
Electronic Bank Fraud: The need for Banks to strengthen digital security features and how Banks and customers can mitigate risk.

By Nabimanya Julius
September 23, 2022

1. Brief Background.
Research indicates that the growth of electronic banking has led to an increase in fraud, resulting in financial losses. For example, it is estimated that from 2009 to 2010 there was a 93% increase in electronic banking fraud, and a 30% increase from 2012 to 2013. According to a study by retail banking researchers conducted in 2011, electronic bank fraud costs 8.6 billion US Dollars annually. This was anticipated to increase in the following years.[1]
Additionally, a report by the Bank of Uganda revealed, specifically for Centenary Bank, that the total customer base of the bank declined by 11.4%, its customer deposits declined by 7%, its total credit slowed down by 12% and customer complaints due to electronic fraud increased by 6.3%.[2]
Another 2012 survey by Deloitte indicated that Ugandan banks
lose up to sh12b annually to electronic fraud while UGS118b was
lost by banks in the East African region.
Despite the above, the use of digital payment systems continued
to grow strongly, both for mobile money and in commercial banks.
According to the Bank of Uganda Quarterly Financial Stability
Report published in March 2022, demand for digital payment
services was mainly driven by a favorable policy environment,
evolving consumer behavior/needs, and recovery in economic
activity.[3]
The report indicates that the value of debit card transactions
increased by 23.9% to Ugshs. 1.2 trillion during the year ended
March 2022, while the value of internet and mobile banking fund
transfers rose significantly by 82.8% and 146.1% respectively to
Ugsh. 145.6 trillion for the year ended March 2022.
The above report indeed shows that electronic and mobile banking continues to grow as more people take up digital banking services. That means, without doubt, that the more the digital banking sector grows, the more financial risk it faces, particularly the dangerous vice of electronic bank fraud.
As banks and other regulatory authorities continue to put in place measures to mitigate loss, fraudsters, on the other hand, continue to come up with novel and more damaging methods of depriving customers and banks of their money. Indeed, cases have become so rampant today that customers continue to accuse banks of negligence and breach of their fiduciary duty, commonly known as the banker-customer relationship.
Although Courts have held in some cases that a bank will not be liable for financial loss caused by fraudsters on a customer’s account if there is evidence to prove that the bank in question used commercially viable security features to prevent the loss,[4] I opine that the issue of digital fraud is not an easy one to approach and therefore, even a Court faced with such a case ought to take sufficient caution, both in the manner of admitting and evaluating the evidence presented before it, before it reaches a conclusion. Digital fraud takes various peculiar forms and in some cases it may be very difficult to tell whether the fraud was occasioned by the Bank’s or the customer’s negligence.
However, this article attempts to set out some basic forms of electronic fraud, how they happen and how they can be avoided or at least mitigated, and the nature of facts and evidence that Courts might normally interest themselves in when faced with such cases.
Whereas it is truly difficult to avoid being a victim of digital fraud, this article discusses how a bank and a customer can shield themselves against financial loss caused by digital fraud.
[4] In Aida Atiku v Centenary Bank HCCS No. 0754 of 2020, the High Court of Uganda observed that the party who is best placed to prevent a fraudulent activity will bear the loss, and that the defendant Bank had put in place commercially reasonable security features which the account holder had jeopardised. Although this judgement was rightly made based on the evidence presented by both parties, it imposes an unfair and commercially discriminatory advantage for financial institutions over customers. It is therefore important that every case be approached based on its own unique facts.

2. Introduction.

• Meaning and Scope of Electronic Banking.
The term electronic banking (e-banking) may be defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels (Buchanan, 2010). E-banking includes, but is not limited to, the systems that enable financial transactions and the modes of payment used by customers, individuals or businesses to access accounts, transact business, or obtain information on financial products and services through a public or private network, including Automated Teller Machines (ATMs) used together with a Personal Identification Number (PIN), Internet banking and Mobile Banking.[5]
There are five basic services associated with e-banking: viewing account balances and transaction histories; paying bills; transferring funds between accounts; requesting credit card advances; and ordering cheques. These allow faster service from both domestic and foreign banks.
• The forms of electronic banking.
E-banking is mainly comprised of internet and mobile banking. Internet banking involves conducting banking transactions such as account enquiry, printing of statements of account, funds transfer, payments for goods and services, etc., over the internet using electronic tools such as a computer or a smartphone, without visiting the banking hall.
E-commerce is greatly facilitated by internet banking and is mostly used to effect payment. Internet banking also uses the electronic card infrastructure for executing payment instructions and for final settlement of goods and services over the internet between the merchant and the customer. Currently the most common internet payments are for consumer bills and purchase of air tickets through the websites of the merchants.[6]
In modern day banking, customers rely heavily on the internet for their banking business, a practice which has led to an increase in the number of electronic bank fraud cases. It has been argued that electronic banking continues to provide a huge opportunity for hackers and fraudsters to attack Banks and customers.[7]
Further research even shows that the internet enables criminals to strategise as a network, supporting each other in their attacks. More particularly, fraudsters are interested in accessing customers’ bank accounts by navigating electronic systems through security breaches. Some prevalent practices for illegitimately accessing bank customer data use a method termed “phishing.” Phishing is where a hacker sends an e-mail from an allegedly credible source, either to a bank or to its customer, requesting sensitive information such as the customer’s username or password.[8]
As for mobile banking, this involves the use of a mobile phone to settle financial transactions. It is observed that mobile banking supports person to person transfers with immediate availability of funds for the beneficiary. Payments through mobile banking use the card infrastructure for movement of payment instructions as well as secure Short Message Service (SMS) messaging for confirmation of receipt to the beneficiary.
It is further argued that mobile banking is meant for low value transactions where the speed of completing the transaction is key. The services covered under this product include account enquiry, funds transfer, recharge of phone accounts, changing of passwords and bill payments.[9]
In Uganda, the mobile money market has been a playground for fraudsters, with an average of at least 100 mobile money users losing money every week. Indeed, a survey on the Agent Network Accelerator in Uganda conducted by the Helix Institute of Digital Finance (2013) revealed that one of the biggest challenges of mobile financial services is the high risk of fraud.[10]
Mobile banking fraud may be categorized into consumer driven fraud, agent driven fraud, business partner related fraud and mobile financial service provider fraud. Consumer driven fraud refers to fraud that is initiated by fraudsters posing as customers and is the most common type of mobile fraud. Agent driven fraud is perpetrated from within the agent network and is initiated and operated by agents or their employees. Business partner driven fraud describes the fraudulent activities perpetrated by bank staff on the bank, bank staff on customers or bank staff on the mobile money operator.[11]
It goes without saying that electronic banking is intended to offer a wide range of advantages and opportunities in the banking sector to ensure that work is carried out effectively and efficiently. It is argued that its adoption would improve three critical domains in any banking institution: efficiency, quality, and transparency.
3. Forms of Digital/electronic Fraud.
The longer people spend online and the more personal data they give out to various online sites, the more susceptible they become to such scams.
• Impersonation Scams.
Recently, impersonation scams, where hackers pretend to be from a trusted source, contact victims and trick them into moving their money to that contact, have become very common.
Fraudsters impersonate organisations such as telecom service providers, banks, beverage and alcohol companies, government departments, among others, via phone calls, texts, emails, fake websites and social media posts to trick people into handing over their personal and financial information, which is then used to convince the Banks holding the customers’ accounts to effect payments.
There are also fraudsters who use romance scams to lure their victims into thinking that their loved ones are in urgent need, thereby giving them access to their personal information or even sometimes innocently sending money to these (illegitimate) "lovers." Some fraudsters will even befriend the victim in an effort to gain their unsuspecting trust.[12]
• Bank CEO Fraud.
There is also a form of fraud that has grown most recently, commonly termed “CEO Fraud.” Here, a scammer normally sends an email, often to the business accounts department of a Bank, pretending to be from a senior staff member and asking for an urgent payment to be made to a supplier, partner or customer. These are not yet very common here but are prevalent in developed jurisdictions.
• Leveraging trends in current promotions and other current affairs.
It is important to note that fraudsters often leverage current affairs to trick their victims into falling prey. For example, hackers always look out for periods when business entities are running promotional activities. Telecom companies like MTN and Airtel normally run promotions to give back to their customers, or to promote a particular service that is being brought to the market. In such promotions, customers will normally win monetary and non-monetary rewards. Scammers will therefore use such an opportunity to trick innocent people into providing their personal information, which the scammers then use to make unauthorized transactions on a victim’s Bank account.
• Number spoofing and overriding caller IDs.
According to the United States Federal Communications Commission, spoofing happens when a caller deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Hackers often use neighbor spoofing so it appears that an incoming call is coming from a local number, or spoof a number from a company or a government agency that you may already know and trust.
When you answer the call, they use scam scripts to try to steal your money or valuable personal information, which can then be used in fraudulent activity. A victim may not be able to immediately tell if an incoming call is spoofed; it is therefore advisable not to answer calls from unknown numbers, and if one answers the call and the caller seems suspicious, one should hang up immediately.
 Sending malicious links.
According to the Reserve Bank of India, pushing out a malicious
link is one of the simplest methods that scammers use to access
your personal information. They may create a fake website which
looks like an existing genuine one, for instance a bank’s website
or search engine, fake e-commerce websites or even fake social
media accounts.
The links are then circulated by fraudsters through text messages
or via social media sites. The links are masked through seemingly
authentic names of websites, but in reality, the customer gets
redirected to a phishing website. When a customer enters his or
her secure credentials on the website, the same are captured and
used by fraudsters.
Another form is the sharing of malicious mobile apps, where links are engineered in such a way that the customer is redirected to download an unknown application. Once the app is installed on the customer’s phone, the fraudster gains complete access to the device and is able to watch and control the phone in order to obtain the customer’s financial credentials.

4. Preventing/mitigating Risk.

• Take time to re-read a message.
Fraudsters will try to make a customer move money quickly by pretending that his or her cash is at risk or that the customer is about to miss out on a once-in-a-lifetime opportunity. According to Paul Maskall, the fraud and cybercrime prevention manager at UK Finance, they create a sense of “urgency, authority and scarcity” to put pressure on victims. Their schemes often work because people are always distracted by the endeavours of daily life.
If a customer feels under pressure to make a rapid decision, it is
advisable that they take a moment to assess the situation and be
able to carefully take action.
Taking your time to reread a message can help you spot a
potential scam. For instance, a fraudulent text may include
spelling mistakes, while an email may be from a slightly different
address to that of a legitimate person or company.
Normally, banks will never call a customer asking them to move
money into a new account, therefore a customer must be able to
resist any form of pressure from a caller to do so.
A more recent trend has been fraudsters pretending to be family
members on WhatsApp and asking to borrow money or to be sent
money “because they are in an emergency.” If a customer gets a
message like this, instead of quickly transferring the cash, a
customer can check whether such a message or request is
genuine by taking time to contact the actual family member via
another channel.
• Ignore suspicious links.
Given the advancement in technology, information moves faster on the internet and across communication and social media platforms than ever before. It is not advisable for a customer to click on links in texts or emails, even if the message appears to come from a company or person you trust. Opening links without careful thought can greatly expose your personal information to a hacker and thereby make it easy for the hacker to gain unauthorized access to your bank accounts.
A customer should therefore ignore any message sent to their phone or computer via text or email asking them to click on a link, even if it does not look like a scam they recognise, until they are sure it is legitimate.
One way to be sure is to call back on an official phone number if a customer is unsure about a caller’s identity. If you were not expecting a call and cannot be completely sure who you are speaking to, hang up immediately and find the official phone number to call the person back.
Fraudsters can override caller ID, so even if a customer gets a call
from a number they recognize, they should not necessarily trust
such a call. Number spoofing also allows hackers to take over
text chains or infiltrate an account command system with a
victim’s bank.
Similarly, if a third party that a customer has probably been
dealing with asks a customer for money over text or email, or tells
the customer that their payment details have changed, even if it is
someone a customer knows, a prudent customer should call
them on a trusted number before making any payments or
commanding the Bank to do so.
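As an added illustration (not code from the original article), the check below puts the advice of this section into practice on the customer's or the bank's side: it pulls the sender address and every link out of a message and compares each host against the domains the customer genuinely trusts, flagging look-alike spellings (such as a digit 1 in place of the letter l), a trusted name buried inside a foreign host, and hosts it has never heard of. The trusted domains, the confusable-character table and the sample message are all constructed for the example.

```python
"""Flag a message whose sender or links do not belong to the institution
they appear to come from. Added example, not code from the article; the
trusted domains and sample message are constructed."""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the customer genuinely expects mail from.
TRUSTED_DOMAINS = ("examplebank.ug", "telco.example")

# Character swaps fraudsters use so a forged name reads like the real one.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def normalize(host):
    """Undo common look-alike tricks so 'examp1ebank.ug' and 'exarnplebank.ug'
    both compare equal to 'examplebank.ug'."""
    host = host.lower().rstrip(".")
    return host.translate(CONFUSABLE_DIGITS).replace("rn", "m").replace("vv", "w")


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """'trusted' for a genuine host, otherwise why it is suspect."""
    host = host.lower().rstrip(".")
    if any(belongs_to(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    normalized = normalize(host)
    for d in TRUSTED_DOMAINS:
        if belongs_to(normalized, d):
            return "lookalike"   # spelled to resemble the real domain
        if d in host:
            return "embedded"    # real name used as a decoy inside another host
    return "unknown"


def scan_message(sender, body):
    """Return (kind, value, verdict) for every sender or link that is not
    clearly trusted; an empty list means nothing to flag."""
    findings = []
    match = EMAIL_RE.fullmatch(sender.strip())
    sender_host = match.group(1) if match else sender
    verdict = classify_host(sender_host)
    if verdict != "trusted":
        findings.append(("sender", sender, verdict))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append(("link", url, verdict))
    return findings


# Constructed sample message in the style the article describes: a look-alike
# sender, a decoy link carrying the bank's name, and one genuine link.
SAMPLE_SENDER = "alerts@examp1ebank.ug"
SAMPLE_BODY = (
    "Your account is at risk. Confirm now at "
    "https://examplebank.ug.secure-verify.example/reset or use the usual "
    "portal https://online.examplebank.ug/login within 1 hour."
)

if __name__ == "__main__":
    for kind, value, verdict in scan_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{kind}: {value} -> {verdict}")
```

The "embedded" verdict is the one customers most often miss: the host really does contain the bank's name, but the part that matters is the end of the host name, and that belongs to someone else. A real deployment would extend the confusable table and use the public-suffix list for registrable domains; the logic stays the same.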

• Constantly keep a keen eye on your security settings.
If hackers access your emails or social media profiles, they can
get personal information to help them convince you the scam is
legitimate. These tactics are normally used by invoice scammers,
who hack emails to intercept messages to a trusted party. They
can then take over the email thread and mimic the style of writing
to convince you to transfer a large sum of money to a new bank
account or a new number, different from that you were used to.
Make sure you have strong passwords on your email and social media accounts, and do not use the same one on more than one account, so that one compromised password does not expose the others. Use a password manager if you struggle to remember passwords.
• Make all attempts to ensure you are paying the right person.
Additionally, if you have decided the person you are dealing with is
legitimate, you should still be cautious before handing over any
money or personal information. You could, for example, transfer a
very small amount of money first and then call the (real) intended
recipient to check whether it has reached their account.
Whereas some banks will alert you if the account details you are
sending money to do not match up with the information they have
on file, which can help you avoid losing money, other banks may
not have systems in place which can perform such key functions.
It is therefore important that every Bank puts in place a modern
and state of the art security system to cater for such risks.
Most importantly, if you accidentally end up falling for a scam, it
is advisable that you act with immediate effect. The faster you act,
the more likely you are to get your money back.
Call your bank immediately as it may be able to block money from
leaving your account if the payment has not gone through yet.
Banks can try to get your money back from the fraudulent
account before the con artist moves it on.
5. Specific technical measures that Banks may adopt.

• Build a VLAN for all internet banking servers with their access based on the principle of least privilege.
According to TechTarget, a Virtual Local Area Network (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group.
A Local Area Network is a group of computers or other devices in
the same place, that share the same physical network.
If you are a banker operating electronic banking, it is highly recommended that you build a Virtual Local Area Network (VLAN) for all your internet banking servers, with access based on the principle of least privilege. The principle of least privilege, an important concept in computer security, is the practice of limiting the access rights of users, accounts and computing processes to only those needed to do the job at hand.
Regardless of how technically competent or trustworthy a user is, the principle of least privilege can reduce cybersecurity risk and prevent data breaches. According to Forrester Research, 80% of data breaches involve privileged credentials.
The principle of least privilege limits a user account or system function to the set of privileges essential to perform its intended function. By strictly limiting who can access its critical systems, a Banker can reduce the risk of intentional data breaches and unintentional data leaks.
The other important consideration for Bankers would be to adopt
system logging methods that provide reasons or feedback
whenever there is any issue with a transaction.
• Adopt and improve Security Operations Centres (SOCs).
Additionally, bankers should adopt (or improve, for those that already have one) a security operations centre (SOC). A security operations centre is a centralized function within an organization employing people, processes and technology to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
A SOC acts like the hub or central command post, taking in telemetry from across an organization’s IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The SOC is normally led by a SOC manager, and may include incident responders, SOC analysts, threat hunters and incident response managers. With a SOC in place, unauthorized log-ins into customers’ accounts can be detected and, where possible, prevented.[13]
• Export critical logs to an external log collector.
If a Banker conducts electronic banking, it is prudent that it adopts this approach in its system. This enables the Banker to easily conduct a forensic audit in case of a security breach, to ascertain the source of the breach.
A system without this approach stands the risk of having all logs on its affected servers irrevocably cleared by a hacker. Some suitable choices include security information and event management (SIEM) or security orchestration, automation and response (SOAR) platforms.
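The SOC and log-export measures above are only useful if someone runs detection logic over the collected logs. As an added example (not code from the article, and not any particular SIEM's rule language), the script below parses login records of a constructed format and raises two alerts the article's concerns map onto: a login that succeeds straight after a burst of failures from the same address, and a login from a device the customer has never used before. The log lines, the known-device baseline, the IP addresses (documentation ranges) and the thresholds are all constructed; a bank would run the same logic on its collector, where a hacker who wipes the application server cannot reach the copy.

```python
"""Detection logic a bank SOC could run over authentication logs that
have been shipped to a central collector. Added example, not code from
the article; the log format, log lines, baselines and thresholds are
constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one line per login attempt, as the banking
# application would emit it to the external collector.
LINE_RE = re.compile(
    r"(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) device=(?P<device>\S+)$"
)
FAIL_THRESHOLD = 5                   # failures that make a following success suspicious
FAIL_WINDOW = timedelta(minutes=10)  # how far back failures are counted


def parse(line):
    """Turn one log line into a dict, or None if it is not a login record."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, known_devices):
    """Return (rule, user, detail) alerts for two patterns: a login that
    succeeds right after a burst of failures from the same address, and a
    login from a device the customer has never used.
    known_devices maps user -> set of device ids seen before (not modified)."""
    alerts = []
    recent_fails = defaultdict(deque)   # ip -> timestamps of recent failures
    seen = {user: set(devs) for user, devs in known_devices.items()}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        fails = recent_fails[event["ip"]]
        while fails and event["ts"] - fails[0] > FAIL_WINDOW:
            fails.popleft()             # forget failures outside the window
        if event["result"] == "FAIL":
            fails.append(event["ts"])
            continue
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success-after-failures", event["user"],
                           f"{len(fails)} failures from {event['ip']} before success"))
            fails.clear()
        devices = seen.setdefault(event["user"], set())
        if event["device"] not in devices:
            alerts.append(("new-device", event["user"],
                           f"device {event['device']} from {event['ip']}"))
            devices.add(event["device"])
    return alerts


# Constructed sample: a customer's normal login, then a burst of guesses
# from an unfamiliar address that finally succeeds on an unknown device.
SAMPLE_LOGS = [
    "2022-09-21T08:00:01Z login result=OK user=ckato ip=192.0.2.9 device=phone-ck",
    "2022-09-21T08:05:10Z login result=FAIL user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T08:05:14Z login result=FAIL user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T08:05:19Z login result=FAIL user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T08:05:25Z login result=FAIL user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T08:05:31Z login result=FAIL user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T08:05:40Z login result=OK user=ckato ip=203.0.113.7 device=web-x1",
    "2022-09-21T09:15:00Z login result=OK user=anakato ip=192.0.2.4 device=phone-an",
]
KNOWN_DEVICES = {"ckato": {"phone-ck"}, "anakato": {"phone-an"}}

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOGS, KNOWN_DEVICES):
        print(f"[{rule}] {user}: {detail}")
```

On the sample the 08:05:40 login fires both rules at once, which is exactly the event a SOC analyst wants in front of them while the session is still live: the bank can step up authentication or freeze the session rather than discover the fraud from a customer complaint.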
• Adopt internet banking software that focuses more on security than on user friendliness.
Bankers must also adopt internet banking software that focuses more on security than on being user friendly; if a piece of software can achieve both, so much the better. This kind of approach helps the Bank increase its control over its systems.
• Provide sophisticated modes of making electronic payments to third parties.
In regard to digital payments, rather than requiring a customer to share their credit card number directly, the Banker may provide a merchant-specific encrypted token for every transaction requested by the customer. This is even safer where the customer is transacting with a third party, for instance when paying for an item online. In the event that the third party’s security suffers a data breach, the customer’s payment information would not be readily readable to hackers and thus their personal information kept with the bank would stay safe.
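To make the tokenization idea concrete, here is an added example (not the article's code and not any particular card scheme's implementation) of the vault a bank would keep on its own side. The merchant only ever receives a token; the vault releases the real card number once, only to the merchant the token was issued to, and only for the amount the customer authorised, so a token lifted from a breached merchant's database is worthless to anyone else. The vault layout, merchant ids and test card number are constructed for the example.

```python
"""Merchant-specific, single-use payment tokens issued by a bank so that
a merchant never holds the customer's real card number. Added example,
not code from the article; the vault layout, merchant ids and the test
card number are constructed for illustration."""
import secrets


def luhn_valid(pan):
    """Standard Luhn check on a card number string, so the bank rejects
    mistyped numbers before tokenizing them."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(pan):
    """What a merchant receipt may show: only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Kept inside the bank. Maps each issued token to the real card number,
    the merchant it was issued for and the authorised amount."""

    def __init__(self):
        self._entries = {}

    def issue(self, pan, merchant_id, amount):
        """Create a fresh token for one payment to one merchant."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random, so the token reveals nothing about the PAN even if leaked.
        token = f"tok_{merchant_id}_{secrets.token_hex(12)}"
        self._entries[token] = {"pan": pan, "merchant": merchant_id, "amount": amount}
        return token

    def redeem(self, token, merchant_id, amount):
        """Resolve a token to the PAN for settlement. Returns (pan, reason);
        pan is None when the redemption is refused. A token works once,
        only for the merchant it was issued to, and only for the amount
        the customer authorised."""
        entry = self._entries.get(token)
        if entry is None:
            return None, "unknown or already used token"
        if entry["merchant"] != merchant_id:
            return None, "token was issued to a different merchant"
        if entry["amount"] != amount:
            return None, "amount does not match the authorised payment"
        del self._entries[token]        # single use: cannot be replayed
        return entry["pan"], "ok"


TEST_PAN = "4111111111111111"   # well-known test card number, passes Luhn

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.issue(TEST_PAN, "shop-a", 50000)
    print("merchant stores only:", token, mask(TEST_PAN))
    print("shop-b using a leaked token:", vault.redeem(token, "shop-b", 50000)[1])
    print("shop-a for the wrong amount:", vault.redeem(token, "shop-a", 60000)[1])
    print("shop-a settles:", vault.redeem(token, "shop-a", 50000)[1])
    print("shop-a replays it:", vault.redeem(token, "shop-a", 50000)[1])
```

Each refusal carries a reason string, which is the kind of feedback the article asks a bank's logging to provide when a transaction goes wrong; in production the vault's storage would itself be encrypted and access-controlled, but the merchant-binding and single-use checks are what limit the damage of a third-party breach.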

• Other key considerations include the following:
Adopt remote log-ins to internet servers that require the use of certificates rather than passwords. Certificates are far less susceptible to brute force attacks, unless the private keys are shared or stolen.
Bankers should also adopt system approaches that restrict customers to mobile banking from only the one number the customer has registered with the bank, and not from any other. Where a transaction instruction is to pay a different person, not the customer himself or herself, then by all means let the money first be transferred to the customer’s own mobile phone account.
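The registered-number and own-account-first rules above are a policy a bank's mobile banking back end can enforce mechanically, and they pair naturally with the earlier recommendation that the system log a reason whenever a transaction is refused. The following added example (not code from the article) implements that policy as an authorization function whose every decision carries a reason and a routing plan, plus the audit line the bank would ship to its log collector. The customer record and phone numbers are constructed placeholders.

```python
"""Authorization policy for mobile banking instructions: an instruction is
accepted only from the one number the customer registered with the bank,
and a payment to anyone else is first routed through the customer's own
mobile account. Every decision carries a reason for the bank's logs.
Added example, not code from the article; the customer record and the
phone numbers are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Customer:
    account_no: str
    registered_msisdn: str      # the one number allowed to instruct the bank
    own_wallet: str             # the customer's own mobile money number


@dataclass
class Decision:
    allowed: bool
    reason: str
    route: list = field(default_factory=list)   # hops the money takes, in order


def authorize(customer, originating_msisdn, destination, amount):
    """Decide whether an instruction may proceed and how the money moves."""
    if originating_msisdn != customer.registered_msisdn:
        return Decision(False, "instruction came from a number not registered for this account")
    if amount <= 0:
        return Decision(False, "amount must be positive")
    if destination == customer.own_wallet:
        return Decision(True, "transfer to the customer's own mobile account",
                        [customer.own_wallet])
    # Third-party payment: stage it through the customer's own wallet first,
    # so the money lands on the customer's own phone before it leaves.
    return Decision(True, "third-party payment staged via the customer's own mobile account",
                    [customer.own_wallet, destination])


def audit_line(customer, originating_msisdn, destination, amount, decision):
    """One log line per decision, reason included, for the external collector."""
    status = "ALLOW" if decision.allowed else "DENY"
    route = ">".join(decision.route) or "-"
    return (f"{status} account={customer.account_no} from={originating_msisdn} "
            f"to={destination} amount={amount} route={route} "
            f"reason=\"{decision.reason}\"")


# Constructed customer record; the numbers are placeholders, not real subscribers.
ALICE = Customer("0010002000", "+256700000001", "+256700000001")

if __name__ == "__main__":
    requests = [
        ("+256700000001", "+256700000001", 20000),   # own wallet, registered number
        ("+256700000001", "+256700000099", 20000),   # third party, registered number
        ("+256700000042", "+256700000099", 20000),   # third party, unknown number
    ]
    for src, dst, amt in requests:
        decision = authorize(ALICE, src, dst, amt)
        print(audit_line(ALICE, src, dst, amt, decision))
```

The denied instruction from the unregistered number is the case worth watching in the logs: a steady trickle of such denials against one account is an early sign that someone other than the customer holds their credentials.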

6. Conclusions.
Given the major concerns that customers continue to express
constantly losing their money through unknown transactions on
their bank accounts, banks and other micro-finance institutions
need to strengthen their security posture with state of the art
security features that can help mitigate the frequency and severity
of data breaches.
By investing in advanced technologies, banks can capitalize on
customers’ growing interests in digital banking right now and
more importantly, keep their customer base for long. Therefore,
considering security systems built on highly secure and trusted
identities of data and payments should be every Banker’s area of
priority, moving forward.
Finally, it is without doubt that a bank owes a fiduciary duty of
care to their customer, at all times whenever transacting with
them. Therefore, it is important that Banks take an extra step to
not only provide information but also educate their customers.
Although a customer does not need to know the complex and
technical aspects of their Banker’s security systems, the Banker
still owes them a great duty to avail them with all necessary and
helpful education about its institutional security mechanisms
aimed at protecting their accounts and how best they can benefit
from it.
Banks should not just teach customers basic security measures like usernames and passwords, security questions, two-factor authentication and fingerprint recognition, but should go the extra mile to educate them on advanced security features like biometric authentication methods, among others.
In any event where fraud has transpired and the money has been
lost, then a customer may initiate a formal complaint procedure
to their bank and if the Bank does not help, the customer may
resort to Court and sue the Bank for breach of fiduciary duty. Of
course, the success of the suit will largely depend on the
circumstances of each case.
-Cross references-
1) Wisdom, K. (2012). The Impact of Electronic Banking on Service Delivery to Customers of Ghana Commercial Bank.
2) The Bank of Uganda Financial Stability Report (2015-2016).
3) Bank of Uganda Quarterly Financial Stability Review, March 2022.
4) Aida Atiku v Centenary Bank HCCS No. 0754 of 2020.
5) Gates, T. and Jacob, K. (2009). Payments fraud: perception versus reality – a conference summary. Economic Perspectives. Vol. 33 No. 1, pp. 7-15.
6) Littler, D. and Melanthiou, D. (2006). Consumer perceptions of risk and uncertainty and the implications for commercial banks.
7) Gates, T. and Jacob, K. (2009). Payments fraud: perception versus reality – a conference summary. Economic Perspectives. Vol. 33 No. 1, pp. 7-15.
8) Ebiringa, O. T. (2010). Automated Teller Machine and Electronic Payment System in Nigeria: A Synthesis of the Critical Success Factors. Journal of Sustainable Development in Africa, 12 (1): 71-86.
9) Sathye, M. (1999). Adoption of Internet banking by Australian consumer: An empirical investigation. International.
10) A survey on the Agent Network Accelerator in Uganda; Helix Institute of Digital Finance (2013).
11) Mudiri, J. L. (2014). Fraud in Mobile Financial Services. Microsave Publications: Kampala. Muhammad, A. K. (2009). An empirical study of automated teller machine service quality and customer satisfaction in Pakistani banks. European Journal of Social Sciences, Vol. 13 No. 3, pp. 333-344.
12) https://www.theguardian.com/money/2022/jun/29/uk-victims-lost-13bn-in-2021-amid-surge-in-online-new-data-shows
13) What is a Security Operations Centre (SOC), accessed on www.trellix.com on Thursday September 22, 2022 at 12:35 pm.
