Be very careful of virtual bank cards and rogue SMSs
The mandate is to link the device, not to make payments indefinitely without further notification
What do Reverend Peter Langerman of Durbanville and “Deborah P” have in common? They are both FNB customers, and both were defrauded via virtual card, just a day apart, with their money flowing to or through the same company based in the United Arab Emirates (UAE).
Langerman wrote to me about his experience recently, after FNB rejected his claim for a refund. On April 5 several fraudulent virtual card transactions saw a total of R12,225 flow out of his account and into that of a company listed as Al Hadaf Opticals of the UAE. It was when I did a Google Maps search to check out that retail outlet that I spotted a Hellopeter complaint from a woman identified only as “Deborah P”, whose money — two transactions totalling about R1,500 — had landed up in the same UAE bank account the day before Langerman’s transactions.
Both had been under the impression that transacting via virtual card reduced their risk of being defrauded. “I was defrauded on my cheque account last November,” Deborah wrote in her Hellopeter post. “It was suggested that I use my virtual cards to make internet purchases, as the CVV number changes after each transaction, but unfortunately I have been defrauded again; again by a foreign company and again FNB did not send me approval requests.”
In its rejection letter to Langerman, the bank said they had found “no involvement of any bank employee or failure of the bank’s systems or processes”.
“The FNB Digital Wallet is a smart device-based payment service that allows you to make purchases by using the contactless card functionality through your registered/linked device. Regrettably, FNB does not accept liability for the transactions which were completed from a registered/linked device and behind secure login.”
Langerman said on the day he was defrauded, he had just received his new Samsung cellphone. “I transferred my SIM card from my old phone to my new one and did a smart switch. After I left home, I received the notifications about the transactions going off my account.
“My phone was in my possession, and all my other devices were locked at home, so how there was access from one of my FNB-registered devices is a complete mystery to me.”
I suggested to him that he may have got the fraudster-generated linkage SMS on the day he got his new phone, and approved it, thinking it was to do with his new phone. Nine months ago, Reana Steyn, then the Ombudsman for Banking Services (OBS) — and recently appointed as the newly formed National Financial Ombudsman Scheme’s head ombud — revealed that her office had raised the alarm about virtual card fraud.
Commenting on the spike in virtual card-related complaints to her office, she said fraudsters only had to dupe their victims once — approving a link sent by their bank to link the fraudster’s device to their (the victim’s) credit card account — before being able to embark on a spending spree at their expense. The “linking” SMS notification that banks sent their customers didn’t sufficiently alert them to the potential fraud risk, Steyn said, and victims got no further warnings or notifications as the fraudster started spending on their account.
“The mandate is to link the device, not to make payments willy-nilly indefinitely without further notification.”
There ought to be a layer of security for every payment made via digital wallet, Steyn said, as was the case with traditional credit card purchases. And until that happened, her office would be finding in favour of the victims in every virtual card fraud case.
On checking with the office of the OBS this week, I was told that complaints about virtual card fraud had since fallen off a cliff — they’ve only opened five such cases in 2024, spread across the banks.
"The banks have indicated that they have implemented additional measures in respect of the linking of cards to device wallets,” said the OBS’ adjudication manager Nerosha Maseti.
I raised both cases with FNB, asking, among other things, what extra security measures the bank had put in place since the ombud highlighted the issue in 2023 and how many other fraudulent transactions had been done via digital wallet with that UAE store as the vendor. FNB Card CEO Senzo Nsibande confirmed that the fraud incidents were “as a result of ‘phishing’ and were authenticated for wallet registration”.
“That the fraud occurred at the same merchant likely means the customers were compromised by the same individual or modus operandi,” he said. “We monitor merchant fraud levels, which could lead to blocking by acquirers or issuers.” The customers in question have been contacted by the bank and their issues “resolved accordingly”, he said.
Happily for Langerman, that meant a full refund of his loss. “I was told that my case had been reinvestigated and with no admission of culpability, they had decided to refund me as a gesture of goodwill,” he told me. I don’t have Deborah’s contact details but I’m hoping she got similar good news.
No answers to the rest of my questions were forthcoming from FNB, just this advice: “We strongly encourage customers to remain vigilant of scammers who pretend to be representatives of various organisations, requiring sensitive information like card numbers, pins and online banking details.”