In a discussion with Finextra, Beate Zwijnenberg, chief information security officer at ING, shared insights on emerging trends in cybercrime and the strategies the bank employs to combat phishing and scams affecting its customers.
With a background in fraud management in the Netherlands and Belgium, Zwijnenberg now oversees cybersecurity at ING. She emphasizes that cybersecurity is a core capability of the bank, with customer trust being a top priority.
Combating Fraud
Fraudsters utilize tactics that can either frighten or confuse customers, often employing what Zwijnenberg terms “social engineering.” The bank is committed to educating its customers on the various techniques scammers use to help them avoid falling victim to fraud. ING’s strategies against fraud include enabling transaction limits, implementing robust customer onboarding and app enrollment processes, and deploying additional fraud detection methods.
Zwijnenberg notes that fraud trends frequently fluctuate, with phishing being a particularly prominent issue. “Different types of phishing campaigns emerge based on market vulnerabilities. For example, during the pandemic, many phishing campaigns targeted topics related to Covid-19 and remote work,” she explains.
The rise of open banking has introduced new opportunities for phishing scams and fraud. While advancements in embedded finance and online banking services make customers more susceptible to scams, Zwijnenberg clarifies that open banking is not the sole source of increased fraud risks. She points out that regulations like PSD2 already prompt discussions on the additional measures companies, including ING, should take to mitigate fraud risks. Although digital transformation complicates the landscape for fraud monitoring, it remains manageable.
Regarding the impact of regulation on fraud prevention, Zwijnenberg believes that harmonizing regulations across Europe would significantly improve overall efforts to combat fraud, especially for organizations operating across different jurisdictions. Standardizing compliance would streamline the process and reduce disparities among regions.
In the Netherlands, where numerous digital channels are in use, a recent initiative saw banks collaborate on a fraud awareness campaign to help customers recognize and evade common scams.
Mitigating Cybersecurity Risk
The advent of new digital pathways, such as the adoption of cloud-based services, may elevate risks for both customers and organizations. Zwijnenberg highlights that these shifts introduce new attack surfaces, increasing potential threats as reliance on digital services grows.
She points to advances in AI and machine learning that enhance cybersecurity monitoring, allowing for more effective protection based on data analysis. Addressing resilience from a customer-centric viewpoint is crucial, and ING’s efforts focus on being preventive, responsive, and detective. A key tactic for her team involves simulating attacks to identify weaknesses within their security systems.
Highlighting the human factor in security, Zwijnenberg notes, “Humans make mistakes, so quality assurance is essential. We conduct real-time testing to attack and hack our systems.” With upcoming regulations like DORA and TIBER-EU emphasizing resilience testing, she underscores the importance of performing these evaluations effectively.
Zwijnenberg advocates for transitioning from purely rule-based detection to advanced AI and machine learning models. She explains that traditional rule-based measures do not scale well and often generate excessive false positives, while more sophisticated models utilizing diverse data sources are significantly better at detecting incidents.
She concludes by pointing out that recent trends have targeted specific vulnerabilities in the market, with rapid digital transformation limiting institutions’ ability to protect themselves: “The window of opportunity to apply mitigating measures is shrinking as vulnerabilities are discovered and exploited faster than before.” Additionally, she observes, “Criminals are increasingly targeting public repositories for open source software, adapting their tactics to bypass new technologies. In response, we continually implement new measures. It’s a cat-and-mouse game where we build defenses, and they seek to breach them.”