Caribbean Cybercrime Cost Scotiabank US$ 150Mn

2369
Scotiabank downtown Kingston lost over US$ 150mn in nine months due to debit and credit card fraud which continues to wreak havoc in the banking industry.

From annoying spam that clogs up your junk folder to phishing emails asking for personal details or spreading viruses, if you’ve used a computer in the last decade, chances are you’ve been a victim of cybercrime.

Cybercrime is unfortunately a part of the digital landscape, but its impact goes far beyond just a few tiresome junk emails. Hacking, identity theft, data theft and even the financing of terrorism — cybercrime is a pervasive and dangerous online threat that is causing concern in the Caribbean as digital criminals find and exploit gaps in the region’s technological capability.

What is Cybercrime?

Cybercrime is a wide topic. The term covers any criminal activity carried out through a computer and usually involving illegal access, manipulation or sharing of data. Every business that uses the internet is at risk, but the threat is especially concerning to two of the Caribbean’s biggest industries: tourism and financial services. 

Companies working in both these sectors deal with large volumes of data flowing across borders and networks. They rely on their ability to offer clients security and privacy and stand to lose millions from a breach in their systems, not to mention the ongoing reputational cost of a high-profile incident. In one of the most grievous examples, debit and credit card fraud cost Scotiabank Jamaica US$ 150mn in 2014.

Governments too should be concerned. Public bodies keep a large volume of personal data on file while revenue-collecting agencies handle significant financial transactions daily. And with the recent drive to increase efficiencies in the public sector through greater uptake of technology, the risks and vulnerabilities are increasing. In 2015 a Tunisian Islamist activist group hacked into two ministry of tourism websites in the Bahamas and, that same year, the government website of St Vincent and the Grenadines was hacked by a group claiming allegiance with the Islamic State.

The exposure these cases received in the media, compounded by higher incidences of phishing as that technology becomes increasingly advanced, has left businesses in Saint Lucia wary, according to the ICT Association of Saint Lucia (SLICTA). “[There is] decreased confidence in broadening online activity,” says SLICTA Vice President Gerry George. “A significant breach or ransom demand can severely affect the finances of small to medium-sized firms. There is great risk to businesses since the levels of preparation tend to be lower in our region.”

The SLICTA says it is difficult to pinpoint patterns and monitor the success of cybercrime prevention because there is no clear and consistent reporting regime, nor enough data to build up a picture of the threat. The group notes, however, that email traffic in Saint Lucia follows international trends and is comprised of roughly 60% spam or junk mail, including phishing.

The Association warns of the need for “constant vigilance” among internet users and is committed to raising awareness of the threat through outreach activities such as information sessions and workshops. “The use of social media and the widespread forwarding of messages have weakened safety messages,” says George. “In this environment, hoax messages can spread much more easily. The quality of phishing messages has improved tremendously to the point where they look very authentic.”

Another area of concern is the rise of ‘hacking as a service’. Digital fraudsters can now employ the services of hackers for hire, who are selling their skills on online platforms. This allows amateur criminals to mount serious attacks that would otherwise be beyond their capabilities. Although available for some time through the dark web, this consumerisation of cybercrime is now becoming more mainstream.

How can the Caribbean protect itself?

At a recent tech forum held in Barbados, Ambassador Anthony Phillips-Spencer, Permanent Representative of Trinidad and Tobago to the Organization of American States, stressed the importance of a regional approach in combatting cybercrime, saying: “The sophisticated use of technology by highly incentivised criminal organisations has created unprecedented opportunities for transnational crime elements that no one region, country or entity can fight on its own. Inter-regional stakeholders must work together to safeguard the cyber landscape of our hemisphere.”

In 2016 government ministers, policymakers and cyber security experts from around the Caribbean met in Saint Lucia to discuss the escalating tide of cybercrime and the best regional response. The outcome of that conference was the Cyber Crime Action Plan. The strategy, which covers training, legislative and technical capacity and law enforcement, was drawn up following an assessment of security shortfalls in five Caribbean countries: Trinidad & Tobago, Grenada, Dominica, Antigua and Barbuda and Barbados.

The SLICTA is in favour of a Caribbean-wide strategy, and would like stakeholders to devise a type of early warning system whereby information can be disseminated quickly to warn others and prevent further incidents. George says: “A regional approach is critical and necessary to share and exchange information, and learn lessons from each other.”

In 2017 Saint Lucia’s government looked at the possibility of establishing a ‘cybercrime lab’ following circulation of pornographic material on social media networks. It was to be modelled on a similar concept in Jamaica but plans fizzled out.

The SLICTA would like to see more focus on cybercrime, and tougher action to deal with the threat. As George notes: “More should be done to improve crime-fighting capacity. Cybercrime is not a local or isolated issue. It must be addressed collaboratively rather than by individual companies, or by law enforcement alone. The threats, in terms of targets and sources, are global in nature and the incidents are usually not isolated.”