
Kevin Hogan, Investec's head of Fraud Risk, reiterates that should you fall victim to Authorised Push Payment fraud, it's highly unlikely you'll ever get your money back. So the best form of defence is to prevent being hacked. Here's how it's done. 

Read the full transcript of the podcast below.

Speakers: TS: Timothy Spira, KH: Kevin Hogan

  • 01:26 What's driving the increase in cyber-crime and what types of crimes are being committed?

    TS: Kevin, has this been a busy time for you?

    KH: Yes, we have been extremely busy!

    TS: What's going on? Is there something specific to this Covid situation and the fact that everybody's working from home? We're very reliant on digital means of communication; is this opening us up to fraudsters and hackers more than we normally are?

    KH: Honestly, my opinion is, probably yes, because you've now got a very large subset of the population that is online all the time. You're spending six, seven, eight, nine hours a day in front of a screen.

    TS: And what are the most common kinds of fraud that are being committed or attempted?

    KH: What we're seeing is that the way that the most common frauds have been packaged is now with this Covid-19 ribbon. It's the same fraud. They're just using Covid as the cover story now, as opposed to a SARS payment or "you've received a deposit from your bank". So the ribbon is just different, and it's the same stuff: phishing emails, what we call Authorised Push Payment (APP) fraud, or invoice interceptions, things like that. It is the same stuff over and over and over again. Nothing has changed.

  • 02:11 Email is the portal enabling most common acts of fraud

    TS: So this term, Authorised Push Payment is something that we've heard before, and it seems to be coming up a lot more in the past couple of weeks. Could you maybe talk about what that is exactly?

    KH: Okay, your email account has already been hacked. They are already in your email account because you fell for a phishing email, or you're using the same username and password on multiple accounts. So the fraudsters have gotten in. You don't know that they're there. What then happens is you are receiving an invoice, you are receiving an instruction to pay funds, and what the fraudsters do is they intercept those emails and they change the bank details on the invoice, or the email, and then they send it on to you, and they spoof the sender's email address, so you think it's coming from the real sender. You think, "Okay, there's no problem, I'm expecting this invoice, I'm expecting these bank details to pay", and you merrily just pay.

    You end up paying the fraudsters because the bank details have been changed. It's called Authorised Push Payment because you are making the payment yourself, you are authorising that payment yourself. And so there's nothing the banks can do for you, because you, yourself, have sat behind the laptop, and put in those bank details yourself, and paid that money away yourself.

    TS: That is really chilling, Kevin. You're saying that there's a possibility that there are people that have managed to hack into my email account, that are reading every email that gets sent to me, and are able to actually alter the contents of that email before I see it?

    KH: Hundred percent correct. So what they do is, when they get access to your email account, it doesn't matter if it's Gmail, Afrihost, Yahoo, it's irrelevant, they will go into the filter settings - every single email account has a filter setting - and what they do is they create rules.

    They will create a rule that says @Investec.co.za. What does that filter rule mean? It says all emails that come from Investec.co.za or all emails being sent to Investec.co.za, what must I do? And the rule says delete the email, right, and forward it to the hacker's email address.

    So essentially, all they actually change is either the bank details on the invoice, whether the invoice is PDFed or not is irrelevant, they can change it, or in the actual body of the email. Once that change has happened, they then forward that email on to you and they spoof the sender email address, and that's very easy to do. I literally, this morning, as part of developing some more training material, Googled how to spoof an email address, and it gave me a couple of websites that enable me, almost instantaneously, to be able to spoof a website.

    So now the fraudsters spoof an email address, and they send it on to you. You think it's come from the original recipient, but the bank details have been changed because these filter settings in your email account have been altered.

    It's called Authorised Push Payment fraud for a reason. If you are making the payment yourself, you are literally authorising that payment.

    Now you may or may not be aware that the bank details have been changed. So, number one, the law says whoever makes the payment, if it's you, or if it's your bank, or if it's a third party - whoever is physically making that payment - if they do not verify the bank details and you pay fraudsters, you are liable, okay. So that's the first thing, let's address that, that's very important.

    Number two. People assume, like in the old days, an EFT will take one or two days or three days. That is no longer the case. The payment system is getting faster, and faster, and faster, and most EFTs nowadays normally clear the banking system on the same day.

    However, if you know that it's fraud and you contact us immediately, phone Investec, phone the CSC, and you tell us, "Listen, I've made a fraudulent payment by accident, please can you help me", if that payment has not left our banking system, we could try and intervene and stop that payment.

  • 06:09 Steps to take to avoid becoming a victim of Authorised Push Payment fraud

    TS: So, how on earth can we prevent something like this? It sounds like once somebody has hacked into your email, there's very little that you can do. I mean, are you expecting them to double-check every single email that comes in with an invoice? I'm thinking for our small business clients or listeners this could be a very laborious process.

    KH: So, unfortunately, the short answer is yes. The problem is that your email account can be absolutely perfect. You checked it this morning, you checked your filter settings. You have not been hacked. The problem is the person sending you the email could be hacked. The fraud is possible in either direction.

    So, unfortunately, what you do need to do, as part of your process is you need to verify the bank details telephonically, directly with that person who sent you the invoice every single time.

    How do you get into this trouble? It's the same story, phishing emails. You're clicking on links in emails that send you to screens that require you to put in your email username and password, which you put in, and that screen harvests that information, or you are using the same username and password for multiple accounts.

    So for example, many people have a Gmail address. They will use the Gmail email and password for everything. They will use it for Facebook, they will use it for Instagram, they would use it for everything, and the problem is one of those websites where they've used their password gets hacked. Now your actual Gmail username and password is in the open, the fraudsters have it.

    So there are two things that you can do. Number one, there is a website you can go to called "Have I Been Pwned" - it's P W N E D - and what this website does is, you put in your email address and it'll tell you if that email address has ever been compromised in a hack, and it'll say, let's say, for example, it was the 2016 LinkedIn hack, it will say that these credentials were compromised in that hack.

    Okay, so now I know that my email address is compromised. There's a couple of things you need to do. So first of all, let's hypothetically say you've got Gmail, you need to go into your filter settings - every single email account has a filter setting - and go and check whether there have been filter rules put in there that you did not create. What the fraudsters do, when you go into filter settings, instead of naming it so you can see it clearly, is they put a little dot, and you can't see that dot, it's tiny. And if you click on it, it then opens to another screen that shows you all the filter rules that they created. What you've got to do is delete all those filter rules, okay? And only then can you change your username and password. That's the process you need to follow.

  • 08:37 How to protect your passwords

    TS: What about password services like 1Password, or LastPass, is that something you would recommend?

    KH: My personal view is the less sensitive stuff you can put online the better, but the reality is that we can't remember forty usernames and passwords. No one can do that. So I always encourage clients to do what's comfortable for them.

    So, for example, my mom has a little red leather-bound book, which she keeps on her, and she writes her passwords in the book. I'm very happy for her to do that. She's not as technically savvy as other people maybe, and she likes the book thing, and it works for her. Obviously, if she loses the book, she's going to be in trouble, but it's a great way to save passwords.

    The other thing you can do is create passphrases. They're much easier to remember. So for example, a passphrase could be "my eight-year-old son is the most energetic boy in the world," that whole sentence is the passphrase, and it's very easy to remember and it's very long.

    And lastly, you spoke about password managers... absolutely. For example, LastPass. It is one of many password managers that can be found online, but I want to encourage you to do two things. Number one, don't use a free version. You are never going to get the same functionality from a free version as you would on a paid version, and number two, try and stick to the top-rated ones, of which LastPass is one.

    And essentially, it does a couple of things: you can use LastPass as a vault where you can store all your passwords inside LastPass - it's got 256-bit encryption - and essentially all you need to do is remember one username and password, and LastPass will remember all the others that you input. You are far less likely to fall victim to hacking if you use a password manager, as opposed to using the same username and password on multiple accounts.

  • 10:22 Why the Corona crisis makes us more vulnerable to fraud

    TS: You mentioned at the outset that people are using the Covid-19 crisis as a way of luring unsuspecting people into giving away their personal details. Are you able to share any examples of where you've seen that happen?

    KH: I'll literally read it to you. I'm going to change the names, but it says: "Hello Frank. Thanks for your email. Please find below details and kindly send a faster payment as my family is going through a lot right now."

    And the basis of this email is that this family member is having some medical challenges, and this guy said, well, he can help, but he needs some money to help you, and he supplies bank details and the amount that he wants paid. Meanwhile, this email has been intercepted and it's related to payments of, you know, things that are happening with this family member in the hospital that are genuine, but this email has now been intercepted and the legitimate email bank details have now been changed.

    TS: That's just diabolical. I mean, you're not even going to think twice when it comes to helping a loved one. And in fact, you're sending your money to a scammer.

    KH: So if you think about it, none of us know how long this is going to go on for, so at the moment we're all trying to be quite wise with how we spend what money we do have. Now you've paid this money to this medical facility - or you assume it's them - and it's been stolen, but the medical facility still doesn't have the money that they need to help your family member. So either you've got to pay an additional amount, okay, because they haven't got the money, so they're not interested in what's happened to you, and it creates this snowball effect.

    This is a faceless crime. We have found, very often when you look at interviews with cyber hackers and guys like this, there is no remorse for the crime that they're committing, and the question was asked, "Well, why? Why don't you feel bad?" and the guy is saying, "Well, think about it, I don't see my victim, I don't see the effect that what I'm doing has on them".

  • 12:16 Illegitimate organisations posing as charities

    TS: There are a lot of very noble organisations at the moment that are putting out legitimate charitable requests, you know, for people to donate money to causes to combat the Covid-19 virus and to alleviate suffering. Have you come across any examples of illegitimate organisations that are posing as legitimate?

    KH: So in the South African context, we haven't seen anything as yet. We have seen from UK counterparts that this is happening in Europe, and all I can say is, for example, if you want to donate to the Solidarity Fund, absolutely do that. Investec will either load them as a predetermined beneficiary on Investec online banking, or you need to phone the bank that holds that account and verify with them first before you pay any funds to anybody. So the same principle applies. If you are giving a donation, it doesn't matter if it's the Solidarity Fund or if it's another fund or even, just your normal, you know, if you're the kind of person that makes donations on a regular basis, verify those bank accounts before you pay, every single time.

  • 13:18 Human interaction remains the best form of defence

    TS: Kevin, you mentioned at the outset that, with people working from home, with a lot of the activities that would normally be face-to-face now being mediated through digital channels, people are more vulnerable. Another area where I guess people are spending a lot more time is social media. To what extent are hackers using your social media profile to assist them in their endeavours?

    KH: So all social media does is replace email. So if I get a message via email, that's a form of communication. Social media is exactly the same, even WhatsApp. We have seen an Investec WhatsApp scam doing the rounds out of Malawi, and we're about to send a mailer to all our clients. They're pretending to be Investec Wealth, exactly the same on social media.

    A lot of the investment scams that we've seen have been unsolicited, through Facebook, through LinkedIn, where these guys will reach out to random people to say this is who I am, this is what I can offer you, and they strike up a conversation, they send people to fake websites that look legitimate. It looks like the offer is too good to be true; people think, "Oh, wow, this is amazing".

    They chat over social media, they build confidence, and the people start to transfer money into these fake investment scams and things like that. So we strongly encourage you to be extremely, extremely wary of unsolicited messages through social media: WhatsApp, Facebook, LinkedIn. If you are not reaching out to these people yourselves, then rather just give them a very, very wide berth.

    TS: Thanks. I think that's a great, great piece of advice. I guess a really good reminder that in these times where we are physically separated, it's all the more important that we retain that kind of direct human contact, and don't rely too much on the kinds of mediated communications that can be infiltrated by algorithms. So I guess human connectedness now is more important than it's ever been.

    KH: I couldn't agree more, Tim. Absolutely.

    TS: Thanks a lot, Kevin.

Kevin Hogan, Investec head of Fraud Risk