October 22, 2021

Fraud and Cybersecurity in Digital Banking

Qinthara Fasya | 17 September 2021

Ryan James Murray, Director (APAC), HUMAN

Shares how companies can steer clear from frauds.

Increasing numbers of people are turning to digital banking to manage their finances in recent years. There have been four digital banking licenses awarded alone in Singapore. Due to the growing usage of digital banking, a number of issues have arisen, chief among them being fraud. The Asia-Pacific region continues to have the world’s highest rate of financial crimes, including identity theft and tax evasion. In addition, the epidemic has pushed the use of real-time payments, providing fraudsters with a new avenue for revenue. Indeed, 78% of APAC banks claim that the advent of such payment systems has increased fraud losses.

DigitalCFO Asia spoke with James Murray, Director (APAC) at HUMAN, on how companies can avoid digital fraud and abuse in the day and age of daily operations being done through the internet.


HUMAN is a cybersecurity company that protects enterprises from bot attacks to keep digital experiences human. We empower our customers with an advanced Human Verification Engine that protects applications, APIs and digital media from bot attacks, preventing losses and improving the digital experience for real humans. Today we verify the humanity of more than 10 trillion interactions per week for some of the largest companies and internet platforms in the world. As Director for Asia Pacific, James’ role is to lead brand awareness and business growth across strategic markets in the region. He is also responsible for all business disciplines with specific focus on aligning global strategy, marketing and sales regionally.

Findings from a study conducted by HUMAN

In the case study, a leading global financial institution initially opted to protect its customers from account takeover attacks by adding the bot mitigation feature offered by its Content Delivery Network (CDN) / Web Application Firewall (WAF) provider. However, the HUMAN BotGuard for Applications case study reveals that 14% of the customers traffic was actually made up of sophisticated bots that were impersonating humans. These bots were also passing through the CDN/WAF provider completely undetected. The findings revealed that 12k credentials were compromised and that these sophisticated bots were logging into user accounts using stolen username and passwords.

HUMAN’s study further revealed that most of the SIVT (Sophisticated Invalid Traffic) originated from China and Pakistan and were blocked by the WAF/CDN provider by default. The malicious traffic was bypassing the WAF/CDN’s rule-based permissions because the attackers were hiding behind US/Canadian IP addresses, enabling them to go completely undetected. 

Firewalls used by Banking Sites and other Financial Institutions

Firewalls alone are not enough to protect banks and their customers from today’s cyber threats. Sophisticated bots can target public-facing web applications with relative ease. It’s also worth noting that multi-factor authentication [MFA] and reCaptcha, while useful in many circumstances, are often defeated by determined attackers.

Fraud levels in Asia Pacific continue to be the highest in the world. Analytics firm FICO recently conducted a survey with banks in the region and found that 4 out of 5 banks (78 percent) have experienced an increase in fraud losses. There’s room for identity and authentication technology service improvements.  For customers, impacts can range from personal data scraping and personal information exploitation to actual fraudulent account transaction activity and other long-term issues. 

Institutions need to conduct regular reviews, especially as the types of cyberthreats evolve and at varying rates. 

Recent research from Kaspersky indicates that more than half of all fraud schemes in the financial industry were account takeover attacks.  At Human Security we often stop sophisticated bots arriving at a web and/or native application with intent to create fake accounts. The accounts, if successfully created, would often be used to test stolen credit cards, post fake user-generated content, or spread disinformation and spam. While these attacks might be ameliorated by password hygiene on the part of users, that’s not a perfect solution either. 

Data breaches aren’t going to stop, and it is incumbent on organizations with web portals to protect themselves against fraudsters to prevent being the next company in the headlines. 

Steering Clear from Frauds

Banks should make standard investment into ongoing employee cybersecurity education and upskilling across the entirety of the business.  Not only should employees be knowledgeable of potential attacks, the business and it’s specialised departments should have clear protocol for how to address attacks should they occur.  It is imperative for banks to have a recovery action plan and regularly perform safe secured data back-up. 

Institute cybersecurity as a corporate tenet if not already doing so.  Many businesses unfortunately underinvest and are understaffed and undertrained to address the severity of cyberattacks. That is one of the worst things to do.