The past year has seen the number of digital fraud cases growing on an international level, with an increasing reliance on mobile transactions also marking a rise in the incidence of fraud on mobile channels.
While the number of Malaysians who adopted mobile or digital wallets as payment options increased from 8% in 2019 to 20% in 2022, according to a report from global data analytics provider LexisNexis Risk Solutions, there was also an increase from 23% to 31% in mobile fraud.
During that same period, Malaysians reportedly lost over RM1.6bil to online fraud, with the majority of cases being through online purchases (18,857 cases) and non-existent loans (15,546 cases) out of the 51,631 cases overall.
The report, titled '2022 True Cost Of Fraud APAC Study', found that with the loosening of Covid-19 restrictions and the reopening of economies in many parts of the world at the tail end of 2021, there has been a continued surge in fraudulent and scam attacks across multiple industries.
In the Asia Pacific region alone, there was a 135% increase in automated bot attacks across industries. This includes automated SMS and phone scams, along with fraudulent third-party mobile apps masquerading as legitimate ones.
All of this begs the question – how should we adapt as a region to combat this rise?
Challenges ahead
The report highlighted the risks posed by aspects of mobile and online banking, which include SMS One Time Passwords (OTPs) that can be intercepted by fake mobile apps, the issue of identity verification when it comes to newly created online or mobile banking accounts, and the need for identifying fraud attempts in near real-time.
“Malaysian authorities have been more active in recent years in addressing digital fraud. The existing regulatory frameworks focus on cybercrime and financial fraud in general.
“However, more specific requirements have been published or proposed, for instance, in the areas of electronic Know Your Customer and SMS One Time Password (OTP) authentication,” said Thanh Tai Vo, LexisNexis Risk Solutions’ director of fraud and identity, Asia Pacific.
“In addition, public initiatives have been set up, such as the Commercial Crime Investigation Department in Malaysia (superseded by the National Scam Response Centre), to educate consumers on the risk of digital fraud and scams,” he added.
As highlighted by Vo, the matter has been addressed by Bank Negara Malaysia (BNM), which issued a notice on fraud preventative measures to local banks.
This includes transitioning away from SMS OTPs, introducing a cooling-off period for newly registered customers on mobile and web-based accounts, limiting transaction approvals to a single device, as well as stricter monitoring and due diligence practices to detect suspicious transactions and compromised user accounts.
For the most part, banks have been acting on the advice and have already started moving towards app-based transaction approvals instead of OTPs. Some have even gone the extra mile of running their own public service announcements warning customers about the dangers of installing unverified third-party applications, including malicious ones that pretend to offer home cleaning services, for example.
But a major topic on the subject of cyberfraud that will likely be discussed in 2023 relates to the issue of “authorised push payment” (APP) scams – or more specifically, whether victims should receive compensation if they are ensnared.
An APP scam refers to a specific form of attack where fraudsters trick victims into making an authorised payment for a service or item that they will never receive. This type of scam includes investment and impersonation scams as well.
Most recently, the UK’s Payment Systems Regulator (PSR) pushed for mandatory reimbursement for APP victims by banks should the amount lost exceed £100 (RM541).
The Swedish supreme court has also ruled in favour of scam victims, and the US Consumer Financial Protection Bureau has made statements on plans to protect victims of scams on money-transfer services.
“The public debate around compensation to fraud victims is ongoing. The current, general direction only addresses unauthorised transactions.
“However, when it relates to authorised push payment fraud, such as in investment or romance scams, or other types of third-party fraud whereby individuals click on malicious phishing links, the direction is less straightforward,” said Vo.