Director of Public Prosecutions Paula Llewellyn is calling on financial institutions in the Caribbean to establish an organisation and fraud-alert systems to address the problem of cybercrime on a regional level, which she says is fleecing the institutions of millions of dollars.
While acknowledging that Jamaica is doing better than its regional counterparts in tackling the problem, the longstanding chief prosecutor cited at least one ongoing case in Jamaica in which $60 million was stolen from a bank in a SIM swap scam.
Meanwhile, scammers used fake email and WhatsApp accounts to grab a massive US$2.2 million from a bank in Trinidad & Tobago.
“Based on what I am seeing, the cyber threat is so terrible that turf tension and competition is going to have to give way to that collective responsibility to make sure that your systems are not compromised, because what will happen to one bank or one financial institution ... is going to reflect negatively on everybody else,” Llewellyn said, as a presenter at the annual anti-fraud seminar hosted by the Jamaica Bankers Association and the Jamaica Institute of Financial Services in Kingston last week.
She urged financial institutions to deal with the bad actors within their midst, and not to allow them to move on to other institutions to carry out similar criminal activities.
“If you allow people in the public domain to feel that you are petting or you are not properly dealing with potential bad actors who are embedded in your organization or that your systems are not strong enough to ferret them out, extract them, and to make sure that your clients are compensated in a short time, then in terms of reputation, you are going to be in trouble,” Llewellyn said.
The DPP said she was flabbergasted by recent cases, one in Trinidad & Tobago in which US$2.2 million was stolen from a bank, and another in Jamaica in which $60 million was taken.
The DPP quoted from an article by labour market researcher Dr C Justine Pierre on the case in T&T, in which scammers successfully executed a cyber impersonation of the chief executive officer of a bank resulting in the unauthorized transfer of TT$14.8 million or approximately US$2.2 million.
In that case, perpetrators used email spoofing and WhatsApp impersonation tactics to deceive a managing director into believing they were communicating directly with the CEO and other high-level executives. According to local and regional investigations, the attackers executed a sophisticated attack that utilised compromised business email, blending traditional vishing techniques with social engineering over WhatsApp. Vishing is fraudulent impersonation using voice communication.
Meanwhile, in the Jamaican case, the fraudsters used what is called a SIM swap to scam $60 million, a case that’s still before the courts.
“The complainant’s SIM cards were compromised and telephone numbers taken over by the accused men and women. Online banking profiles were then created using the victim’s phone number,” said Llewellyn.
“Utilising that phone number, they are able to utilize the bank’s two-factor authentication system by receiving the relevant keys or passwords to the now manipulated number, then accessing the victim’s bank accounts and transferring those funds from the victim’s accounts to accounts of their choosing,” she said.
Llewellyn made a number of suggestions to tackle the cyber scourge, including upgrading communication protocols, requiring two-factor authentication, identity verification across all internal digital channels, mandatory quarterly cyber fraud training for all staff handling financial approvals, and the establishment of regional incident-sharing platforms and a Caricom-wide fraud-alert system to track emerging threats.
She also urged financial institutions to collaborate directly with social media platforms, such as Facebook and WhatsApp, to enhance regional incident response capabilities and to create cyber fraud insurance pools offering institutional protection to mitigate losses and increase reporting incentives.