Cybercriminals are finding new ways to scam and con you
Remember those halcyon days when the biggest consequence of having a cell phone stolen was the inconvenience and the potential loss of your photos and contacts? It’s hard to believe that was only around 10 years ago. If your phone is stolen now, the damage is far greater than a few lost memories. Back then, thieves wanted your phone purely to sell it on for cash. Now they have a much more sinister motive: they want access to your life. Cybercrime has moved on from theft of passwords to enable impersonation on social media. The rise of AI and other sophisticated tools means we are all at much greater risk of being scammed or conned. However watchful we are, cybercriminals devise new ways of fooling us before we can figure out how to thwart them. How can you keep yourself safe from cybercrime? We look at emerging cybercrimes and what you can do to protect yourself from them.
Types of cybercrime
Cybercrime refers to criminal activities conducted through the internet or other digital platforms. If you run a business, malware and ransomware attacks and data breaches are likely of concern to you. You probably have a skilled IT and cybersecurity team constantly scanning the virtual horizon for intruders. But if you are a private individual, as many of our clients are, you need to be aware of the key crimes targeting unsuspecting ordinary citizens. Identity theft, financial fraud and phishing attacks are your biggest worry. Data breaches in the corporate world also affect you, as your personal information may be compromised when an organisation you deal with is breached. If this happens to you, at the very least you will need to change your passwords associated with that organisation. You should still monitor your financial and social media accounts for suspicious activity and be extra wary of phishing attempts.
Financial fraud
Unfortunately, new crimes are emerging…or rather, new ways of committing old crimes are on the rise. Whether your bank card is stolen and used fraudulently, or your online banking password is breached and your account accessed digitally, financial fraud has been committed. If your cell phone is stolen, your biggest concern now is the misuse of the bank and credit cards you have stored in your e-wallet. Organised syndicates extract banking or payment information from the device, and they profit much more handsomely than they would by simply fencing your phone. They can clean out your bank accounts or max out your credit card within a few hours.
The tips for preventing cell phone theft are the same as they always were. Don’t walk down the street with your phone in your hand, etc. But if your cell phone is stolen, to prevent financial fraud the first phone call you make should be not to your network provider but to your bank to stop all cards and online banking activity. Next, call the network and block the SIM card. Then change all your banking and payment passwords (and any other passwords for important apps on your phone).
Phishing
Phishing is a well-known tactic. Fraudulent messages sent by email or, increasingly, SMS or WhatsApp, trick recipients into providing sensitive information or transferring money. There are many permutations. Most people are now familiar with the email that purports to come from your bank, inviting you to click a link that takes you to a mirror site where you are instructed to update your details, which are then greedily swept up by the cybercriminal. A more recent scam is the delivery SMS. You receive an SMS or an email telling you a package is waiting for you, but the address is missing, or there is a customs charge to pay, or you need to reschedule delivery. Whatever the obstacle, you can resolve it by clicking on the link. It looks something like this:
Often there is a fee to pay to complete the delivery. The SMS or email comes from a source you don’t recognise and the email is often from a Gmail address, not a corporate email domain. It’s tempting to think you may have been sent a surprise, but if you have not placed an order for goods recently, ignore it. Like most South Africans, you may regularly receive deliveries (the scammers are counting on this). Reputable couriers send a professional notification of your delivery with a tracking facility and – critically – your order number. Any communication that does not look legitimate is not legitimate. If in doubt, contact the courier company separately – do not reply to the message.
Another phishing technique is the “change of bank details” scam. This is more common in a commercial context but private customers are also targeted. An organisation you regularly do business with emails to say they have changed their banking details. You dutifully change your beneficiary information on your banking app and, the next time you make a payment to this company, the criminals receive your money. Always call the company and speak to the finance department. They will thank you and you will protect yourself from theft. Don’t email the company. The phish is evidence of a compromised email account.
AI and deepfakes
One of the most chilling developments in cybercrime is the use of “deepfakes”. You may have heard the news of the finance worker in Hong Kong who was tricked into transferring $25m, after a video conference with his team in London. Initially suspicious of the email from the CFO, which talked about the need for secrecy, he was reassured of the transaction’s legitimacy by the Zoom meeting with senior management, ostensibly all in London. The catch was that none of them were real. This scam has also been perpetrated on private individuals. A woman in the UK was tricked into an investment, after an online meeting with her financial adviser, whom she could reasonably expect to trust…except it wasn’t him. Well-known figures like Elon Musk have been impersonated, encouraging investment in an opportunity that has nothing to do with any of his businesses. But because he is a recognised global figure, people assume the offer is real. It is not. The New York Times reported: “The scammers had edited a genuine interview with Mr. Musk, replacing his voice with a replica using AI tools. The AI was sophisticated enough that it could alter minute mouth movements to match the new script they had written for the digital fake. To a casual viewer, the manipulation might have been imperceptible.” An 82-year-old man lost his entire retirement savings of $690,000.
The simplest way to avoid deepfake fraud is to go analogue – meet your financial adviser in person. Call them on their office landline (if they still have one). If you are contacted by a professional you have not met, and there is any suggestion of investing in an opportunity, moving savings accounts for a better interest rate (another common con), or engaging in any financial transaction, end the call and call the organisation they claim to be from. If meeting in person is not possible and you meet virtually, a simple trick is to ask everyone on the call to stand up and turn around. A deepfake won’t be able to do that.
Unfortunately, the world we live in requires a “zero trust” approach, in the words of Phokeng Mogase, Chief Information Officer at the FSCA. In an era of virtual communications and AI, we can no longer assume that people are who they say they are.
Legal framework
South African law offers several protective measures against cybercrime. Unfortunately, cybercriminals are hard to apprehend. It’s highly likely they are not even operating within South Africa. The thief who steals your cell phone on the street is a small operative in a long chain. Cybercrime is global and national borders are porous. For this reason there is international cooperation around regulation of AI and cybercrime. However, the law does provide some protection and recourse. For example, if you are defrauded you may be able to seek compensation from your bank. Prevention is better than cure, but cybercriminals are cunning. If you are a victim of cybercrime, don’t blame yourself. Scam victims have reported serious mental health issues, such as anxiety, depression, and low self-esteem as a result of the fraud. They feel vulnerable and ashamed. But crime is never the victim’s fault.
Key South African laws governing cybercrime include:
1. Cybercrimes Act (2020). This is the main legislative measure addressing cybercrime. The Act criminalises numerous activities, such as hacking, data interception, and cyber extortion. It includes:
- Penalties for harmful data messages, including revenge pornography, threats, and unlawful image distribution
- Clear definitions and penalties for offences like ransomware, hacking, and identity theft
- Obligations for businesses to report cybercrimes and preserve evidence if an incident affects their digital infrastructure
2. Protection of Personal Information Act (POPIA). POPIA regulates the collection, storage, and processing of personal information. Organisations must ensure stringent security measures are in place to protect personal data from unauthorised access. Non-compliance can result in penalties and legal action from affected individuals.
3. Electronic Communications and Transactions Act (ECTA) (2002). One of South Africa’s earliest pieces of cybersecurity legislation, the ECTA governs electronic transactions and includes cybersecurity requirements and penalties for offences such as unauthorised data access.
4. Financial Sector Conduct Authority (FSCA) Guidelines. In the financial sector, the FSCA provides cybersecurity guidelines for financial institutions, emphasising consumer data protection and robust cyber resilience strategies to protect against cyber incidents.
If a crime has been committed
If you are impacted by cybercrime, there are several legal avenues you can pursue.
- Report the crime to the South African Police Service (SAPS). Reporting is essential for initiating an investigation and securing evidence. Reporting a crime also ensures that law enforcement has an accurate picture of the extent of cybercrime in the country.
- Seek financial compensation. If you experience financial fraud, such as unauthorised bank transactions, seek assistance from your bank. This is why it is critical you notify them as soon as your card/phone/identity is stolen. If you delay, the bank may refuse to reimburse you or may only refund a portion. Furthermore, the sooner you notify the bank, the sooner it can stop your card or account being used, thus minimising losses. If you are not satisfied with your bank’s response, the Financial Services Ombudsman can help resolve disputes with financial institutions over cyber-related issues.
- Civil litigation. You can file a civil claim for damages incurred as a result of financial loss or emotional distress due to cybercrime. For example, if a business fails to protect customer data as required by POPIA, you may be entitled to compensation.
Let SD Law help
If you have questions about cybercrime, the Cybercrimes Act, or any other legal matter, give Cape Town attorney Simon Dippenaar a call on 086 099 5146 or email sdippenaar@sdlaw.co.za.
Further reading:
- Cybercrime – Court Reaffirms Who Bears Responsibility For Payment Where Email System Is Spoofed!!
- Cyber extortion
Some resources:
- https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html
- https://www.nytimes.com/interactive/2024/08/14/technology/elon-musk-ai-deepfake-scam.html
- https://www.theguardian.com/society/2024/oct/23/secret-health-hell-being-scammed-felt-mind-disintegrating
The information on this website is provided to assist the reader with a general understanding of the law. While we believe the information to be factually accurate, and have taken care in our preparation of these pages, these articles cannot and do not take individual circumstances into account and are not a substitute for personal legal advice. If you have a legal matter that concerns you, please consult a qualified attorney. Simon Dippenaar & Associates takes no responsibility for any action you may take as a result of reading the information contained herein (or the consequences thereof), in the absence of professional legal advice.