Banks see thousands of attacks a minute. Here’s how they stop them
By Millie Muroi and Tim Biggs
Deep within the country’s banks sit rooms lined with flashing screens showing an avalanche of attacks coming in and layers upon layers of defence systems to fend them off.
Each month, hundreds of millions of cyberattacks come in from across the world. It’s a statistic that keeps bank executives awake at night, because it takes just one of those attacks breaking through to compromise one of Australia’s biggest industries.
The Reserve Bank has previously warned that if a cyberattack severely disrupted or destroyed a bank’s IT systems, it could put that institution into financial distress and have “systemic implications” for the wider economy.
Banks must stay several steps ahead of the “bad guys”, not only to fight system-wide threats, but also to protect customers being targeted with increasingly sophisticated scams.
More than $367 million has been lost in Australia to scams this year, the majority attributed to investment scams. Criminals impersonate companies asking for investment in upcoming sharemarket floats, Ponzi schemes spread through social media, and crypto scams promise their victims big returns.
Fighting against these threats is a never-ending battle, with major banks running around-the-clock efforts to fend off the wave of attacks.
The challenge, bank executives say, is more people are online and busier, making it easier for criminals to tap into the fear factor with messages purported to be from a trusted institution, designed to extract personal information.
Phishing, ransomware and malware are among the most common attacks, along with “denial of service” attacks where criminals bombard a website with traffic in an effort to bring the service down.
Banks have multiple layers of defence against cyberattacks so that if one fails, another will catch it.
However, NAB chief security officer Sandro Bucchianeri said cybercriminals were becoming more ambitious.
“They are organised, transnational gangs, often basing their operations in countries beyond the legal reach of their victims and law enforcement agencies,” he said.
By adding more hurdles for bad actors, and therefore making attacks more expensive to mount, banks hope cybercriminals will be steered away from them. To deflect attacks from the country more broadly, small-to-medium businesses with fewer resources must also be educated, Bucchianeri said.
“The SME [small and medium enterprise] sector is the backbone of our economy and particularly vulnerable, facing increasing costs of living, ongoing labour shortages and rising rates of cybercrime,” he said. “Last year, they were the number one victims of cybercrime.”
While artificial intelligence (AI) may be used by bad actors to advance and automate attacks, banks are also using it to improve the efficiency of their defences.
Instead of assigning a group of cyber analysts to look for threats amid the huge volume of information coming in – which can be like finding a needle in a haystack – some banks are using AI to look through data and pinpoint threats.
Banks say much of the solution also lies with telecommunications companies, which could filter more of the malicious traffic coming into organisations.
Scam crime wave
At the same time as banks try to fend off cybercriminals, they are also on the front line of the scam epidemic.
Australians’ estimated scam losses hit $3.1 billion last year, sparking pressure from regulators, politicians and consumer groups for banks to improve their systems for fighting the crime wave. Banks have recently reported some progress, but they say the threat from scammers is constantly evolving.
From April to September this year, ANZ has seen a 59 per cent reduction in customer losses and a 38 per cent increase in detected and prevented amounts, but is still seeing a high volume of scams.
Traditional scams including romance and investment scams persist, with investment and remote access scams the highest by both value and volume. But ANZ complex investigations lead Marc Broome said there was a re-emerging trend.
“The biggest one we’ve seen, certainly over the last 12 months, that comes and goes, is impersonation type activity, which has become a bit more complex,” he said. “Customers are receiving text messages, supposedly from their bank, they’re supplying some information, and they’re getting a follow-up phone call from somebody impersonating the bank and convincing them to move money.”
Australia’s largest bank, CBA, last month said its scam losses fell by a third. But the bank has recently seen criminals falsely advertise its products, laced with malware links, on social media, and has had prominent bankers recreated using deepfake technology in a bid to trick people into clicking these links.
Scammers often craft messages that tie into current events to steal money. It took less than a week for scams relating to the Israel-Hamas war to emerge, with scammers posing as victims or charities asking for donations. Other recent examples involve fake Taylor Swift ticket sales and offers to stream the World Cup final live, which asked victims to enter credit card numbers that were then stolen.
NAB investigations and fraud group executive Chris Sheehan said the bank was watching closely for emerging trends including investment scams, especially as people feel cost of living pressures. “We’re getting reports of term deposits promising lucrative returns,” he said.
In other cases, scammers create more specific messages, hoping to catch people by coincidence. This includes fake invoices that appear to be from tradespeople. Most potential victims will spot these as scams, but anyone who happens to have had home repairs done recently may pay without thinking.
It’s a cat-and-mouse game, Broome said, because the scam environment is continually changing. “As much as we put controls in place across the industry to slow things down, scammers shift really quickly,” he said.
“The people behind these impersonation scams tend to be very well-organised, and we suspect it’s being run out of the UK. We also suspect these criminal networks have people on the ground in capital cities in Australia, particularly to recruit individuals to receive and move the money on their behalf.”
ANZ head of customer protection Shaq Johnson said “scam recovery” scams were another concerning trend on the rise. “It’s a bit of double whammy for victims, where the same scammers will come and engage with the same victim, saying they can help you recover some of the funds,” he said.
As banks put guardrails in place, scammers have shifted their approach.
“We’ve seen a change in scammers’ behaviour from targeting crypto as a channel to move money, towards more traditional ways, including recruiting individuals to receive funds,” said Broome. “But they’re having to recruit a lot of mules to receive this money, and there’s obviously only a certain number of people willing to do it.”
Scammers use mules to move money around before sending it to their final destination, making it difficult for banks to recover lost money. “By the time that money ends up in the criminals’ hands, it’s probably bounced around 40 to 50 different accounts,” Broome said. “They’re creating layers and roadblocks for us to recover the money for customers.”
Banks use technology to fight back
One response from banks to the scam wave has been to insert “friction” into the payment process, by slowing down suspicious money transfers. Westpac, for example, in August introduced changes that will result in customers being asked extra questions when they try to make a high-risk payment.
“This is about helping customers spot potential red flags before any funds have actually been sent,” Westpac chief executive Peter King said at the time.
Using AI and machine learning, ANZ has developed mule detection capability aimed at starving criminals of the resources they rely on to move funds.
Banks are also using biometric capabilities across their digital channels, which identify when customers’ interactions with a digital platform seem out of character.
It’s an economy-wide problem involving many sectors. In March, Commonwealth Bank and Telstra partnered to pilot a scam detection and prevention tool based on a machine-learning model to detect high-risk scam situations in real time, allowing CBA to call on Telstra to check if a customer was on a phone call.
In August, the competition watchdog, acknowledging the need for a co-ordinated response, allowed the 20 members of the Australian Banking Association to collaborate on developing industry standards to combat scams.
Johnson said the controls being put in place by the banks, including introducing more friction and payment delays, were working. “We’ve become a lot more unpredictable to the scammers,” he said.
One challenge banks are facing is complaints from customers – sometimes coached by scammers. “I must admit, it’s a very hard balance to strike,” Johnson said.
Broome said in some cases, bank staff could hear the scammer in the background of a call with a customer.
Johnson said it was “absolutely necessary” to have guardrails to slow down suspicious payments but that the bank tried not to impact genuine payments.
“We’re using AI and machine learning to be able to distinguish between what looks normal and what doesn’t,” he said. “Where I think we can do better is to proactively talk to customers and let them know when certain payments will be delayed, so customers can expect it.”
Ultimately, Johnson said customers were the first line of defence and needed to be educated.
What customers can do
Scams often aim purely to collect people’s personal information, which is collated and used for identity fraud, or to enable more personalised scams. Phishing campaigns trick people into entering details such as phone numbers or document numbers into legitimate-looking websites, which can be sold to other criminals. Merely by interacting with a scam message, you may be verifying to crooks that the details they have are correct.
Many security experts advise a simple rule of thumb: never click on any links in text messages or emails. Several banks have removed all links from their messages, but many retailers include legitimate links in marketing messages, and scammers can craft messages that look legitimate and familiar. In almost all cases, you can open your browser and navigate to the site yourself.
For emails, you can often view the “from” address to make sure the message is coming from a domain you expect before you click any links (e.g. noreply@dhl.com is likely legitimate, while dhldelivery@gmail.com is definitely not). But crooks are resourceful and have a lot of tricks to help a fake address pass the sniff test. The safest approach is to not click on email links.
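The sender-domain check described above, carried a little further than the single dhl.com example, as an added illustration that is not part of the original article and not code from any bank: it separates the display name from the real address (so a display name that merely looks like an address is ignored), compares the domain to an expected list by exact label-suffix match (so noreply@dhl.com and mail.dhl.com pass, while dhl.com.track-parcel.example and dhldelivery@gmail.com do not), and returns a verdict with a reason. The expected-domain list and all sample headers are constructed for the example.

```python
"""Check the real sender domain of an e-mail From header.

Added illustration for the article's "look at the from address" advice;
not code from the article or any bank. The allowlist below is constructed.
"""
from email.utils import parseaddr

# Constructed for this example: domains the recipient expects a courier's
# notifications to come from. A real deployment keeps its own list.
EXPECTED_DOMAINS = {"dhl.com"}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From header.

    parseaddr() splits '"Name" <addr>' into the display name and the
    address actually used, so text placed in the display name to look
    like a trusted address is not mistaken for the sender.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def domain_is_expected(domain: str, expected=EXPECTED_DOMAINS) -> bool:
    """True if domain equals an expected domain or is a subdomain of one.

    The suffix test includes the leading dot on purpose: a plain
    "contains dhl.com" test would accept dhl.com.track-parcel.example
    and notdhl.com, both of which this check rejects.
    """
    return any(domain == d or domain.endswith("." + d) for d in expected)


def check_sender(from_header: str, expected=EXPECTED_DOMAINS) -> tuple:
    """Return (verdict, reason) for a From header.

    verdict is "expected" or "unexpected"; reason says what was compared.
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("unexpected", "no parsable address in From header")
    if domain_is_expected(domain, expected):
        return ("expected", f"domain {domain} matches an expected domain")
    return ("unexpected", f"domain {domain} is not an expected domain")


if __name__ == "__main__":
    # Constructed sample headers covering the article's two cases and
    # two common lookalike tricks.
    samples = [
        "noreply@dhl.com",
        "dhldelivery@gmail.com",
        "DHL Express <notify@mail.dhl.com>",
        '"noreply@dhl.com" <parcel@mail-service.example>',
        "alerts@dhl.com.track-parcel.example",
    ]
    for header in samples:
        verdict, reason = check_sender(header)
        print(f"{verdict:10} {header!r}: {reason}")
```

This only inspects the text of the header as it is shown to the reader; it does not verify that the message really came from that domain, which is what the mail provider's authentication checks (SPF, DKIM, DMARC) are for. That is the gap the article's "resourceful crooks" caveat points at, and why the safer habit remains typing the address into the browser yourself.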
Some other basic digital hygiene tips are to never give personal information to someone who calls you on the phone, even if they seem to know who you are, and to use a unique password for every online service. A password manager like Bitwarden, LastPass or the one that comes with your phone can help with that.
If you suspect you’ve been scammed, contact your bank as soon as possible. “The quicker the better because the money moves so fast,” Johnson said.
Ultimately, however, there’s no silver bullet or one-size-fits-all solution.
“We’re not going to have a fixed solution to a dynamic problem; it needs to constantly evolve,” said Johnson. “Scammers are relentless, and we’re definitely going to see different scam types emerge over time.”
Broome said it was often the method of contact which scammers changed in response to solutions. “If we do a lot of education in a particular area, you’ll see scammers move towards contacting people another way,” he said. “We’re now seeing them advertise to recruit people through TikTok.”
While AI has not yet been widely adopted by scammers, Johnson said tools such as ChatGPT were being used to enhance the quality of some scams, including phishing.
Johnson said Australia could learn from other countries such as Singapore, and that an economy-wide approach involving government and different sectors was important.
“In Singapore, there’s plenty of scam warning and campaigns, and things like the SMS registry which might be helpful,” he said. “It’s good to learn from other jurisdictions that have been on that journey earlier than we have.”