Electronic Bank Fraud: The need for Banks to strengthen digital security features and how Banks and customers can mitigate risk
By Julius Nabimanya
Research indicates that the growth of electronic banking has been accompanied by a rise in fraud and the financial losses that come with it. For example, it is estimated that electronic banking fraud increased by 93% between 2009 and 2010 and by a further 30% between 2012 and 2013. According to a 2011 study by retail banking researchers, electronic bank fraud costs 8.6 billion US Dollars annually, a figure that was anticipated to increase in the following years.
Additionally, a Bank of Uganda report on Centenary Bank specifically revealed that the bank’s total customer base declined by 11.4%, its customer deposits declined by 7%, its total credit slowed by 12% and customer complaints due to electronic fraud increased by 6.3%.
Another 2012 survey by Deloitte indicated that Ugandan banks lose up to sh12b annually to electronic fraud while UGS118b was lost by banks in the East African region. Despite the above, the use of digital payment systems continued to grow strongly, both for mobile money and in commercial banks. According to the Bank of Uganda Quarterly Financial Stability Report published in March 2022, demand for digital payment services was mainly driven by a favorable policy environment, evolving consumer behavior/needs, and recovery in economic activity.
The report indicates that the value of debit card transactions increased by 23.9% to Ugshs. 1.2 trillion during the year ended March 2022, while the value of internet and mobile banking fund transfers rose significantly, by 82.8% and 146.1% respectively, to Ugsh. 145.6 trillion for the year ended March 2022. The report shows that electronic and mobile banking continues to grow as more people take an interest in digital banking services. That means, without doubt, that the more the digital banking sector grows, the more financial risks it is prone to face, particularly the dangerous vice of electronic bank fraud. As banks and regulatory authorities continue to put in place measures to mitigate loss, fraudsters, on the other hand, continue to come up with novel and more lethal methods of duping customers and banks and depriving them of their money.
Cases in which customers accuse banks of negligence and breach of their fiduciary duty, arising from what is commonly known as the banker-customer relationship, have become rampant. Although Courts have held in some cases that a bank will not be liable for financial loss caused by fraudsters on a customer’s account if there is evidence to prove that the bank used commercially viable security features to prevent the loss, I opine that the issue of digital fraud is not an easy one to approach. Even a Court faced with such a case ought to take sufficient caution, both in the manner of admitting and in evaluating the evidence before it, before reaching a conclusion. Digital fraud takes various peculiar forms and in some cases it may be very difficult to tell whether the fraud was occasioned by the Bank’s or the customer’s negligence.
However, this article attempts to describe some basic forms of electronic fraud, how they happen and how they can be avoided or at least mitigated, and the nature of the facts and evidence that Courts might ordinarily consider when faced with such cases. Whereas it is truly difficult to avoid becoming a victim of digital fraud, this article discusses how a bank and a customer can shield themselves against the financial loss it causes.
Meaning and Scope of Electronic Banking
The term electronic banking (e-banking) may be defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels (Buchanan, 2010). E-banking includes, but is not limited to, the systems that enable financial transactions and the modes of payment used by customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including Automated Teller Machines (ATMs) used alongside a Personal Identification Number (PIN), internet banking and mobile banking. There are five basic services associated with e-banking: viewing account balances and transaction histories; paying bills; transferring funds between accounts; requesting credit card advances; and ordering cheques, allowing faster service from domestic and foreign banks.
The forms of electronic banking
E-banking comprises mainly internet and mobile banking. Internet banking involves conducting banking transactions such as account enquiry, printing of statements of account, funds transfer, payments for goods and services, etc., over the internet using electronic tools such as a computer or a smartphone, without visiting the banking hall. E-commerce is greatly facilitated by internet banking, which is mostly used to effect payment. Internet banking also uses the electronic card infrastructure for executing payment instructions and for final settlement of goods and services over the internet between the merchant and the customer. Currently the most common internet payments are for consumer bills and the purchase of air tickets through merchants’ websites. In modern day banking, customers rely heavily on the internet for their banking business, a practice that has brought with it an increase in electronic bank fraud cases. It has been argued that electronic banking continues to provide a huge opportunity for hackers and fraudsters to attack Banks and customers.
Further research shows that the internet enables criminals to strategise as a network, supporting each other in their attacks. More particularly, fraudsters are interested in accessing customers’ bank accounts by navigating electronic systems through security breaches. One prevalent way of illegitimately accessing bank customer data is a method termed “phishing.” Phishing is where a hacker sends an e-mail from an allegedly credible source, either to a bank or to its customer, requesting sensitive information such as the customer’s user name or password.
Mobile banking, on the other hand, involves the use of a mobile phone to settle financial transactions. It is observed that mobile banking supports person-to-person transfers with immediate availability of funds for the beneficiary. Payments through mobile banking use the card infrastructure for movement of payment instructions as well as secure Short Message Service (SMS) messaging for confirmation of receipt to the beneficiary. It is further argued that mobile banking is meant for low-value transactions where the speed of completing the transaction is key. The services covered under this product include account enquiry, funds transfer, recharge of phone accounts, changing of passwords and bill payments. In Uganda, the mobile money market has been a playground for fraudsters, with an average of at least 100 mobile money users losing money every week. Indeed, the Agent Network Accelerator survey of Uganda conducted by the Helix Institute of Digital Finance (2013) revealed that one of the biggest challenges of mobile financial services is the high risk of fraud. Mobile banking fraud may be categorized into consumer driven fraud, agent driven fraud, business partner related fraud and mobile financial service provider fraud.
Consumer driven fraud is fraud initiated by fraudsters posing as customers, and it is the most common type of mobile fraud. Agent driven fraud is perpetrated from within the agent network and is initiated and operated by agents or their employees. Business partner driven fraud describes the fraudulent activities perpetrated by bank staff on the bank, by bank staff on customers or by bank staff on the mobile money operator. It goes without saying that electronic banking is intended to offer a wide range of advantages and opportunities in the banking sector, ensuring that work is carried out effectively and efficiently. It is argued that its adoption improves three critical domains in any banking institution: efficiency, quality and transparency.
Forms of Digital/electronic Fraud
The longer people spend online and the more personal data they give out to various online sites, the more susceptible they become to such scams.
Impersonation scams, in which fraudsters pretend to be from a trusted source, contact victims and trick them into moving their money to the fraudster, have recently become very common. Fraudsters impersonate organisations such as telecom service providers, banks, beverage and alcohol companies and government departments, among others, via phone calls, texts, emails, fake websites and social media posts, to trick people into handing over personal and financial information which is then used to convince the Banks holding the customers’ accounts to effect payments. There are also fraudsters who use romance scams to lure their victims into thinking that their loved ones are in urgent need, thereby getting access to their personal information or even, sometimes, innocently being sent money by these (illegitimate) “lovers.” Some fraudsters will even befriend the victim in an effort to gain their unsuspecting trust.
Bank CEO Fraud. Another form of fraud that has grown most recently is commonly termed “CEO Fraud.” Here, a scammer sends an email, often to the accounts department of a Bank, pretending to be from a senior staff member and asking for an urgent payment to be made to a supplier, partner or customer. These are not yet very common here but are prevalent in developed jurisdictions.
Leveraging trends in current promotions and other current affairs. Fraudsters often leverage current affairs to trick their victims into falling prey. For example, hackers look out for periods when business entities are running promotional activities. Telecom companies like MTN and Airtel normally run promotions to give back to their customers or to promote a particular service being brought to the market, and in such promotions customers win monetary and non-monetary rewards. Scammers use such an opportunity to trick innocent people into providing personal information, which the scammers then use to make unauthorized transactions on the victim’s Bank account.
Number spoofing and overriding caller IDs. According to the United States Federal Communications Commission, spoofing happens when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Hackers often use neighbor spoofing so that an incoming call appears to come from a local number, or spoof the number of a company or government agency that you already know and trust. When you answer the call, they use scam scripts to try to steal your money or valuable personal information, which can then be used in fraudulent activity. A victim may not be able to tell immediately whether an incoming call is spoofed; it is therefore advisable not to answer calls from unknown numbers, and if one does answer and the caller behaves suspiciously, to hang up immediately.
Sending malicious links. According to the Reserve Bank of India, pushing out a malicious link is one of the simplest methods scammers use to access your personal information. They may create a fake website that looks like an existing genuine one, for instance a bank’s website or a search engine, fake e-commerce websites or even fake social media accounts. The links are then circulated by fraudsters through text messages or via social media sites. The links are masked behind seemingly authentic website names, but in reality the customer is redirected to a phishing website. When a customer enters his or her secure credentials on that website, they are captured and used by the fraudsters. Another form is the sharing of malicious mobile apps, where links are engineered so that the customer is redirected to download an unknown application. Once the customer installs the app on their phone, the fraudster gains complete access to the device and can watch and control it to obtain the customer’s financial credentials.
Take time to re-read a message. Fraudsters will try to make a customer move money quickly by pretending that his or her cash is at risk or that the customer is about to miss out on a once-in-a-lifetime opportunity. According to Paul Maskall, the fraud and cybercrime prevention manager at UK Finance, they create a sense of “urgency, authority and scarcity” to put pressure on victims. Their schemes often work because people are distracted by the demands of daily life. If a customer feels under pressure to make a rapid decision, it is advisable to take a moment to assess the situation and then act carefully. Taking time to re-read a message can help you spot a potential scam: a fraudulent text may include spelling mistakes, while an email may come from an address slightly different from that of the legitimate person or company. Banks will never call a customer asking them to move money into a new account, so a customer must resist any pressure from a caller to do so. A more recent trend has been fraudsters pretending to be family members on WhatsApp and asking to borrow money or to be sent money “because they are in an emergency.” If a customer gets a message like this, instead of quickly transferring the cash, they can check whether the request is genuine by taking time to contact the actual family member via another channel.
Ignore suspicious links. Given the advancement in technology, information moves faster on the internet and across communication and social media platforms than ever before. It is not advisable for a customer to click on links in texts or emails, even if the message appears to come from a company or person they trust. Opening links without careful thought can expose personal information to a hacker and make it easy for the hacker to gain unauthorized access to bank accounts. A customer should therefore ignore any message sent to their phone or computer via text or email asking them to click on a link, even if it does not look like a scam they recognise, until they are sure it is legitimate. One way to be sure is to call back on an official phone number when unsure about a caller’s identity. If you were not expecting a call and cannot be certain who you are speaking to, hang up immediately and find the official phone number to call the person back. Fraudsters can override caller ID, so even if a customer gets a call from a number they recognize, they should not necessarily trust it. Number spoofing also allows hackers to take over text chains or infiltrate an account command system with a victim’s bank. Similarly, if a third party that a customer has been dealing with asks for money over text or email, or says that their payment details have changed, even if it is someone the customer knows, a prudent customer should call them on a trusted number before making any payment or instructing the Bank to do so.
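As an added illustration (not part of the original article), the following Python script applies the checks described above to a constructed phishing e-mail: a sender domain that differs by one character from the bank’s real domain, a link whose visible text names the bank but whose address points elsewhere, and the “urgency, authority and scarcity” language Maskall describes. The bank domains, the sample message and the phrase list are made-up placeholders.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed placeholders: the domains this (hypothetical) bank really sends mail from.
LEGITIMATE_DOMAINS = {"examplebank.ug", "alerts.examplebank.ug"}

# Phrases that create the "urgency, authority and scarcity" pressure described above.
PRESSURE_PHRASES = (
    "immediately", "within 24 hours", "account will be suspended",
    "verify your pin", "act now", "final notice", "once in a lifetime",
)

# Constructed sample message imitating the bank (not a real message).
SAMPLE_SENDER = "Example Bank Alerts <alerts@examp1ebank.ug>"
SAMPLE_BODY = (
    "<p>Your account will be suspended within 24 hours. Verify your PIN immediately at "
    '<a href="http://examplebank-login.example.net/verify">examplebank.ug/secure</a></p>'
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a real domain marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of a From header such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def lookalike_domain(domain: str) -> str | None:
    """The legitimate domain this one imitates (e.g. digit 1 for letter l), or None."""
    if domain in LEGITIMATE_DOMAINS:
        return None
    for legit in sorted(LEGITIMATE_DOMAINS):
        if edit_distance(domain, legit) <= 2:
            return legit
    return None


def masked_links(html: str) -> list[tuple[str, str]]:
    """Anchors whose visible text names one host but whose href goes elsewhere."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        text = text.strip()
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            found.append((shown, actual))
    return found


def assess_message(sender: str, body_html: str) -> list[str]:
    """Return the phishing indicators found; an empty list means none of these checks fired."""
    indicators = []
    dom = sender_domain(sender)
    imitated = lookalike_domain(dom)
    if imitated:
        indicators.append(f"sender domain {dom!r} resembles {imitated!r}")
    elif dom not in LEGITIMATE_DOMAINS:
        indicators.append(f"sender domain {dom!r} is not a known bank domain")
    for shown, actual in masked_links(body_html):
        indicators.append(f"link shows {shown!r} but points to {actual!r}")
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()
    hits = [p for p in PRESSURE_PHRASES if p in plain]
    if len(hits) >= 2:
        indicators.append("pressure language: " + ", ".join(hits))
    return indicators


if __name__ == "__main__":
    for line in assess_message(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", line)
```

A mail gateway or a customer-facing awareness tool would run the same three checks before the message reaches an inbox; a genuine statement notice from a real bank domain with no masked links produces no indicators.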
Constantly keep a keen eye on your security settings. If hackers access your emails or social media profiles, they can obtain personal information that helps them convince you the scam is legitimate. These tactics are commonly used by invoice scammers, who hack email accounts to intercept messages to a trusted party. They can then take over the email thread and mimic the style of writing to convince you to transfer a large sum of money to a new bank account or a new number, different from the one you were used to. Make sure you have strong passwords on your email and social media accounts, and do not reuse the same password across accounts, so that one compromise does not expose the others. Use a password manager if you struggle to remember passwords.
Make all attempts to ensure you are paying the right person. Even if you have decided the person you are dealing with is legitimate, you should still be cautious before handing over any money or personal information. You could, for example, transfer a very small amount of money first and then call the (real) intended recipient to check whether it has reached their account. Whereas some banks will alert you if the account details you are sending money to do not match the information they have on file, which can help you avoid losing money, other banks may not have systems in place that perform such key functions. It is therefore important that every Bank puts in place a modern, state of the art security system to cater for such risks. Most importantly, if you do fall for a scam, act immediately. The faster you act, the more likely you are to get your money back. Call your bank immediately, as it may be able to block money from leaving your account if the payment has not yet gone through. Banks can also try to recover your money from the fraudulent account before the con artist moves it on.
Specific technical measures that Banks may adopt
Build a VLAN for all internet banking servers, with access based on the principle of least privilege. According to TechTarget, a Virtual Local Area Network (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group. A Local Area Network is a group of computers or other devices in the same place that share the same physical network.
If you are a banker operating electronic banking, it is highly recommended that you build a Virtual Local Area Network (VLAN) for all your internet banking servers, with access based on the principle of least privilege. The principle of least privilege, an important concept in computer security, is the practice of limiting the access rights of users, accounts and computing processes to only those needed to do the job at hand. Regardless of how technically competent or trustworthy a user is, the principle of least authority can reduce cyber security risk and prevent data breaches. According to Forrester Research, 80% of data breaches involve privileged credentials. By strictly limiting who can access its critical systems, a Banker can reduce the risk of intentional data breaches and unintentional data leaks. Another important consideration for Bankers is to adopt system logging that records the reason, or gives feedback, whenever there is an issue with a transaction.
Adopt and improve Security Operations Centres (SOCs). Bankers should also adopt, or improve where they already have one, a security operations centre (SOC). A security operations centre is a centralized function within an organization that employs people, processes and technology to continuously monitor and improve the organization’s security posture while preventing, detecting, analyzing and responding to cyber security incidents. A SOC acts as the hub or central command post, taking in telemetry from across the organization’s IT infrastructure, including its networks, devices, appliances and information stores, wherever those assets reside. The SOC is normally led by a SOC manager and may include incident responders, SOC analysts, threat hunters and incident response managers. With a SOC in place, unauthorized log-ins into customers’ accounts can be flagged promptly and, in many cases, prevented.
Exporting critical logs to an external log collector. If a Banker conducts electronic banking, it is prudent to adopt this approach in its systems. It enables the Banker to conduct a forensic audit easily in case of a security breach, so as to ascertain the source of the breach. A system without this approach runs the risk of having all the logs on its affected servers irrevocably cleared by a hacker. Options worth considering include security information and event management (SIEM) and security orchestration, automation and response (SOAR) platforms.
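As an added example (not from the article or any bank’s system), this Python script shows the kind of rule a SOC analyst could run over logs that have already been exported to an external collector: a successful login that follows repeated failures, a login from a device never seen for that account, and a transfer shortly after such a login. The log format, account names, device IDs and IP addresses are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of lines as they would arrive at an external log collector.
# A copy held off the banking server survives even if a hacker wipes the server's own logs.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z ibank auth FAIL user=acct1001 ip=203.0.113.7 dev=none
2024-03-01T09:00:09Z ibank auth FAIL user=acct1001 ip=203.0.113.7 dev=none
2024-03-01T09:00:20Z ibank auth FAIL user=acct1001 ip=203.0.113.7 dev=none
2024-03-01T09:00:31Z ibank auth OK user=acct1001 ip=203.0.113.7 dev=d9f1
2024-03-01T09:03:02Z ibank txn TRANSFER user=acct1001 ip=203.0.113.7 dev=d9f1 amount=4500000 to=0700000000
2024-03-01T09:05:00Z ibank auth OK user=acct2002 ip=198.51.100.4 dev=a7c2
2024-03-01T09:06:10Z ibank txn TRANSFER user=acct2002 ip=198.51.100.4 dev=a7c2 amount=20000 to=0711111111
""".splitlines()

# Devices each customer has used before (constructed baseline).
KNOWN_DEVICES = {"acct1001": {"b3e0"}, "acct2002": {"a7c2"}}

LINE_RE = re.compile(r"^(\S+) ibank (auth|txn) (\w+) (.*)$")


def parse(line: str) -> dict | None:
    """Turn one exported log line into a dict; lines in an unknown format are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
             "kind": m.group(2), "event": m.group(3)}
    event.update(kv.split("=", 1) for kv in m.group(4).split())
    return event


def detect(lines, known_devices, fail_threshold=3, window=timedelta(minutes=10)):
    """Run the three account-takeover rules over the lines; returns (rule, user, detail) tuples."""
    seen = defaultdict(set, {u: set(d) for u, d in known_devices.items()})
    failures = defaultdict(list)   # (user, ip) -> timestamps of failed logins
    new_device_login = {}          # user -> time of first login from an unseen device
    alerts = []
    for ev in filter(None, map(parse, lines)):
        user, key = ev["user"], (ev["user"], ev["ip"])
        if ev["kind"] == "auth" and ev["event"] == "FAIL":
            failures[key].append(ev["ts"])
        elif ev["kind"] == "auth" and ev["event"] == "OK":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("success_after_failures", user,
                               f"{len(recent)} failed logins from {ev['ip']} before success"))
            if ev["dev"] not in seen[user]:
                alerts.append(("new_device_login", user, f"device {ev['dev']} never seen before"))
                new_device_login[user] = ev["ts"]
                seen[user].add(ev["dev"])
        elif ev["kind"] == "txn" and ev["event"] == "TRANSFER":
            first = new_device_login.get(user)
            if first is not None and ev["ts"] - first <= window:
                alerts.append(("transfer_after_new_device", user,
                               f"{ev['amount']} to {ev['to']} within {ev['ts'] - first} of new-device login"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOGS, KNOWN_DEVICES):
        print(f"[{rule}] {user}: {detail}")
```

In a SIEM the same logic would be expressed as correlation rules; the point is that the rules only work if the login and transaction events have left the server before an intruder can clear them.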
Adopt internet banking software that focuses more on security than on user friendliness. Bankers must also adopt internet banking software that prioritises security over user friendliness; if a software product can achieve both, so much the better. This approach increases the Bank’s control over its systems.
Provide sophisticated modes of making electronic payments to third parties. In regard to digital payments, rather than requiring a customer to share their credit card number directly, the Banker may provide a merchant-specific encrypted token for every transaction requested by the customer. This is even safer where the customer is transacting with a third party, for instance paying for an item online. In the event that the third party suffers a data breach, the customer’s payment information is not readily readable by hackers, and their details held with the bank stay safe.
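Added illustration of the merchant-specific token idea, not any bank’s actual implementation: a bank-side vault issues a random, single-use token bound to one merchant and one amount, so a token taken from a merchant’s breached database cannot be replayed elsewhere and never contains the card number. The merchant IDs and card number are constructed test values, and the token here is random and vault-mapped rather than the encrypted token the article mentions; the protective property is the same.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

TEST_CARD = "4111111111111111"  # constructed test card number, not a real card


@dataclass
class TokenRecord:
    pan: str          # the real card number, held only inside the bank's vault
    merchant_id: str  # the single merchant allowed to redeem this token
    amount: int       # the single amount (minor currency units) it can be redeemed for
    used: bool = False


class TokenVault:
    """Bank-side token vault (illustrative, not any bank's real system).

    The customer's card number never leaves the vault; a merchant only ever
    receives an opaque token tied to that merchant and that amount.
    """

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def issue(self, pan: str, merchant_id: str, amount: int) -> str:
        """Called by the bank when the customer approves a payment to merchant_id."""
        token = secrets.token_urlsafe(24)  # 192 random bits, unrelated to the PAN
        self._records[token] = TokenRecord(pan, merchant_id, amount)
        return token

    def redeem(self, token: str, merchant_id: str, amount: int) -> tuple[bool, str]:
        """Called when a merchant presents the token for settlement."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "token already used"
        if rec.merchant_id != merchant_id:
            return False, "token is bound to a different merchant"
        if rec.amount != amount:
            return False, "amount does not match the authorised payment"
        rec.used = True
        return True, f"charged card ending {rec.pan[-4:]} for {amount}"


def breach_scenario() -> tuple[str, dict[str, tuple[bool, str]]]:
    """What an attacker holding a merchant's leaked token can and cannot do with it."""
    vault = TokenVault()
    token = vault.issue(TEST_CARD, "shop-A", 150_000)
    outcomes = {
        "replay_at_other_merchant": vault.redeem(token, "shop-B", 150_000),
        "wrong_amount": vault.redeem(token, "shop-A", 999_000),
        "legitimate_settlement": vault.redeem(token, "shop-A", 150_000),
        "replay_at_same_merchant": vault.redeem(token, "shop-A", 150_000),
    }
    return token, outcomes


if __name__ == "__main__":
    token, outcomes = breach_scenario()
    print("merchant stores only:", token)
    for name, (ok, why) in outcomes.items():
        print(f"{name}: {'ALLOWED' if ok else 'REFUSED'} ({why})")
```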
Other key considerations include the following. Adopt remote log-ins to internet servers that require the use of certificates rather than passwords; certificates are far less susceptible to brute force attacks, unless the keys are shared or stolen. Bankers should also adopt system controls that restrict a customer to mobile banking with only the one number the customer has registered with the bank and no other. Where a transaction instruction is to pay a different person, not the customer himself or herself, then by all means let the money first be transferred to the customer’s own mobile phone account.
Given the concerns that customers continue to express about constantly losing their money through unknown transactions on their bank accounts, banks and other micro-finance institutions need to strengthen their security posture with state of the art security features that can help reduce the frequency and severity of data breaches. By investing in advanced technologies, banks can capitalize on customers’ growing interest in digital banking now and, more importantly, keep their customer base for the long term. Therefore, security systems built on highly secure and trusted identities for data and payments should be every Banker’s priority going forward.
Finally, it is beyond doubt that a bank owes a fiduciary duty of care to its customer at all times when transacting with them. It is therefore important that Banks take the extra step of not only providing information but also educating their customers. Although a customer does not need to know the complex and technical aspects of their Banker’s security systems, the Banker still owes them a duty to provide all necessary and helpful education about the institutional security mechanisms aimed at protecting their accounts and how best they can benefit from them. Banks should not just teach customers basic security measures such as user names and passwords, security questions, two-factor authentication and fingerprint recognition, but go the extra mile to educate them on advanced security features such as biometric authentication methods, among others. Where fraud has transpired and money has been lost, a customer may initiate a formal complaint procedure with their bank and, if the Bank does not help, the customer may resort to Court and sue the Bank for breach of fiduciary duty. Of course, the success of such a suit will largely depend on the circumstances of each case.
Julius Nabimanya is an electronic fraud expert and can be reached via email@example.com