South African banks continue to battle social engineering, with over half of respondents in a recent industry survey citing APP fraud as their top concern.
Financial fraud stemming from social engineering scams remains a major worry for South African banks, with APP fraud and Vishing topping the list of threats that keep fraud professionals awake at night. As banking leaders explore new technologies to enhance security, long-term solutions also hinge on improved industry cooperation, a key focus of a recent industry forum hosted by Entersekt.
Concerning types of fraud
A survey of 29 banking fraud professionals from nine of South Africa’s leading banks, conducted during the event in Johannesburg, revealed that the most concerning types of fraud are APP fraud and vishing (52%), followed by phishing/SMS phishing (48%) and SIM swap fraud (35%).
Many banks are still grappling with fraud concentrated in transaction silos such as Card Not Present fraud. Over time, they have honed strategies to address and mitigate such fraud and now manage those fraud rates effectively.
Bank collaboration
Gerhard Oosthuizen, CTO of Entersekt, says: “There however is a universal concern around new threats such as APP fraud and social engineering, which is growing and constantly changing. Banks are realising that they have to collaborate and look across different transaction types and banks to detect and prevent these new fraud vectors.”
The recent forum hosted by Entersekt for banking fraud specialists, which included guest speakers from risk-based analysis specialist Featurespace, enabled a candid discussion and the exchange of fraud concerns among senior banking professionals.
Juspal Manic, President of Featurespace EMEA, says: “It was fantastic to witness the banking innovation being driven in South Africa and the collaborative efforts among financial institutions. South Africa continues to impress with its approach to payments, but it’s clear that finding ways to combat the rapid rise in APP threats will require particular focus and collaborative effort if banks hope to comply with the growing onus on them to protect their customers.”
How can technology overcome human impulses?
According to Oosthuizen, banks have constructed their authentication solutions primarily to verify if the person transacting is legitimate. However, modern fraud necessitates assessing whether it is prudent for that individual to carry out a specific transaction.
“The problem with this new form of social engineering is the payer manipulation – the victim plays an active role in the attack. How do banks stop a legitimate person from making socially engineered payments? Until recently banks have never had to deal with anything like this. As governments around the world take a restorative justice approach to banks with APP fraud, banking leaders are now forced to find ways to protect their account holders from making voluntary but ill-conceived payments from their own accounts,” says Oosthuizen.
Payment providers in both the US and UK are now required to reimburse customers who fall victim to APP fraud, and Oosthuizen suggests that local banks are seeking methods to mitigate the impact of this rapidly growing threat before encountering similar regulations.
The solution is multifaceted and requires collective insight
Oosthuizen notes that fraudsters don’t target one bank at a time; rather, they cast a wide net, seeking vulnerable customers wherever they may be. For this reason, Entersekt has recommended a three-pronged approach:
1. Embrace a wider data ecosystem
Firstly, fraud professionals need to keep an eye on cybercrime across banks in their region. While most banks already use risk-based authentication within their own organisations, they need to hook into a more extensive ecosystem or consortium to gain a wider perspective on fraud and spot patterns of attacks.
2. Monitor anomalies on the origination account
The second is to look across the full set of transactions. Oosthuizen warns that banks cannot focus only on account opening or the digital banking login. They must keep track of all forms of money movement, including card transactions and push payment transactions. Attackers will get the victim to deposit money into a mule account. Their next challenge is then to ‘cash out’: moving the money to another account where it can be taken out, making a purchase with a card, or withdrawing the funds. So there is an array of transactional data that needs to be analysed across the board; if you focus on one channel only, the threat can easily be missed.
Asking the right questions helps pick up anomalous behaviour. For instance, banks must watch for digital activity that does not match historic behaviour, or account movement that is erratic, and ask questions such as: Is this transaction consistent with historic data from this account? Why is the account holder paying so much money into a low-value account? Does the digital banking channel show signs of manipulation (such as the customer being on a phone call while making the transaction)? Once something strange is seen, the bank can then determine how to respond. Can the transaction be delayed? Should the bank warn the client? Should the bank prevent the transaction?
3. Check strange behaviour on the destination account
Thirdly, banks should also look at suspicious or erratic behaviour on the destination account to pick up signs of manipulation. Useful signals include whether the account was opened just before receiving the push payment, or whether the person accessing the account digitally tries to hide their location. Enhanced signalling can help identify red flags and other inconsistencies. Both the receiving and sending banks are being held equally liable, so looking at both accounts helps protect consumers.
Finally, all of this needs to happen seamlessly in the background without creating unnecessary transactional friction.
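The three checks above (origination-account anomalies, destination-account anomalies and consortium-shared intelligence) can be expressed as a small rule-based triage step that maps the signals to the three responses the text names: warn, delay or prevent. The following is an added example for illustration, not Entersekt’s or Featurespace’s code. The account fields, device signals (`payer_on_call`, `payee_hides_location`), the consortium mule list and every threshold are constructed assumptions; a production system would derive these from risk-based authentication models and a real consortium feed rather than fixed multipliers.

```python
"""Rule-based APP-fraud triage over constructed sample transfers.

Added example, not code from the article or the companies it quotes. All
signals, thresholds and sample data are assumptions chosen to illustrate the
three checks: origination-account anomalies, destination-account anomalies
and consortium-shared intelligence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class Account:
    account_id: str
    opened: datetime
    recent_outgoing: List[float]   # constructed history of outgoing amounts
    typical_balance: float         # constructed: what the account usually holds


@dataclass
class Transfer:
    payer: Account
    payee: Account
    amount: float
    timestamp: datetime
    payer_on_call: bool            # hypothetical device signal: call active while paying
    payee_hides_location: bool     # hypothetical: payee's digital session masks location


# Constructed consortium feed: accounts other member banks have reported as mules.
CONSORTIUM_REPORTED_MULES = {"MULE-0042"}

# Thresholds are assumptions for the example, not figures from the article.
HISTORY_MULTIPLIER = 5.0           # payment > 5x the payer's mean outgoing amount
NEW_ACCOUNT_WINDOW = timedelta(days=7)
LOW_VALUE_RATIO = 3.0              # payment > 3x the payee's typical balance


def origination_flags(t: Transfer) -> List[str]:
    """Check 2 in the text: does this payment fit the payer's own history and channel?"""
    flags = []
    if t.payer.recent_outgoing and t.amount > HISTORY_MULTIPLIER * mean(t.payer.recent_outgoing):
        flags.append("amount_inconsistent_with_payer_history")
    if t.payer_on_call:
        flags.append("payer_on_call_during_transaction")
    return flags


def destination_flags(t: Transfer) -> List[str]:
    """Checks 1 and 3 in the text: is the receiving account itself suspicious?"""
    flags = []
    if t.timestamp - t.payee.opened < NEW_ACCOUNT_WINDOW:
        flags.append("payee_account_newly_opened")
    if t.amount > LOW_VALUE_RATIO * t.payee.typical_balance:
        flags.append("large_payment_into_low_value_account")
    if t.payee_hides_location:
        flags.append("payee_masks_location")
    if t.payee.account_id in CONSORTIUM_REPORTED_MULES:
        flags.append("payee_reported_by_consortium")
    return flags


def triage(t: Transfer) -> Tuple[str, List[str]]:
    """Map the collected flags to one of: allow, warn, delay_and_warn, block."""
    flags = origination_flags(t) + destination_flags(t)
    if "payee_reported_by_consortium" in flags or len(flags) >= 4:
        action = "block"
    elif len(flags) >= 2:
        action = "delay_and_warn"
    elif flags:
        action = "warn"
    else:
        action = "allow"
    return action, flags


def run_samples() -> Dict[str, str]:
    """Run four constructed transfers and return the triage action for each."""
    now = datetime(2024, 6, 1, 10, 0)
    alice = Account("ALICE-01", datetime(2015, 3, 1), [300.0, 450.0, 250.0, 500.0], 20000.0)
    shop = Account("SHOP-77", datetime(2018, 9, 12), [1200.0, 900.0], 15000.0)
    fresh = Account("NEW-9001", now - timedelta(days=2), [], 50.0)
    mule = Account("MULE-0042", datetime(2023, 1, 5), [], 200.0)

    samples = {
        "routine_purchase": Transfer(alice, shop, 400.0, now, False, False),
        "coached_payment_to_new_account": Transfer(alice, fresh, 18000.0, now, True, True),
        "small_payment_to_known_mule": Transfer(alice, mule, 900.0, now, False, False),
        "large_payment_while_on_call": Transfer(alice, shop, 2500.0, now, True, False),
    }
    return {name: triage(t)[0] for name, t in samples.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

The consortium hit is treated as decisive on its own, which is the point of the first recommendation: a destination account that looks unremarkable from inside one bank (the R900 payment to `MULE-0042` raises only a single local flag) becomes a clear block once another member bank's report is visible.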
“Banks simply can’t fight APP or any kind of social engineering fraud alone. They must look beyond their own data ecosystems for a wider perspective – especially for early warning signals, as attackers are almost certainly attacking simultaneously across banking channels and targeting multiple banks at any given time. The answer lies in context aware authentication and the power of consortiums,” adds Oosthuizen.
Both Entersekt and Featurespace believe that an essential component of a comprehensive fraud defence is collaboration across the broader security and authentication ecosystem.
“We have already benefited from hooking into the NuDetect consortium and working with other global consortiums. We are also in the process of building our own consortium which we believe will make a significant difference to our, and our banking partners’, ability to get ahead of risk trends,” concludes Oosthuizen.