In February 2016, hackers targeted the central bank of Bangladesh and exploited vulnerabilities in SWIFT, the global financial system’s main electronic payment messaging system, trying to steal $1 billion. While most transactions were blocked, $101 million still disappeared. The heist was a wake-up call for the finance world that systemic cyber risks in the financial system had been severely underestimated.
Today, the assessment that a major cyberattack poses a threat to financial stability is axiomatic— not a question of if, but when. Yet the world’s governments and companies continue to struggle to contain the threat because it remains unclear who is responsible for protecting the system. Increasingly concerned, key voices are sounding the alarm.
Financial crime is increasingly being committed over cyberspace, and cybercriminals are using a combination of hacking and social engineering techniques which are bypassing current financial and corporate institution security. With this comes a new umbrella term to capture the evolving landscape which is financial cybercrime. It is a combination of financial crime, hacking, and social engineering committed over cyberspace for the sole purpose of illegal economic gain.
Identifying financial cybercrime-related activities is a hard problem, for example, a highly restrictive algorithm may block all suspicious activity obstructing genuine customer business. Navigating and identifying legitimate illicit transactions is not the only issue faced by financial institutions, there is a growing demand of transparency, fairness, and privacy from customers and regulators, which imposes unique constraints on the application of artificial intelligence methods to detect fraud-related activities.
Modus Operandi of Cybercriminals
While various names have been given to diverse types of frauds, the general modus operandi of a fraudster is any one of the following:
(a) convincing the victim to send money, either by impersonation (fake WhatsApp/FB/Insta, social media profiles) or by giving them a false promise of greater return (investment, crypto, held up custom package etc.)
(b) by taking credentials such as Unified Payments Interface ID (UPI), Personal Identification Number (PIN), One-Time Password (OTP) or Internet banking ID/password from the victim and then using the same on other apps/websites and transferring money without the knowledge of the victim. For this the customer will either be given a fake link which looks exactly like a UPI app screen/banking website or the victim will be conned into installing a screen sharing app. The scammers can also convince the victims over phone to give out those details. When these details are used on official banking apps this gives the fraudsters access to even the Fixed Deposits/Recurring Deposits which are also siphoned out in most cases.
(c) by taking card details and convincing the victim to share OTP. After a fraudster empties a victim’s bank account, the money undergoes a series of circulations in broadly three stages. The first stage is a temporary account into which the fraudsters transfer victims’ money. This account will be used to receive money from various other victims as well. From here, the money is then transferred into a second stage account. The second category of accounts are a group of accounts among which money is circulated. There are a lot of middlemen who are money circulators. Their task is only to receive money from first level bank accounts for a nominal cut. The victim’s money is then split into small parts and then circulated within these accounts, by a person who is sitting in a different corner of the country. After sufficient churning, the money is then transferred into a third stage account which is a sink account. This can be a bank account, an e-wallet etc. Here, the total defrauded amount from a group of victims is re-collected. The money is then withdrawn in a large chunk through conventional methods of either ATMs/cheques or e-wallet cash outlets such as an e-wallet payments bank.
Why Do Cybercriminals Target the Financial Sector?
Monetary gain is one of the biggest reasons the financial sector is often targeted, as is with most cyber attacks throughout all sectors. Because financial data is the core of the finance sector, any attack on the system can cripple any business and cause customers to lose trust in the company. Ransomware attackers also seek out companies that are most likely to pay ransoms to get their data back and seek out companies that have the most valuable data they can sell on the dark web or black market. The financial sector includes banks, insurance firms, mortgage lenders, investment organizations, and other financial institutions that use data to provide better client products and services. This data, however, is frequently sensitive or personal data, such as personally identifiable information (PII), attracting the attention of cybercriminals. Insurance companies, for example, typically collect and process large amounts of personal data to understand the needs of their clients and to provide customized products according to their lifestyles, demographics, risks, and other factors. A supply chain attack on the financial services sector can cause massive disruption since it forms a key part of the nation’s critical infrastructure. Other attacks, such as a distributed denial of service (DDoS) attack on a major banking sector organization, can cause severe disruption, impacting logistics, manufacturing, retail, and other daily services. Denying access to payment methods not only erodes public confidence, which can cause reputational damage, but it also affects private and government organizations by rendering them unable to operate normally.
How can frauds be prevented
As a first, just as how Google accounts do not allow logging in from a new device unless permission is granted by the former, financial institutions must be mandated to replicate this feature in their apps. As soon as a UPI ID, password or OTP is entered in a different device, an alert must be generated in a previous device with no further action being allowed until it is approved by the person. Secondly, the screen share facility must be disabled. Banking and financial apps must disable screen-sharing to run on top of them. And finally, in the bank statement, all banks/NBFCs/SEs must be mandated to provide comprehensible data. Currently only partly printed numbers are shown which even knowledgable customers are unable to understand. The transaction description must contain the receiver’s account/mobile or any other identifying number irrespective of it being within the same bank or to an outside bank.
The Road Ahead
The Bharatiya Nagarik Suraksha Sanhita 2023 which is set to replace the Indian Penal Code of 1861, recognises ‘organised crime’ as a “continuous unlawful activity”. Digital financial frauds are very much covered in this definition. Law enforcement agencies face a lot of difficulties in conducting interstate raids and arrests. It requires a large team and coordinated effort. Interstate digital financial fraud networks must be recognised as a serious crime and bail may be restricted by the Courts. Additionally, digital frauds create a considerable amount of black money when seen from a macro-economic perspective. In conclusion, cybercrime being a subset of crime in general can be dealt like conventional offences, albeit with a different set of tools. Instead of a specialised unit, if the fintech and telecom industries are mandated to take certain preventive steps in their technology and provide data in a manner which enables speedier investigation, the prevention, detection, recovery and conviction will be much more effective. Faster availability of data will make it easier to identify and convict pan-Indian gangs.
Dr.S.Krishnan is an Associate Professor in Seedling School of Law and Governance, Jaipur National University, Jaipur. Ms. Shobha Chauhan did her LLM from NIMS University, Jaipur.
