Imagine receiving a text from your bank urging you to verify your account details due to suspicious activity. You click the link, enter your information, and just like that, you’ve fallen victim to a social engineering attack through a text-link phishing scam. These cunning cybercrimes are skyrocketing across Africa, targeting both individuals and businesses by exploiting human psychology rather than technical vulnerabilities. Digital tricksters are manipulating and abusing our cognitive abilities with increasing sophistication.
Smishing (SMS Phishing): This involves sending fraudulent text messages to lure victims into clicking malicious links or providing personal information. These messages often create a sense of urgency or alarm, pushing recipients to act impulsively. Examples include:
- Fake Lottery Winnings: Scammers send texts claiming you’ve won a lottery, prompting you to click a link or call a number to claim your prize. This leads to requests for personal information or fees, often resulting in financial loss and identity theft.
- Bank Account Alerts: Fraudulent messages appear to be from local banks, warning that your account is compromised. They direct you to click a link to verify your details, which leads to a fake site designed to steal your information.
- Package Delivery Notifications: Messages from supposed courier services like DHL or FedEx claim a package is awaiting delivery. The included link leads to a malicious site, or you are asked to pay a seemingly small amount, such as R19 or $2. However, when the OTP (one-time password) message pops up, the amount has been changed to R1,900 or $200. By the time you notice, your money is gone—your cognitive efficiency has been exploited.
- One-Time Password (OTP) Phishing: Attackers trick victims into providing OTPs used for two-factor authentication. For instance, an attacker might call pretending to be from your bank, claiming there is suspicious activity on your account. They then ask you to provide the OTP sent to your phone to “verify” your identity, but instead, they use it to access your account and transfer money.
- Business Email Compromise (BEC): Fraudsters spoof or compromise business email accounts to deceive employees into transferring money or revealing sensitive information. They often pose as high-ranking executives or trusted partners, sending urgent requests for wire transfers or confidential data. These emails are meticulously crafted to appear authentic, making them difficult to detect.
- Whaling: This tactic targets high-profile individuals, such as executives or senior managers, with highly personalized phishing attacks. These messages often involve significant financial transactions or sensitive information. For example, an attacker might send an email to a company’s CEO, pretending to be a trusted partner and requesting a large wire transfer. The high stakes and personalized nature of these attacks make them particularly dangerous.
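The package delivery scam above depends on the amount in the bank's OTP message differing from the amount quoted on the payment page. As an added example (not part of the original article), the Python below parses both amounts and flags the difference before the code is entered; the message wording, bank and merchant names, and function names are constructed for illustration.

```python
import re
from decimal import Decimal

# Currency marker (R, $, ZAR, USD) followed by an amount; commas are allowed
# as thousands separators. The lookbehind stops "R" matching inside a word.
AMOUNT_RE = re.compile(
    r"(?<![A-Za-z])(?P<cur>ZAR|USD|R|\$)\s?"
    r"(?P<num>\d{1,3}(?:,\d{3})+(?:\.\d{1,2})?|\d+(?:\.\d{1,2})?)"
)
SYMBOLS = {"R": "ZAR", "$": "USD"}


def amounts_in(text):
    """Return every (currency, Decimal amount) pair found in a message."""
    found = []
    for m in AMOUNT_RE.finditer(text):
        currency = SYMBOLS.get(m.group("cur"), m.group("cur"))
        found.append((currency, Decimal(m.group("num").replace(",", ""))))
    return found


def check_otp_message(quoted_text, otp_sms):
    """Compare the amount quoted on the payment page with the OTP message.

    Returns "match", "mismatch" or "unverifiable". Anything other than
    "match" means the OTP should not be entered.
    """
    quoted = amounts_in(quoted_text)
    approved = amounts_in(otp_sms)
    if not quoted or not approved:
        return "unverifiable"  # nothing to compare: fail closed
    # Every amount the bank asks the customer to approve must equal the quote.
    if all(item == quoted[0] for item in approved):
        return "match"
    return "mismatch"


# Constructed sample messages (assumed wording, not real bank text).
QUOTED = "Customs release fee: R19.00"
OTP_SMS = "ExampleBank: OTP 482913 to approve payment of R1,900.00 to MERCHANT-XYZ."

if __name__ == "__main__":
    print(check_otp_message(QUOTED, OTP_SMS))
```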
Why Do Banks Often Deny Claims Related to Social Engineering Attacks?
Investigating cybercrimes committed through social engineering is challenging and often requires collaboration among various domestic, regional, and international law enforcement agencies, such as the FBI, AFRIPOL, the US Secret Service, and INTERPOL. In most cases, the stolen money is not recovered.
If banks were to accept every claim of a cyberattack, they would face unsustainable financial losses. As a result, banks and financial institutions frequently refuse to honor claims related to social engineering attacks for the following key reasons:
- Due Diligence and Responsibility: Banks expect customers to protect their accounts and personal information by verifying unusual requests and following security protocols.
- Contractual Obligations: Many banks’ terms and conditions place the responsibility for safeguarding account information on the account holder. If a breach occurs due to negligence, the bank may not be held liable.
- Fraud Prevention Policies: Banks enforce strict fraud prevention policies. If customers fail to adhere to these policies, such as neglecting to verify suspicious emails or phone calls, the bank may deny their claims.
- Insurance and Coverage Limits: While some financial losses due to fraud may be covered by insurance, these often come with limits and exclusions. Losses from social engineering attacks might not be covered if recommended security practices were not followed.
These measures aim to encourage customers to maintain strong security practices and help manage risk effectively.
Protecting Yourself from Social Engineering Attacks
To guard against these threats, individuals and businesses should:
- Verify Requests: Always verify unusual requests for money or information, especially if they come via email or phone.
- Be Skeptical: Stay cautious of unsolicited messages, even if they appear to come from known contacts.
By understanding the tactics used in social engineering attacks and taking proactive measures, you can better protect yourself from these deceptive threats. Stay vigilant and stay safe!