Cops believe black-sheep bank workers may be in cahoots with scammers
PETALING JAYA: Scammers posing as bank officials seem to have access to sensitive information, which raises the question: are they in cahoots with black sheep within financial institutions?These scammers seemed to be aware of the personal and financial information of people they target, using it to convince victims into buying into the ruse and parting with their funds.
Victims in several reported cases said the scammers appeared to be aware of details of their account balance and other data that was only known by their financial institutions.
Bukit Aman Commercial Crimes Investigations Department (CCID) director Comm Datuk Seri Ramli Mohamed Yoosuf said while scammers usually “fish” for information and adopt various deceptive tactics to hoodwink their victims into sharing information about themselves, police do not rule out the possibility of bank employees colluding with syndicates and feeding them such confidential data.
“We do not discount the possibility and probabilities of such complicity occurring. It can happen in any organisation, even in the police force or other enforcement or government agencies.
“There is probably no organisation that is pristine. There are bound to be bad apples among employees. However, we need solid evidence to prove this,” he told The Star.
ALSO READ : Calls for banks to bolster cyberdefences
Comm Ramli advised the public to regularly keep tabs on their accounts and promptly raise the alarm with the relevant authorities if they discover any discrepancies.
The same scrutiny should be applied by those who own assets such as land or other immovable property, he added.
In November last year, retiree SA Nathan received a call from a scammer who posed as a bank officer, just an hour after he called his bank to enquire about his credit card statement.
Thinking it was a genuine call from the bank, the 95-year-old divulged some banking information and ended up losing RM18,000 that was siphoned off from his credit card.
ALSO READ : Banking industry working with regulators, agencies to enhance customer security
Confused by the whole episode and in an attempt to seek clarification, the nonagenarian referred the scammer to his daughter, Getrude Nathan, 56.
The housewife received a call from the same scammer and was coaxed into revealing sensitive data. She lost RM20,000 that was charged to her credit card.
Depressed and overcome by their losses, Nathan who was in ill health at the time, passed away weeks later when his condition deteriorated.
In February, a 51-year-old man was puzzled as to how scammers found out about cash deposited into his bank account just days after he made a withdrawal from his Employees Provident Fund (EPF) account.
Fortunately, the man was suspicious and hung up.
ALSO READ : Bank Islam stops 1,632 fraudulent transactions, nearly RM11.7mil saved in four months
In March, two bank officers were arrested by Selangor police for allegedly aiding a scam syndicate in an online fraud. The duo allegedly supplied the scammers with dozens of mule bank accounts meant for moving funds from victims.
In 2014, a bank officer and her husband, both aged 34 at the time, were arrested and charged with fraudulently withdrawing almost RM78,000 from bank accounts belonging to three passengers and a crewmember of the ill-fated MH370 Beijing-bound flight that went missing on March 8 the same year.
Nur Shila Kanan, who was an employee of a bank at Lebuh Ampang, Kuala Lumpur, had transferred the funds to several other accounts before making withdrawals.
She was sentenced to six years’ jail while her mechanic husband Basheer Ahmad Maula Sahul Hameed received a four-year jail term and ordered to be whipped.
ALSO READ : What is vishing? New scam is making the rounds and you’re likely a target
The Association of Banks in Malaysia (ABM) said banks implement regular audits to examine transaction records and internal activity by employees while ensuring compliance with regulatory requirements.
ABM said these audits do not only identify potential security vulnerabilities but also ensure that bank staff observe statutory protocols.
It said upon employment, bank staff are bound by Section 133 of the Financial Services Act 2013 and Bank Negara Malaysia’s Management of Customer Information and Permitted Disclosures Policy Document. They are trained to uphold banking secrecy and possess knowledge on information security risk.
ABM also said access to personal customer information is strictly controlled and only limited to employees who require it in the course of performing their official duties.
It added that access is granted on a “need to know” and “need to use” basis to authorised personnel, who are subjected to strict authentication processes.
“Employees are granted access only to the specific systems and data needed to perform their job duties.
“Among the authentication procedures are the use of unique usernames and passwords to verify the identity of staff members.
“Comprehensive logging and monitoring systems can track and oversee when and who accessed sensitive or a specific data.
“These permissions are regularly reviewed and updated.
“Banks continuously monitor user activity within their systems, including tracking login attempts, accessed data and account modifications.
“All actions involving customer data are meticulously logged and recorded in audit trails, ensuring accountability. Such access to data is revoked when the bank staff is reassigned to other sections or leaves the organisation,” an ABM spokesman said.
It said banks also had whistleblower programmes where employees are encouraged and can anonymously report any suspicious activities or potential collusion with shady parties.
The spokesman said such reports are treated seriously and thoroughly investigated.
Calls for banks to bolster cyberdefences
PETALING JAYA: With rising cases of online fraud and unauthorised access of personal data, financial institutions should upgrade their security systems and engage cybersecurity experts to address such threats, said criminologist Datuk Dr P. Sundramoorthy.
He said apart from rogue bank officials complicit with scam syndicates, the other threat to sensitive data leakage are online hackers.
“Crime prevention initiatives and strategies do come with a cost. However, the mid-term and long-term benefits will eventually outweigh this cost.
“Banks must prioritise security and protect its customers by all means before more fall victim,” said Sundramoorthy, who is with Universiti Sains Malaysia’s Centre for Policy Research.
He said securing confidential information by having a comprehensive and multi-layered approach to cybersecurity and data protection is a primary security step banks should adopt.
He said there are several ways banks can help protect the personal financial data of their customers such as strong encryption, secure servers, firewalls and keeping software up to date to prevent data breaches.
Sundramoorthy told The Star that strict policies and regulations restricting access to customer data should be a bank’s priority.
He said banks should also limit which employees can access sensitive customer information and have strict data access policies in place.
“They must have a system using multi-factor authentication. There should be multiple steps to verify a user’s identity, such as a password plus a one-time code, making it harder for unauthorised access. There must also be frequent and consistent monitoring of transactions and accounts, alerting customers promptly if any suspicious activity is detected,” he stressed.
Sundramoorthy said banks should also constantly educate its clients on online security, to identify scams and other measures to protect their data and not solely rely on law enforcement to keep the public in the know.
Certified fraud examiner Raymon Ram, who specialises in financial forensics and fraud risk management, said the recent arrest of two bank officers who allegedly aided a scam syndicate underscores the importance of cybersecurity protocols.
The bank officers were nabbed in March for aiding a scam syndicate in online fraud.
Selangor police believe they supplied scammers with dozens of mule bank accounts meant for moving funds from victims.
Raymon said while banks in Malaysia had stringent security protocols to protect customer’s data, the case proved there were vulnerabilities that can be exploited through insider threats, corruption or online hacking.
“The risk of corruption and hackers exists and cannot be entirely discounted. Continuous improvements in cybersecurity protocols, adherence to standard operating procedures and rigorous enforcement of the Financial Services Act (FSA) 2013 are essential to mitigate these risks and maintain public trust in the financial system,” Raymon said.
He said the Personal Data Protection Act (PDPA) 2010, guidelines from Bank Negara and the FSA collectively provide a robust legal framework to safeguard customer data. He said the FSA mandates strict regulatory compliance, internal controls and oversight mechanisms to prevent misuse of information and ensure accountability within financial institutions.
Related stories:
Banking industry working with regulators, agencies to enhance customer security
Bank Islam stops 1,632 fraudulent transactions, nearly RM11.7mil saved in four months
What is vishing? New scam is making the rounds and you’re likely a target
Own a SME? Here’s 4 things you need to know about cybersecurity
‘Cyber security’ announcements to support AI framework
Cybersecurity reality check: How prepared are M’sian companies at warding off attacks?
Rightways 