While the two-pot retirement system gives people early access to their retirement funds, it also opens the door to cybercriminals looking for weak points, and with the rise of an AI-driven hacker tool dubbed “FraudGPT”, getting a foot in their door has become so much easier for criminals.
In a recent blog, David Luyt, a law-of-technology attorney at Michalsons Attornies, underscores the substantial cybersecurity risks associated with the two-pot retirement system. He notes that retirement funds are already an enticing target for criminals.
“Now, with the two-pot system, it’s even more attractive. The system allows millions of people to access large amounts of money simultaneously, creating new opportunities for fraudsters. They know that many requests to access funds and update banking details will overload the system, exposing it to attacks.”
Luyt argues that the quick introduction of the two-pot system has hindered retirement funds from adequately updating their cybersecurity measures.
“Many organisations haven’t had enough time to test and improve their defences, which creates opportunities for hackers to find gaps in the system and take advantage of them. The rushed introduction makes it more likely that mistakes or oversights in security will occur, putting people’s savings at risk.”
He warns that criminals are likely to attempt to deceive individuals through phishing emails and phone calls, posing as retirement fund administrators or even as the members themselves. These scams aim to steal personal information or persuade individuals to change their banking details.
“Older members or those unfamiliar with online processes are especially vulnerable to these scams. As these scams become more advanced, fund administrators must be extra cautious when handling requests to update account details or process withdrawals.”
Since the launch of the two-pot system on September 1, call centres and customer support services have been overwhelmed as more individuals seek access to their funds.
Read: Massive interest in two-pot withdrawals puts administrators to the test
Luyt cautions that this influx could result in rushed security checks or missed verification steps, making it easier for fraudsters to infiltrate the system.
“Attackers may use this opportunity to push through fake requests while the system is under pressure.”
Bad news for retirees
Designed to assist hackers in their malicious activities, FraudGPT has been lurking in the depths of the Dark Web since July last year. Similar to ChatGPT, this AI tool is powered by models trained on vast datasets, allowing it to generate human-like text from user input. FraudGPT enables aspiring cybercriminals to craft sophisticated phishing emails, develop hacking tools, and identify vulnerabilities in IT systems.
Actuary and damages expert Gregory Whittaker describes the emergence of FraudGPT as particularly bad news for retirees, who are already at significant risk of losing their retirement savings to cybercriminals.
In a prize-winning essay recently published by the US-based Society of Actuaries Research Institute in a publication titled “The Impact of Artificial Intelligence on Retirement Professionals and Retirees: A Collection of Essays”, Whittaker describes FraudGPT as “the beginning of a new era of cybercriminal at scale”.
According to Whittaker, “it is likely that we will soon see the end of badly punctuated, misspelt, misdirected and factually inaccurate phishing emails”, making it much harder to distinguish between honest communication from financial services providers and fraudulent approaches from criminals.
The US Federal Bureau of Investigation (FBI) Internet Crime Report 2023, released in March this year, shows that the majority of cybercrime victims were older than 60, having suffered losses in excess of $3.4 billion in 2023. Whittaker says that while similar research does not exist for South Africa, it is safe to assume that retirees in this country are just as vulnerable.
According to Whittaker, cybercriminals frequently target retirees because they are likely to have access to capital through retirement savings. The increasing complexity of financial products, more retirees using computers and smartphones, and scammers aided by AI create significant risks for retirees, he adds.
He says it is critically important to educate pensioners about the types of scams and also provide them with practical risk mitigation strategies that can be used to avoid cyber scams.
He recommends that employers implement social media literacy programmes and cybersecurity training for older employees in preparation for retirement.
“An important consideration is to investigate how retirement changes the social life and social network of retirees. If they have a greater propensity to turn to social media to fill the void created by no longer interacting with colleagues in the workplace, there is the potential that more personalised information will become available to scammers to harvest,” he says.
Top three scams targeting consumers
While there are many scams targeting consumers, Whittaker advises that all retirees should in particular be made aware of phishing and its more advanced version, known as spearfishing; Deepfakes and Grandparent scam (voice cloning).
He says most consumers who bank online have encountered warnings about phishing attempts, whereby criminals try to solicit information such as passwords via emails or text messages that appear to come from a reputable company. While phishing attempts are sent out widely and randomly, with the senders hoping that someone will fall for the scam, spearfishing is more targeted.
Whittaker explains that with the help of AI tools such as FraudGPT, criminals can review large volumes of data to identify potential victims and tailor messages that capture the retiree’s unique circumstances. This makes the approach even more believable for the targeted retiree, increasing the chances that confidential personal information will be shared with the criminal. He says this is an area of emerging risk for retirees.
A common deepfake scam uses images of celebrities or trusted public figures claiming on social media, Telegram, or WhatsApp to have made large profits from online trading. Retirees hoping to increase their retirement savings are tricked into signing up and parting with their money. However, when an attempt is made to withdraw “invested” funds, the accounts are locked, and the bogus investment company is gone.
In the Grandparent scam, criminals clone a younger relative’s voice using AI tools and then call the retiree, reporting an emergency like a car accident or an arrest and asking for money. He explains that in most cases, the caller requests that the call be kept secret and pressures the grandparent for immediate access to the money.
Whittaker says that while it is difficult to remain calm and think clearly when a family member calls in distress, any suspicious behaviour should prompt the grandparent to end the call and either call another family member for guidance or return the call on the number known to be genuine. Families may also want to put in place safe words for all family members to help establish that the caller is authentic.
How to reduce cybersecurity risks in the two-pot retirement system
Luyt says there are steps that both retirement funds and members can take to stay protected:
- Improve system security: Retirement funds should strengthen their defences by separating critical systems from those connected to the internet. They should also introduce multi-step verification for large withdrawals, requiring multiple approvals and short waiting periods.
- Train customer service staff: Customer service teams need better training to spot scams. Instead of focusing on speed, staff should be rewarded for careful, thorough checks to ensure they catch any fraudulent requests.
- Educate members: Members should learn about the risks of withdrawing their retirement funds and how to protect themselves from fraud. Retirement funds need to provide clear instructions on how to verify who they are dealing with, especially for older or less tech-savvy members.
- Monitor and detect threats: Retirement funds should use advanced monitoring systems to spot unusual patterns or warning signs of cyber-attacks. These systems must be updated regularly to keep up with evolving threats.
- Work together as an industry: Retirement funds should collaborate to share information about potential threats. By working together, they can strengthen their collective defences against cybercrime.
Whittaker encourages all consumers to never share sensitive information over the phone, via email or via social media, no matter what.
“Instead of asking on social media whether something or someone is legitimate, rather call the company you believe you are dealing with, check in with your financial adviser, or call the Financial Sector Conduct Authority (FSCA) to check whether the company or individual is registered,” he says.
Luyt warns that the risks from the two-pot system won’t end after the initial withdrawals.
“As these funds grow over time, they will continue to attract criminals. Retirement funds must keep improving their security, updating their systems regularly, and educating members to avoid potential threats.”