SA sees alarming rise in digital banking fraud

By Admire Moyo, ITWeb's news editor.
Johannesburg, 04 Oct 2023

Cyber criminals stole over R740 million from unsuspecting users through digital banking fraud in 2022.

This is according to the latest banking fraud statistics from the South African Banking Risk Information Centre (Sabric).

Sabric yesterday published its Annual Crime Stats 2022, revealing the year saw a surge in reported incidents of digital banking fraud, with an increase of 24% compared to the previous year.

It explains this was primarily attributed to the growing number of fraud cases related to banking applications and internet banking.

The stats come as most banks report significant increases in clients’ use of digital banking platforms.

For example, in its financial results for the year ending 30 June, FNB said its active digital customers increased by 5% to 11.49 million during the period.

Nedbank Money app active clients reached 2.2 million in H1 2023, up 23% year-on-year. During the first half of the year, Absa reported its digitally active customers increased 10% to 3.5 million.

Standard Bank’s digital transactional volumes increased by 15%, as the business focused on driving digital adoption across the portfolio. The bank’s South African franchise recorded 100 million mobile app logins on average per month in 2023.

Sabric notes cyber criminals took advantage of banking clients’ utilisation of these platforms to engage in unlawful actions, resulting in a substantial impact on the financial industry.

Alongside the rise in incidents, it adds, the financial losses associated with digital banking fraud saw a large increase.

Gross losses escalated from R440 million in 2021 to R740.8 million in 2022, reflecting a 68% rise in financial impact.

Manipulating mules

Social engineering techniques played a pivotal role in the perpetration of digital banking fraud throughout 2022, says Sabric.

“Cyber criminals relied on various methods, such as spear phishing, whaling, smishing [SMS phishing], business e-mail compromise, vishing, pretexting and angler phishing. These techniques were often employed individually or in combination, forming part of broader fraudulent schemes,” Sabric notes.

“Cyber criminals enlisted unsuspecting individuals to serve as intermediaries or ‘mules’ in their illicit activities. These individuals are typically enticed with promises of easy money or job opportunities, often through online advertisements or phishing schemes. Once recruited, the mules are instructed to open bank accounts under their own names.”

Describing the money-laundering techniques commonly used in digital banking crimes, Sabric says criminals conceal the illicit origins of funds using complex transactions and movements of funds through multiple accounts or financial institutions to obscure the money trail and make it difficult to trace the source of the money.

In some instances, cyber criminals use crypto-currency to launder money due to the perceived anonymity digital currency offers.

Fraudsters also utilise virtual assets, online platforms, or marketplace platforms to conduct money-laundering activities. Criminals may use these platforms to convert illicit funds into goods, services, or digital assets, making the money appear legitimate, Sabric notes.

App attacks

It adds that in 2022, reported incidents of fraud on banking apps saw a major rise of 36%, with the number of cases increasing from 12 254 in 2021 to 16 638.

Associated gross losses increased by 68% from R219 million to R363 million. This segment accounted for 46% of digital banking crimes, making it the most targeted area.

“Consequently, it also experienced the highest proportion of financial losses, at 49%. The surge in fraud and associated losses can be attributed to the growing number of banking application users. On average, the financial loss per incident rose from R17 647 in 2021 to R21 836 in 2022, reflecting a 24% increase,” the organisation says.

According to Sabric, fraudsters employed various social engineering tactics to obtain their victims’ private information, exploited vulnerabilities in the management of critical data and managed to source usernames and passwords saved on multiple devices or applications.

It explains that one prevalent method used by scammers was vishing, where they would call victims, posing as bank officials or service providers. Using social engineering skills, it adds, they manipulated victims into disclosing confidential information, which was then used for fraudulent activities.

An integral part of their modus operandi (MO) involved intercepting transactional verification tokens, such as one-time PINs, random verification numbers and transaction approval requests.

This was achieved through fraudsters manipulating victims into approving transactions or providing verification numbers during the call.

Incidents involving SIM swaps decreased significantly, from 4 508 cases in 2021 to 71 reported incidents in 2022.

Sabric also notes there has been a rise in incidents involving the kidnapping or hijacking of individuals with the purpose of gaining unauthorised access to their banking applications under duress.

“This criminal activity is a concerning development, as it involves threats or physical force to coerce victims into opening their banking applications and initiating money transfers. It is important to note, however, that no confirmed compromise of banking applications has been reported to date.”

Although online banking fraud accounted for only 26% of reported incidents of digital banking crime, it resulted in the second-highest proportion of gross losses, reaching 47%.

Between 2021 and 2022, there was a 9% increase in financial losses per incident. The average value per incident in 2021 was R33 760, while in 2022, it rose to R36 824, Sabric says.

Phishing and vishing continued to be preferred methods used by fraudsters to gain access to banking login details.

Mobile banking silver lining

Fraudulent incidents reported for the mobile banking channel saw a 9% decrease between 2021 and 2022. In 2021, there was a total of 11 040 reported incidents, which decreased to 10 077 in 2022, says Sabric.

It adds that mobile banking fraud accounts for 28% of reported digital banking crimes, making it the second largest segment.

However, it points out that mobile banking fraud has the lowest proportion of gross losses at only 4%, as a result of enhanced detection measures by banks to curb these losses.

“Fraudsters primarily employ smishing as their preferred method to acquire confidential information through mobile banking channels. These messages typically request that victims call a specified number or click on a provided link, which deceives them into revealing their confidential banking information.”

Like banking applications and online banking fraud, Sabric notes that perpetrating mobile banking fraud may also require a SIM swap through the victim’s mobile service provider.

In 87% (9 585) of the mobile banking fraud incidents reported in 2021, SIM swaps were a part of the MO. However, this percentage decreased to 76% (7 657) in 2022.