The deluge of cyber fraud, which breaches the information technology systems, has become a major source of worry to all, especially banks who lose substantial amount of money to this criminal activity.
A 2020 research found three dimensions to electronic fraud in Nigeria, including internal fraud carried out by banking staff; external fraud carried out by ordinary Nigerians, and collaboration between fraudsters and banking staff.
Internal fraud is considered the biggest problem facing banking institutions with recent research by Temenos, putting their influence at 70 percent. The fraud is usually perpetrated by those with the highest levels of access to information technology (IT) systems, such as systems and database administrators.
Fraud-related transactions cost Nigerian banks N3.5billion in losses between July and September 2020. This represented a 534 percent increase in the same period in 2019 when it was N552million.
The financial sector’s on-going digital transformation and Covid-19-induced cloud reliance have caused the sector’s attack surface to grow exponentially, exposing organisations to increased levels of cyber threat activity.
Another key accelerator to this is the fact that the coronavirus pandemic is likely to cause a sharp wave of poverty, invariably leading to higher rates of cybercrime in the coming years.
Nigeria Inter-Bank Settlement System (NIBSS) in its latest Industry Fraud Report found that the highest number of fraudulent transactions (35.5 percent of the total) were committed on the web channel, that is, transactions that are done using a web browser. Transactions done over phones were responsible for a loss of N410 million at 11.7 percent of the entire loss value.
“There is, therefore, a need for constant and proactive measures around these channels,” the report noted.
It is usually safe to rely on Automated Teller Machines (ATMs) when they are regularly updated by vendors. However, many ATM machines are still running on outdated operating systems such as WindowsXP and require major security patches to be considered truly secure.
Meanwhile, attack groups leveraging ransomware (the weapon of choice for many threat actors) have already made a large profit last year. In 2020, an increasing number of small-medium banks and financial institutions across Africa, Asia, and Eastern Europe were prey to attacks from groups with expertise in vending RDP/VNC network access. The modesty of a small bank’s cybersecurity architecture has made them preferred targets for hacking groups.
According to the NIBSS, the trend from the beginning of 2020 has been that the web and mobile channels are viable mediums for exponential fraudulent gains.
With an alarming rise in vicious cyberattacks on financial institutions in 2020, it is now estimated that 10 percent of all data breaches were related to the financial industry.
There are reported breaches already at The U.S. Treasury Department and the New Zealand Central Bank. This, in our view, means 2021 does not look like it is off to a good start for the financial sector. If these hacks are any indication of what is to come –– it is critical for financial institutions to be prepared for the years ahead.
The Nigeria Deposit Insurance Commission (NDIC) said that in 2018, Nigerian banks lost over N15.5 billion ($41.6m) to fraud, a massive jump from what the industry recorded in the previous four years. The industry lost N12.30 billion to various frauds between 2014 and 2017. About 89 percent of all financial services fraud happened through electronic channels while only 11 percent was non-electronic.
In the case of Nigerian banks, the NIBSS report found that social engineering accounted for the most technique used in defrauding banks. It was responsible for 11,589 fraud activities. Social engineering, in the context of security, is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Online fraud is a growing concern for investors in financial services. Since the Central Bank of Nigeria (CBN) in 2014 accelerated its effort to deepen cashless transactions, electronic banking fraud has grown too.
In the midst of all these, we believe that there are ways banks can moderate these cyber risks. It is important for banks to re-assess their cloud security. This implies regularly reviewing the cloud infrastructure to ensure it is up to date. Banks should assess the cloud security’s current state compared to security benchmarks, best practices and compliance standards.
Monitoring cloud security by using a vulnerability management tool to help automate threat detection and protect against potential threats before they become a problem is indispensable. There are many available solutions that help financial organisations to do this safely and effectively.
We believe too that, since internal fraud is the biggest factor promoting electronic fraud, establishing strict access management policies form a fundamental part of the fight against cyber fraud targeting banks. Adopting a zero-trust Privileged Access Management (PAM) policy can help banks to reduce their attack surface by preventing unauthorised access.
Furthermore, establishing a disaster recovery plan is another piece of the solutions jigsaw puzzle. Having a plan in place helps avoid data loss and allows an organisation to minimise downtime after a disruption. This only works if data is backed up regularly and often.
Finally, we advise that banks should encrypt all data. Encrypting data cryptographically, and protecting the cryptographic keys, ensures the most sensitive digital assets are always protected; even if the IT structure is critically compromised.
