
Cyber security in banks — protecting email communications

Reuters file photo
The role of artificial intelligence (AI) in curbing money laundering and financial fraud in the banking and financial sector is giving rise to questions these days. Is there any guarantee that no fraud or money laundering activity will take place after AI is introduced in the financial industry? Long ago, when SWIFT was introduced to replace the traditional text-based telex system for remittances, it was expected that the risk of fraud associated with remitting money would be eliminated. Now it is evident that fraud in huge volumes has taken place using SWIFT, and Bangladesh is one of the worst victims.

Many argue that this is the technological era, so we will have to learn to live with technology. One technology will become obsolete and a new one will emerge to replace it, and we will have to learn to adopt it as early as possible.

Technology can only be helpful when its proper use with adequate security is ensured, which is a really challenging task.

EMAIL SCAM: No sooner had the stain caused by SWIFT fraud disappeared from people's minds than a new scam using email stirred the whole world. Email is regarded as the most effective and secure mode of official communication. All forms of business communication are now carried out through email. From approval of credit facilities to issuance of documentary credits, many important payment orders are passed through email. This mode of communication is quick, secure and well documented. A decision once passed through an email cannot be denied even if the email is deleted from the user's mailbox.

Although fraudulent activities and misappropriation of funds through email scams have been going on for a long time, they were not known to the common people. According to an international media outlet, global losses have so far exceeded US$ 12 billion from about 83,000 companies in 150 countries since 2013. The report further reveals that many Hong Kong and Chinese banks have been identified as primary receivers of this fraud money.

HOW EMAIL SCAM HAPPENS: An employee of an office receives an email from his/her senior management, an executive or any other higher-level official with special authority or delegation, advising him/her to execute or pass an urgent order to remit money to some place or account. This type of email is specially designed so that it looks like a genuine email received from the relevant authority. The email may categorically mention that the said person has been specially selected for a delicate assignment that demands strict confidentiality and urgency. The objective of this email scam is to obtain financial benefit. This does not happen suddenly; such orders or advices are not placed before the receiver in the first email.

Those who are engaged in such fraudulent activities are very smart, with advanced technological skills. They target one particular company or financial institution and hack its business email accounts. They closely monitor the email communications of employees at different levels and try to find out the pattern. At the same time, they try to understand what type of delegation or orders are usually passed. Based on their analysis and observations, they target some officers and executives in responsible positions. Then they start sending emails impersonating the target's boss or a higher-level executive; initially they pass very insignificant and ordinary requests, and then they go for financial delegations.

How does it happen? Imagine a situation in which the email account of a chief financial officer (CFO) is hacked. The hackers start sending messages to overseas banks where the institution holds a Nostro account (an account with a foreign bank). Initially, they send very simple requests, such as delaying one payment for a few hours, restricting a payment and then withdrawing the restriction, or saying thanks for good service. Then one day they send an email requesting that money be sent to a particular account. Once the money is transferred, it is quickly moved on to various accounts from which it disappears.

INSTANCES OF EMAIL SCAM: Internationally reputed car makers Ferrari NV and Arrow Electronics have been among the worst victims, losing millions of dollars through email scams.

In 2017, Ferrari's North American unit lost US$ 6.7 million because of email fraud. Soon after the fraud was detected, the company sued in a Hong Kong court to recover the lost money. Last July, the court issued an order asking one import-export company, one of several recipients of the lost money, to return the US$ 3.30 million that the company had received through the email scam. The company had never had any dealings with the car maker. Ferrari's lawyers have so far been able to recover US$ 2.20 million of Ferrari's funds.

Another company, Arrow Electronics, lost US$ 23.40 million through an email scam when an employee at a subsidiary in Norway received and acted upon an email instruction in which the sender, impersonating the CEO of Arrow Electronics, advised transferring the amount in nine instalments over five days in 2016. The company detected the fraud four days later and immediately ordered its Norwegian bank to recall the money. The bank was able to get US$ 5.97 million back. The remaining US$ 17.4 million had already been transferred to six HSBC Bank accounts in Hong Kong, from where the recipient account holders transferred the money elsewhere.

OUR BANKING NEEDS ENHANCED SECURITY: In our country, the banking industry has also adopted email as its mode of official communication. It is not the only mode of communication, as some traditional paper communication is still in use. Yet banks and other corporate organisations are using email as their main mode of communication. This is a good sign, but its security needs to be tightened. Without proper security in place, email communication cannot be made safe and authentic, and the institution may be exposed to the risk of fraud.

Moreover, a clear understanding of, and strict compliance with, a code of conduct for email communication is another important aspect of securing a bank's email communications. This writer is not sure whether every bank in Bangladesh has developed an appropriate code of conduct for e-communication and made it mandatory for each employee to comply with it while communicating through the bank's official email.

Our country has already been the victim of e-fraud and has lost millions of dollars. So there must not be any loophole in the communication mechanism. Since many companies across the world have already suffered from email scams, banks in Bangladesh, and even the government offices and corporate bodies that have adopted e-communication, must enhance their security arrangements.

Banks must exercise extra care and make adequate security arrangements while communicating with correspondent banks. There must be a written agreement with each correspondent bank regarding fund transfers, clearly stating that no funds are to be moved on the basis of email requests if the respective bank so desires. The names of the designated officers responsible for communicating with correspondent banks must also be conveyed to those banks, so that they act only on emails received from those designated officers.

As part of enhanced security, banks must establish a team in their IT department to closely monitor and audit all incoming and outgoing emails. If possible, employees should be restricted from using all types of public email services, e.g., Yahoo, Gmail etc. Emails with attachments must be monitored and should not be delivered to the recipient if the attachment is found to be irrelevant. Officers should be strictly advised to refrain from responding to emails from unknown senders. There are many such do's and don'ts which together govern email communication. Emails with mysterious content or a suspicious sender address must not be responded to; instead they should be forwarded immediately to the IT department for investigation. Such an email, if found to be serious in nature, should also be forwarded to the law enforcement agencies for further investigation.
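The controls described above, a designated-officer list that correspondent banks act on, plus screening of suspicious sender addresses, can be turned into an automated first-pass check on inbound payment instructions. The script below is an added example and is not part of the article or of any bank's system; the bank domain, officer addresses, executive name and both sample messages are constructed, and the look-alike test is a simple one-edit heuristic chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# All values below are assumed/constructed for this example.
INSTITUTION_DOMAIN = "examplebank.example"
DESIGNATED_OFFICERS = {"rahim.uddin@examplebank.example"}   # officers named to correspondent banks
EXECUTIVES = {"karim ahmed": "karim.ahmed@examplebank.example"}  # display name -> real address
PAYMENT_WORDS = ("remit", "transfer", "payment", "wire")


def lookalike(domain, real=INSTITUTION_DOMAIN):
    """True when domain is one substitution, insertion or deletion away from real."""
    if domain == real:
        return False
    a, b = sorted((domain, real), key=len)       # a is the shorter (or equal) string
    if len(b) - len(a) > 1:
        return False
    i = 0
    while i < len(a) and a[i] == b[i]:           # skip the common prefix
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]


def screen(raw_message):
    """Return findings for one raw RFC 822 message; an empty list means no red flag."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", addr))
    name, addr, reply_to = name.strip().lower(), addr.lower(), reply_to.lower()
    domain = addr.rpartition("@")[2]
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    findings = []
    if domain != INSTITUTION_DOMAIN:
        findings.append("external sender domain")
        if lookalike(domain):
            findings.append("look-alike of institution domain")
    if name in EXECUTIVES and EXECUTIVES[name] != addr:
        findings.append("display name impersonates an executive")
    if reply_to != addr:
        findings.append("reply-to differs from sender")
    if any(w in text for w in PAYMENT_WORDS) and addr not in DESIGNATED_OFFICERS:
        findings.append("payment instruction from non-designated sender")
    return findings


# Constructed sample messages: one from a designated officer, one impersonating the CFO.
LEGIT = ("From: Rahim Uddin <rahim.uddin@examplebank.example>\n"
         "Subject: Remit USD 10,000\n\nPlease remit as per the attached order.\n")
SPOOF = ("From: Karim Ahmed <karim.ahmed@examp1ebank.example>\n"
         "Reply-To: karim.ahmed.cfo@webmail.example\nSubject: Urgent and confidential\n\n"
         "Transfer USD 250,000 today to the account below. Do not discuss this.\n")
```

A real deployment would also verify SPF/DKIM/DMARC results and route every non-empty finding to the IT monitoring team rather than relying on the recipient's judgement.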

Nironjan Roy is a banker.
