Why banks in South Africa will soon want a closer look at your accounts
South African banks continue to battle social engineering, with more than half of the respondents of a recent industry survey saying Authorised Push Payment (APP) fraud is their greatest cause for concern.
APP fraud is a type of fraud in which the victims themselves take part: they are manipulated or otherwise convinced into making real-time payments to fraudsters.
Banks are highly incentivised to fight back against this kind of fraud, because there is a global trend of authorities holding banks liable and making them reimburse victims. While this is not yet the case in South Africa, that may change.
Financial fraud resulting from social engineering scams remains one of the biggest concerns for South African banks, with APP fraud and vishing topping the list of threats, according to data from financial authentication company Entersekt.
According to a survey of 29 banking fraud professionals from nine of South Africa’s top banks, the types of fraud that are causing the most concern are APP fraud and Vishing (52%), Phishing/SMS-ing (48%), and SIM swap fraud (35%).
Most banks are still fighting fraud within transaction silos, such as Card Not Present fraud. Over the years, they have learnt how to deal with it and manage fraud rates.
However, there is a universal concern around new threats, such as APP fraud and social engineering, which are growing and constantly changing.
“Banks are realising that they have to collaborate and look across different transaction types and banks to detect and prevent these new fraud vectors,” said Gerhard Oosthuizen, Entersekt’s CTO.
According to Oosthuizen, banks have built their authentication systems with the primary purpose of determining if it’s the right person transacting.
“Modern fraud requires them to also establish whether it’s wise for that person to be conducting that particular transaction,” Oosthuizen said, noting that human impulses are a risk to try to overcome.
“The problem with this new form of social engineering is the payer manipulation – the victim plays an active role in the attack. How do banks stop a legitimate person from making socially engineered payments?”
“Until recently, banks have never had to deal with anything like this. As governments around the world take a restorative justice approach to banks with APP fraud, banking leaders are now forced to find ways to protect their account holders from making voluntary but ill-conceived payments from their own accounts.”
Payment providers in both the US and UK are now mandated to reimburse customers who are victims of APP fraud, and Oosthuizen said local banks are looking for ways to minimise the impact of this rapidly rising threat before they face similar regulations.
A closer look at your banking habits
Oosthuizen noted that fraudsters don’t focus on one bank at a time – they cast a wide net, looking for susceptible customers wherever they may find them.
He said that banks will have to take the same approach, casting a wider net on the fraud landscape to try and better determine the patterns of attack.
The second part of the fightback is to look across a set of transactions.
“Banks cannot just focus on the account opening or the digital banking login. They must keep track of all forms of money movement, including card transactions and push payment transactions,” he said.
Attackers will get the victim to deposit money into a mule account. Their next challenge is then to ‘cash out’, by moving the money to another account where they can take it out, or making a purchase using a card or withdrawing the funds.
“So there is an array of transactional data that needs to be analysed across the board. If you focus on one channel only, the threat could easily be missed,” he said.
Banks will also have to better pick up and track “anomalous behaviour”.
For instance, banks must watch for situations where digital activity does not match historic behaviour, or where account movement is erratic.
“(Banks must) ask questions such as: Is this transaction consistent with historic data from this account? Why is the account holder paying so much money into a low-value account? Does the digital banking channel show signs of manipulation (such as being on a phone call while making the transaction)?
“Once we see something is strange, we can then determine how to respond. Can the transaction be delayed? Should we as the bank warn the client? And should we as the bank prevent the transaction?”
The final focus area is the destination account: banks should also look for suspicious or erratic behaviour on the account the funds are heading to, to pick up signs of manipulation.
“Insight such as whether the account was just opened right before receiving this push payment, or if the person accessing the account digitally tries to hide their location. Enhanced signalling can help identify red flags and other inconsistencies,” Oosthuizen said.
“Both the receiving and sending banks are being held equally liable, so looking at both accounts can help protect consumers.”
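As an added illustration (not code from the article or from Entersekt), the questions Oosthuizen lists can be expressed as a small risk-scoring routine over a constructed payment record, combining sending-side history with the destination-account signals he describes and mapping the result onto the graded responses of warn, delay or prevent. Every field name, threshold and sample value here is an assumption for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed, simplified view of one push payment as the sending bank sees it,
# with the destination-account signals a receiving bank might share.
@dataclass
class Payment:
    amount: float                  # amount of this push payment
    payer_history: list            # payer's recent outgoing amounts (constructed)
    payee_balance_avg: float       # typical balance on the destination account
    payee_account_age_days: int    # days since the destination account was opened
    payer_on_call: bool            # channel flag: voice call active during the session
    payee_location_hidden: bool    # destination-side login tries to hide its location


def risk_signals(p: Payment) -> list:
    """Return the red flags raised for this payment. Thresholds are illustrative assumptions."""
    signals = []
    # Is this transaction consistent with historic data from this account?
    if len(p.payer_history) >= 3:
        mu, sigma = mean(p.payer_history), pstdev(p.payer_history)
        if p.amount > mu + 3 * max(sigma, 1.0):
            signals.append("amount_inconsistent_with_history")
    # Why is the account holder paying so much money into a low-value account?
    if p.amount > 10 * max(p.payee_balance_avg, 1.0):
        signals.append("large_payment_into_low_value_account")
    # Was the destination account opened right before receiving this payment?
    if p.payee_account_age_days < 7:
        signals.append("payee_account_recently_opened")
    # Does the digital banking channel show signs of manipulation?
    if p.payer_on_call:
        signals.append("payer_on_call_during_transaction")
    if p.payee_location_hidden:
        signals.append("payee_hides_location")
    return signals


def decide(signals: list) -> str:
    """Graded response: allow, warn the client, delay the payment, or prevent it."""
    return ["allow", "warn", "delay", "block"][min(len(signals), 3)]


if __name__ == "__main__":
    # Constructed samples: a coached victim paying a fresh mule account while on a call,
    # next to a routine payment that matches the same payer's history.
    suspicious = Payment(25000.0, [150.0, 220.0, 180.0, 300.0], 50.0, 2, True, False)
    routine = Payment(200.0, [150.0, 220.0, 180.0, 300.0], 5000.0, 900, False, False)
    for p in (suspicious, routine):
        flags = risk_signals(p)
        print(decide(flags), flags)
```

A production system would replace the fixed thresholds with per-customer baselines and would weight signals rather than count them; the structure (sender history, destination account, channel state, graded response) is the point.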
Oosthuizen said the challenge for banks is that this needs to happen seamlessly in the background without creating unnecessary “transactional friction” that impacts customers.