GEORGE NEWS - Cyber swindlers using social engineering techniques to harvest cellphone numbers - ostensibly to commit further fraud, scams and identity theft - have targeted a local businessman's client list, tainting the trust he had built over time and costing him business.
Clients have reportedly stopped taking his calls and business appointments have been cancelled, all because one or more fraudsters have attached the businessman's identity to another cellphone number (a clone account) they are using to commit further acts of cyber fraud via WhatsApp.
The businessman, who asked to remain anonymous, said it all started when an imposter contacted him via TikTok. After casual exchanges, the imposter asked for the businessman's cellphone number so that they could continue the chat on WhatsApp. Once on WhatsApp, the imposter informed the businessman he was participating in a competition to become a RE/MAX Real Estate Ambassador and needed his vote to win.
"The voting process is simple," the imposter explained in one of a series of WhatsApp messages seen by George Herald. "You will automatically receive an access code that will create the link to vote. All you need to do is to copy and send me the access code so that I can send it to my sponsor to activate the link."
A screenshot of the WhatsApp conversation that led to a cyber swindler accessing a local businessman's WhatsApp account. Photo: Supplied
Once the businessman had sent the 'access code' (the one-time Pin (OTP) that gave the imposter access to the businessman's WhatsApp contact list), the imposter proceeded to ask for a selfie to verify the vote.
While the businessman was not locked out of his WhatsApp account, it appears a clone account was set up, using his full names and profile picture, but with a different cellphone number. The clone account has since been used all across town to rinse and repeat the real estate ambassador scam.
The scam is understood to be a spin-off of the old 'hey, I have a new WhatsApp number, by the way I'm in hospital, please send me some money' scam with which people are tricked into parting with their hard-earned cash. The OTP the target sends to the imposter is the two-factor authentication scammers need to log into their target's WhatsApp account and then either lock them out of it or harvest cellphone numbers from their WhatsApp contact list, which will at some point down the food chain be used for illicit financial gain.
News you can use: how to identify social engineering
In the shadowy world of cybercrime, harvesting people's cellphone numbers through social engineering is generally more about what the number can unlock than about the number itself.
Social engineering is the act of manipulating or deceiving people into revealing confidential information, giving access or performing certain actions that bring swindlers one step closer to committing fraud, identity theft or launching a cyber attack. It's not a technical hack, but a psychological one. Phishing is but one technique in a social engineering mastermind's toolbox. The Cyber Crimes Act 19 of 2020 explicitly criminalises actions such as Sim swap fraud, identity theft, phishing and WhatsApp scams.
In the most recent crime statistics, released in May, George Police Station was flagged as a top 30 national hotspot for commercial crime (including cybercrime). In the light of the recent spate of cellphone harvesting incidents in George, we have compiled this brief summary of what scammers typically do with harvested cellphone numbers and how you can protect yourself.
Sim swap fraud gives scammers access to banking OTPs, two-factor authentication codes, your WhatsApp, email and other sensitive accounts. A fraudster can perform Sim swap fraud by simply gaining access to personal details - without ever laying his hands on a target's actual SIM card. In phishing and smishing (SMS phishing) scams, fraudsters send fake messages that appear trustworthy, claiming to be from banks, SARS and couriers. They usually ask you to click on a link, open an attachment or respond in some way. Once you, the unsuspecting victim, take any of these actions and scammers have your information, they access your banking or email accounts, perform Sim swaps to intercept OTPs or impersonate you to scam others in your network.
Then there is the dreaded WhatsApp takeover, aimed at locking you out of your account and then impersonating you to scam your contacts. Identity theft is all about stealing your identity or impersonating you. Your harvested cellphone number is combined with other personal data such as your name and ID number to open fraudulent accounts, take out loans or commit crimes using your identity. Finally, cellphone numbers are harvested for the purpose of spamming or selling data. Here your cellphone number is used for spam or mass messaging campaigns after being sold to third parties by scammers or shady marketers. Scammers may also use harvested numbers in mass messaging campaigns without selling them to third parties.
Protect yourself
• Never share your number in public groups.
• Never click on unknown links or reply to strange messages on SMS or WhatsApp.
• Use app-based two-factor authentication (2FA), not SMS-based 2FA.
• Enable port protection with your service provider.