South Africa’s oldest bank, First National Bank (FNB), is warning customers about new and advanced phishing scams targeting digital wallets. These cybercriminals are not exploiting security flaws but instead using “phishing” and “smishing” tactics to deceive users into sharing sensitive information.
The criminals trick users into providing physical card details—like card number, expiry date, and CVV—to load onto digital wallets. FNB explained that loading a card onto digital wallets such as Apple Pay, Google Pay, Samsung Pay, and SwatchPay is similar to making an online payment. Both processes need card details and a one-time password (OTP) for confirmation.
Christopher Boxall, head of card transactions and fraud detection at FNB, pointed out that criminals take advantage of this similarity. They confuse users into providing information that allows fraudsters to link their own devices to the victims’ digital wallets.
Recently, there’s been an increase in attacks where users are tricked into sending an OTP as part of these schemes. Though the OTP for online transactions and digital wallets have different wording, users may miss this difference.
Once the OTP is exploited, the criminals load the victims’ cards onto their own digital wallets. Users then unknowingly use their biometrics to authenticate transactions on the compromised device.
Boxall emphasized the importance of keeping personal and private information secure to prevent these attacks. He noted that every payment technology requires some private information known only to the user, making vigilance crucial.
FNB reassured customers that virtual cards are not affected by this issue, even though they use similar technologies. Virtual cards are designed for enhanced security and privacy for online payments or subscriptions. In contrast, digital wallets can register both physical and virtual cards for payments using devices.