“Who has taken your money? How? When?” I asked a million questions all at once while trying to console and get her off the floor. The backstory was: she’d been saving her salary for the past one year to enable her start a business when she stops working for me. Sadly, she was tricked by fraudsters who posed as her bank to obtain her personal financial information. She ignorantly gave them her information, and they were able to access her account and steal all her money.
Smishing and vishing are all fancy terms for cyber-attacks conducted via SMS and telephone calls respectively. According to a 2018 cybersecurity report by Deloitte, social engineering attacks conducted via emails, SMS and calls, are still the number one cyber threat being faced in Nigeria.
Vishing is the criminal practice of using the telephone system to obtain personal and financial data from people for the purpose of committing fraud. Vishing calls often impersonate financial institutions, popular business firms or government organizations.
Smishing is the equally famous brother of vishing, an attack type that involves the fraudster sending a text message to the prospective victim’s mobile phone in an attempt to get them to divulge personal information. It’s much like the dubious SMS I received some years ago, which read “Dear customer, due to our system upgrade your ATM CARD has just been de-activated, to reactivate, kindly call Customer care, 081-xxx-xxx-xx.” I laughed so hard my cheeks still ached half an hour later. I can bet that this message was not sent to me alone. It was most likely sent to hundreds or thousands of other people, and didn’t prompt the same reaction across all recipients.
There is something in play when it comes to all types of fraud: human psychology. In fact, given the advancement in technology, it has become far easier to trick someone into handing over their password than to go through the trouble of hacking them. This is where social engineering comes into play.
Social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.
5 Common Tactics Used by Fraudsters
Ask to victim to confirm personal or financial data
For example, “Madam, we have two BVNs for you and it is causing problems on your accounts with us, please can you confirm which one is correct?” Note how the fraudster is trickily requesting this information from you.
Use fear as a weapon to disarm victims
Let’s take the text message I received as a case study, especially since it was sent on the eve of the start of a long bank holiday. That message had the potential to evoke the fear of inaccessibility of my money and immediately send me into panic mode. I could immediately start thinking to myself, “Ahhhh, how will I buy food and other necessities before and during the holiday?” As humans, we are hardly logical in our thinking when we are overwhelmed with fear. Fraudsters know and use this for their selfish gains.
Cybercriminals take advantage of your ignorance of technology and/or processes to make unrealistic threats
No, your BVN (Banking Verification Number) will never expire, neither will your Apple ID. Your bank will never notify you of fraud on your account, then proceed to request your details to help you stop it. Its awon boys trying to wind your head o.
Pretending to help solve a problem that doesn’t exist
A friend received a call, supposedly from his bank, reporting that some unusual activity that resembled a fraudulent transaction was flagged on his account. He was asked to disclose his financial details, so the theft attempt could be stopped. My friend immediately gave his details. Unknown to him, there was no fraud attempt on his account. In fact, he only just gave fraudsters access to his bank account, by disclosing his card number, CVV and BVN on that phone call.
Leverage near real time knowledge of a challenge you’re facing and use that information as an attack entry point
For example, a caller on CyberSafe, a radio program segment I co-anchor, said he was trying to make a transfer to his wife and was battling the frustration of many unsuccessful attempts at completing his transaction. It was in this moment that a fraudster called and told him that his bank account had problems and these issues account for why he was facing challenges with the funds transfer he was trying to make. Of course the fraudster was able to easily obtain his sensitive financial data. How the fraudster could have gotten such accurate insight of this caller’s plight is a conversation for another day, but your guess is as good as mine: that his story did not have a happy ending.
10 commandments to prevent vishing and smishing
- Thou shall guard your privacy and limit the amount of personal information you share online.
- Thou shall educate yourself on the latest vishing and smishing strategies. One of the easiest ways to achieve this is by following cyber security evangelists like me, on social media…wink wink.
- Thou shall turn on SMS and/or email notifications or transactions on your bank account. The key to detecting and stopping fraudulent activities on time is monitoring. Most Nigerian banks can stop ongoing fraud and ensure you don’t lose money if suspicious activity is reported on time.
- Dearly beloved, no, your card will never be deactivated because of a bank upgrade. Moral of the story is: thou shall always do a fact check of whatever anyone tells you over the phone.
- Dearly beloved, please say after me, I will never, under any circumstance, disclose my financial data (e.g. OTP, account number, online banking username and/or password, ATM PIN, Debit card number, CVV, BVN, etc.) to anyone over the phone. Come to think of it, your bank will not ask you for details they already have.
- If an offer is too good to be true, it probably is. That business deal you’ve been asked to invest ₦100,000 today cannot yield a profit of ₦5 million in two weeks. Let’s be guided.
- Thou shall not click on links you get on your mobile phone, unless you are sure who the sender is.
- Thou shall report suspicious calls and text messages. This is very important because relevant authorities can launch an investigation and apprehend the scammers. It could also assist them to know about a new technique in vishing, and can warn other people.
- Thou shall validate phone numbers who claim to be calling you from your bank by searching online and checking if the number is coming from a legitimate source. For example, if the call is truly from your bank, the phone number used to call you will match the number published on the bank’s official website and printed on the back of your debit card.
- Thou shall not assume that all calls are well-intentioned. When you start to become suspicious, hang up immediately and do a bit of research.
This article is by no means exhaustive, so please share your thoughts, additions and feedback in the comment section. No go fall maga o, so your hard earned money is not used to pop bottles at night clubs or to buy luxury cars.