7 min read

Evolving cybersecurity in banking without harming CX

Fraud and security
Cybersecurity in banking
Share to:

In this article:

  1. 5 types of banking fraud to watch out for in a digital world 
    1. Smishing attacks 
    2. Malware and spyware 
    3. SIM swap fraud and account takeover (ATO) 
    4.  SS7 vulnerabilities 
    5. Artificially Inflated Traffic (AIT) 
  2. Balancing digital CX and cybersecurity in banking 
    1. Mobile authentication: the backbone of data protection 
    2. How rich messaging channels make mobile communications more secure 
    3.  
    4. SIM farms and the data protection risk 
    5. Making digital banking easy and safe: The role of cloud communications
  3. Choosing a cloud communications partner you can bank on 

As more and more people move away from traditional banking to embrace digital channels, businesses in the industry are under more pressure than ever to accelerate digital transformation. 

To compete in a screen-based world and build lasting relationships with customers, the finance industry needs to keep up with customers’ increasingly high expectations for speed, convenience, service quality, and interactivity. Doing so means leveraging messaging channels and apps, but also AI and automation to create the personalized, seamless experiences we’ve all come to expect as customers. 

But the shift toward digital touchpoints also exposes financial services providers to increased data security and compliance challenges. So, how can banks create secure, seamless customer journeys in today’s digital landscape? 

In this blog post, we discuss the main fraud risks associated with mobile channels and strategies to improve cybersecurity in banking, prevent online banking fraud, protect customer data, and maintain trust. 

5 types of banking fraud to watch out for in a digital world 

Banking fraud types

  • Smishing attacks 

Cybercriminals often send fake emails and links that appear to be from a legitimate source, in an attempt to trick users into providing sensitive information or financial data — that’s called phishing. 

Smishing is a form of phishing that involves sending fake SMS to target mobile users. Smishing attacks represent a growing threat to the finance industry.   

  • Malware and spyware 

As mobile devices are increasingly used for banking and other financial transactions, they’re also becoming a target for malicious software like malware and spyware, which can be used to steal confidential information or conduct unauthorized transactions.  

It can be used to track a user's online activities and access sensitive data or financial information.  

  • SIM swap fraud and account takeover (ATO) 

SIM swapping is a type of hijacking that involves deactivating someone's SIM card and activating a new one, without the person’s consent, to take control of the phone number. 

Fraudsters often use social engineering techniques and convince the victim's mobile carrier to transfer the number to another SIM card. Most carriers have taken measures to prevent this, but the risk still exists.  

The attacker will then be able to bypass verification processes using this phone number, for instance two-factor authentication with SMS one-time passcodes (OTP). This means the attacker will get access to bank accounts, payment apps, and other sensitive accounts and information. 

In some markets, it’s possible to tackle this threat by blocking SMS OTPs to mobile devices where a new SIM card has recently been issued. 

  •  SS7 vulnerabilities 

Another type of hijacking is where cybercriminals use the signaling system to take over the victim’s phone. SS7 (Signaling System 7) is a network that allows mobile providers to exchange messages with each other. A successful attack on the signaling system of a mobile operator can give hackers access to its subscribers’ text messages, including SMS OTPs. They will then use the information to get access to bank accounts. 

Luckily, SS7 attacks are quite difficult to pull off and therefore relatively rare, and many mobile operators now have signaling firewalls in place to protect their networks from these attacks. 

  • Artificially Inflated Traffic (AIT) 

Artificially Inflated Traffic, also known as SMS traffic pumping, is a type of fraud where scammers collaborate with shady service providers to generate fake traffic. SMS OTP can be extremely vulnerable to this type of fraud. In practice, scammers request thousands of verification codes, links, or anything a business might send via SMS, and send them to random numbers to collect some of the revenue generated. This traffic mostly ends up as spam on real users’ devices or never gets delivered by the accomplice service provider, though they’ll still confirm the delivery.  

This can be a significant risk for enterprises since it means paying for lots of fake messages. For consumers, it often results in spam and potential identity theft.   

Balancing digital CX and cybersecurity in banking 

 

Mitigating the risks associated with digital banking and mobile messaging is a partnership between end-users, banks, their service providers, the ecosystem, and regulators.  

As a leading service provider, Sinch advocates for best practice to help build a safer ecosystem and provide the best services for businesses and end-users. 

In this section, we set out some best practices and solutions to help you prevent threats throughout the digital customer journey while delivering a seamless experience.  

 

Mobile authentication: the backbone of data protection 

The most common way to secure access to user accounts and apps is two-factor authentication (2FA), where customers are required to verify their identity using two of the following elements: 

  • Something they know, such as a password 

  • Something they have, such as access to their phone 

  • Something that’s inherently part of who they are, such as biometric information 

As you might already know, with the introduction of PSD2 and Strong Customer Authentication (SCA) in EU and EEA countries, 2FA is now the minimum legal requirement for payer-initiated transactions within these countries. The goal? Increasing the security of electronic payments. 

In banking, 2FA via SMS OTP is by far the most popular verification method for transaction approvals due to its simplicity and universal availability. While it prevents most automated attacks, this method can be subject to fraud, as previously explained. Financial institutions should ideally use a blend of verification methods to improve security.  

Banking customer verifying her identity using her mobile phone

Research shows that SMS 2FA can also be a source of customer friction. Blending multiple verification methods is a great way to enhance CX as it gives businesses the opportunity to choose the best method(s) for their specific use cases and customers.  

Data Verification and Flash Call Verification, for instance, are great alternatives — or complements — to SMS 2FA that ensure little to no disruption to the user experience. Bonus: They’re also significantly cheaper! 

No matter the authentication method financial services companies opt for, user experience, just like security, should always be a top priority. 

 

How rich messaging channels make mobile communications more secure 

Rich messaging channels like WhatsApp, ViberRCS messaging, or Apple Business Chat aren’t only great for creating engaging conversational banking experiences. They also offer better security with branded messages and verified sender IDs. 

While traditional SMS can be sent via unreliable routes, a.k.a. grey routes, WhatsApp, Viber, RCS and Apple messages are sent using internet data. Businesses using these channels also need to go through a strict verification process, which significantly reduces the risks of spam or smishing. In turn, it also helps increase customer trust. Watch the video below to learn more about how rich messaging channels help tackle corporate identity theft.

 

SIM farms and the data protection risk 

SIM farms, or SIM boxes, are banks of unauthorized SIM cards obtained legally or illegally and used by some mobile messaging providers to send business SMS at a more competitive price.  

Because they use unauthorized routes to deliver messages, SIM farms are in breach of mobile operators’ terms and conditions and are typically not compliant with data protection legislation like GDPR. SIM farms are also often associated with illegal activity and fraud, putting end consumers and businesses at risk. 

Businesses are legally responsible for their SMS delivery value chain; using SIM farms therefore exposes them to potential litigation and fines. 

That's why business SMS should only be sent via authorized mobile operator routes — and the only way to ensure this is by working with a trusted provider. 

 

Making digital banking easy and safe: The role of cloud communications

Securing digital customer experience in banking is no small task, but game-changing tools are now available to help businesses verify users and communicate smoothly and securely. 

Cloud communications platforms let you integrate messaging and verification capabilities into your existing tech stack quickly and easily thanks to flexible, powerful APIs, saving you time and money. 

Choosing a cloud communications partner you can bank on 

 

Going down a cheap route for mobile communications and verification can harm a business in many ways and will never ensure fundamental information security principles are met. Just like for many things in life, you usually get what you pay for... 

Ever heard of the CIA? No, not the Central Intelligence Agency. In cybersecurity, CIA stands for Confidentiality, Integrity, Availability and should be the foundation of any data protection policy:

  • Confidentiality focuses on preventing data leaks and ensuring that sensitive data is only accessible to authorized users 

  • Integrity means that data shouldn’t be altered in any way without authorization and should stay accurate at all times 

  • Availability is about making data available to authorized users when they need it 

The point is, when looking into technology partners, only consider those placing data and consumer protection at the heart of everything they do. 

Here are some of the most important boxes a trusted communications provider should tick: 

  • A tier-1 network and direct operator connections — for maximum reach, scalability, reliability, and availability 

  • A carrier-grade platform — for top-notch security and quality, and low latency 

  • High security standards and ethics, ensuring end-to-end security and data protection — think GDPR compliance, MEF Code of Conduct, and ISO27001 certification (the top certification for Information Security Management Systems, a.k.a. ISMS) 

  • A solid chain of trust for mobile verification 

  • A dedicated support team that’s committed to helping you succeed 

Want more details? We’ve put together a handy cheat sheet to help you choose a cloud communications partner with confidence.  

 

The ever-increasing sophistication of fraud attacks is forcing financial institutions to step up their security game. Mitigating the risks associated with digital banking without harming customer experience will require using the right blend of mobile channels and verification methods to let customers move through their journey with your brand securely and seamlessly.  

Getting there will also require finding the right technology partner to make it happen. One that goes beyond compliance when it comes to data protection and contributes to building a better communications ecosystem.  

And of course, it also means doing your part, by following best practices and educating your employees and customers about digital security threats. 

Need more insights on how to step up security without harming customer experience? Dive into the results of our global consumer research or click the button below to download our complete guide to financial services communications.

Financial services communications guide

 

Topic
Best Practices
View all blogs

More insights from Sinch