Sitting at your desk doing Internet banking may make you feel safe. After all, it is not a bank, where someone can steal your bulging wallet when you step outside. But that friendly e-mail claiming to be from your bank and asking you for your details could cost you and you alone.
If you fall foul of a phishing scam and give away your details because of your own negligence, banks are probably not liable, according to Aslam Moosajee of law firm Norton Rose.
Phishing is when fraudsters masquerade as a legitimate organisation, such as a bank. They create fake websites or send e-mails that appear to be from the organisation. Usually these ask customers to submit their personal and banking details, such as ID, Pin and account number. If the customer does this, their details are used to take money out of the account. International cybersecurity company Symantec says one in 319 e-mails worldwide is some sort of phishing attempt.
Moosajee said a ruling last year in Nashua Mobile vs GC Pale CC showed the way for banks not to be liable. In this case, Pale tried to sue Nashua after R160 000 was transferred illegally from its bank account. It blamed Nashua because someone performed a “Sim swap”, which allowed the person to get the details of someone in the organisation and, therefore, the banking details.
This form of phishing occurs when someone manages to convince a cellphone company that they are another person. The phisher gets a copy of the person’s Sim and acts in their stead, taking all other information.
The chief executive of Absa’s retail bank, Gavin Opperman, said this scam is on the rise in SA.
Pale lost its case and Moosajee said what emerged from the ruling was that banks are not liable in cases like this. Instead, the customer’s “negligence” was blamed by the court, he said.
He said the courts understand that banks are doing “a lot to improve security”. As a result he did not know of any cases where a bank was held responsible. The ruling has not been tested.
Bongani Diako, spokesman for the SA Banking Risk Information Centre, said his organisation is also “not aware” of any court cases where banks have been held liable for phishing. In some cases, he said, banks have compensated victims.
Opperman said customers “should educate themselves” so that they can avoid such scams. This is the time of year when they start escalating, he said.
A report by Norton Internet Security earlier this month found that 84% of South Africans who are online have experienced a cybercrime in their lifetime. The global average is 69%. And, although phishing is not the largest part of this, it is one of the most harmful.
Norton also found that the blame for this might lie with outdated security software — 24% of online South Africans are running old programs.
Banks have reacted swiftly to phishing attacks in the past. Last month Absa suspended all credit card payments to EasyPay, an online payment portal, because a third of all transactions had been fraudulent.
It was reported that R500 000 was returned to customers. Absa said it is investigating how much in total was stolen.
Although banks are safe from liability, Moosajee said he thought there was a chance of this being challenged under the Consumer Protection Act. — Sipho McDermott, Mail & Guardian
- Image: Don Hankins
- Visit the Mail & Guardian Online, the smart news source