Browsing his e-mails, Hussam finds a message supposedly from his bank advising him that his account has been blocked and requiring him to provide his online banking credentials urgently to rectify the issue. Maria gets a congratulatory SMS telling her that she has won a lottery and asking her to call a number with her bank account details to receive the funds.
Suresh gets a call from somebody impersonating his telecom provider indicating that his account is being upgraded and requesting his personal details to verify his identity.
Hussam, Maria and Suresh are all potential victims of phishing, smishing or vishing fraud attempts, a form of cybercrime that is growing globally, driven by rapid digitisation, rising affluence and as-yet low customer awareness.
Broadly referred to as social engineering based cyber-attacks, scams such as these manipulate human weaknesses to get victims to reveal confidential personal identity information.
The details typically sought are account or card details, email credentials, answers to common security questions such as date of birth or mother’s maiden name, one-time passwords sent by banks and other valuable personal information.
Fraudsters use fake websites that resemble those of well-known organisations, spoof telephone numbers to impersonate somebody and attempt to install malware on computers and mobile phones to steal identity-related information. In most cases, no bank systems are compromised. However, the cyber-attacker gains access to legitimate customer credentials, which are used to tap into accounts and steal funds.
Unfortunately, there is a rising number of such attacks in the UAE.
A growing menace
Phishing and social engineering are part of a wider range of cybercrimes that are together expected to put at risk, over the next five years, about $5 trillion (Dh18.3 trillion) of value globally, second only to drug trafficking, according to a study conducted by Accenture and Ponemon Institute. Technology, healthcare, automotive and banking are the sectors that are most impacted.
While malware continues to be the leading cause, people-based social engineering attacks are increasing the fastest, with an estimated 150 million phishing emails being sent daily. Ransomware such as WannaCry and NotPetya is often spread through phishing emails that contain malicious attachments, and the affected user has to pay a ransom, typically in cryptocurrencies, to deactivate the virus.
Other commonly used forms of cyber-attack include infiltrating systems to obtain illegal access to customer data, automated botnets that enable a hacker to take control of a computer, and malicious or fake mobile apps. The availability of hacking toolkits for as little as a few hundred dollars on the “dark web” is making the spread of cybercrime difficult to control.
Collaborating to combat
Organisations, industry associations, regulators, law enforcement agencies, academia and the government have been coming together to jointly combat cybercrime. The Centre for Cybersecurity was established by the World Economic Forum in 2018 comprising banks, insurers and technology companies along with public partners to enhance cyber-security.
The Canadian Banks Association collaborates with police and security services to raise public awareness about internet safety. The Financial Sector Cyber Collaboration Centre was set up last year in the UK by a number of banks, insurers and security exchanges working closely with the national cyber security crime centre and the central bank to prevent cyber frauds.
In the UAE, Emirates NBD recently joined hands with Dubai Police to launch the #secureyouraccount campaign aimed at raising public awareness and education on cyber security, centred on a video designed to engage customers in a fun manner. The bank is also collaborating with peers, telecom companies and other industry stakeholders in implementing various initiatives to thwart cyber-fraud.
Improved identity and access management protocols, biometric technologies, fraud analytics to identify unusual account behaviour and two-factor authentication requirements are initiatives that banks are putting in place to enhance cyber-security.
Self-help is the best help
Even so, every individual needs to strengthen their awareness of this growing threat and take a number of simple, but effective, steps to minimise the chances of fraud. Using strong passwords and changing them regularly, keeping personal and private information away from social media, never sharing bank account or card details with a third party, keeping computer and mobile phone software always updated and not using public Wi-Fi to share confidential data are some of the precautions that can help protect oneself.
We need to remain vigilant and alert against social engineering attacks: checking carefully to ensure that website addresses are correct, not being tricked by spoof phone calls and staying clear of lottery offers or similar scams that seem too good to be true.
The rapid growth of digitisation continues to scale up the possibilities of cybercrime. There are an estimated four billion internet users today, a number that is expected to double in the next 10 years, and over 1.5 billion websites currently. Cloud computing is expected to eradicate most physical data centres in the near future, with most data stored and accessed remotely.
The Internet of Things (IoT) universe is estimated to reach a staggering 200 billion devices and the number of passwords in use is expected to reach 300 billion globally in the next few years. With rising smartphone penetration, over 60 per cent of online fraud is accomplished through mobile platforms.
Technologies such as AI and machine learning are also being put to use by fraudsters, all of which increase cybercrime-related risks. Cybercrime exploits the weakest links in the chain and a joint effort by businesses, government, law enforcement bodies as well as the general public is needed to build a strong defence against this multi-headed hydra.
Suvo Sarkar is Senior Executive Vice-President and Group Head — Retail Banking & Wealth Management at Emirates NBD.