“Cyber is not something you can separate from the core business. All of our businesses are digitally dependent now, and all of them deal with digital threats.”
David Ferbrache, Technical Director for cybersecurity at KPMG U.K. (2017)
This week we continue to share lessons learnt from the Bank of Ghana Fraud Report of 2019 and 2020. We shall concentrate on correspondent banking and e-money frauds today. Once again, here are some extracts from the report:
Correspondent Banking Fraud
“The significant increment in reported values is as a result of increased 49% – 51% Staff Involvement-Jan-Dec 2019, and 56% – 44% Staff Involvement- Jan – Dec 2020 values in attempted correspondent banking fraud. In some instances, single incidents reported values as high as €100,000,000. Even though attempted fraud values increased significantly, loss incurred through fraud reduced by 24.0%.”
“E-Money fraud recorded 14 cases in 2019 and 126 cases in 2020 showing a year-on-year increase of 800.0%. E-Money Fraud recorded a loss value of GH¢ 1.04 million for 2020, as compared to a loss value of GH¢ 0.37 million for the same period in 2019. Banks recorded the highest loss values for E-money Fraud. Banks lost GH¢604,755.65, representing 57.7% of total E-money related fraud recorded in 2020. Rural and community banks followed with a loss of GH¢ 398,883.59 representing 38.1% of total E-Money related losses reported in 2020.”
“Even though Savings and loans companies recorded negligible E-Money related losses, the sector recorded a 100.0% success rate of E-Money related fraud. This may be an indication of the absence of security systems in the sector to forestall E-Money related losses.”
“Microfinance companies follow closely with 83.09% success rate in E-Money related fraud. This is followed by rural and community banks with success rate of 75.9% and 44.8% respectively. The data indicates that sectors with less stringent security measures record higher success rate of E-Money related fraud.”
Cause for concern
The above extracts from the 2020 report gave me much concern. The main reason is that while Bank of Ghana is doing its best to encourage the public especially small- scale entrepreneurs to go cash-lite and use the banking system in their foreign transactions, the fraudsters are also taking advantage of system and human lapses to negate these efforts.
Through correspondent banking relationships, banks can access financial services in different jurisdictions and provide cross-border payment services to their customers, supporting international trade and financial inclusion. E-money has also come to stay to reduce physical interaction, time and resources in financial transactions, while making payments for goods and services hassle-free.
Cybercrime is a major concern for banks around the world. Until recently, the focus of attacks has tended to be on banks’ customers through card and account detail compromises. But as criminals have become more sophisticated, they have raised their ambitions, and in a change of focus are now directly targeting banks themselves.
In light of these threats, what steps can financial institutions take to protect themselves from cyberattacks, detect suspicious activity more readily, and improve their chances of recovering quickly from any cybercrime attacks? As a layman on this subject, I intend to share more of the awareness and preventive parts, which can help reduce the impact on our banking systems as well as the customers’ businesses.
Sophisticated fraudsters are now mounting focused high-end attacks. Organized crime groups have begun directly targeting bank systems. Unlimited cash-out attacks, for example, have seen criminals compromise the networks of card-issuing banks, enabling them to modify withdrawal limits and clean out groups of ATMs in coordinated assaults.
In 2016 an attack on the Bank of Bangladesh, resulted in the loss of $81 million. This is of particular concern to correspondent banks. Can you imagine that while the attack itself took place in early February 2016, the ultimate beneficiary accounts in the Philippines had allegedly been opened a year earlier, which is likely to have been when the attackers began their initial reconnaissance.
Software on the bank’s interface server was modified, not only to enter fraudulent payment requests, but also to conceal this activity so that fraudulent transactions would not appear on daily logs. If this happens to a bank in Ghana, you can imagine the effect on our banking system?
Education and Awareness for both Staff and Customers
A word to the wise is enough. Bankers and customers alike are prone to cyber crime, and the effect on correspondent banking and e-fraud is massive. Fraudsters typically start with commoditized attacks, whereby organized crime groups send millions of emails containing phishing links to malware. Customers and staff should continue to be re-educated and reminded not to click on strange emails that can result in the system being compromised and the potential for money to be extorted by ransomware demands.
- Using the banks email for personal correspondence should always be a no, no.
- Banks “SME Clinics” to create awareness, should highlight the following:
- Education about the fact that compromising the customer’s environment, introducing malware using techniques such as phishing or email compromise scams.
- Capturing valid operator credentials, typically through access to password files or by putting keyloggers in place to capture password details, and thereby gaining an understanding of the payment environment and associated behaviours.
- Regular caution to both staff and customers not to share passwords. The temporary “convenience” in doing that can lead to a catastrophe for both businesses and banks.
- Knowledge of fraudulent credentials which can be used to attack the back office; for example, by sending fraudulent MT 103 payment messages.
- Fraudsters can hide transaction activity. For example, by removing payment information from local databases, and thereby delaying the discovery of the attack and increasingly the likelihood that funds will be settled.
- Customers should not sign blank forms for foreign currency transfers. Some unscrupulous Relationship Managers have been sanctioned for altering the amounts that their customers’ originally meant to transfer.
There are other actions financial institutions can take, to detect fraud more readily and respond more effectively to any threats. These include:
- Timely reconciliation of accounts, provide payment confirmation and have policies in place around payment amendments.
- Institutions should also know how to cancel payments rapidly, should the need arise.
- Require counterparts to send confirmation messages. While these messages are not currently mandatory, they provide additional transparency between counterparties.
- Review the MT 940/MT 950 statement messages that they receive in order to check that the amounts and balances recorded on their statements match their own records of transaction activity.
- Monitoring Transaction Data to detect any concealment of identity both to prevent fraud and to detect attacks that do take place.
- Activity monitoring: By obtaining an aggregated record of daily activity, banks can gain a clearer understanding of their payment activity and identify any significant changes in activity.
- Risk monitoring: By monitoring risk in their transaction environments, banks can counteract fraudsters’ efforts to hide their transaction activity, as well as identifying unusual single or aggregated transactions.
- Institutions should source and store such information separately to ensure that it cannot be compromised in an attack that disables or damages their own payment systems and records.
Response and Recovery
It is also important to have robust processes in place so that financial institutions can respond quickly and effectively if they detect a cyberattack. This may involve canceling fraudulent messages or taking steps to facilitate business continuity if transactions cannot be canceled.
Disaster Recovery/Business Continuity
As the final stage of defense, financial institutions need to have measures in place that enable them to respond appropriately to cyberattacks and restore usual business operations as quickly as possible. This requires a strong link between cybersecurity and business continuity/disaster recovery, as well as an understanding that cybersecurity is intrinsically connected to the core business.
They also need to have a plan in place stating how they will bring the business back online quickly and securely.
To conclude this session, let me quote from Tony Wicks, head of AML initiatives, SWIFT, London, UK. in an article in ACAMS TODAY, “Combating Cyber Fraud in Correspondent Banking”:
“As cybercriminals turn their attention deeper into the banking world, it is imperative that financial institutions take appropriate steps to secure their environments. There are a number of areas in which actions can be taken both to prevent attacks, as well as to increase the likelihood of an attack being detected in time. Last but not least, institutions need to have a clear business continuity plan in place covering the steps to take in the event of a successful attack”.
TO BE CONTINUED
ABOUT THE AUTHOR
Alberta Quarcoopome is a Fellow of the Institute of Bankers, and CEO of ALKAN Business Consult Ltd. She is the Author of Three books: “The 21st Century Bank Teller: A Strategic Partner” and “My Front Desk Experience: A Young Banker’s Story” and “The Modern Branch Manager’s Companion”. She uses her experience and practical case studies, training young bankers in operational risk management, sales, customer service, banking operations and fraud.