TS: So this term, Authorised Push Payment is something that we've heard before, and it seems to be coming up a lot more in the past couple of weeks. Could you maybe talk about what that is exactly?
KH: Okay, your email account has already been hacked. They are already in your email account because you fell for a phishing email, or you're using the same username and password on multiple accounts. So the fraudsters have gotten in. You don't know that they're there. What then happens is you are receiving an invoice, you are receiving an instruction to pay funds, and what the fraudsters do is they intercept those emails and they change the bank details on the invoice, or the email, and then they send it on to you, and they spoof the sender's email address, so you think it's coming from the real sender. You think, “Okay, there's no problem, I'm expecting this invoice, I'm expecting these bank details to pay”, and you merrily just pay.
You end up paying the fraudsters because the bank details have been changed. It's called Authorised Push Payment because you are making the payment yourself, you are authorising that payment yourself. And so there's nothing the banks can do for you, because you, yourself, have sat behind the laptop, and put in those bank details yourself, and paid that money away yourself.
TS: That is really chilling, Kevin. You're saying that there's a possibility that there are people that have managed to hack into my email account, that are reading every email that gets sent to me, and are able to actually alter the contents of that email before I see it?
KH: Hundred percent correct. So what they do is when they get access to your email account, it doesn't matter if it's Gmail, Afrihost, Yahoo, it's irrelevant, they will go into the filter settings - every single email account has a filter setting - what they do is they create rules.
They will create a rule that says @Investec.co.za. What does that filter rule mean? It says: all emails that come from Investec.co.za, or all emails being sent to Investec.co.za, what must I do? And the rule says delete the email, right, and forward it to the hacker's email address.
So essentially, all they actually change is either the bank details on the invoice, whether the invoice is PDFed or not is irrelevant, they can change it, or in the actual body of the email. Once that change has happened, they then forward that email on to you and they spoof the sender email address, and that's very easy to do. I literally, this morning, as part of developing some more training material, Googled how to spoof an email address, and it gave me a couple of websites that enable me, almost instantaneously, to be able to spoof a website.
So now the fraudsters spoof an email address, and they send it on to you. You think it's come from the original recipient, but the bank details have been changed because these filter settings in your email account have been altered.
It's called Authorised Push Payment fraud for a reason. If you are making the payment yourself, you are literally authorising that payment.
Now you may or may not be aware that the bank details have been changed. So, number one, the law says whoever makes the payment, if it's you, or if it's your bank, or if it's a third party - whoever is physically making that payment - if they do not verify the bank details and you pay fraudsters, you are liable, okay. So that's the first thing, let's address that, that's very important.
Number two. People assume, like in the old days, an EFT will take one or two days or three days. That is no longer the case. The payment system is getting faster, and faster, and faster, and most EFTs nowadays normally clear the banking system on the same day.
However, if you know that it's fraud and you contact us immediately, phone Investec, phone the CSC, and you tell us, "Listen, I've made a fraudulent payment by accident, please can you help me." If that payment has not left our banking system, we could try and intervene and stop that payment.