27/06/2023
The NBS warns citizens to pay attention if they receive SMS messages from unknown phone numbers (recently with the area code +33) in which the sender presents himself as a provider of certain services (Netflix, Pošta Srbije, DHL, etc.). In such messages, users are usually required to make a payment with a payment card, such as postal costs, subscriptions, etc., via a website for which a link is given in the SMS message. These websites visually resemble the original websites of credible companies, whereas in fact they are fake websites controlled by criminals. In the belief that they are paying certain small amounts (subscriptions, postage, etc.), users enter their card data on the website. Then, already accustomed to the fact that a one-time password (code) must be entered when paying on the Internet, they automatically enter the password on the website, even though the SMS message in which their bank delivered the code clearly states that it is a code to activate a payment service (e.g. Apple Pay), not to pay for the services they believe they are paying for. Also, users do not pay attention even when they receive an SMS message that they have successfully activated the payment application, although they still have enough time to block the card before it is misused.
Once the hackers place the card in their own electronic mobile wallet, they use it to make payments online and at physical points of sale, because those payment services work in such a way that no further authentication of individual transactions is required, allowing the use of one card on multiple devices. Users only realise something is wrong after the criminals have made a few transactions. The Law on Payment Services as well as the card rules of all card brands stipulate that in such cases the loss can be fully borne by the users, on account of their having disclosed the one-time password through gross negligence.
In other words, users often have to bear the consequences of fraud themselves, especially in those cases where it is judged that the fraud is not highly sophisticated.
Users should know that credible service providers deliver SMS messages in such a way that the user does not see the phone number from which the message is sent, but the name of the sender (see the SMS messages you received from your bank). Namely, the credible senders of these messages have verified special phone numbers with mobile operators for communication with users and have thus practically made it impossible for those phone numbers to be misused. When users receive an SMS message from an unknown number (the phone number is visible instead of the sender's name, while the sender's name is in the message itself) from a sender who claims to be a bank, a cable or internet provider, or a service provider in general, and who requires the user to do something (to access a website via the link sent in the message), there is a high degree of probability that it is a phishing scam.
Users need to know that blocking the card after criminals have already used it to purchase certain products, and the fact that the funds are still "only" reserved, do not mean that those funds can be "stopped" or returned to the user. In the case of card transactions, reserved funds cannot be returned to the payer at the will of the bank issuing the card, without the consent of the merchant and his bank, i.e. without the consent of the card scheme. Namely, the merchant has no obligation, and in some cases it is physically impossible (e.g. on the Internet), to check every time someone pays with a card whether the buyer is also the owner of the card. This is especially true when the transaction is authorised with a one-time password; in that case, in accordance with the rules of card schemes, it is not possible to start a complaint procedure at all and request a refund from the merchant and his bank.
So, if you get a message from an unknown phone number that gives you a link to access, be careful: it is probably phishing. When your service provider actually addresses you, you will not see the phone number, but its name. If you still access the link and enter the card data, read what is written in the SMS message you received from your bank to see whether you are authorising the payment of the service you want to pay for, or whether it is something else (in that case, immediately contact the bank and block the card).
The strict and consistent application of the rules from the Law on Payment Services, which the NBS insists on, provides an extremely high level of protection to all payment card users who act with the care of a diligent owner, and those users can rest assured that in case of possible misuse, the funds will be returned to them. On the other hand, negligence does not excuse users who casually provide information from their card and do not read messages, in which case they bear the loss themselves.
The NBS, for its part, will try to raise users' awareness of this type of fraud, though banks must also do more to educate users about the services they offer, especially if those services entail increased risk.
Governor's Office