KUWAIT: Zahra, a 37-year-old Indian housewife, fell victim to a cyber fraud incident resulting in the theft of KD 17,750 from her bank account. The funds were stolen through 18 transactions within minutes, wiping out her entire savings. Shocked and in disbelief, Zahra recounted the incident. A woman called her from a local Kuwaiti number, claiming to be a bank employee, and requested her personal bank account details, including her card number.
"She convinced me that she needed this information to update my bank account. I completely trusted her because she repeatedly asked me not to share my personal details with anyone except the bank, stressing their importance,” Zahra lamented. After sharing her information, Zahra received a one-time password (OTP) message from her bank, which she also shared with the woman as per her request. Immediately after, Zahra noticed multiple suspicious transactions of KD 1,000 each in her account, prompting her to end the call and contact the bank to deactivate her account. But, by the time she took action, the woman had already stolen all her money.
"For a week straight, I couldn’t sleep after that incident. This woman’s voice kept haunting me. I don’t know how she hypnotized me like that,” Zahra ruefully said. After one month of reporting this incident to the bank and the Electronic and Cybercrimes Department, Zahra’s case is still under investigation. Given the prevalence of such cyber fraud cases in Kuwait nowadays, Kuwait Times explored the nature of these crimes and the safety measures implemented to combat them through the perspective of a legal expert and a banking expert.
Lawyer Mohammed Al-Jassem noted that Zahra’s case is a type of social engineering attack known as "vishing,” where fraudsters call victims claiming to be from the bank’s technical support or from a trusted financial company and convince them to share OTP codes under the pretext of verifying their accounts or protecting them. He listed other popular means, which include:
Phishing: Fraudsters send emails or text messages that appear to be sent from trusted institutions, such as banks, asking users to click on a suspicious link, leading them to a fake page requesting their personal information and OTP codes.
Smishing: Similar to phishing, but without using links, scammers use text messages to send fake notifications that appear to be from a bank, asking users to confirm a transaction or update their account information by sending an OTP code.
Ransomware and malware: Scammers install malware on victims’ electronic devices to steal personal information and OTP codes whenever they are inserted on the device.
Fake websites: Scammers create websites that look similar to the official websites of banks or financial services, asking visitors to provide their personal data and OTP codes. In the case of filing a report facing any of these cases with the Electronic and Cybercrimes Department, it acts by collaborating with banks and telecom companies to trace the criminal’s IP address and personal information, Jassem explained.
However, Jassem noted that, due to the large number of complaints filed regarding these crimes, it often takes a long time for the authorities to resolve the issue. Unfortunately, he said that this prolonged duration not only increases the rates of committing such crimes but also gives the criminals the opportunity to flee the country, thereby making it more challenging to ever reach them. Due to this, he pointed out that the success rate of finding these scammers may only amount to two or three percent.
He stated that if individuals filing complaints don’t receive any official response after a prolonged period, they can take the following actions: Firstly, they could file a compensation claim against the Ministry of Justice and the Ministry of Interior for failing to comply with their duties. Alternatively, they could report a corruption complaint to Nazaha (the National Anti-Corruption Authority), alleging corruption in the handling of legal reports, as this action is deemed a violation of the constitution, which mandates the protection of citizens’ rights.
From the banking expert’s view, Mohammed Hegab, Supervisor at Authorization and Fraud Monitoring and Risk Management in one of the banks in Kuwait, stressed that people should never disclose their personal details over the phone under any circumstances, highlighting that no financial institution or legitimate company will ever call or send a message to request such information.
Additionally, he advised caution with online payments, urging users to verify website safety and payment gateways. While acknowledging the ongoing efforts of banks to implement rigorous security measures for client protection, he emphasized that the primary responsibility still lies with clients to remain vigilant and informed about potential scams. He also referred to a campaign initiated by the central bank and the Kuwait Banking Association, "Diraya” (let’s be aware), for more information regarding customers’ rights and financial literacy in dealing with banks.