The assessment of the impact of cyberfraud in the South African banking industry

Purpose – The purpose of this study is to assess the impact of cyberfraud in the South African banks with theaimto providerecommendations toeffectivelymitigateit. Design/methodology/approach – The study uses a qualitative approach involving the use of structured questionnaires. The questionnaires were made available to the staff of 17 licensed banks in South Africa who deal with management, operation, administration and banking services. Two hypotheses were formulated and non-parametric statistical analyses involving the use of Chi-square test, Fischer ’ s Exact test and Spearman ’ s correlation were carried out. The two hypotheses formulated were tested to draw a conclusion. Findings – The results obtained indicate that the impact of cyberfraud in the South African banking industry is highly signi ﬁ cant and has affected the reputation of some of the banks. This calls for the need to review the diverse ways of curbing cyberfraud to lessen their impact and that of associated fraud risks on the banking operation. Practical implications – This studyprovides an analysis on the relationship cyberfraud occurrences and the reputation of South African banks. The implementation of the recommendations may reinforce the existing securitymeasuresin the ﬁ ght against cyberfraud. Originality/value – The novelty of this study lies in the fact that the assessment of the impact of cyberfraud on the banking industry in South Africa has not been suf ﬁ ciently highlighted by the existing literature.


Introduction
Fraud is a critical problem of global concern (Gbegi and Adebisi, 2014, p. 234). It involves the use of occupation for personal benefit via a deliberate misuse or misappropriation of an organisation's resources [Association of Certified Fraud Examiners (ACFE), 2012, 2019].
The South Africa banking industry is managed and controlled by the South Africa Reserve Bank (SARB) as the regulatory authority over the banking industry and financial institutions, aiming to achieve a robust and efficient banking system in the interest of the customers and the economy in accordance with the Banks Act (No. 94 of 1990), or the Mutual Banks Act (No. 124 of 1993) (SARB, 2020). Information Technology (IT) is critical in achieving this aim and for performing the day-to-day operations for most organisations (Ali et al., 2017, p. 70). However, it can be said that IT has an adverse impact on the banking industry, too, where crimes such as phishing, hacking and forgery are committed (Ramadani et al., 2018, p. 341).
In South Africa, there are efforts carried out by the government in mitigating cybercrime such as the establishment of the South African Banking Risk Information Centre (SABRIC). The SABRIC is saddled with the responsibility of providing the banking institutions with the necessary information related to crime and risk management and to promote inter-bank synergy aimed at reducing the risk of bank and organised related crimes (Cassim, 2016, p. 131). In addition, the effort of the police is also perceived as a positive move in the quest to sustain the fight against cybercrime (Cassim, 2016, p. 131). It collaborates with the banking institution and the IT industry through the SABRIC to combat cybercrime and bring perpetrators to book (Cassim, 2016, p. 131). The Computer Security Incident Response Team (CSIRT) has also been established in South Africa to response swiftly to incidences of cybercrime.
However, despite these efforts put in place by the South African banking sector in mitigating cyberfraud, the impact of cyberfraud on the banks is still detrimental.
The report from the PwC Biennial Global Economic Crime Survey published in February 2018, revealed that South African businesses continued to recount the highest instances of economic crime in the world over the past decade (2008)(2009)(2010)(2011)(2012)(2013)(2014)(2015)(2016)(2017) (PwC, 2018, p. 6). Nevertheless, in 2020, the following report from the same source indicated that the rate of economic crime in South Africa dropped from 77% to 66% (PwC Report, 2020, p. 8). However, the percentage remains still higher than the global average rate of economic crime given as 47% in the same year (PwC Report, 2020, p. 8).
The purpose of this study is to assess the impact of cyberfraud on the South African banks with the aim to provide recommendations to effectively mitigate the impact of cyberfraud. The study objectives involve the statistical analysis of data obtained via a structured questionnaire, testing of hypotheses and drawing of conclusions from the results obtained. The motivation for this study is to expand research on the nature of cyberfraud affecting the South African banks with a view to propose sustainable approaches aimed at curbing the rising occurrence of cyberfraud in South Africa. The identified problem of an increasing cyberfraud rate in the South African banking sector has made customers lose confidence in the services provided by the sector.
To address this aim, two research questions were formulated as follows: RQ1. What is the nature of cyberfraud perpetrated in the South African banking industry?

RQ2.
What is the effect of the cyberfraud perpetration on the South African banking industry?
The novelty of this study lies in the fact that the assessment of the impact of cyberfraud on the banking industry in South Africa has not been sufficiently highlighted by the existing literature. Section 2 presents the literature review followed by the methodology used in this study in Section 3, while the succeeding sections present the results and their discussion in Section 4, JFC the conclusion drawn in Section 5 from the findings in relation to the study objectives as well as the recommendations and policy framework. Figure 1 presents the reported rate of economic crime in South Africa in comparison with the global average rate of economic crime in 2020 (PwC's Global Economic Crime Survey, 2020, p. 8). In the figure, South Africa was ranked in the third position in the ten top ranking of countries with the highest rate of reported economic crime in the world as compared to the first position in 2018 (PwC's Global Economic Crime Survey, 2020, p. 8;PwC's, 2018, p. 9). This implies a 17% decrease in the rate of economic crime between 2018 and 2020 reported globally. However, comparing these statistics with the global average rate of economic crime, it shows that the reported rate of economic crime in South Africa still exceeds the average global rate with by 13%. More worrisome is the fact that there is an increase in the rate of crime involving senior management from 20% in 2018 to 34% in 2020 as shown in Figure 2 (PwC's global Economic Crime Survey, 2020, p. 8). This implies that the percent rate of reported economic crime in South Africa decreased slightly between 2018 and 2020 when compared with other countries. The prevalent economic crime in South Africa has been identified as customer's fraud, bribery and corruption, financial statement fraud and cybercrime (PwC's Global Economic Crime Survey, 2020, p. 10). The PwC's Global Economic Crime Survey (2020, p. 12) categorised fraud perpetrators into three categories: external perpetrators, internal perpetrator as well as collusion between external and internal perpetrators. The internal perpetrators account for the highest percentage of the perpetrators accounting for (41%), followed by the external perpetrators (36%), while collusion between the internal and external perpetrators account for (21%) of the reported economic crime rate in South Africa (PwC's Global Economic Crime Survey, 2020, p. 12).

Impact of cyberfraud
The internal perpetrators were further classified into three management levels, namely, senior, middle and junior management levels, and the statistics of the economic crime attributed to these three management levels are presented in Figure 2.
In a bid to sustain this fight, the Promotion of Access to Information Act 2 of 2000 (PAIA) as well as the Electronic Communication and Transaction Act 25 of 2002 (ECT) were enacted with the aim to facilitate and regulate communications and transactions to protect the interest of financial institutions and the general public. Unfortunately, the criminal section of the ECT act has been criticised as relatively not being stringent enough (Cassim, 2016, p. 128). The non-stringent nature of the ECT act might not send enough warning signals to the perpetrators.
The South African Banking Risk Information Centre (SABRIC, 2019) reported that, in 2017, a total of 13 438 cybercrime cases involving mobile and banking apps as well as online reportedly banking costed the banking industry a gross sum of more than R250,000,000. Furthermore, the rate of cybercrime and economic crime is reportedly increasing in the South African financial institutions (Cassim, 2016, p. 130;PwC's, 2016, p. 10;Van Niekerk, 2017, p. 126).
The literature confirmed that cybercrime is still a threat to the South African banking sector, despite the efforts of the sector to mitigate its occurrences (Mbelli and Dwolatzky, 2016, p. 1;Van Niekerk, 2017, p. 126;PwC, 2020, p. 8;Akinbowale et al., 2022, p. 996). The literature also indicated that the rate of cybercrime is increasing globally with dire consequences on the customer's satisfaction, reputation and economic growth of financial institutions. Other losses include the indirect loss via loss of trust in the digital infrastructure, direct loss through fraud perpetration, as well as customer and stakeholder losses (Kraemer-Mbula et al., 2013, p. 544;Lagazio et al., 2014, p. 60).
In South Africa, information security challenges due to cyberattacks continues to pose a serious economic threat to financial institutions and the country as a whole (Mbelli and Dwolatzky, 2016, p. 1;PwC Report, 2020, p. 8). This has made many financial institutions to consider risk management as an important entity in their business model.

JFC
Van Niekerk (2017, p. 126) identified the leading perpetrators of cyberattacks as hackers and criminals in South Africa while the two major cyberattack impacts are data exposure and financial theft. The outcome of the review for this chapter indicates that the growing number of internet users coupled with the emerging technologies have increasingly exposed the information of many organisations to a variety of risks. Such attacks could be in the form of unauthorised access to the network or system with the intention to defraud or manipulate business operations (Tiwari et al., 2016, p. 46). Furthermore, it can be in the form of a data breach where sensitive data are stolen.
The increasing risk of cyberfraud and the potential impacts on the financial institutions is a major concern for the stakeholders. The studies also indicated that the increasing fraud risks have impacted negatively on the operation, reputation and economic development of financial institutions. It is based on this reviews that two alternative hypotheses are formulated as follows: H1. The impact of cyberfraud on the South African banking industry is significant.
H2. The occurrence of cyberfraud affects the South African banking industry.

Methodology
In this paper, the qualitative approach was used involving the gathering of different opinions and perspectives as well as the categorisation of the characteristics of the population about cyberfraud from the South African licensed banks. According to Mohajan (2018, p. 21), the qualitative approach boasts of the following merits: it can be used for the improvement of both the design and interpretation of traditional surveys; it can explore the research problem from the perspective of the actors involved, rather than explaining it from the outside; it can assist in the understanding of complex phenomena which are difficult to capture via quantitative research. In addition to these merits, the qualitative approach is reliable and objective, it simplifies a complex problem to a limited number of variables, investigates the relationships between variables, while establishing the cause and effect in highly controlled circumstances. It is also suitable for theories and hypothesis testing; it assumes sample which is representative of the population with reduction in the subjectivity of researcher although it is less detailed but simpler than the quantitative data (Ospina, 2004(Ospina, , p. 1279Mohajan, 2018, p. 21). Due to the sensitive nature of cyberfraud and confidentiality which characterise the process of fraud investigation and uncovering, the researchers opted for the qualitative approach in view of the merits.
However, the qualitative approach involving the use of structured questionnaire was used for this study due to the fact is suitable for data collection, hypothesis testing and provision of results that would reflect the situation under investigation with statistical precision.
This study uses a purposive sampling because it permits the selection of specific groups in the sample who possess the necessary experience to understand cyberfraud, and it makes it possible to obtain the valuable perceptions of the target group. The population of this study consists of all the 17 licensed commercial banks listed in South Africa (Bankscope, 2018). All these banks were considered in this study for an effective response rate because the response rate in any research is expected to fall between 70% and 80% which translates into an adequate representation (Fincham, 2008, p. 2).
All the 17 licensed banks were considered so that the outcome of the findings in this study can be a true representation of the prevailing situation in the South African banks.

Impact of cyberfraud
Using a structured questionnaire, a total number of 42 responses were obtained from all the 17 licensed banks in South Africa.
The research design used in this study is shown in Figure 3.
The study uses qualitative analysis with the use of structured questionnaire. The questionnaires were administered to the staff of the 17 licensed banks in South Africa who deals with management, operation, administration and banking services.
The variables used for the testing of H1 include the responses obtained for the forms of cyberfraud.
The variables used for the testing of H2 include reputation loss, revenue loss, productivity loss and shareholder's loss. This is because cyberfraud perpetration has been linked to the organisation's revenue losses, reputation, customer's loyalty and shareholder's confidence (Joyner, 2011;Dzomira, 2015, p. 13).
These hypotheses were tested in the SPSS environment (version 26) to draw a conclusion, using non-parametric statistical analyses: the Chi-square test and Fischer's Exact test for hypothesis testing; and Spearman's correlation for investigating the nature of the relationship between variables were carried out.
The rationale for using the Chi-square test lies in the fact that it is a non-parametric tool designed to analyse group differences when the variable is measured at a nominal (categorical) level (Mchugh, 2013, p. 143), and that it also allows for testing hypotheses as well as the relationship of two variables in a qualitative (categorical) data set (Abebe, 2019, p. 37;Rana and Singhal, 2015, p. 69). To determine the association between two categorical variables (whether they are independent or dependent with respect to each other), the Fisher's exact test was used. Unlike the Chi-Square test, it runs an exact analysis for a relatively small sized sample (Kim, 2017, p. 152). The Chi-square statistics were computed as well the p-values for the Chi-square and Fischer's exact tests. Where the p-value is less than 0.05, there is no enough evidence to accept the null hypothesis at 5% level of significance; hence, the alternative hypothesis is assumed to be true with the level of evidence presented in this study. Finally, Spearman's correlation analysis was chosen as a non-parametric analysis to measure the degree of association between two variables of ranked scores (Choi et al., 2010, p. 459). This is due to the fact that the effect of one variable may produce a direct or inverse effect on another variable once a common relationship exists between them. In this study, it was used for the determination of the degree of interdependence between the variables of cyberfraud and the effect of cyberfraud on organisation. According to Choi et al. (2010, p. 460), the Spearman's correlation coefficient (r) ranges from À1 to þ1 with þ1 denoting a perfect (correlation) between the variables and À1 implying a perfect negative correlation, while 0 means that there is no correlation between the variables. The choice of the non-parametric techniques (Chi-square statistical analyses, Fischer's exact test and Spearman's correlation non-parametric technique) for hypothesis testing and for establishing the association between the identified variables relating to cyberfraud stems from the fact that the data set used in this study is not normally distributed.

Results and discussions
The two formulated hypotheses underlying this study are tested as follows: H3. The impact of cyberfraud on the South African banking industry is significant.
The variables used for the testing of this hypothesis include the responses obtained for the forms of cyberfraud. The respondents to the survey questions identified eight common forms of cyberfraud that are prevalent in South Africa. These include phishing, spying, malware, data theft, spam e-mail, online theft, hacking and skimming. This findings agree substantially with some existing literature which indicated that some financial institutions still suffer cyberattack in the forms identified via the survey (Tiwari et al., 2016, pp. 47-50;Cassim, 2016, p. 131;Ali et al., 2017, pp. 72-73;Ramadani et al., 2018, p. 341). Table 1 presents the Chi-square and the Fischer's Exact tests for the forms of cyberfraud identified from the survey. In H1, the alternative hypothesis tested was therefore accepted. This is justified by the fact that the p-values of each of the variables is less than 0.05 for both the Chi-square and the Fischer's Exact tests. This implies that the impact of cyberfraud on the South African banking industry may be significant. Modugu and Anyaduba (2013, p. 282) explain that an employee of the organisation can take advantage of easy access to the banks and customer information as well as weak internal controls to commit fraud. On the other hand, people outside an organisation can also Source: Statistical analysis of the responses obtained from the field survey Impact of cyberfraud exploit the weak security and anti-fraud measures of financial institutions to commit fraud. Some take advantage of customers' ignorance to commit fraud (Modugu and Anyaduba, 2013, pp. 282-283). According to Hinde (2003, p. 664): It was estimated that 80% of the cyber security breaches result directly or indirectly (i.e. through collaboration with external bodies) by the people within the organisation. This can be traced to the fact that internal employees have direct access to information and have a better knowledge of the control architecture of the organisation. This knowledge can be leveraged to invent cover-up schemes that can promote the affinity for continuous crime perpetration.
In H1, the alternative hypothesis tested was therefore accepted. This is justified by the fact that the p-values of each of the variables is less than 0.05 for both the Chi-square and the Fischer's Exact tests. This implies that the impact of cyberfraud on the South African banking industry may be significant. These findings agree significantly with the report of the South African Banking Risk Information Centre (SABRIC, 2018) which reported that in 2017 there were 13,438 reported cases of cybercrime incidences which cost the banking industry over R250m in gross losses. SABRIC (2018) also indicated that the rate of cybercrime increased by 20% in 2018 causing an 8% increase in the gross losses. SABRIC (2019) also reported that there had been an exponential increase in cyberfraud related cases from January to August 2018, with an estimated increase by 64%. This has further resulted in a 7% increase in the gross losses when compared to the same period in 2017. Comparing the losses incurred between January to August 2017 with the same period in 2018, the losses incurred amounted to more than twice the original loss (gross losses of R39,322,237), with an increase of 44% (gross loss of R89,368,722) in online banking incidents (African Union Report on Cyber Security and Personal Data Protection, 2016). The losses were mostly attributed to the use of online and mobile banking platforms. In 2019, the number of incidences increased to 26,567 which reportedly cost the South African banking industry about R308m in gross losses while in 2020, 35,308 incidences were reported which reportedly cost the banking industry about R309m in gross losses (SABRIC, 2020).
The variables used for the testing of H2 include reputation loss, revenue loss, productivity loss and shareholder's loss.
Some of the identified indicators for measuring the impact of cybercrime on the financial institutions include customer and employee satisfaction, product innovation, organisation's growth and productivity, market share, and position in the stock market, financial losses, loss of customers and business partners or opportunities, loss of reputation and decrease in the organisation's market value (Dzomira, 2014, p. 23;Goel and Shawky, 2009, p. 404;Kraemer-Mbula et al., 2013, p. 544). Table 2 presents the Chi-square and Fischer's Exact tests for the effect of cyberfraud on the organisation. The alternative hypothesis tested was therefore accepted to be true as the  p-values (0.000) of each of the variables is less than 0.05 for both the Chi-square and the Fischer's Exact tests. This means that the occurrence of cyberfraud may affect the South African banking industry in terms of reputation loss, revenue loss, productivity loss and shareholder loss. This finding agrees significantly with the findings of Dzomira (2015, p. 13) and Joyner (2011) that cyberfraud perpetration has an adverse effect on the organisation's revenue losses, reputation, customer's loyalty, and shareholder's confidence. In South Africa, BusinessTech (2017, p. 2) reported that in 2017, "ABSA and Standard Bank clients have lost between R1 million and R 2 million to Internet banking or SIM swap fraud, hence, they want the banks to be held liable for fraudulent activity". BusinessTech (2017, p. 2) also explains that fraud can result from the loss of trust by stakeholders, thus leading to loss of credibility and a lack of confidence in the organisation amongst the public. Cyberfraud has been identified as one of the major challenges in the banking industry [PwC (2016), p. 22, South African Banking Risk Information Centre (SABRIC) (2018)]. If not effectively mitigated, it can have grave consequences on a business, trigger financial damage and destroy the reputation of the banking institution or the company's reputation. Wanemba (2010, p. 6) found that the financial institutions have consistently lost huge sums of money to cyberfraud or other forms of fraud. This has led to a negative impact on the organisation's profitability. Although the banking institutions decry that the impact is on increasing operational costs, loss of reputation and customer's dissatisfaction as well as revenue loss. Table 3 depicts the impact of cyberfraud incidents on the banking industry with respect to individual responses. The dimension of the responses gathered from the respondents indicated that the banking industry suffers different losses because of the occurrence of cyberfraud incidents as shown in Figure 4.
UK Finance (2018, p. 6) reported that, over the years, cybercriminals have deployed many means of manipulating financial institutions via phishing emails, impersonation and Source: Responses obtained from the field survey Impact of cyberfraud account hacking, thereby paving way for unauthorised access to sensitive information and the compromise of the financial institutions. Similarly, Dzomira (2014, p. 16) explained that the banking industry in Zimbabwe has also suffered cyberfraud different forms such as unauthorised intrusion into the banks' or personal information or accounts, credit/debit card fraud, money laundering, employee embezzlement, pharming, phishing, malware, hacking, virus, spam and advance fee fraud.
To mitigate cyberfraud occurrences, Akinbowale et al. (2020a, p. 945) suggested the need for the use of a real time an alert system capable of creating awareness for both the financial institutions and their customers whenever there is unauthorised access into the customers' account or the database of the financial institution. This will enhance a rapid response to block such intrusion before any unauthorised transaction takes place. Two simplified conceptual models for cyberfraud mitigation have also been reported by Akinbowale et al. (2020bAkinbowale et al. ( , p. 1253). The first model addressed the incorporation of forensic accounting into the organisation's structure while the second captured the detailed investigation and comprehensive data analysis processes of uncovering fraud. This will strengthen the organisation's control structure and aid the process of fraud investigation and mitigation. This is because the procedural steps for implementation of forensic accounting, namely, preliminary survey, detailed investigation, comprehensive data analysis, reporting and expert witness are captured in the model. Dzomira (2017, p. 143) suggested the need for the augmentation of cyberfraud alert systems and sensitisation of internet banking users about the nature of cyberfraud perpetrated by cyber attackers in South Africa. While there was access to information on fraud-related Internet banking on the websites of the South African banks, this study suggested improved sensitisation about the nature of cyberfraud perpetrated and how they were perpetrated. Dzomira (2017, p. 150) stated that the banking sector should relentlessly campaign against internet banking fraud in a manner that would benefit the clients and the diverse communities in South Africa.
Dlamini and Modise (2012, p. 1) explained that for the South African Banks to reduce cyberfraud incidences, the first line of defence was cybersecurity. In the absence of a  Using the cross tabulation function, the statistical analysis of the cross effect of pair of reputation loss and revenue loss was statistically significant at 95% confidence level, thus, indicating that a direct relationship may exist between two variables.
The magnitude of the Spearman's correlation coefficient (0.365) shows that the two variables are dependent. Fischer's Exact statistical value for the cross effect of reputation loss and revenue loss was 5.600 with a significance level (0.048 < 0.05) at one degree of freedom (Table 4). Table 4 shows the cross-tabulation for the pair of reputation loss and revenue loss, while Figure 5 indicates the number of counts for the relationship between reputation loss and revenue loss based on the outcome of survey. The variations between the number of counts and the expected number of counts in Table 5 shows that the variables are dependent. This further lends credence to the fact that a relationship may exist between two variables, namely, reputation loss and revenue loss.
These results imply that a loss of reputation due to cyberfraud occurrence can cause a decline in the revenue generated by the organisation due to a negative public image. Similarly, revenue loss due to cyberfraud occurrence could also impair the reputation of the organisation.

Conclusion and policy implications
The purpose of this study is to assess the impact of cyberfraud on the South African industry with the aim to provide recommendations to effectively mitigate the impact of cyberfraud. This was achieved using a qualitative approach involving the use of structured questionnaire. A total of 42 responses were obtained across selected participants in the 17 licensed banks in South Africa. The results obtained indicated that the impact of cyberfraud on the South African banking industry is significant and that the occurrence of cyberfraud affects the reputation of the South African banking industry in terms of reputation loss, revenue loss, productivity loss and shareholder loss. According to the results obtained, the prevalent forms of cyberfraud perpetrated in the South African banking industry include phishing, spying, malware, data theft, spam e-mail, online theft, hacking and skimming.
Hence, a holistic review of the internal control system of the banking structure is hereby recommended. Cyberfraud had been reported to have negative impact on an organisation's profitability, customers' satisfaction, public trust, organisation good will and risk management globally. This calls for the need to review the diverse ways of curbing cyberfraud to lessen its impact or associated fraud risks on the banking operation.
This study provides empirical findings that could assist the South African banking industry in the areas decision making or policy formulation geared towards of cyberfraud mitigation. This research notifies the South African banking industry about the nature of cyberfraud perpetrated. The understanding of the nature of cyberfraud perpetrated can assist the South African banking industry to formulate measures to mitigate them. The findings reported in this study is based on the views of the bank experts consulted as well as those of the organisations. Future works can consider the analysis of the level of effectiveness of the fraud control measures in the South African banking industry vis-a-vis the forms of cyberfraud identified.