Gone are the days of the Stander game where guys run into banks with guns and take cash. “People aren’t stealing money like that anymore. They’re stealing money from behind a laptop,” says Kevin Hogan of Investec Bank.
At the Investec Business Matters conference held recently, Hogan shared practical ways in which businesses could protect themselves from fraud risk. Referencing Gareth van Zyl’s Fin24 article, Hogan says that R5.8bn was lost to cybercrime in 2014.
Fraudsters can install software that lies dormant on devices and can bypass anti-virus measures. It takes about 200 days before an organisation detects an online breach of its systems. Using anti-virus against malware is like sending a mouse to fight a lion, says Hogan.
In 69% of cases, just by clicking a link victims download a virus to their device with malware or Trojans.
Cybercrime often takes place through email and telephone hacking. Fraudsters send billions of phishing emails randomly into cyberspace. These emails often contain links for the receiver to click or often require victims to submit their email accounts and passwords under the pretence of a bank or reputable company. This allows fraudsters to intercept future messages with important information, like banking details. In 69% of cases, just by clicking a link victims download a virus to their device with malware or Trojans.
“Hackers send us emails to move your money… In 2013 we lost R5.8m to one email hack,” says Hogan. He advises businesses that get instructions sent by email or telephonically to authenticate that it came from the actual client. Fraudsters will go as far as to send bank statements to prove client details. False documents are easy to pick up, but Hogan says that the risk comes in when there are bank employees who collude with fraudsters, giving them real statements.
In a case where a fraudster hacked a client’s account by telephone, the fraudster managed to bypass security questions by accessing personal information on the client’s Facebook account. Hogan says that people often repeat the details of their email accounts and passwords for other internet accounts (social media and online banking).
In collusion with “unscrupulous” cell phone service provider staff, fraudsters conduct SIM-swaps on phones, moving the client’s number to another SIM card. This allows them to intercept messages from banks with details about one-time passwords and USSD messages for online transactions, allowing fraudsters to bypass authentication measures.
As a result of telephone hacking, Hogan says that Investec has introduced voice biometrics to authenticate the client’s voice over the phone.
How to protect your business:
- Do not respond to any email asking for your email address and password, it is unlikely anyone wants it for legitimate reasons.
- Do not click on links if you are not 100% sure as to what you are clicking, especially if they come from friends or acquaintances.
- Make use of additional authorisation/authentication i.e. two-factor authentication is useful, in addition to accessing your email by password, a one-time pin is sent to your cell-phone for you to use.
- Proactively manage MUA accesses. Manage the access levels different staff have to authorise instructions and when staff members leave or resign, withdraw their authorisation privileges.
Hogan further explains the methods that Investec uses to protect client’s cash:
- Authentication before funds are transferred or when confidential client information is supplied. The company makes outbound phone calls to the client to confirm instructions by email.
- Proactive monitoring of online banking sessions to detect Trojans, malware and account takeovers.
- Recovery of funds. When your business falls prey to a scam, actions are taken to contact other banks to freeze accounts to secure funds and recover the money lost. Hogan says it is important for clients to inform the bank that they suspect they have been scammed. “The faster you let us know, the faster we can get your money back.”
- Update clients on new fraud trends and alerts. Protecting clients’ funds is a joint responsibility of the bank and the clients, so it is important to inform and educate clients on ways to protect themselves.
People should be taught to navigate the internet responsibly, says Hogan. There are a number of fake websites online, he advises people to type out the full URL when surfing the web, instead of just clicking a link to access a site. Additionally, people should not save passwords on their devices, as it gets stored on browsers which are vulnerable to malware that can record them. He also says that people should set up their computers to delete history every time it switches off, especially after conducting online transactions.
*This article was featured on Finweek.com.