The ATM Scam — an overdue reminder to be proactive?

As Sri Lanka celebrated 71 years of independence and sovereignty over the past weekend, her citizens were reduced to a state of confusion and panic over a message that spread wildly on social media and messaging apps regarding a massive ATM skimming scam.

The timing of the revelation was ironic. The country was commemorating its freedom from the foreign oppressor who plundered and ‘stole’ much of her resources, while the ATM scammers, who are reportedly a group of foreign nationals, stole large sums of money from a yet-to-be-disclosed number of Sri Lankans. Local media outlets report that fraudulent ATM withdrawals of up to Rs. 80,000 were carried out by the scammers over the weekend.

The paranoia regarding ATM usage is ongoing, with reports from unverified sources still doing the rounds on WhatsApp groups. The banking institutions have been mum about the whole fiasco, with no official communique being sent out to customers, although some people have been informed that their credit and debit cards have been deactivated due to ‘suspicious activity’. LankaClear published a statement on its Facebook page a day after the incidents came to light, warning the public to be vigilant and reassuring them that the LankaPay payment network was uncompromised.

How much do you know about the ‘skimming scam’?

Card skimmers are small devices placed in close proximity to an ATM’s card reader in order to steal debit/credit card information. When you insert your card, the device captures the details stored in the magnetic stripe of the card. In order for the information to be useful to criminals, they also need to steal your PIN. This is easily done by installing a hidden camera or placing a fake keypad over the original. Here’s how it happened in Sri Lanka.

How can you protect yourself? Technically, the only way to completely protect yourself is to cancel all your cards and switch to using only cash. But that means long bank queues and other old-school inconveniences that you simply don’t have time for. So what real options do you have? The most important thing you can do is to activate mobile banking alerts, so that you instantly receive a text message every time money is either deposited or withdrawn from your account. This means you can inform your bank as soon as you notice any unexpected account activity and mitigate the damage.

You should also take time to inspect the ATM closely before using it. Most often, a sharp eye and a few jabs and nudges can reveal tampering on a machine. Any part that seems unfamiliar, or doesn’t seem to be firmly fitted to the machine, probably has no business being there. Report it immediately to the authorities. Finally, always use your hand to shield your PIN from hidden cameras.

What do the authorities have to say?

This is not the first time that a scam of this nature has affected Sri Lanka, although the recent one appears to be the most coordinated and widespread. Back in 2013, Sri Lanka was one of 27 countries targeted in a global ATM heist where a shadowy criminal ring netted $45 million in a matter of hours, thanks to card skimmers. In 2016, Sri Lankan authorities busted a group of Chinese nationals who were planting skimming devices at local banks.

The Governor of the Central Bank of Sri Lanka (CBSL), Dr. Indrajit Coomaraswamy, spoke to reporters in the wake of the incident and said that the scam primarily affected banks that have not employed EMV chip technology, although the CBSL had already issued guidelines to do so back in 2016. He said that the CBSL would now make EMV chip compliance mandatory for all banks. EMV chip technology is the global standard for chip-based debit and credit cards.

The whole debacle begs the question ‘why do we keep falling victim to these kinds of scams’, especially when it’s not the first time it’s happened. With technology increasingly playing a larger role in commercial and personal financial transactions, whose responsibility is it to be proactively aware of the possible security breaches? Are financial institutions too lax in updating security features and protecting customers? Are we, the public, too trusting of the technology we use?

Banks can definitely help the situation by engaging with both staff and customers in proactive prevention.

Staff Action: It is important that staff are continuously updated and trained on the possible threats to security, and more importantly on how to help affected customers. Nothing is more frustrating than speaking to a customer service representative who has no idea how to manage a potentially panic-inducing situation.

Training for the sake of ticking a box on an HR to-do list won’t do. Staff need to be fully engaged for higher retention, which definitely helps in dealing with emergency situations. Providing staff with an optimized LMS solution such as LayUp, which offers rich interactive elements, can produce meaningful engagement with much higher retention levels than sitting in a classroom listening to an instructor drone on about the ‘five steps to deal with an emergency situation’!

Customer Action: Banks can also proactively educate customers with tips shared via SMS, through short videos on online interaction platforms or as signage at ATMs to reduce risks.

Let us know what you think about how the situation was handled by authorities in the comments below.