While the pandemic might be behind us (mostly), it has left an epidemic of cyber fraud in its wake, the Fiduciary Institute of Southern Africa’s annual conference heard recently.

Speaking at the conference, Steven Powell, head of forensics at ENSafrica, says there has been a 300% increase in global cyber crime, with 75% of companies reporting an uptick in email-based threats.

“We’re currently seeing a high rate of what we call ‘man in the middle’ attacks, or business email compromise. Hackers are hacking into email accounts and intercepting communications. They then steal your cyber identity and send instructions to banks, asset managers and investment houses to redeem pensions and investments,” he says.

According to the Mimecast State of Email Security Report 2023, there were an estimated 255 million phishing attempts in 2022, a 61% jump from 2021. More than 70% of these emails were opened by the recipients.

Powell says cyber fraud is costing the South African economy an estimated R2-billion a year, which is why companies are spending millions on beefing up their cyber security.

The deepfake threat

The numerous apps that allow you to hold your phone to your face and see what you will look like in 40 years, or fuse your face with that of a friend or even your dog, may seem like harmless fun – until you hear about deepfake technology.

A deepfake is a video, visual or audio recording that has been distorted, manipulated or synthetically created using deep learning techniques to present an individual, or a hybrid of several people, saying or doing something that they did not say or do. 

These deepfakes are often used in digital injection attacks which are sophisticated, highly scalable and replicable cyber attacks that bypass the camera on a device or are injected into a data stream. 

Murray Collyer, chief operating officer of iiDENTIFii, says digital injection attacks present the highest threat to financial services, as the AI technology behind them is affordable, and the attacks are rapidly scalable. 

“A recent digital security report by our technology partner, iProov, illustrates how, in an indiscriminate attempt to bypass an organisation’s security systems, some 200 to 300 attacks were launched globally from the same location within a 24-hour period. 

“As more and more South Africans embrace digital banking, deepfake technology is a serious threat,” he warns.

As more South Africans set up digital accounts and do their banking online, financial crime and cyber crime have become more inextricably linked than ever before. Interpol states that financial and cyber crimes are the world’s leading crime threats and are projected to increase the most. 

Collyer adds, “Deepfake technology is one of the most rapidly growing threats within financial services, yet not all verification technologies are resilient to it. Password-based systems, for example, are highly susceptible to fraud. South Africa needs to strengthen their technology to outwit cyber criminals.” 

However, a growing percentage of face biometric technology incorporates some form of liveness checks – such as wink and blink – to verify and authenticate customers. 

Liveness detection uses biometric technology to determine whether the individual presenting is a real human being, not a presented artefact. This means this technology can detect a deepfake if it were to be played on a device and presented to the camera.

Types of cyber fraud

Powell listed the following types of cyber fraud:

Social engineering: Used by criminals to gain personal or confidential information from an unsuspecting victim. Examples would include the recent WhatsApp scams doing the rounds, where fraudsters send you a message that appears to be from a contact of yours, saying they accidentally sent you a six-digit PIN that they need and please can you forward it to them. The PIN then authorises them to access your WhatsApp account on their device, locking you out of your WhatsApp. This scam is less likely to occur if you have two-step verification activated on your WhatsApp account.

Identity theft: Where criminals obtain information about you and then use this information to convince a bank or a customer service representative that they’re you.

Spoofing: The criminal impersonates another individual or organisation, with the intent to gather personal or business information so that they can transact in your name.  

Phishing: Where criminals attempt to trick you into clicking on a malicious URL or email attachment to steal your login details which they can then use to gain unauthorised access to your financial accounts.

Vishing: When a fraudster phones you posing as a bank official or service provider and uses social engineering skills to manipulate you into disclosing confidential information.

Smishing: Short for SMS phishing, where criminals send an SMS often purporting to be from your bank requesting your personal or financial information such as your account or PIN. DM