The constantly increasing rate of fraud is becoming a menace in society, with fraudsters gaining access to mobile users’ online money accounts in various ways, including One-time passwords (OTP). OTP scams are a growing threat to businesses and consumers alike.
According to the Bank of Ghana’s 2023 fraud report, fraud typologies in services provided by banks, Specialized Deposit-Taking Institutions (SDIs), and Payment Service Providers (PSPs) increased to 15,865 in 2023, a 5% rise from 15,164 in 2022. The total loss value was approximately GH¢88 million in 2023, a 7% increase from GH¢82 million in 2022.
The report also highlighted the rise in fraudulent withdrawals, cyber/email fraud, and cash theft, and SIM swap-related fraud, where SIM numbers linked to banking accounts are fraudulently taken over and withdrawn. Although attempted fraud cases in the banking and SDI sectors declined by 59% in 2023, the total loss value was approximately GH¢72 million, a 29% increase from the previous year. The PSP sector also recorded a loss of GH¢16 million, involving 14,655 cases in 2023.
One-time passwords (OTPs) are a crucial security feature in our digital age by offering an extra layer of protection for online transactions and account logins. Unfortunately, though, scammers often try to hijack these codes for stealing sensitive information, money or both. In all these cases, OTP fraud contributed immensely to the loss.
What is OTP?
An OTP, or one-time password, is a security feature that adds an extra degree of protection to transactions for both online customers and service providers. It involves using an OTP that the service provider sends to the customer’s registered email address or mobile number to authenticate an online communication or transaction. This extra layer was added as digital financial transactions and activity increased in order to serve as a time-bound authentication method for the secure online transfer of private information and funds.
But scammers have developed new ways to perform OTP scams and abuse the feature to trick online users into committing financial fraud. Some of how they operate are:
Phishing scams: In this case, fraudsters send false emails or texts that seem to be from online merchants, social networking sites, credit unions, or banks. These notifications frequently ask you to enter your OTP on a phony website in order to validate your account or fix a problem.
Vishing (voice phishing): Scammers call victims in this scam posing as representatives of a respectable company, like a bank or government agency. Taking advantage of your trust and sense of urgency, they can say that there is suspicious activity on your account and ask for your OTP to secure it.
Man-in-the-middle attacks: This approach involves hackers intercepting conversations between you and a trustworthy service provider. An attacker intercepts your request for the OTP and uses it to access your account.
Social engineering: Scammers deceive you into disclosing your OTP by manipulating your mind. They may pretend to be friends, relatives, or coworkers to trick you into giving them the OTP for a justifiable reason.
Warning signs
Unexpected requests: Watch out for calls or unwanted messages requesting your OTP. Generally speaking, trustworthy companies won’t request your OTP until you’re actively completing a login or transaction.
Suspicious links: Before clicking on links in emails or texts, hover over them to view the full URL. Links that don’t match the official website of the organization they are allegedly from should be avoided.
Generic greetings and language: When scammers send out bulk emails, they sometimes use generic pleasantries like “Dear Customer.” Additionally, their missives frequently contain grammatical or spelling mistakes. Authentic communications are typically proofread, more individualized, and professional.
How to protect yourself
Never share your OTP. Treat your OTP like your password — never share it with anyone, even if they claim to be from a trusted organization.
Verify the source. If you receive a request for your OTP, verify the legitimacy of the request by contacting the organization directly using a known and trusted communication method.
Use multi-factor authentication (MFA). Whenever possible, enable MFA on your accounts. MFA typically involves a combination of something you know (password) and something you have (OTP), providing an additional layer of security.
Install security software. Use antivirus and anti-malware software on your devices to help detect and prevent phishing and other cyber threats.
Educate yourself and others. Stay informed about the latest scam tactics and share this knowledge with friends and family, especially those who may be less tech-savvy.
Keep an eye on emails and texts for OTPs, avoid downloading third-party apps with extra permissions, and use service providers’ contact information on legitimate websites for questions or accessing services.
Dispose of sensitive documents like passports, checkbooks, and Aadhar cards appropriately and avoid sharing photocopies with strangers.
If you encounter any issues, notify your service provider immediately and block your card to prevent further abuse.
How to take action
If you believe you’ve been scammed and/or have shared your OTP, take immediate action.
First, reset the passwords for all affected accounts and accounts with comparable login information. The host organization should then be notified that the account has been compromised. They can assist in protecting your account and offer advice on next actions you should take.
For the next several weeks and months, keep a careful check on your accounts, paying particular attention to your financial records and account activity to look for any illegal transactions. Lastly, submit a complaint to the consumer protection authorities in your community.
One-time password scams can be difficult to spot and wreak massive damage. By all means, protect yourself from falling victim.
