Shopper beware! Social engineering targets you

International players like Temu, Shein and Amazon are shaking up the local market, offering attractively lower prices for the latest gadgets or fast fashions through incessant social media advertisements. The increasing popularity of these online shopping platforms means more consumers are now exposed to e-commerce and possible fraud that may accompany these transactions.

Social engineering is currently one of the most common techniques used by fraudsters in this environment. According to Interpol, it refers to “all the techniques used by criminals to exploit a person’s trust to directly steal their money or get confidential information to enable a subsequent crime. The aim is to influence a target to reveal specific information or perform a specific action for illegitimate reasons”.

A study by World Wide Worx shows that online spending in SA grew by 23 percent (to R71-billion) in 2023. As more consumers become online shoppers, cybercriminals are also getting smarter, utilising various social engineering techniques, at scamming them out of their hard-earned money. Anyone can be a target, regardless of profession, age or social standing. To combat these scams, the importance of education, vigilance and technological safeguards cannot be overstated. To this end, here are the most popular tactics and mitigating safeguards:

Beware these social engineering tactics

Social media phishing – an increasing trend has been observed where scammers are interacting with customers on social media channels such as Facebook purporting to be bank employees or employees of your favourite retailer. They inbox the victim impersonating the bank or retailer in an attempt to assist the victim with support queries and then convince victims to share their personal information which can be used to log-into their bank accounts. They could also obtain private information in order to conduct a SIM swap on the victims number at their mobile carrier which they use to obtain OTP (One Time PIN) security PINs.

WhatsApp phishing – WhatsApp has evolved to be one of the most popular channels for communicating and marketing products which makes it a lucrative channel for fraudsters to leverage. The main tactic used by scammers is impersonation, disguising themselves as your bank or your favourite retail store, or a courier company – asking for just one click. Often cybercriminals will cause excitement with a subject line like “Approve your delivery” or maybe it’s an ambiguous financial phrase like “Payment Advice.”  It’s all an attempt to make you curious enough to click the attachment or link in their email. The sender appears to be legitimate, but if you click on the Link, the page that opens asks you for personal information including passwords, that fraudsters will then use to access your accounts or commit other fraud. There is also a risk of malware being downloaded on the phone.

Smishing – one of the most popular methods cybercriminals use is text messages, to try and trick you into clicking on malicious links, a method known as “Smishing.” For example, they will send a fake text message that says a package is unable to be delivered to you due to incomplete information or maybe you need to settle a balance for your order to be completed. The text typically contains a link, and a sense of urgency to the message, i.e. “you must use the link to confirm your delivery information within 12 hours in order to receive your package”. If you follow the instructions and open the link, you will be taken to a web page that appears to belong to the package carrier or a payment website. You will be asked to enter your personal or financial information on the website. However, the website is fake, so entering your personal details will allow cybercriminals to steal this information.

Vishing – short for “voice phishing”, vishing is a phone-based cyberattack where scammers use the phone as their tool for attack. During a vishing phone call, a scammer may impersonate your bank or the retailer to try and get you to share personal information and financial details, such as bank account numbers and passwords. Vishing is often combined with social media or WhatsApp scams.

AI-powered social engineering

With the rapid adoption of AI tools such as ChatGPT, Scammers can now leverage these tools or voice-generation technologies to craft convincing messages. Which means the typical red flags of dodgy grammar and typos in emails and texts may not be detected. And it’s frighteningly easy to teach AI software to sound like a specific person. These scams are currently aimed at high value targets but could also be used on small scale individual targets. All they need to recreate your voice is a short audio clip, like one from a recorded phone call or a video posted to social media. Once the cybercriminals have your voice, they can target friends, family members, and coworkers.

Avoid falling victim to phishing, smishing or vishing

Your best defence against such fraud tactics includes the strict scrutiny of all communication, especially those containing links related to account details, deliveries or invoices. Scrutinising electronic communications and being wary of suspicious links are essential practices that can mean the difference between staying safe online and falling victim to a scam that could result in financial loss, identity theft or compromise of sensitive data.

NB: Never give your confidential banking information such as OTPs, Bank Card PIN, login and PIN for your banking Apps to anyone.  The bank will never ask you for this information.

In summary:

• Be sceptical. If an email from a company looks suspicious or contains unusual grammatical errors and typos, this is likely a phishing email.
• Never download unexpected attachments or click on unknown links. If you’re not expecting an email from someone (or a company) that you don’t know, don’t open it.
• Be aware of unusual or urgent instructions in a text message. The message will likely instruct you to take action quickly. Cybercriminals frequently use this technique to try and trick you into acting impulsively.
• It is suspicious to receive a text message for a package delivery if you are not expecting a package. Always ask yourself if the message is expected. And if you are expecting a delivery, double-check the order status on your shopping app or website. It’s always safer to navigate to the official website.
• Take action quickly by reporting suspicious activity to your bank immediately, even if you are unsure. Place a temporary on hold/lock on your account in the Tyme Bank app while investigating.
• If you are called by a bank or retailer and asked to provide personal information over the phone, hang up and call the company directly using their official listed number.
• Always read security tips from your bank, they are likely warning you about known and prevalent scams that customers are being affected by.
• The general rule of thumb is to treat every unsolicited communication, be it a text, phone call, WhatsApp message or email, with a healthy dose of scepticism. 

Always stop and think before you click!