Advisers: the cybercrime onslaught is just beginning

02 November 2023 | Fraud/Crime | General | Gareth Stokes

The near three-times surge in cybercrime activity post-pandemic demands that all businesses and individuals pay close attention to the personal information in their possession, whether it is their own or belongs to a data subject as defined by South Africa’s Protection of Personal Information Act (POPIA). A chilling presentation to the 2023 Fiduciary Institute of South Africa (FISA) Annual Conference revealed that criminals and criminal syndicates will stop at nothing to obtain personal data, and use the data so gained to commit fraud.

Deceased estate fraud on the rise

Steven Powell, a director at ENS Africa, offered countless examples of the techniques used by 21st Century fraudsters and cybercriminals. His presentation, titled ‘Abuse of personal information: managing on-line fraud and data breach risks’ kicked off with a warning to executors of deceased estates and his FISA peers that deceased estate fraud was rife domestically. 

“The threat is very real,” he said, citing ongoing investigations into rising incidences of documents being leaked from Offices of the Master countrywide. Powell noted that organised crime systems were targeting estate ‘lanes’ by changing letters of executorship; creating new bank accounts for compromised estates; and then doing their best to redeem funds out of those estates. 

Meanwhile, an article in The Citizen in March 2023 revealed that South Africa loses around R2.2 billion per year to cybercrime, and that the country has the third highest number of cybercrime victims worldwide. “The cyber threat landscape is vast, and no business is immune,” Powell said. And individuals are under fire too. 

Per the presentation, there are at least 11 techniques that cybercriminals use to attack or compromise individuals’ personal information and / or commit fraud. Cybercriminals favour email for their online crimes with 73% of global respondents to the 2023 Mimecast State of Email Security Report noting an increase in email-based threats. 

The ‘terrible trio’ of global cybercrime

Phishing, ransomware and spoofing are recognised as the ‘terrible trio’ of global cybersecurity threats, with an estimated 225 million phishing attacks in 2022. Phishing involves an attempt to trick unsuspecting individuals into clicking on a malicious URL or email attachment, with the aim of subsequently obtaining login details to compromise a victim’s online accounts.

Financial services professionals were told to familiarise themselves with all 11 of the aforementioned methods… In addition to the ‘terrible trio’, you may also encounter 419 scams; advance fee fraud; identity theft; man-in-the-middle attacks; pharming; romance scams; smishing; social engineering; and vishing. Some of the cybercrime methodologies shared by Powell will give financial and investment advisers sleepless nights. A syndicate will, for example, infiltrate a client’s email inbox, and create authentic-looking email instructions to an asset manager or financial or risk advice practice to redeem the client’s investments to a fraudulent bank account.

“Nearly all State of Email Security respondents were aware of attempts to misappropriate their email domains, and close to half saw increases in this activity in 2022,” Powell said, before warning the audience of the dangers of social engineering. “You have to be very cautious about what you share, and who you agree to accept as a contact on LinkedIn or friend on Facebook; you could be speaking to a syndicate member,” he said. 

Spoofing on the rise

Identity theft, often called spoofing, is on the rise in South Africa too. This tactic centres on a fraudster obtaining your personal information by convincing you that they are a customer service representative of your bank or other third-party account. 

Their goal is to get enough information to transact in your name by claiming a tax refund; incurring credit; or redeeming an investment, always into a false bank account. Be warned: “a lot of this type of fraud is done with collusion by internal employees,” Powell said. It is also, apparently, common for criminal syndicates to identify business targets, attempt to register false directors at the Companies and Intellectual Property Commission (CIPC), and if successful, to use those details to open bank accounts for the sole purpose of committing fraud. 

The compromise or theft of personal data is problematic because POPIA stipulates a range of obligations on firms to protect the personal information of data subjects. Powell explained that the Act requires you to notify the data subject and report to the information regulator “the moment you have reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person”. The information regulator will demand details of what took place and how you went about remediating the incident. “The losses that flow from a data breach are direct fraud costs [as well as] potential regulatory penalties and the cost of remedial work that needs to be done,” he said. 

Most if not all identity theft related fraud depends on the victim paying money into an incorrect bank account. “For this reason, the [most important] preventative measure is to make sure that you do the validation and verification with the bank of the owner of the account you are remitting to … if you complete that check, you often find that the name attached to the bank account that you have been given is not consistent with the bank’s records of the accountholder,” Powell said.

Lock up that personal data, securely

The audience was encouraged to make data hard to access by ensuring that online accounts had strong passwords; by resisting responding to questionable emails; and by exercising caution when going online over public Wi-Fi. Powell urged firms to complete a cybercrime risk assessment to identify and address potential vulnerabilities. It helps to build a human firewall too, by making all employees aware of cyber threats: you are only as strong as the weakest link in your team.

Corporate and individual identity theft and digital fraud are massive risks, and it is crucial that all firms protect the personal data they may hold. “Make sure that you have secure sites to store sensitive information,” Powell concluded. “You must perform a cybercrime risk assessment and make sure you have a response plan and team in place, and ensure that your staff receive appropriate training”. His final word: prevention is the best alternative; but in the event you do suffer a data breach or similar, a swift response is non-negotiable. 

Writer’s thoughts:

You need only spend a few minutes scanning the internet to realise the extent of global cybercrime: not a day goes by without some or other mega-corporation getting hacked or held for ransom. Do you have insurance in place to assist your practice in the event of a cybercrime event? Please comment below, interact with us on Twitter at @fanews_online or email us your thoughts at editor@fanews.co.za.

Comments

Added by Ingrid Denzin, 03 Nov 2023
LinkedIn is hacked. I was directed from LinkedIn to an old gmail address and told to submit a copy of my identity document! The brazenness of it.