Don’t be a victim of investment fraud - be vigilant all the time

Laura du Preez | 20 December 2023

Laura du Preez has been writing about personal finance topics for more than 20 years, including eight years as personal finance editor for two leading media houses.

South African investors lost almost R24 million last year due to fraudulent withdrawals and disinvestments from investment platforms, collective investment schemes and retirement funds.

Fraudsters’ attempts to steal another R182 million last year were thwarted, according to the most recent fraud statistics for the life and investment industry released by the Association for Savings and Investment South Africa (ASISA).

The industry detected 709 such incidents last year indicating a need for investors to be hyper-vigilant, Jean van Niekerk, the convenor of ASISA’s Forensic Standing Committee, says.

It starts with identity theft

In many cases fraud begins with identity theft. Data breaches at major credit bureaus have compromised the identities of most credit-active South Africans over the past three years, Van Niekerk says. Read more: Who is doing credit checks on me?

In more sophisticated attacks, fraudsters open up accounts at certain financial institutions in your name and using your ID number and then attempt to transfer funds from existing investments, he says.

More commonly, however, withdrawal and disinvestment fraud occurs when fraudsters either hack your email or your adviser or investment provider’s email and access instructions you have sent to your investment house or financial adviser in the past, Van Niekerk says.

Fraud also occurs when your personal information is accessed illicitly or because it was not properly destroyed.

Van Niekerk says this technique known as dumpster diving can occur when a physical file containing your information is left lying around, or you throw your bank statement in the bin, or your statements are stolen in a burglary and sold to a syndicate.

Social engineering

Once fraudsters have the details of your investment they typically engage in social engineering - mimicking your writing style and your signature to convince a financial institution to change your banking details to that of an account used by the fraudster.

In the final step, the fraudster submits a withdrawal or disinvestment instruction and if you are lucky your financial institution will detect the forgery, Van Niekerk says.

If the fraudster has hacked your financial adviser’s email, he or she will impersonate your adviser or pretend to be contacting you from your financial services company by spoofing it’s email account. This is known as man-in-the-middle fraud.

In this case, the fraudster is likely to attempt to convince you that the investment house has changed its bank account.

Nazia Karrim, head of product development at the not-for-profit South African Fraud Prevention Service, says the impersonation of institutions and their employees, usually via phishing, vishing or remote access type scams, is common.

Fraudsters try to get you to provide them with one-time pins (OTPs) to access your investment on an online platform or release a transaction, she says.

The losses are typically yours

If a fraudster does access your investment or retirement savings, and you were tricked into providing the PIN or your device was compromised, then you will bear the loss, Karrim says.

If it can be proven that the fraud arose as a result of compromise within an investment provider or adviser, then they will need to reimburse you, however this is a very unlikely scenario, she says.

Van Niekerk says common checks that financial institutions perform are calling you back to verify the instruction, verifying the account with the bank to ensure it is in your name and using your ID and for how long it has been open, verifying your signature and checking for alterations on the withdrawal or disinvestment application.

Van Niekerk says your transactions are also monitored to identify anomalies, outliers or activity that is not within the normal bounds of what you do with your account.

The financial services industry is also sharing information about fraud and working with banks in line with anti-money laundering legislation to stop money that is stolen from moving out of the banking system, he says.

How to stay safe

Hackers very often rely on the human failure point because it's the easiest point to compromise – easier than infiltrating sophisticated databases, firewalls and cyber security controls at financial institutions, Jean van Niekerk says.

So the best way to stay safe, is to guard your information carefully.

  • Use a secure email and strong passwords: Too many South Africans are using Gmail, Hotmail or other public domain email addresses without using strong passwords, Van Niekerk says. Many people use the same password – or slight variations of it - across social media and investment and banking platforms. If one of these platforms is hacked, all the passwords are compromised, Van Niekerk says. Rather use a credible password manager, he says.

    Never allow your browser to save your password, Werner Lunow, IT Manager at Allan Gray, says rather write your password down or store it in a password vault and keep your device secure with a pin or password.

  • Be careful what links you click on: Be very careful of links and accidentally divulging your details or installing malware or viruses onto your device, Van Niekerk says.

Hover over any link to check the true destination and don’t click if you have any doubts.

Do not use the same devices as your young children use to do your investing and banking. Children may not understand that they are on an unsafe site or downloading malicious files, Van Niekerk says.

  • Use two-factor authentication: Two-factor authentication – when you have to use a code sent to your email or cell phone to verify it is you logging in - adds another layer of protection. It is astonishing how many people are happy to keep a lot of personal information behind just a login and password, Van Niekerk says.

  • Don’t use paper forms: If your investment provider offers a secure online account use it to transact rather than submitting scans of paper forms that can be manipulated, Lunow says. Check the validity of your online account by clicking the padlock icon next to the website address and log out when you are finished transacting, he says.

Keep an eye on your credit report: Check your credit report regularly or pay for a service that alerts you to changes in your credit profile, Van Niekerk suggests. Read more: What is my credit report?

If you are a victim of identity theft, report this to the South African Fraud Prevention Services (SAFPS).

This not-for-profit organisation maintains a database of those whose identity has been compromised and financial institutions check it.

The SAFPS launched a Secure Citizen app earlier this year where you can register for a unique identifier to be used when you apply for credit and ensure financial institutions can confirm your identity prior to completing any application, such as that for credit.

  • Keep your email clean: Delete emails with copies of sensitive documents such as your payslip or bank statement that you may have sent to open an account or apply for credit, Van Niekerk says.

  • Check your investment statements: Check your statements – even those tied up for fixed terms – often, Van Niekerk suggests.

  • Let contributions be collected: If your investment provider can collect money from your bank account for investments use this service to avoid paying into the wrong account, Lunow says.

  • Don’t use public Wi-Fi services or charging stations: Public Wi-Fi services can be hacked and when you use your cable in a public charging station you may allow data to be transferred from your device, Van Niekerk says.

  • Dispose of electronic devices safely: Dispose of old devices, hard drives, USB drives, memory cards, etc through reputable electronic waste disposal companies.

  • Be sure those you engage with are legitimate: If anyone contacts you by phone, email or WhatsApp and it’s not related to something you initiated, do not engage.

    Drop the conversation and contact the institution directly yourself using the numbers you know are legitimate. Financial institutions will only call you from their published number not from a cell phone number or via social media, Van Niekerk says.

    Always check the email address matches the investment house’s email domain, for example, for Allan Gray, Lunow says. Check the address has not been spoofed by hovering over any email address. 

  • Anti-virus software: Use a reputable antivirus software and anti-spyware and keep it up-to-date, Lunow says. Install the latest security upgrades to your device’s operating system, applications and browser. Install a personal firewall that restricts external devices from accessing your device, he says.