In early February 2021, a Korean company was approached by what appeared to be one of their trading partners requesting payment of a series of invoices. The bank details on the invoices, however, had been fraudulently changed. The company eventually transferred nearly US$7 million to the fraudster, money that was swiftly routed to bank accounts in Indonesia and Hong Kong, China.
At the Fraud and Financial Crime Asia 2021 conference, Carmen Chu, executive director (enforcement and AML) with the Hong Kong Monetary Authority, noted that the scale at which the online economy was developing has been matched only by the increasingly sophisticated attempts of criminal networks to exploit it.
“Both the scale and speed with which this has happened are breath-taking; fraudulent websites and spam emails targeting Government-led pandemic relief efforts, for example, often surfaced within hours of the initiatives being launched,” she added.
INTERPOL’s Operation HAECHI-I saw the mobilisation of more than 40 specialised law enforcement officers across the Asia Pacific region. The effort resulted in more than 1,000 individuals being arrested and the interception of nearly US$27 million in illicit funds, underlining the global threat of cyber-enabled financial crime.
For better or for worse, digital convergence has transformed the marketplace.
Gerard McDonnell, regional solution director, fraud & security at SAS, says digital fraud is not considered a single, distinctive crime but covers a range of illegal and illicit actions that are committed in cyberspace. Financial institutions are exposed to enormous reputational and financial threats.
“Over the years, not only has digital fraud in Asia become more rampant, but it has also become more sophisticated. Hackers are continually developing new strategies to find and attack systemic flaws. Malware, phishing, card not present, counterfeit card, and account takeover are some of the most common types of digital fraud,” he elaborated.
Rise of fraud unabated
Tim Dalgleish, senior director, global advisory with BioCatch, acknowledged that most of the fraud is perpetrated within the digital channels, with approximately two-thirds now being via mobile devices.
“There are several key factors that have influenced this, including the ease/speed of completing financial transactions online, the global pandemic accelerating digital adoption and companies’ fraud prevention controls not keeping pace with the rapid evolution of fraud attack vectors,” he added.
McDonnell says digital fraud is common and growing across the region, as indeed across the world.
He opined that the premature digitisation of businesses due to Covid-19 has left a lot of gaps in the security framework of said businesses. “Frauds in the Southeast Asia region are still dominated by debit and credit card and payment through ATM, POS and eCommerce,” observed McDonnell.
Catalysts for the rise in fraud cases
Forrester says digital finance has become the norm in recent years in Asia with the proliferation of new digital commerce and payment methods. Analyst Meng Liu observed that transaction fraud has become significantly more frequent and sophisticated.
“New types of user-authorised fraud, such as promotion fraud and telecom fraud, and the increasing correlation between fraud and money laundering require more sophisticated fraud management models and strategies that respond in real-time, detect fraud before a transaction and are driven by data insights,” he continued.
For his part, McDonnell opined that the pandemic has added huge impetus to this shift to online digital payments, with phenomenal growth statistics, but it has also provided hackers with the opportunity to commit even more fraudulent activity under the cover of the global crisis.
“Tactics include an array of phishing scams, stealing stimulus checks and unemployment benefits, or collecting payments for fake COVID-19 treatments,” he added.
Asked to cite other catalysts, Dalgleish suggested the rapid roll-out and adoption of digital services, the low barrier of entry for cyber-crime (e.g., fraud as a service), and delays in rolling out controls that are well suited to mitigating the new fraud threat paradigm.
To better manage the risks (and contain fraud cases) in 2022
McDonnell believes that regulators are asking financial institutions to enhance their defences to prevent, detect, and respond to fraud risks. He also believes that Risk Management in Technology (RMiT) policies must be enhanced to help financial institutions combat the rise in cybercrime. Automated fraud detection systems must also be deployed to monitor all financial transactions by leveraging heuristic behavioural analysis.
Dalgleish, for his part, suggested regulators think beyond controls that are solely focused on authentication and payment monitoring. Many of the fraud vectors easily defeat authentication controls such as SMS OTP using techniques like mobile malware, social engineering, and even tools such as OTP-stealing bot rental services.
“From a financial services perspective, we would suggest further investment in raising the fraud management capability within their businesses. This is not solely buying new generation technology but also investing in smart people, who will be empowered to drive the fraud prevention function within a business,” he added.
Advice to financial institutions in 2022
Digital fraud needs an approach with a faster response to new threats, to reduce false positives and provide a better and more secure customer experience overall. McDonnell says that, using this approach, businesses would be making faster, better-informed risk-based decisions across the entire organisation.
“The flourishing of new payment methods has given attackers new channels to launch attacks and target vulnerabilities that we may not know to exist. Organisations need proactive and continuous protection. A centralised platform that leverages machine learning for real-time transaction monitoring and enables rapid decision making has become critical for fraud prevention,” McDonnell recommended.
For his part, Dalgleish suggested the starting point is baselining fraud risks, to have an accurate and comprehensive basis for making decisions. This would include benchmarking an organisation’s fraud control framework against peers, both domestic and international.
He argued that because fraud is a global challenge, there is an opportunity to learn about emerging threats and innovative management approaches from other markets. From a strategy perspective, he suggested investing in ‘above the line’ and ‘below the line’ fraud controls.
‘Below the line’ controls are data-centric and adaptable to the threat landscape. To protect your customers, you need to know them better than your adversary. If you are successful, then you have a sustainable competitive advantage.
Fraud prevention controls (e.g. SMS OTP) that are ‘above the line’ (i.e. customer-facing) in nature are useful for baseline capability but are both challenging to implement and almost impossible to adapt as the attack vectors evolve.
“Finally, we would recommend hiring the best fraud management people you can afford – the ROI they will provide your business will be impressive,” concluded Dalgleish.