Ramp up security amid rise of financial fraud

Businesses must seriously consider implementing security measures at every checkpoint to prevent data leaks and financial fraud 


MALAYSIA is seeing a healthy rate of digitisation in almost all aspects of its people’s daily life following the Covid-19 outbreak. 

Today, despite having returned to normalcy in the endemic phase, Malaysians’ adoption of digitisation — especially in transactions — seems to be growing. 

However, on the downside, this has opened more opportunities for cybercriminals to explore even more sophisticated offences against unsuspecting online users. 

According to the Royal Malaysia Police’s (PDRM) Commercial Crime Investigation Department, a cumulative 51,631 cybercrime cases with a total of RM1.61 billion in losses were recorded from 2019 to 2021, while there was an increase of 12,092 cases with RM414.8 million in losses recorded until July 2022.

In September 2022, Bank Negara Malaysia (BNM) announced five measures that it urged financial institutions to take to further strengthen safeguards against financial scams. 

The first measure is to migrate away from SMS One-Time Passwords (OTP), followed by further tightening of fraud detection rules and triggers for blocking suspected scam transactions.

Thirdly, BNM encouraged financial institutions to observe a cooling-off period for the first-time enrolment of online banking services or secure devices. The remaining measures are restricting customers to one mobile or secure device for the authentication of online banking transactions, and requiring financial institutions to set up dedicated hotlines for customers to report financial scam incidents.

With online banking and e-commerce becoming more essential by the day, The Malaysian Reserve (TMR) reached out to several banks and cyber security experts to comment on the issue of financial fraud and how Malaysia could overcome it. 

Affin Bank Bhd said it is supportive of any additional security measures suggested by BNM to safeguard customers from financial scams. 

The bank previously undertook several key initiatives including high technology upgrades, advanced forward management systems, 24/7 customer service, as well as modernisation of security systems and fraud prevention technology. 

Similarly, AmBank Group said in an earlier statement that its online security features have been ramped up by migrating from SMS OTPs to a more secure authentication method, which will be available on AmBank online banking channels by June 2023.

AmBank Group CEO Datuk Sulaiman Mohd Tahir said AmBank had already restricted authentication of online banking transactions to only a single mobile device which has to be linked to an AmSecure token. 

“As part of the bank’s ongoing efforts to continuously enhance the security features, a cooling-off period will be introduced for first-time enrolment of AmOnline and any device change requests. During this period, customers will not be able to perform any financial transactions. This shall provide sufficient time for customers to verify and report any suspicious activities in their accounts. 

“We wish to advise our customers to activate the AmSecure token to facilitate all mobile banking activities,” he said in the statement. 

Commenting on the cyber security end, Sandeep Bhargava from Global Services and Solutions, Public Cloud Business Unit at Rackspace Technology believed that the sudden rise in financial fraud in Malaysia is the result of many organisations embracing digital transformation and the adoption of digital technologies. 

This includes multi-cloud and analytics to enable greater innovation for business operations in the face of competition from new digital entrants. 

“The rapid adoption of cloud-based online services during the pandemic makes it a lucrative target for cybercriminals. 

“Malicious actors are becoming more inventive in their attempts to deceive unsuspecting consumers or employees via email phishing and spoof campaigns that cleverly use social engineering tactics to impersonate legitimate users,” he told TMR. 

In addition, he said that businesses must seriously consider implementing security measures at every checkpoint to prevent data leaks and financial fraud, which he believed is exacerbated by a lack of cyber security talent, hence undermining Malaysian organisations’ security posture. 

According to Rackspace Technology’s Managing IT in Challenging Economic Times survey, 54% of technology leaders confirmed that dealing with difficulties in hiring and retaining IT talent remains a major challenge. 

Therefore, Sandeep believed that businesses require a partner who can combine threat intelligence, security analytics, alerts and response services into a solution that can be easily deployed and managed across multiple cloud environments. 

“As a result of adopting cloud technologies during the pandemic, organisations must prioritise cloud security, which entails continuously monitoring a cloud environment to detect security vulnerabilities and threats around the clock, particularly if they are operating in hybrid or multi-cloud environments,” he said. 

He also noted that humans are frequently the weakest link in financial fraud activities, causing victims to fall prey to malicious actors. 

“The authorities have been issuing advisories which include not clicking dubious Uniform Resource Locator (URL) links provided in unsolicited text messages. 

“Consumers should always verify the authenticity of claims of problems with their bank account with official sources and never disclose personal or Internet banking details and OTPs to anyone,” he added. 

On the proactive measures that banks should take or have in place to protect customers from scam threats, Sandeep agreed with the implementation of BNM’s five key pillars to combat financial scams and fraud. 

From a cyber security perspective, he also highlighted several proactive steps that banks can take to strengthen their security posture. 

“Banks can implement ‘Know Your Customer’ (KYC) initiatives to ensure that phishing frauds, fraudulent account access and money laundering activities are identified and remedied as soon as possible. 

“Banks are advised to have a Zero Trust framework that is constantly evolving to protect an organisation’s sensitive data through constantly verifying systems and applications within an IT environment by assuming breach,” he said. 

Sandeep added that banks may also collaborate with third-party solution providers. “Many IT teams struggle with being stuck in an ongoing cycle of ‘reactive mode’, which limits the team’s ability to plan ahead of time. 

“With a variety of security services available on the market from such providers, organisations can monitor and manage the entire attack surface uniformly and effectively,” he said. 

Meanwhile, Palo Alto Networks revealed in its 2022 Unit 42 Incident Response Report that the heavy use of software vulnerabilities corresponds to the opportunistic behaviour of threat actors that comb the Internet for vulnerabilities and weak points on which to focus. 

According to the report, the top three initial access routes employed by threat actors were phishing, exploitation of known software vulnerabilities and brute-force credential attacks centred mostly on Remote Desktop Protocol (RDP). These attack vectors account for 77% of the probable root causes of incursions.

Over the past year, ransomware and business email compromise (BEC) were the most common event categories, accounting for over 70% of incident response cases. 

Palo Alto Networks senior VP and head of Unit 42 Wendi Whitmore said BEC is a type of wire fraud that includes social engineering techniques such as phishing. 

It provides hackers with a simple and low-cost technique to get clandestine access while avoiding detection. 

“In many BEC situations, fraudsters simply ask their unwary prey for their credentials and then steal them. 

“According to the research, the median dwell time for BEC attacks was 38 days and the average amount stolen was US$286,000 once they gained access,” she said. 

Similarly, in Malaysia, fraud continues to be the most common and rapidly expanding occurrence, followed by malware and intrusion, which accounted for 95% of cyber incidents in the first half of 2022 (1H22). 

Notably, malware incidents increased by more than 300% compared to 1H20 (3.56% in 1H20; 14.67% in 1H22).

The report also highlighted several statistics from incident response (IR) cases to assist Chief Information Security Officers (CISOs) and security teams in understanding the most significant security threats they face and where to prioritise resources to mitigate them. 

In half of all IR cases, organisations lacked multi-factor authentication on essential internet-facing systems, such as corporate webmail, virtual private network (VPN) solutions, or other remote access solutions; in 13% of cases, organisations had no mitigations in place to ensure account lock-out for brute-force credential attacks; and in 28% of cases, poor patch management processes contributed to threat actor success.

Furthermore, in 44% of cases, organisations did not have an endpoint detection and response (EDR) or extended detection and response (XDR) security solution to identify and respond to malicious activity, or it was not completely deployed on the first impacted systems. In addition, 75% of insider threat cases involved a former employee.

Separately, in its 2022 State of Cyber-security Report, Palo Alto Networks stated that 92% of Asean organisations think that cyber security is one of the top concerns for business leaders as a result of the disruptions caused by Covid-19. 

According to the report, among all industries surveyed, 45% of financial services and 42% of fintech perceive themselves to be the most vulnerable to cyber-attacks. Malware attacks were regarded as a major source of worry. 

Its Malaysia country manager Lim Suk Hua said, however, that these two industries are also the most confident in the cyber security procedures they have implemented to protect themselves from assaults.

“This confidence could be attributed to a greater emphasis on cyber security expressed by business leaders in financial services (79%) and fintech (76%), compared to the average of 74%. 

“Cyber security budgets have also climbed the most for financial services organisations (81%), followed by fintech (75%), compared to the 68% average,” Lim commented. 

Asean organisations estimated that cyber-attacks will damage people’s personal safety in 2022, with Malaysian organisations accelerating remote workforce (68%), expanding investment in mobile applications (58%), cloud adoption (52%) and 5G (39%). 

In Malaysia, the usage of Threat Detection and Change Correlation systems and cloud security are two critical steps that organisations must implement, followed by obtaining Internet of Things (IoT)/OT, identity and access management as well as Secure Access Service Edge (SASE) strategy. 

Concurrently, Lim highlighted several practices and recommendations for organisations to stay ahead of cyber security threats, including conducting a cyber security assessment to better understand, control and mitigate risks.

This includes adopting the Zero Trust framework and design architecture with an “assume-breach” mindset and selecting a good cyber security partner. 

BNM urged victims of cyber fraud to contact the National Scam Response Centre (NSRC) immediately at 997 for further action to be taken. 

The 997 line is an alternative for the public to the bank’s dedicated line, which would operate 24 hours daily, including public holidays.

The NSRC was announced last year during the presentation of Budget 2023 as one of the initiatives to deal with cyber fraud criminal cases effectively.

The NSRC is a local response centre which brings together resources and expertise from the National Financial Crime Prevention Centre (NFCC), PDRM, BNM and the Malaysian Communications and Multimedia Commission (MCMC).

  • This article first appeared in The Malaysian Reserve weekly print edition