Banks face escalating battle in fight against digital fraud
With the proliferation of digital frauds in consumer and corporate banking, innovative mechanisms beyond bolstering the security of digital banking are required to ameliorate the impact on consumers who have taken the necessary steps to ensure the safety of their digital environment and transactions. MAS' ‘fair loss-sharing’ framework appears to be one.
- The recent SMS phishing scam at OCBC Bank accentuates the need for banks to do more than just strengthen infrastructure security measures
- High adoption of real-time and instant payments will make it more difficult to prevent digital frauds in future
- MAS' new loss-sharing framework provides an innovative settlement mechanism, but it will be a challenge to determine the ‘extent and ownership of responsibility’.
The frequency and magnitude of digital fraud continue to increase as fraudsters become more sophisticated in their attacks. While financial institutions (FIs) have made efforts to minimise clients’ vulnerability by increasing communication through security advisories and alerts, as well as by deploying innovative fraud prevention methods such as two-factor authentication (2FA), one-time passwords (OTP) and the use of digital identity and biometric authentication, consumers are still losing funds from their accounts. In the past two months alone, about 790 customers of OCBC Bank lost $10.18 million (SGD 13.7 million) in a series of short message service (SMS) phishing scams. In the Philippines, in mid-December, around 700 customers of BDO Unibank reported unauthorised fund transfers from their accounts. Perpetrators using phishing emails were able to intercept OTPs to bypass the bank’s security infrastructure.
In the last two years, around 4,200 companies, organisations and government institutions fell victim to ransomware attacks according to an estimate by cloud-based cyber security firm, Abnormal. In the United Kingdom (UK), an average of $5.4 million was stolen every day during the first half of 2021. Total losses from push payment scams rose by 71% to reach $480.6 million in 2021 alone.
Digital frauds are not just restricted to consumer payments. Corporate payments are just as vulnerable because large amounts of money are moved between systems, departments and banks. Wire frauds may be perpetrated within or outside of organisations. About one out of every three incidents of fraud is committed by insiders. As businesses digitalise more of their transactions, the movement from the physical to the online world has created an environment conducive to fraud.
The $81 million siphoned from the Bangladesh Central Bank in 2016, when software tied to the SWIFT interbank messaging system was compromised, is a notable example of corporate governance failure.
The speed at which payments are made also makes it more difficult for banks to detect and prevent fraud. Back when it took between six and seven days for payments to reach beneficiaries, banks had ample time to return funds if a transaction was found to be unauthorised. Today, instant payments allow transactions to be settled within a matter of seconds, leaving banks with a limited window to detect and prevent fraud.
That said, most banks and FIs still struggle to ensure the safety of customers’ assets, data, and transactions despite more sophisticated security controls and intensified fraud mitigation efforts. The fraudsters’ strategy can be compared to a game of whack-a-mole: one fraud area is addressed, but perpetrators find a new or different point of vulnerability. Technologies such as artificial intelligence (AI) and machine learning (ML) certainly help to detect suspicious activities and transactions in real time, but they are far from totally eliminating them.
It therefore requires a collaborative effort from banks and regulators to strengthen the security of digital banking. In addition to the implementation of robust measures to prevent and detect scams, frameworks that determine the appropriate sharing of losses between customers and banks are needed. The Monetary Authority of Singapore (MAS) has been working on one that aims to provide a fair sharing of losses from scams between consumers and FIs. Under the framework set to be finalised for public consultation in the next three months, “the proportion of losses each party bears will depend on whether and how the party has fallen short of its responsibilities.” Only time and the severity of the next payment fraud will tell how this resolution will pan out.
Keywords: Cybersecurity, Risk And Regulation, Digital Fraud, Cloud, AI, Machine Learning, Data, Security
Institution: OCBC, SWIFT, Bangladesh Central Bank, Monetary Authority Of Singapore