Inside local banks’ cyber fraud woes

Cybersecurity experts have urged commercial banks to spare no effort in dealing with cyber threats after they collectively lost Shs5.9 billion to “outright fraud” in the last quarter of 2022 (October, November and December).

READ: How racket stole Shs6.5b from businessman’s Stanbic bank account

The experts believe that local banks are paying lip service to combating cyber fraud, with anecdotal evidence indicating that a vast bulk of money is lost to inside jobs.

“You need to consider the balance between what you are going to spend to safeguard your assets,” Mr Isheanesu Sithole, a cyber security expert with SBS Consultants, said at a cyber security meeting convened by the central bank this week, adding that “assets, which are accessible via the cyberspace, [that] are worth millions of dollars …can’t be [safeguarded by] spending $1,000 per year.”

SBS Consultants is a firm that provides specialist technology and cyber security services. It made a presentation at the cyber security meeting the central bank convened this week. Monitor was unable to establish whether commercial lenders on average spend $1,000 to set up cybercrime bulwarks.

Internal threats
The Bank of Uganda believes that while those bulwarks are important, some basic housekeeping can stand commercial lenders in good stead. 

Mr Tumubweine Twinemanzi, the executive director of supervision at the central bank, told journalists that “internal threats” that are besetting local banks are occasioned by “people” and “not necessarily the systems.”

“We are not badly off in terms of cyber threats from outside in, but we are doing badly on cyber threats from inside out,” Mr Twinemanzi said.

ALSO READ: Tropical Bank staff blame top managers over Shs1b fraud

Ms Sarah Arapta, the chairperson of Uganda Bankers’ Association, said commercial lenders can no longer continue to play the proverbial ostrich with its head in the sand. The Uganda Bankers’ Association (UBA) is an umbrella body of Uganda’s commercial banks.

“We need to come up with a framework supported by regulation,” she said, adding, “This framework will devise some of the penalties that will be instituted if employees are found to breach data privacy.”

Uganda relies on the colonial-era legal frameworks like the 1950 Penal Code Act and the 1950 Criminal Procedure Act to fight cybercrime. 

These are augmented by the 1996 Police Act. The standout legislation enacted in the digital era is the 2011 Computer Misuse Act that, among others, criminalises unlawful access, abuse or misuse of computers. 

ALSO READ: Court leaves clients on their own over bank account fraud

It also defines cybercrimes while also recommending related penalties and some procedural measures that law enforcement authorities can use in their fight against cybercrimes. Penalties for listed offences such as electronic fraud and unauthorised disclosure of access codes or information include a Shs4.8 million fine and 10 years of imprisonment. UBA has in the recent past been outspoken about the supervisory abilities of commercial lenders in the face of cyber threats. 

Speaking at another meeting that the central bank convened in February, Mr Wilbrod Humphreys Owor, the executive director of UBA, revealed the modus operandi of hackers. 

Mr Owor said hackers love to pounce on weekends or public holidays when the entities are fatally vulnerable to digital attacks.

“Electronic fraud is increasing by the day in terms of percentages. Most of the fraud [is carried out during] public holidays, and they take a lot of planning,” Mr Owor, who is also the chair of the technical committee on deposit protection at the Deposit Protection Fund, said, adding, “We must start working 24/7; not 8[am] to 5[pm], Monday to Friday.”

Growing problem
According to the annual police crime report, cases of corporate fraud, which include the “internal threats”,  dropped marginally to 82 in 2022. This was after the 100 cases mark was breached in 2021.

A recent report by Smile Identity on the State of Know-Your-Customer (KYC) in Africa (2022) shows that fraud rates rose to an all-time high of 28 percent in sub-Saharan Africa last year. 

One of the most common sophisticated attacks listed by the report involved fraudsters using fake identification documents. The report also indicates that the movement away to transacting from bricks and mortar to digital platforms accelerated by Covid-19 pandemic curbs festered cyber threats. 

Pre-pandemic, cyber fraud rates in sub-Saharan Africa stood at 17 percent.

Smile Identity is a leading provider of digital identity verification solutions for Africa. It generates the KYC report by using data from nearly 50 million so-called KYC checks from different industries.

“Fraud is complex. We should lobby and change laws so that the penalties are really stiff. When these fraudsters are caught, even if the judgment is against them, they pay a small fee,” Mr  Owor said back in February, adding that investigative processes from the police are not robust enough to reach a logical conclusion.

Security experts Monitor talked to say the retail payment system infrastructure within banks will continue to be susceptible to attacks tailored to enable fraudulent cash withdrawals. Sensitisation and public awareness will, one of them added, be key in reducing the mushrooming cases.

Survey
Fraudsters plying trade in East Africa have perfected the art of identity theft and loan stacking. 
A recent survey by TransUnion Africa, for instance, indicates that Kenyan banks annually lose $100 million. In Uganda, mobile money frauds have also grown in their frequency. 

A 2020 survey by PricewaterhouseCoopers Uganda listed customer fraud as the second most common economic crime in Uganda after bribery and corruption. The 52 Ugandan respondents surveyed reported a loss of Shs21.3 billion to unspecified economic crimes.