By Afifah Suhaimi
NOW is the best time for banking institutions and information technology (IT) businesses to work together to address vishing banking scams by strengthening bank’s current standard operating procedures (SOP) and cybersecurity measures.
In brief, a vishing banking scam is an attack that involves a call from someone who says they are from the victim’s bank or some other financial organisation.
In a world where consumers have infrequent physical contact with bank employees, “digital trust” has rapidly become an essential differentiator of customer service.
Basically, banks that deliver a smooth, safe and fast digital interface would positively affect their sales. In contrast, those that prefer the old way would potentially lose their business and value.
However, this technological revolution has made us (the consumer) more vulnerable to financial fraud and cyber threats, without us noticing it.
With Covid-19 turning the world upside down, fraudsters are leveraging on the uncertainty brought by the pandemic to carry out their dirty schemes.
Thus, it is crucial for banking institutions to strike the right balance between controlling and preventing fraud while keeping their role as one of the most critical components of trust in the modern economic world.
Recently, Malaysians were shocked by the Macau fraud case, better known as Macau Scam, where five individuals were arrested by the Malaysian Anti-Corruption Commission (MACC) on suspicion of being involved in the illegal activity and money laundering.
Since 40% of the victims were senior citizens and pensioners, it seems like they are susceptible to easily handing over the control of their finances due to cognitive disability, emotional fragility or merely a desperate need for a quick financial fix.
Or perhaps – just because they have money from their retirement savings or pensions, and more likely open to suggestions on how to handle these funds.
By looking at the victims’ losses, related agencies, especially banking institutions, need to step up their game in combating this crime. This offence is profound – not only it ruins the victims finances, it also puts them on emotional distress.
So, what can be done?
Firstly, related agencies need to provide reliable information which is easy to understand for the public, especially the senior generations, about potential threats and scams, including how to keep themselves safe.
Here is one scenario that looks simple and easy to avoid compared to other financial scams, yet perilous and becoming prevalent in Malaysia – what is known as the Transaction Authorisation Code (TAC) scam.
Shockingly, in 2018 alone, this scam has fleeced Malaysians of almost RM15 mil.
Usually, this scam works when the scammer gets a hold of the victim’s credit card details and attempts to perform a transaction using those stolen details.
To make the transaction successful, the scammer will call the victim and politely ask them to send the TAC number that the victim had received via SMS – claiming the respective businesses have sent the TAC number to the wrong phone number.
Technically, when the scammers obtain the TAC numbers, the transaction is considered “authorised” and successful.
Remember, while they may sound genuine, do not fall for it no matter what they may suggest, as TAC numbers cannot be sent incorrectly!
Talking about TAC numbers, has anyone heard about Secure2u?
Secure2u is a Maybank’s other payment authentication method which is believed to be more secure.
Technically, instead of sending the user a SMS to authorise transactions which could have been taken over (using SIM swap attacks) or stolen by mobile malware, the user will receive a six-digit TAC number or a Push Notification on the Maybank app.
In brief, this method allows the bank to implement additional protection on the communication, by leveraging end-to-end encryption.
Thus, it is vital for the other banking institutions to leverage on this technology too, by providing a software-based authenticator to their users – instead of relying on vulnerable channel such as SMS.
Secondly, as for law enforcement, the government is responsible for providing a well-trained response team with sufficient skills and knowledge to resolve crimes and ensure the perpetrators are brought to justice.
Perhaps, this response team must also be equipped with high-tech skills and utilising cutting-edge software – to deal with growing numbers of scamming.
As for banking institutions, transaction monitoring software should be implemented by integrating the systems with transaction screening tools.
This works by providing banks with the power to keep an eye on the recipient and sender of any financial transactions.
In brief, if the system catches a match (unusual/large amount of transaction) via the screening process, the software would raise an alarm to alert bank officers for further actions.
But worry not, with modern technology, the scanning process takes place within seconds, so the customer process is not delayed. Therefore, banking institutions can still maintain their image as an efficient service provider.
Another way is by deploying intelligent prevention strategies via Artificial Intelligence (AI) to predict fraud activities before the damage is done.
To foresee when risks will arise, banks need to redesign consumer and internal transactions and processes based on a constant evaluation of current cases of fraud, financial crime, and cyber-threats.
For instance, from the past historical data of Macau Scam, AI can analyse and learn how the scamming process was done, at what time, the potential victims, the contents of the call and so on.
Then, with the right system and predictive tools, any answered fraudulent call would be quickly analysed and if the call is deemed as fraud, the system would immediately shut down the conversation.
According to tech experts, this strategy could significantly prevent the scam from happening and boost both the bank and its customers’ security. – Oct 22, 2020
Afifah Suhaimi is research assistant at EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.
