharing the OTP has effectively borrowed the phone.
To prevent unauthorised access to the EazzyBanking App itself, the App also allows biometric login, a secondary login option in addition to the usual PIN login, which authenticates the user of the device. In most cases, though, the usual PIN together with the OTP are meant to be sufficient protection against fraudulent access to a user’s bank account.
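To make concrete what the OTP control just described actually enforces on the bank’s side, here is an added example written for this article; it is not code from Equity Bank or the EazzyBanking App. All names (issue_otp, verify_otp, the two-minute validity, the three-attempt limit, the sample key and phone number) are assumptions for illustration. It shows the properties a practitioner expects of a transaction OTP: the code is bound to one specific transaction, the SMS states what the code authorises, it expires, it works exactly once, wrong guesses are limited, and the comparison is constant-time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not EazzyBanking's settings.
OTP_TTL_SECONDS = 120     # code is valid for two minutes
OTP_MAX_ATTEMPTS = 3      # wrong guesses allowed before the transaction is locked
OTP_DIGITS = 6


@dataclass
class PendingTransaction:
    txn_id: str
    amount: int           # minor units, e.g. cents
    payee: str
    phone: str            # registered number the code was sent to
    otp_hash: bytes       # keyed hash of the code; the plain code is never stored
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS
    used: bool = False


# In-memory stand-in for the bank's transaction store (a database in practice).
_store = {}


def _hash_otp(txn_id, code, secret):
    # Keyed hash ties the stored value to this transaction id, so a database
    # leak does not hand out live codes and a code cannot be replayed elsewhere.
    return hmac.new(secret, f"{txn_id}:{code}".encode(), "sha256").digest()


def issue_otp(txn_id, amount, payee, phone, secret, now=None, rng=secrets.randbelow):
    """Generate a code for one transaction and return (code, sms_text).

    The SMS states what the code authorises, so a customer who is being talked
    into reading it out can see it does not match the caller's 'verification'
    story. Only the SMS leaves the server; the code is returned here for the demo.
    """
    now = time.time() if now is None else now
    code = f"{rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _store[txn_id] = PendingTransaction(
        txn_id, amount, payee, phone, _hash_otp(txn_id, code, secret),
        expires_at=now + OTP_TTL_SECONDS,
    )
    sms = (f"Code {code} authorises sending {amount / 100:.2f} to {payee}. "
           f"Bank staff will never ask you for it.")
    return code, sms


def verify_otp(txn_id, code, secret, now=None):
    """Check a submitted code; return (ok, reason). Each code works once."""
    now = time.time() if now is None else now
    txn = _store.get(txn_id)
    if txn is None:
        return False, "unknown transaction"
    if txn.used:
        return False, "already used"
    if now > txn.expires_at:
        return False, "expired"
    if txn.attempts_left <= 0:
        return False, "locked"
    txn.attempts_left -= 1            # count the attempt before comparing
    if not hmac.compare_digest(_hash_otp(txn_id, code, secret), txn.otp_hash):
        return False, "wrong code"
    txn.used = True                   # single use: a replayed code is refused
    return True, "ok"


def demo():
    """Walk the happy path and each failure mode with a fixed clock and fixed codes."""
    secret = b"constructed-example-server-key"
    fixed = lambda n: 123456          # deterministic stand-in for secrets.randbelow
    phone = "+254700000000"           # constructed sample number
    results = {}
    code, sms = issue_otp("TXN-1", 150000, "Jane Doe", phone, secret, now=1000.0, rng=fixed)
    results["sms"] = sms
    results["wrong"] = verify_otp("TXN-1", "000000", secret, now=1001.0)
    results["right"] = verify_otp("TXN-1", code, secret, now=1002.0)
    results["replay"] = verify_otp("TXN-1", code, secret, now=1003.0)
    code2, _ = issue_otp("TXN-2", 100, "Shop", phone, secret, now=1000.0, rng=fixed)
    results["expired"] = verify_otp("TXN-2", code2, secret, now=1000.0 + OTP_TTL_SECONDS + 1)
    code3, _ = issue_otp("TXN-3", 100, "Shop", phone, secret, now=1000.0, rng=fixed)
    for _ in range(OTP_MAX_ATTEMPTS):
        verify_otp("TXN-3", "999999", secret, now=1001.0)
    results["locked"] = verify_otp("TXN-3", code3, secret, now=1001.0)
    results["unknown"] = verify_otp("TXN-9", code3, secret, now=1001.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point for the reader is the one the surrounding text makes: none of these server-side checks can tell whether the person typing the six digits is the customer or a fraudster the customer has just read them to, which is why the SMS text names the amount and payee and why the advice never to share the code matters more than any of the code above.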
But bank customers can also succumb to the quid pro quo technique. To protect its customers against such fraudulent calls, Equity recently introduced the 0763 000 000 universal number for outgoing calls; a number aimed at helping Equity Bank customers and stakeholders in many respects. For example, no Equity Bank customer should now be conned by a fraudster who calls pretending to be Equity Bank staff. “Branch managers, relationship managers, account opening officers, credit or loan officers, insurance officers, agriculture officers, procurement managers, investment advisors will all call Equity Bank customers and stakeholders using 0763 000 000”, Equity Bank said in a statement. What that means is that any call claiming to be from Equity Bank but coming from a number other than 0763 000 000 should be treated as fraudulent. The converse does not hold, however: a displayed caller ID can be spoofed, so a call that appears to come from 0763 000 000 is not in itself proof that the bank is calling, and the rule about never sharing PINs or OTPs still applies.
One thing customers should also know is that banks, including Equity Bank, do not ask customers for their passwords or PINs when resolving issues on the customer’s behalf. Additionally, bank employees are not allowed to give instructions for banking transactions over the phone; if such a call is made, customers should NOT ENGAGE but instead forward the number to 333.
Typically, banks authenticate the customer by asking for the account name, ID number, the email address and phone number associated with the account, and details of recent account activity (e.g. the last transaction); none of these is a PIN, password or OTP.
Banks are doing their best to put in place measures aimed at protecting customers against such schemes, but because social engineering techniques keep evolving, the success of those measures depends on how vigilant customers are in keeping up with the different ways fraudsters may attempt to defraud them.
The rule of thumb, however, is to always be wary of phishing links and never to provide personal details, particularly PINs, OTPs or passwords, to anyone, whether they claim to be bank employees or not.