Central Bank identifies cybercrime’s growing threats to SA’s banking sector

  • The South African Reserve Bank has identified cybercrime and emerging technologies as growing threats to South Africa’s banking sector
  • Phishing remains one of the most prevalent scam techniques
  • President Cyril Ramaphosa signed the Cybercrimes and Cybersecurity Act in 2021. This law mandates electronic communication service providers and financial institutions to act when their systems suffer a cybersecurity attack or breach

The last two decades have witnessed increased technology adoption in Africa. According to Forbes, there are more than 600 million total internet users in Africa.

Analysis by the IFC and Google finds that Africa’s internet economy has the potential to reach US$180bn by 2025, accounting for 5.2 per cent of the continent’s GDP. By 2050, the projected potential contribution could reach US$712bn, 8.5 per cent of the continent’s GDP.

But the rise of the internet also has a dark side, with the growing risk of private citizens, businesses, and governments falling victim to cybercrime.

The South African Reserve Bank (SARB) has identified cybercrime and emerging technologies as growing threats to South Africa’s banking sector. In its report, the reserve bank said threats including internet and mobile banking platforms, may be exploited to facilitate money-laundering and fund terrorism.

South Africa is ranked among the top ten countries in the world in terms of cybercrime.

The country is also ranked seventh out of sixteen countries polled for the highest cost of a cyber breach.

The report notes over 90 per cent of the banking sector offers online banking services, and mobile application banking, except for one mutual bank.

“Although online banking offers faster transactions and more convenient options for banking, these features are also attractive to criminals. Online features can hide the true identity of clients (which in-branch visits would have detected), and these features can also hide the true destination and beneficiaries of funds,” says the SARB report.

Southern African Fraud Prevention Service (SAFPS) CEO, Manie van Schalkwyk says consumers must try by all means to make sure that their data is always secured.

According to SABC News, Phishing remains one of the most prevalent scam techniques. The South African Banking Risk Information Centre (Sabric) estimates that SA businesses suffer a total of about R250 million in losses each year due to phishing attacks and internet fraud.

However, according to an article by African Business published on August 8, 2022, Kaspersky, a Russian firm that provides anti-virus software, in their analysis revealed that attacks related to data loss threats including phishing, scams, and social engineering increased significantly in Africa in Q2 2022 in comparison with the previous quarter.

The company detected 10,722,886 phishing attacks in Africa in Q2. Kenyan users were influenced the most by this type of threat: there were 5,098,534 phishing attacks detected in 3 months – a growth of 438 per cent when compared with the previous quarter. Kenya was followed by South Africa (4,578,216 detections and a growth of 144 per cent) and Nigeria (1,046,136 detections and a growth of 174 per cent).

Spam constituted almost 30 per cent of email traffic in South Africa in H1 2021. The number of phishing attacks recorded in South Africa for the first half of 2021 exceeded one million at 1,031,006. (Photo/ Business Tech)

The Guardian in an article published August 3, 2022, reported Kaspersky saying social engineering, “human hacking” scams, are used in many ways, and for different purposes, to lure unwary users to the site and trick them into entering personal information. It stressed that the latter often includes financial credentials such as bank account passwords or payment card details, or login details for social media accounts.

According to the security firm, phishing is a strong attack method because it is done on a large scale. It stressed that by sending massive waves of emails under the name of legitimate institutions or promoting fake pages, malicious users increase their chances of success in their hunt for innocent people’s credentials.

The article explained that phishers deploy a variety of tricks to bypass email blocking and lure as many users as possible to their fraudulent sites, adding that a common technique is HTML attachments with partially or fully obfuscated code. It stressed that HTML files allow attackers to use scripts, and obfuscate malicious content to make it harder to detect and send phishing pages as attachments instead of links.

According to a recent Interpol report, about 90 per cent of African businesses are operating without the necessary cybersecurity protocols and, therefore, are exposed to cyberattacks. The report also noted that there were more than 700 million threat detections in Africa within one year.

Read: Cybercrime Levels in Africa: A Cause for Concern

Over the years, there have been efforts from different African countries to address the cybersecurity challenge.

According to an article by Forbes published on August 2, 2022, in South Africa, President Cyril Ramaphosa signed the Cybercrimes and Cybersecurity Act in 2021. This law mandates electronic communication service providers and financial institutions to act when their systems suffer a cybersecurity attack or breach. South Africa had previously signed the Protection of Personal Information Act No. 4 of 2013 Act into law.

At the continental level, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection, also known as the Malabo Convention, in 2014. This was followed by the release of the Personal Data Protection Guidelines for Africa, a collaborative measure between the Internet Society and the AU, in 2018. According to the United Nations Conference on Trade and Development (UNCTAD), out of the 54 countries in Africa, only 33 (61 per cent) have a data protection law in place.

Read: Kenya ranked third best in Africa in fight cybercrime

Meanwhile, Business Tech in an article dated July 8, 2022, said the Department of Police gazetted its draft search and seizure rules for cybercrimes committed in South Africa.

The Gazette, which is currently open for public comment, falls under the Cybercrimes Act which was partly introduced by President Cyril Ramaphosa at the end of 2021.

“The Cybercrimes Act provides a new legal mechanism for addressing cybercrime in South Africa, as well as creating a range of new cybercrime offences,” the department said.

“It also provides for mechanisms to preserve electronic evidence in the cyber domain, to conduct the search, access, and seizure operations in respect of an article as defined in the CCA, and the gathering of data connected to both cyber and other crimes that are committed by means of or facilitated through the use of an article.”

The draft rules also noted that an individual’s right to privacy, as well as other fundamental rights, must always be respected, and any infringement of these rights may only be justified in terms of the law.

“The right to a fair trial is paramount, and the responsibility of the investigation and prosecution team in terms of gathering, preserving, and presenting evidence to a court fairly and objectively, remain of utmost importance.”

Without serious cybersecurity efforts, opportunistic criminals around the world stand poised to reap the benefits of Africa’s internet growth story.

Read: Zambian regulator deactivates 2.1 million fraudulent SIM cards

Albert is a Chemical Technologist and Author. He is passionate about mining, stock market investing, Fintech and Edutech.

Leave A Reply