How can Africa guard against cybercrime?

It is perhaps not surprising that that the theme for last October’s international Cyber Security Awareness Month (CSAM), observed in many countries around the world, was “It’s easy to stay safe online“. However, while the message may be designed to reassure, the reality is that it is anything but easy to stay safe online.

The annual initiative was launched in 2004 by the US Department of Homeland Security and the National Cyber Security Alliance – a collaboration between government and the private sector “to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime.”

This collaboration has since then incorporated other regions including Europe, Asia, Latin America and Africa, bringing together a range of stakeholders spanning government agencies, regulators, UN and international agencies, tech giants and cybersecurity providers. The message is clear – cybersecurity is a shared responsibility.

But in a world preoccupied by the sheer scale and pace of technological innovations in artificial intelligence, metaverse and blockchain, this collaboration is inevitably fragmented given the disparate back stories of different economies, payment systems and anti-cybercrime strategies.

According to Belgium-based SWIFT, the world’s leading provider of secure financial messaging services, “not all jurisdictions use the same terminology, or have the same classifications when defining fraud and cybercrime. This can lead to fragmentation in an understanding of the data and statistics because they’re not always comparable.”

This is compounded by the apathy of the tech giants, which after all are the technological “facilitators”, albeit unintended, of online fraud and scams; and the shortcomings of regulators who are always a step or two behind the innovators and increasingly sophisticated cybercriminals.

Read more about cybersecurity in Africa

• Africa’s cybersecurity threat 
• Growing cybercrime demands firm African response 
• Cybersecurity: Africans fight back against the hackers 

The CSAM message is both a reminder of the burgeoning global threat of cybercrime and online fraud, and a reassurance to internet users that there are plenty of ways to keep personal information and private data secure when browsing and using the internet.

Fraud is more than simply a cybersecurity concern. Given the epidemic of scams, the socio-economic costs span financial loss for consumers and banks, reputational damage for banks subject to a cyber incident or for failing to refund fraud victims, and liability risk for banks in several jurisdictions. The psychological impact on victims can be hugely damaging.

For banks, cybersecurity is now one of their key areas of focus as increasing numbers of their customers fall victim to more sophisticated scams relying on cyber techniques and using advanced social engineering and manipulation techniques. The South African Reserve Bank (SARB) for instance has identified over 25 different types of cybercrimes and online scams.

The data, according to recent reports, is as revealing as it is disturbing, with no country spared and the financial services sector now an enhanced target of criminals. According to the Cybercrime Report 2022 from Cybersecurity Ventures, the phenomenon is growing exponentially, with the global annual cost projected at $8trn in 2023. Compounding this is the rising cost of damages resulting from cybercrime, expected to be $10.5trn by 2025.

Sober reading for African countries

For countries in sub-Saharan Africa, with their historical connections to the City of London, trade and investment links and “kith and kin” cultural, sporting and tourism ties with the UK, the latest Annual Fraud Report by UK Finance, the professional body of the British banking industry, makes for sober reading. In the UK in 2022, some £1.2bn was stolen by criminals through authorised and unauthorised financial fraud, equivalent to over £2,300 every minute, and the same amount in attempted fraud was further prevented by the financial industry through counter-measures.

The report shows that 78% of authorised push payment fraud cases (where someone is tricked into sending money to a fraudster) originated online, especially via social media platforms, and another 18% via telecoms. To protect the reputation of London as the premier global financial centre, the UK government is finalising the Online Safety Bill and the Economic Crime and Corporate Transparency Bill, which, says David Postings, CEO of UK Finance, “for the first time will require technology and social media companies to remove scam adverts from their platforms.

“Online platforms and telcos need to work harder at closing down the opportunities for fraudsters to use their systems. The government’s recent fraud strategy rightly says we need to focus on stopping fraud at source and that it is other industries, especially online technology giants, that should do more to stop criminals exploiting their services,” he argues.

African nations feature prominently in cybersecurity protection firm Kaspersky’s latest Global Top 100 Countries for Online Threats ranking. Kenya is ranked at 35, Nigeria at 50 and South Africa at 82.

Dr Amin Hasbini, Head of Global Research and Analytics at Kaspersky, says that “criminal attacks are mainly driven by the pursuit of financial profit, whereas advanced attacks indicate how cyberthreat actors continually adapt their tactics and tools to breach security measures.

“A significant portion of the attacks witnessed across Africa are shaped by the rapidly changing geopolitical landscape. However, a growing concern is that cyber-criminals are learning to refine their craft from successful advanced attacks.”

In Q1 2023, Kaspersky reported a surge in backdoor and spyware attacks, exploits and the use of zombie machines in Kenya, Nigeria and South Africa.

Digital banking fraud, says the South African Banking Risk Information Centre (SABRIC), saw an 18% decrease in reported incidents in 2021/22, which was mainly attributed to a reduction in mobile banking fraud incidents. But there was a rise in banking application fraud and losses due to the increased number of users.

However, despite the decline in incidents, there was a significant increase of 45% in gross losses, from R310.5m ($17.16m) in 2020 to R438.3m ($24.22m) in 2021. Although online banking fraud makes up the smallest portion of incidents of digital banking crime (20% of the number recorded), it accounts for the second highest portion of gross losses at 45%.

Criminals targeting Android phones

Some SSA countries seem to be victims of their own success. One of the less expected consequences of the Covid-19 pandemic was a global acceleration towards digitisation, especially in fintech, online banking, e-commerce and payment solutions.

In SSA, mobile money has become big business for telecom providers, with over 144 mobile money providers operating, and M-Pesa, MoMo and Orange Money dominating the market. According to the GSMA State of the Industry Report on Mobile Money 2023, registered mobile money accounts grew by 13% year on year, from 1.4bn in 2021 to 1.6bn in 2022. The number of mobile money agents grew from 12m in 2021 to around 17m in 2022 – a 41% year-on-year increase. Total transaction value grew by 22% between 2021 and 2022, from $1trn to circa $1.26trn, and $832bn of that came from SSA, with the African growth rate the same as the global average of 22%.

Not surprisingly, cybercriminals are targeting Android phone users in the Middle East, Turkey and Africa (META) region. According to Kaspersky’s Advanced Persistent Threat (APT) Q1 2023 Activity Report, Android phones hold a dominant 75% market share in the META region, which accounted for 14% of installs of potentially unwanted mobile financial apps.

“Cyberthreats for this mobile system,” warns Igor Golovin, Malware Analyst at Kaspersky, “remain persistent. Certain mobile financial apps offer seemingly legitimate microlending services, but were found to engage in scams and collect personal data from users’ phones. These apps request access to text messages, contacts and photos/videos before a loan can be provided. Where the user delays a debt payment, app operators may use the data collected from the phone for blackmail and to force the user to return the debt.

“The threat landscape evolves, and mobile financial cyberthreats become more sophisticated and pervasive,” he says. “While downloading smartphone apps from official app stores is less risky, apps can still request the user to give access to different types of personal data that could then be misused.

“As smartphones are used to store an increasing amount of personal data, granting access to it raises security concerns and places additional demand on the security of mobile devices and privacy-preserving ways of storing the data.”

SMEs are also a growing target for online fraudsters, which for developing countries is a major concern. According to the UN, SMEs comprise 90% of all businesses globally and contribute to 50% of global GDP. Research by Kaspersky shows that during the first five months of 2023, there were 764,015 detections of malicious files aimed at SMEs including the use of “smishing” – a clever combination of SMS and phishing.

So, while the Cyber Security Awareness Month rolls on and attention is once again focused on just how vulnerable most of us are to the wiles of cybercriminals, one expects specialised detection and apprehending organisations – state or private – to up their game and hopefully nip cyber-mischief in the bud.