A new digital-banking scam linked to selfie verification is doing the rounds. In common with most such frauds, scammers try to trick you into revealing details like your ID. The twist is that they then ask to take a selfie of you using their mobile device – so that they can load a Nedbank Money app profile on their device in your name without your knowledge. In some instances, they then use the app to change your cellphone number, which allows them to intercept your Approve-it messages and banking notifications.
If they succeed, they then have full access to all your bank accounts on the Money app.
Using selfies for biometric identification
Online selfie verification is a form of biometric identification that ensures secure and convenient digital banking on your cellphone. Biometrics use personal features that are unique to you and therefore difficult for criminals to copy and use in fraudulent transactions.
The most common form of biometric identification already in use is fingerprinting. Technological innovations, however, mean that we can now use face, eye and even voice prints to do the same job, often on your mobile device. This is an extra layer of security that banks have included to make banking on your device safer, as fraudsters no longer need only a PIN or password to access your banking profile – they also need you there physically.
Cybercriminal strategies adapt constantly
However, selfie verification is also becoming a popular target of scammers trying to intercept your information and use it for crimes like stealing money from personal accounts, money-laundering and identity theft. Banks and many other organisations and individuals that you interact with daily often require personal or sensitive financial information. You’ll most likely provide this information in an automated or data-based format, usually via the internet. As the amount of data being collected and shared increases, so does the number of cybercriminals trying to steal personally identifiable information.
For your own cybersecurity, don’t be rushed into sharing your personal information. Many of these scams include offers that are too good to be true, or urgent messages or calls threatening serious consequences like account closures. They’re designed to make you panic and do what you’ve been told to do immediately, ‘to fix the problem’.
How the selfie scam works
Step 1: Fraudsters pose as cellphone or retail store employees and offer you free airtime or shopping vouchers. By now you should know that free offers are usually too good to be true.
Step 2: To ‘load’ the non-existent voucher, the scammer asks you for personal information like your ID number, and then asks if they can take a selfie of you using their own device. While you think you are being registered for a voucher, the criminals are registering you on the Money app using their own cellphone number.
Step 3: Once the scammers have your Money app information registered on their device using your selfie, they then trick you into handing them your phone, so that they can secretly accept the Approve-it message for the registration of their device with your selfie. So, you will not even be aware that someone else has linked their device to your Money app profile.
Step 4: Now that the fraudster has your app on their device, they can change cellphone numbers, process transactions, and have full access to your banking profile.
Combating the selfie scam
Firstly, it is essential that you never hand your phone to a stranger or pose for a selfie taken on their device.
Follow these tips to keep safe:
- Always check with the store to ensure that they are running a promotion.
- Don’t let a stranger take a selfie of you.
- Don’t hand your cellphone to a stranger.
- Read Approve-it messages carefully before accepting them.
Other types of banking scams to be aware of
Apart from the selfie scam, other types of banking scams and identity fraud include:
- Impersonation scams: A common scam in which someone pretends to be a bank employee. You receive a phone call from the imposter claiming that there is a debit order or fraudulent transaction that needs to be reversed. They will then ask for your banking login credentials or card and PIN to reverse the transaction. Don’t be rushed or scared into handing over your personal information: your bank will never call you and ask you for your banking login credentials or card details and PIN.
Another common bank employee impersonation scam involves someone calling you and asking you to change your banking login credentials to details that they give you, supposedly ‘because your account has been compromised’. Remember that you are the only one who should know your banking login credentials and card PIN, and don’t share them with anyone. Scammers may even ask you to move your money to another bank account to ‘keep your money safe’. Don’t be tricked into moving your money into a fraudster’s account. Your bank will never ask you to move money to another account.
- Phishing or smishing scams: You receive an email or SMS that looks like it comes from the bank stating that your account needs to be updated or it will be blocked, or that you have a pending debit order or payment that they need to reverse urgently. They may ask you to click on an attachment or link to view your statement or proof of payment.
In all these examples, you are asked to click on the attachment or link – which will take you to a fake website where you are asked to enter your banking login credentials or card and PIN. Your bank will never send you an email or SMS with a link that takes you to a screen asking for your Nedbank ID username and password, or your card PIN.
- Investment or loan scams: You see an advert on social media for a broker or loan agent with great client reviews, claiming that they can assist you with investments with guaranteed high returns or a guaranteed loan. Once you reply to the advert, you are contacted and asked to share your personal information, banking login credentials, card and PIN – or you are asked to make a payment into an account that the fraudster has access to.
Only invest your money with credible institutions that are registered with the Financial Sector Conduct Authority (FSCA) and that you have researched properly. Beware of investments that guarantee unrealistically high investment returns, much higher than the returns financial institutions can offer. Only take loans with credible lenders registered with the National Credit Regulator (NCR) – if they’re a registered financial services provider, the lender’s name or registered number will be listed on the NCR site.
Cybersecurity and protecting your information
Generally, it’s necessary to protect your personal information at every step and limit the possibility of it ending up in the wrong hands. Whether handing over any personal information, posing for a selfie or handing your phone to a stranger, being mindful of what information you’re sharing and how the information can be used is critical to avoid becoming a victim.
The best way to avoid having your bank account or other personal information compromised is to be proactive in managing who has access to it. The potential scams we’ve touched on here, while specific to banking, are only part of the larger world of identity theft. Because bank accounts are one of the main ways in which most of us interact with sensitive information online, they’re a clear target for scammers and demand extra vigilance.