How smishing and vishing fraudsters empty bank accounts
About 12 customers of National Commercial Bank Jamaica (NCB) have lost approximately $18 million in a smishing and vishing fraud attack over the last 10 days.
Dane Nicholson, NCB’s manager of special investigations in its Fraud Prevention Unit, explains how fraudsters target customers.
He says the internal systems of the country’s largest commercial bank are safe.
What’s the latest on the smishing and vishing situation?
Over the last 10 days or so, we have seen a significant increase in the number of customers falling victim to smishing and vishing attacks. So far, customers have suffered a little over $17 million in losses. A smishing attack is when a fraudster would send customers SMS messages purporting to be coming from an official source in this case from NCB asking the customer to click on a link either because their account is restricted due to suspicious activities, password is about to expire, or something along that line.
There is always some sense of urgency why the customer needs to click on these links to regain access to their accounts.
When the customers click on these links, it takes them to a landing page which is similar to that of ours at NCB. It will ask the customer for their user name, password. Sometimes once the customer clicks ‘next’ or ‘continue’, they receive an error message. There are other instances where these smishing messages will take them to another page where it asks them to put their credit card number, full 16 digits, and expiry date. After they click and continue, then they will receive the error message.
In the smishing attack, the fraudster would get the user name and password, then log into their profile and get sufficient information to call the customer to now pretend to be an employee of the bank. We have also seen where the fraudsters are calling customers pretending to be [someone else], telling the customers they see suspicious activity, or other members of the organisation telling the customers that they have noted suspicious transactions on their account.
They’ll say in order to stop the fraud, they need the token code to stop the suspicious activity. Now remember, they would already have the user name and password from the smishing attack. Now the vishing attack is what they use to get the token code in order to add a beneficiary to the customer profile to transfer the available funds that are on the account.
So what we want customers to be aware of is that at NCB, we have a ‘no-click, no-link’ policy. Once they receive an email or an SMS message with any link asking them to take certain action, stop and think. It is a fraud because we don’t send customers messages asking anyone to click on a link. Also, if they receive phone calls from anyone – no matter who the person says they are – we do not ask customers for user name, password PIN, or token codes. We don’t need those information in order to stop any fraud in motion.
How many customers are affected?
Approximately 10 or 12 customers would have suffered the losses. There could be others. Several other persons might have responded to the attack and not suffered any loss as yet, so we are asking persons, if you had clicked on the link, make contact with the bank so that we can take the necessary precaution to protect your account.
Is there a sense that these customers are particularly selected? Is there any method you have detected why they are targeting the customers?
Vishing and smishing are not new. Fraudsters would send customers random messages. We have seen where our customers would receive a smishing message from another financial institution. So it is not necessarily a targeted approach; it’s just randomly selecting customers. Anybody who responds would get information to target them at that point in time. So even if the customer receives the SMS or email with the link and takes no action, the fraudster can go no further.
Have you notified these customers how they will get back their money?
That is currently under investigation. The bank’s system has not been compromised. The customer would have unwittingly volunteered their information through the smishing and vishing attacks, so we are collaborating on different levels. Some of the funds would have gone to other financial institutions. We are also in the process of reporting the matter to the police so the beneficiaries of the fraudulent funds can be brought to book.
When did the report first come to NCB?
We have seen it since last week Monday thereabouts. Customers have been reporting it, but we have been experiencing different peaks and troughs as it relates to smishing, but this is a concentrated traction we are seeing. We have never suffered such heavy losses as it relates to smishing in such a short period.
Can customers trust your system? Can people trust that their money is safe?
Definitely, the money is safe. Remember, it is like somebody calls you on the phone and you volunteer your user name and password.
Remember, we tell you, don’t click on any link. Once you click on the link and the user name and password, the fraudster calls you and asks you for the token code. Without those information, they can’t take over the account independently of you providing them with the user name password and token code.
What’s the scale of attacks on your system?
Fraud is an evolving landscape and we have implemented the latest software and antifraud technology that is out there. The main issue that we face is smishing and vishing and also loaner pages and Instagram. Fraudsters have created fake loaner pages that they can loan accounts on behalf of customers and have a link in the bank who will loan the funds and erase the audit trail. The fraudsters ask the customer to provide their user name, password, and token, so this is where again customers collude with the guys and they would take out a fast-cash facility.
These facilities range from $100,000 to $300,000, then they would come to the bank to report their card lost or stolen, and that they don’t know nothing about it. There is a loan on the account in all instances and we have proved where the customers are colluding with these guys.

