Financial fraud resulting from social engineering scams, remains one of the biggest concerns for South African banks, with authorised push payment (APP) fraud and vishing topping the list of threats keeping fraud professionals up at night.
As banking leaders look to new technologies to deliver tighter security, the longer-term solution also requires better industry cooperation, which was the focus of a recent industry forum hosted by Entersekt.
According to a survey of 29 banking fraud professionals from nine of South Africa’s top banks at the event held in Johannesburg, the types of fraud that are causing the most concern are APP fraud and vishing (52%), phishing/SMS-ing (48%), and SIM swop fraud (35%).
Most banks are still fighting fraud focused on transaction silo’s such as card not present fraud. Over the years they have learnt to understand how to deal with it and manage fraud rates.
“However, there is a universal concern around new threats such as APP fraud and social engineering, which is growing and constantly changing. Banks are realising that they have to collaborate and look across different transaction types and banks to detect and prevent these new fraud vectors,” says Gerhard Oosthuizen, chief technology officer of Entersekt.
The recent forum of banking fraud specialists hosted by Entersekt and featuring guest speakers from risk-based analysis specialist and partner, Featurespace, facilitated a frank discussion and sharing of fraud concerns from senior banking professionals.
“It was fantastic to witness the banking innovation being driven in South Africa and the collaborative efforts among financial institutions. South Africa continues to impress with its approach to payments, but it’s clear that finding ways to combat the rapid rise in APP threats will require particular focus and collaborative effort if banks hope to comply with the growing onus on them to protect their customers,” says Juspal Manic, Featurespace EMEA president.
According to Oosthuizen, banks have built their authentication solutions with the primary purpose of determining if it’s the right person transacting. Modern fraud requires them to also establish if it’s wise for that person to be conducting that particular transaction.
“The problem with this new form of social engineering is the payer manipulation – the victim plays an active role in the attack. How do banks stop a legitimate person from making socially engineered payments?” says Oosthuizen.
“Until recently banks have never had to deal with anything like this. As governments around the world take a restorative justice approach to banks with APP fraud, banking leaders are now forced to find ways to protect their account holders from making voluntary but ill-conceived payments from their own accounts.”
Payment providers in both the US and UK are now mandated to reimburse customers who are victims of APP fraud and Oosthuizen says local banks are looking for ways to minimise the impact of this rapidly rising threat before they face similar regulations.
He points out that fraudsters don’t focus on one bank at a time. They cast a wide net, looking for susceptible customers wherever they may find them. For this reason, Entersekt advises a three-pronged approach:
* Embrace a wider data ecosystem – Firstly, fraud professionals need to keep an eye on cybercrime across banks in their region. While most banks already use risk-based authentication in their own organisations, they need to find a way to hook into a more extensive ecosystem or consortium for a wider perspective on fraud to spot patterns of attacks.
* Monitor anomalies on the origination account – The second is to look across a set of transactions. Oosthuizen warns that banks cannot just focus on the account opening or the digital banking login. They must keep track of all forms of money movement, including card transactions and push payment transactions. Attackers will get the victim to deposit money into a mule account. Their next challenge is then to ‘cash out’, by moving the money to another account where they can take it out, or making a purchase using a card or withdrawing the funds. So there is an array of transactional data that needs to be analysed across the board. If you focus on one channel only, the threat could easily be missed.
* Asking the right questions will help pick up anomalous behaviour. For instance, banks must watch for situations where digital activity does not match historic behaviour or account movement that’s erratic and ask questions such as: Is this transaction consistent with historic data from this account? Why is the account holder paying so much money into a low value account? Does the digital banking channel show signs of manipulation (such as being on a phone call while making the transaction). Once we see something is strange, we can then determine how to respond. Can the transaction be delayed? Should we as the bank warn the client? And should we as the bank prevent the transaction?
* Check strange behaviour on the destination account – Thirdly, banks should also be looking at suspicious or erratic behaviour on the destination account to pick up signs of manipulation. Insight such as whether the account was just opened right before receiving this push payment, or if the person accessing the account digitally tries to hide their location. Enhanced signalling can help identify red flags and other inconsistencies. Both the receiving and sending banks are being held equally liable so looking at both accounts can help protect consumers.
Finally, all of this needs to happen seamlessly in the background without creating unnecessary transactional friction.
“Banks simply can’t fight APP or any kind of social engineering fraud alone. They must look beyond their own data ecosystems for a wider perspective – especially for early warning signals as attackers are almost certainly attacking simultaneously across banking channels and targeting multiple banks at any given time. The answer lies in context aware authentication and the power of consortiums,” Oosthuizen says.
Both Entersekt and Featurespace believe that a vital part of a comprehensive fraud defence lies in the power of the greater security and authentication ecosystem working together.