OP-ED: Is Cyber Fraud Breaking Frontiers?

Cyber fraud has become an issue in Uganda and is prevalent amongst persons who use mobile-enabled and online financial services such as banking, transfers, and online purchases.

Sarah Lowman writes that the computer is one of the most important revolutionary discoveries in the development of the technical-technological civilization. In only 50 years many devices for storage and processing of massive data have been discovered and enhanced. But apart from all the advantages and benefits that the computer has brought about very soon, it has also become a device for misuse in the hands of individuals, groups, or even organizations.

Cyber fraud also known as electronic fraud, is an unfortunate concept born out of using computing power and other technologies to steal money and other resources of pecuniary value from unsuspecting navigators of online spaces. This has become an issue in Uganda and is prevalent amongst persons who use mobile-enabled and online financial services such as banking, transfers, and online purchases.

Indeed, according to a Financial Sector Deepening (FSD) Report on banking and the status of financial inclusion in Uganda: Insights from FinScope 2018 Survey, 12% of persons with back accounts prefer mobile banking as the channel of choice, and 2% preferred internet banking as the mode or channel used to access banking/financial services.

But again, the online domain has transformed retail and commerce. Digital marketplaces have made goods more accessible. Specialized websites and dedicated apps have quickly multiplied and have simplified access to all types of commodities and services. The transformation of legal commerce has also been reflected in the criminal domain.

We have also recently observed a couple of trends viz; synthetic identity fraud, the use of AI-based attack vectors, the rise in fraud-as-a-service, contactless fraud from contactless mobile payments, pig butchering where fraudsters search dating and social media sites for victims and create fake accounts to interact with them inter alia.

Effects:

The impacts of a single, successful cyber fraud attack can have far-reaching implications including financial losses and loss of consumer confidence and trust. The overall monetary impact of cyber fraud on society and government is estimated to be billions of dollars a year. It is no wonder statistics estimate that cyber fraud has grown to become a hundred billion industry globally and it is expected to triple by 2025. The most outstanding effect remains the jeopardisation of financial transaction integrity.

Response of the law:

Uganda has laws that govern online conduct, transactions etcetera. The most famous is the Computer Misuse Act Cap. 96. It defines electronic fraud under Section 19 to mean deception, deliberately performed intending to secure an unfair or unlawful gain where part of a communication is sent through a computer network or any other communication and another part through the action of the victim of the offense or the action is performed through a computer network or both.

I have previously expressed reservations over the depth of this definition’s coverage vis-à-vis modern cyber fraud. Also given that this is from over 13 years ago, its spirit didn’t foresee and is out of touch with the rate of sophistication in computing power, emerging technologies, and other variables that have made the modern threat landscape murky waters for the authorities and victims.

See also: President Museveni signs the Computer Misuse (Amendment) Act, 2022 into law

On to sophistication; the modes of cyber fraud have changed over the years to also include ransomware which has become rampant these days. In my unpublished undergraduate thesis from May 2021, I argue at the time that the internet, in particular, was a great tool for scammers and other miscreants, since it allowed them to ply their trade while hiding behind a shield of digital anonymity. This posed significant challenges to law enforcement agencies, regarding their ability to investigate complex crimes, occur in a virtual environment, incorporate multiple (often international) jurisdictions, and have a very low reporting rate.

… the internet, in particular, was a great tool for scammers and other miscreants, since it allowed them to ply their trade while hiding behind a shield of digital anonymity

Fraud stats - Courtsey/Times of India
Fraud stats – Courtesy/Times of India

I have since harbored a fresh perspective that differs from that position which is that emerging technologies such as general purpose and generative artificial intelligence have made it easier for rogue cyber actors to execute their attacks in ways that are so deceptive the victims will usually never see it coming.

What needs to be done:

We need to wake up to the reality that the Internet dominates commerce, communication, and access to information. The digital transformation of our economies, societies, and private lives is progressing fast and will continue to impact all aspects of life.

From the regulators’ perspective, the Bank of Uganda (BoU) needs to continuously issue risk management guidelines to the Supervised Financial Institutions (SFIs). They also should increase oversight surveillance capacity through new methodologies of risk-based supervision as well as financial innovations in development, deployment, and use.

Increased research into the modes, and the threat vulnerabilities that allow rogue cyber actors to prey in the unsuspecting victims. This will inform efforts for continuous policy development so that laws maintain their relevance in a contemporary setting. Incidentally, an amendment of Section 19 of the Computer Misuse Act Cap. 96 will ensure that we maintain the relevance of that very provision.

Relatedly, policymakers and regulators should guide policy discussions to focus on the regulation of financial innovations. Financial innovations are on the rise and ever-evolving, this means that the lacuna will always equally be evolving and this calls for the maintenance of a robust regulatory and supervisory framework. Such a framework should possess the capability to identify threats posed by the transition and provision of prompt alleviation actions.

Training and awareness campaigns are important for all in society. There is a need for a structured training and certification program/framework for cybersecurity-related careers in Uganda. Campaigns like Beera Steady targeting users will continue to play a great role in creating awareness and vigilance around cyber fraud-related issues. As the saying goes; educated consumers are empowered consumers.

Also read:

Awareness at critical levels enables and promotes the identification and reporting of cyber fraud attacks. Conducting cyber awareness amongst the employees of these financial institutions and the law enforcement agencies such as the cybercrimes division of police on electronic fraud, investigation and as I previously opined, inculcation of threat intelligence know-how to detect these threats as and when they are posed and to devise measures to counter these threats.

The government also has an important role to play in raising funding awareness among the public and other financial and ICT service providers. This means enhancing the capacity of staff to evaluate ICT risks and conduct ICT audits. Education/awareness will go a long way in enabling us to create and curate a database of all reported cases for predictive analysis and education of the authorities to have a meaningful implementation in the investigation as well as assessing the scale of damage and threat posed by the cyber fraud scourge.

As I take leave of the matter …

Digital financial services (DFS) promise to enable financial inclusion and thus help improve people’s lives. Due to the impact of technology in the banking sector, customers are moving away from using cash and checks and relying more on electronic banking to complete transactions.

We need a proactive approach to policing online fraud in the banking sector of Uganda. This will take a concerted effort from all parties along the value chain, those that develop these technologies, the financial institutions that roll out or deploy them, the regulator, and the users of these technologies.