In conversation with Finextra, Beate Zwijnenberg, chief information security officer at ING, canvassed new trends in cybercrime and how the banking giant is working against phishing and scams for its customers.
Zwijnenberg has a background in fraud management in the Netherlands and Belgium, and is now responsible for cybersecurity at ING. She says that cybersecurity is one of the foundational capabilities at the bank, and that maintaining the trust of its customers is at the forefront of its priorities.
Fraudsters draw customers into scams either by frightening them or by posing as helpers; one of the techniques they use is what Zwijnenberg calls “social engineering”. The bank aims to educate customers about the methods scammers use so they can recognise and avoid them. Strategies that ING employs to combat fraud include allowing customers to set limits on their transactions, establishing strong customer onboarding and app enrollment processes, and other fraud detection measures.
Zwijnenberg remarks that there are always various peaks and trends behind causes of fraud, with one of the most prevalent causes of late being phishing: “Different types of phishing campaigns pop up depending on vulnerabilities in the market or environment. For instance, if you refer back to the pandemic, there were a lot of phishing campaigns centred around Covid-19, working from home, or going back to the office.”
Open banking has opened up new avenues for phishing scams and fraud; with the ease of embedded finance, accessible banking app services, and online banking comes greater need for people to be aware and conscious of the risk of being scammed. However, Zwijnenberg expresses that open banking is not the root of all fraud risk:
“I think risk and impact of scams have gone up, but I don't think that it's directly related to open banking. If you look to PSD2 [the second Payment Services Directive], there have already been a lot of discussions about what kind of additional measures companies (including ING) should take, and ensuring that those fraud risks were properly taken care of. I think digital transformation makes having proper fraud monitoring in place a little bit more complex and challenging, but it's not impossible.”
When asked how regulation has affected efforts to combat fraud, Zwijnenberg observes that harmonising regulation across Europe would make a significant difference. Especially for organisations that operate in multiple jurisdictions, standardised compliance requirements would benefit the effort put into combating fraud and cyberattacks.
“What helped for PSD2 was the enforcement of strong customer authentication. If standardisation is implemented it will be much clearer for everybody to comply with regulation, as there is a lot of differentiation in the levels of compliance required in the Asian region compared to England, the Netherlands, or to Belgium, for instance.”
In the Netherlands specifically, there are a lot of digital channels in use. Zwijnenberg mentions a recent collaboration between many Netherlands-based banks to launch an awareness campaign for fraud so that customers can learn to recognise different patterns from scammers and avoid them.
Mitigating cybersecurity risk
New digital pathways and opening up of virtual platforms could also increase risks for customers and entities or companies that are, for example, switching to the cloud. Zwijnenberg notes that in doing so, they are “introducing new attack surfaces, and so there are more possibilities for threats. As entities become more dependent on digital services, the risk of threats increases.”
Zwijnenberg observes that new technologies have encouraged the use of advanced AI and machine learning models in cybersecurity monitoring, making it more effective and better able to protect workloads on the basis of data.
Zwijnenberg notes that addressing resilience from a customer-centric perspective is critical, and that current moves to improve operational resilience aim to be preventive, responsive, and detective. A key strategy for her team is to continually attack themselves and try to circumvent their own security systems, placing themselves in the mindset of a hacker to pinpoint where their defences fall short.
“Humans make mistakes, so you need to make sure you have the right quality assurance in place. That is why we are always testing - real-time testing where we try to attack and hack ourselves. If you look to upcoming legislation, DORA [the Digital Operational Resilience Act] or TIBER-EU, resilience testing is going to have such an explicit role, so it’s crucial that we do this well.”
Zwijnenberg argues in favour of moving away from purely rule-based detection to advanced models and machine learning. She emphasises that rule-based detective measures simply do not scale and create too many false positives, whereas machine learning and AI models built on an amalgam of various sources and data are much more effective in detecting incidents.
Zwijnenberg concludes that the small trends which have been occurring in recent years have focused on specific vulnerabilities in the market, and the influx of digital transformation has limited institutions’ protective capabilities: “There is a shortened time window between the moment that different vulnerabilities are discovered and when those vulnerabilities are exploited; so the timeframe in which an organisation can still apply mitigating measures is shrinking.”
She continues: “We see more criminals targeting public repositories for open source software. Fraudsters are adjusting their tactics to circumvent certain new technologies. What we do to adapt to these advanced tactics is implement new measures. It's a cat-and-mouse game; we build more protective barriers and they try to break in.”