A recent spate of Sim-swap fraud cases saw First National Bank and MTN South Africa portrayed as the least trustworthy companies in their respective industries. Dozens of people have fallen victim to the Sim-swap scam, having hundreds of thousands of rand transferred out of their bank accounts without their knowledge, after fraudsters hijacked their cell phone numbers in order to receive one-time Pins (OTPs).
Other companies are not immune, but it would appear that FNB and MTN clients are targeted more often. There is even a Sim-swap fraud Facebook group that carries the hashtag #HackedAtMTN as its slogan and features more comments about FNB than any other bank.
Gail Jacklin, a client of forensic investigator David Klatzow, had more than R300 000 stolen from her bank account in what Klatzow alleged was an inside job at MTN and FNB.
“[Jacklin] went to the bank after about R200 000 had been [withdrawn], asking that they freeze the account,” Klatzow said. He explains that FNB then reopened the account in the process of changing Jacklin’s login details, and another R100 000 was withdrawn as a consequence of “negligibility”.
FNB did not answer questions in its response to Klatzow’s allegations, other than to say: “FNB strongly refutes unsubstantiated claims made recently in the media by a private forensic consultant.”
“Fraud is a global concern in the financial services industry and affects many banks around the world,” said Marcel Klassen, FNB Business head of growth and acquisitions.
Something phishy
Banks tend to be unsympathetic towards those who are defrauded because, even with an OTP, fraudsters can only access an Internet banking account using login details that only the account holder is privy to. More often than not, banks find that someone had unknowingly fallen prey to a phishing attack, and was thus liable for their own loss.
In a recent interview with Moneyweb, FNB CEO Jacques Cilliers said that the bank’s two most recent cases of Sim-swap fraud were confirmed to be phishing incidents.
According to Schalk Nolte, CEO of mobile security company Entersekt, chances of an inside job at the bank are slim. He said that unlike big companies, which force their employees to change their passwords monthly, most people never do this for their Internet banking. So they may have fallen victim to a phishing scam long before they became vigilant about them and, because they never change their login details, the fraudsters wait until there’s a large enough sum of money in the account to strike.
“Then, all the fraudsters do is find an insider at MTN to do the Sim swap,” he said. MTN is no stranger to this type of cellular fraud, and given the number of reports involving MTN (irrespective of the banking clients), it is arguably most fraudsters’ network of choice.
Moneyweb sent questions to MTN asking it to respond to the claim that an overwhelming majority of this Sim-swap fraud was taking place via its network. More than a week has gone by without a response other than a press release detailing the measures MTN was taking to better protect its customers. These include its Subscriber Identity for Third Parties service, which immediately alerts banks of Sim-card changes. It is freely available, and has been offered to banks at a cost since 2009.
Klatzow is unconvinced by the phishing argument, saying it could not be a coincidence that all the victims had been scammed for similarly large amounts of cash.
“How do these scammers know that I have a business account with R400 000? Why don’t we hear of people losing R20 000, or R5 000?” he questions.
“We have about 30 people on our register who have a similar problem… We will debate whether a class action is appropriate. In the meantime, it is our duty to warn the public that there is a problem at FNB and that there is a problem [with using an MTN Sim card to do Internet banking with FNB].”
Although Sim-swap fraud is not unique to FNB and MTN clients, Klatzow singled out the two companies because he felt there seemed to be many more victims that were clients of either or both of them.
Fighting a losing battle
If history is anything to go by, it would appear that Klatzow is fighting a losing battle.
Only three of the 99 Sim-swap fraud cases opened with the banking ombudsman in 2015 were fully upheld (meaning the consumer got all their money back). Only nine were partially upheld.
Of those, only 12 involved FNB. But, according to the ombudsman for banking services Clive Pillay, the number of files/complaints per bank is not necessarily indicative of an individual bank’s handling of customer complaints or its performance in general.
“Banks vary considerably in size, client profile, product mix and liability to the public,” said Pillay, adding that “the last-mentioned variance ranging from less than 1% to as high as 30%. All of these factors impact on the number of complaints made against a bank.”
- This piece was originally published on Moneyweb and is used here with permission