In 2024, fraud became the most common crime in Kazakhstan. New schemes are constantly emerging, often leading people to unknowingly share their banking information with scammers and lose their savings. Factcheck.kz spoke with experts about the steps everyone can take to protect themselves from such risks.
Fraud in the Digital Age
Financial literacy expert Zhanar Talanova says it's difficult to remain virtually invisible in the digital age.
"We either share our data one way or another, or our information is in the hands of government agencies, financial institutions, or anywhere else where there is a risk of information leakage," says Zhanar Talanova.
In July of this year, a massive personal data breach was reported, affecting approximately 16 million Kazakhstanis. Such incidents allow scammers to be especially persuasive: when someone knows your full name, address, and even your IIN, it's hard not to trust them.
Moreover, fraudsters actively use social engineering. According to digital, civil, and corporate lawyer Yelzhan Kabyshev, this is the most common method of stealing financial data.
Among the most common techniques used by scammers, the expert highlights:
- phishing: calls allegedly “from the bank”, “from law enforcement agencies” (and other government agencies);
- fake websites and forms where the victim is persuaded to enter card details or confirmation codes.
However, there are a number of basic recommendations that, if followed, can reduce the risk of losing money.
6 tips for protecting your personal data
Tip #1: Don't share your information with strangers
This is perhaps the most important recommendation. In most cases, fraudsters achieve their goals because victims voluntarily hand over their information, and sometimes even send money, without realizing who they are dealing with. Therefore, it's important to adhere to the following rules.
1. Don't tell strangers your passwords and one-time codes.
When you receive a call claiming to be from your bank, end the conversation and call the number printed on your card. This will help ensure you're actually speaking with the bank and not a scammer. If you receive a call claiming to be from a mobile operator and are asked for a code sent to your phone, follow the same procedure: call the official customer support number for your operator.
2. Do not give your bank cards or details to strangers.
This will help protect you not only from losing money but also from becoming a "dropper" (money mule). Factcheck.kz has already reported that handing over your personal accounts, even unknowingly, for the withdrawal of stolen funds or their transfer to others entails criminal liability under Article 232-1 of the Criminal Code of the Republic of Kazakhstan.
3. Do not click on suspicious links in SMS, instant messengers, social networks, etc.
The internet is full of advertisements offering users a product or service for a small fee, participation in a promotion, and so on. Before clicking on a link, always double-check the information against the official sources of the companies being advertised.
4. Do not install applications on your phone or computer at the request of strangers.
Zhanar Talanova recommends not opening suspicious or incomprehensible files received via WhatsApp, Telegram, other messaging apps, or email, especially if they come from unknown senders. Such files may contain viruses, Trojans, and other malware that can even intercept your messages.
The expert also warns of the risks of downloading remote access apps. Such apps allow someone to control someone else's computer or smartphone remotely.
It's important to understand that scammers can resort to a wide variety of manipulations to extort personal information and money. However, the rules listed above remain the same.
5. Do not share all of your data unless it is necessary.
According to Yelzhan Kabyshev, many people mistakenly believe that when contacting government agencies or commercial organizations, they are required to disclose all their personal information. However, under the law, only the information needed to provide the service or fulfill the request may be requested.
"Keep control of your personal data. The law obliges owners/operators of personal data to implement security measures and process only the 'necessary and sufficient' volume—demand compliance," says Yelzhan Kabyshev.
Tip #2: Control access to banking data
Kabyshev notes that fraudsters also use offline methods, such as skimming (copying card data using special devices) and PIN code snooping at ATMs or POS terminals.
"The Agency for Regulation and Development of the Financial Market (ARFMR) recommends using ATMs inside banks and covering the keyboard with your hand—this is a basic but effective measure," says Yelzhan Kabyshev.
Experts also recommend carefully managing your online banking settings. If your bank's mobile app has a "hide card" option, use it to prevent other cards from appearing on the screen.
It's not recommended to make bank transfers using public Wi-Fi networks, as they tend to be poorly secured. This could allow attackers to intercept your bank card details and access your funds.
Also recommended:
- set limits on amounts and number of transactions;
- allow transfers only to verified recipients;
- reduce limits on online payments.
The most reliable option would be to get a separate card specifically for online purchases and top it up only when necessary.
Tip #3: Don't stop at complex passwords
One of the basic rules of digital hygiene is using unique and complex passwords. It's recommended not to reuse the same password for different accounts and to avoid simple combinations.
But complex passwords alone aren't enough these days. Enable two-factor authentication for additional security. Even if your password is compromised, an attacker will have a much lower chance of accessing your account. When choosing an authentication method, it's best to choose an authenticator app. Sending codes to a phone number or email is considered less secure, as email can be compromised and SMS messages can be intercepted.
But there's an alternative to traditional passwords that's widely recommended by cybersecurity experts today: passkeys. This is a form of multifactor authentication that uses public-key cryptography combined with biometric data (fingerprint, Face ID) or a device PIN. The advantage of passkeys over passwords is that they're stored only on your devices and are unique to each person. Therefore, they offer greater protection against phishing and other threats.
Tip #4: Regularly update the operating system and applications on your devices
OS and app developers release updates, among other things, to patch discovered vulnerabilities that could be exploited by attackers. Keeping your software up to date helps keep your devices secure. This is especially important for banking apps.
Tip #5: Keep your digital signature in a safe place
Particular attention should be paid to protecting entry points to government and financial services. As Yelzhan Kabyshev explains, an electronic digital signature (EDS) has full legal force and effectively replaces a personal signature.
For this reason, he recommends storing digital signatures only in the eGov Mobile app. It implements biometric login and has a more stringent key issuance procedure, reducing the risk of unauthorized access.
It's equally important to remember to protect your biometric identifiers—Face ID and Touch ID. If your unlocked smartphone falls into the hands of third parties, this creates a direct opportunity for them to apply for services, applications, or even loans in your name.
Tip #6: Use the "stop-credit" service
Experts recommend activating the "Stop Credit" service not only for yourself but also for your loved ones. It allows you to block loans from being issued in your name. Even if you don't know whether your data has been leaked, this measure can be (and is) used proactively.
This service is voluntary and can be activated and canceled through the e-government portal eGov.kz. To do this, you need to:
- log in to the portal and click the “Order a service online” button;
- fill in all required fields;
- sign the application with an electronic digital signature (EDS).
It’s even easier to activate the service by phone:
- call 1414;
- say the phrase: “Ban on lending”;
- enter your IIN and confirm the action with an SMS code.
You can also check the status of the ban or, if necessary, cancel it by calling.
According to First Credit Bureau JSC, more than 2.7 million Kazakhstanis have already taken advantage of this opportunity.
"If the ban is active, but the loan was actually issued to fraudsters, the bank or microfinance organization is obligated to write it off. The service can be enabled and disabled in a couple of clicks," said Yelzhan Kabyshev.
You can check whether a loan has been taken out in your name by requesting your credit history:
- via the First Credit Bureau website or the 1CB.kz mobile app (electronic signature required);
- via the online service on the eGov.kz website. Complete the application, sign it with an electronic digital signature, and view the results in your "Personal Account."
How to check if your data has been leaked
Today, Kazakhstanis also have the opportunity to check their data for leaks. The Nomad Guard service is available in the eGov Mobile app, allowing you to:
- check whether your data has been leaked (for example, databases with logins, passwords, IIN);
- assess the safety of links to phishing or fraudulent sites.
Among the independent services is Have I Been Pwned, which can be used to check whether your personal email address has been found in any leaked databases.
Read the article on the Factcheck.kz website by following this link.