South African banks increasingly concerned with APP fraud and vishing

  • Professionals from nine of South Africa’s top banks have cited APP fraud and vishing as growing security concerns.
  • The professionals were surveyed during a recent industry forum hosted by Entersekt.
  • Entersekt CTO, Gerhard Oosthuizen, believes a focus should be placed on the nature of transactions, as well as who is transacting, to address new security concerns.

While South Africa has one of the most sophisticated and mature banking sectors in the world, it is still susceptible to many of the same security issues as other industries in the country. Social engineering and similar tactics remain successful methods for cybercriminals targeting local banks.

In fact, during a recent industry forum hosted by Entersekt, the financial authentication company surveyed 29 banking professionals in order to find out what types of security threats they are most concerned with.

While 29 might seem like a small number, the respondents came from nine of the country’s largest financial institutions, a wide enough spread to lend credence to the responses. The types of fraud causing the most concern are APP (authorised push payment) fraud and vishing (voice phishing) at 52 percent each, phishing/SMSes at 48 percent, and SIM swap fraud at 35 percent.

“Most banks are still fighting fraud focused on transaction silos such as Card Not Present fraud. Over the years they have learnt to understand how to deal with it and manage fraud rates. There is, however, a universal concern around new threats such as APP fraud and social engineering, which is growing and constantly changing. Banks are realising that they have to collaborate and look across different transaction types and banks to detect and prevent these new fraud vectors,” highlighted Gerhard Oosthuizen, Entersekt CTO.

“The problem with this new form of social engineering is the payer manipulation – the victim plays an active role in the attack. How do banks stop a legitimate person from making socially engineered payments? Until recently banks have never had to deal with anything like this. As governments around the world take a restorative justice approach to banks with APP fraud, banking leaders are now forced to find ways to protect their account holders from making voluntary but ill-conceived payments from their own accounts,” he continued.

Here Oosthuizen pointed out that banks in the US and UK have been forced by regulators to reimburse customers who are victims of APP fraud. Local banks are looking for ways to minimise the impact of this, as the rapidly rising threat could see similar regulations imposed here.

With this in mind, the Entersekt CTO advises a three-pronged approach:

The first is embracing a wider ecosystem, according to Oosthuizen, especially as fraud professionals need to keep an eye on cybercrime across banks in their region.

“While most banks already use risk-based authentication in their own organisations, they need to find a way to hook into a more extensive ecosystem or consortium for a wider perspective on fraud to spot patterns of attacks,” he explained.

Next is monitoring anomalies from the originating account. Here the CTO advocates for looking across a set of transactions, instead of only the account opening or the digital banking login, which many institutions do.

“There is an array of transactional data that needs to be analysed across the board. If you focus on one channel only, the threat could easily be missed,” he stressed.

The last is checking for strange behaviour on the destination account. Oosthuizen said that banks should also be looking at suspicious or erratic behaviour on the destination account to pick up signs of manipulation.

“Enhanced signalling can help identify red flags and other inconsistencies. Both the receiving and sending banks are being held equally liable so looking at both accounts can help protect consumers,” he noted.

Along with the three-pronged approach, Oosthuizen was careful to state that all of the above needs to happen in a simple, seamless, and frictionless manner, as any hurdle to the customer experience can prove equally detrimental to the business of the banks.

“Banks simply can’t fight APP or any kind of social engineering fraud alone. They must look beyond their own data ecosystems for a wider perspective – especially for early warning signals as attackers are almost certainly attacking simultaneously across banking channels and targeting multiple banks at any given time. The answer lies in context-aware authentication and the power of consortiums,” he concluded.
