Cybercriminals exploit identities across APAC finance

Deepfakes, phishing and stolen credentials are driving banks to overhaul authentication.

Identity security has emerged as the top cybersecurity priority for Asia-Pacific’s financial sector, as organisations face increasingly sophisticated threats targeting the weakest link in digital systems: the user.

Dominic Forrest, Chief Technology Officer at iProov, said the rapid digitisation of daily life has made identity verification central to trust, adding that companies and governments now operate in remote environments where “you very much need to know who it is you're dealing with.”

For criminals, online identity has become the easiest gateway to financial gain. Forrest warned that “the ability to create an account or take over an account, enables them to take over somebody's life, to steal and make a lot of money.” He described identity fraud as the most effective tactic, noting that “an identity theft, or the creation of fake identities is the most effective way to do this.”

Geoff Schomburgk, Regional Vice President for APJ at Yubico, said attackers no longer need to break into systems. “They simply log in by using our credentials, our identity,” he said. Schomburgk highlighted that “eight in 10 data breaches… [are] a result of those credentials, our login, username and password being compromised.”

Phishing remains the dominant identity-based attack, accelerated by artificial intelligence. Schomburgk added that AI-driven deepfakes are making scams more convincing, with “nine in 10 Singaporeans… concerned about the impact that AI will have on protecting their digital identity.”

Forrest said generative AI has transformed impersonation risks. “It’s enabled criminals to create deep fakes of humans… and actually appear as anyone they want to,” he said. He cited cases in Hong Kong and Singapore where criminals used deepfake video calls to trick CFOs into transferring large sums of money.

Schomburgk argued that legacy authentication is no longer sufficient. “Username and password… they're very easily compromised,” he said, pointing to passkeys as critical: “moving to these phishing resistant passkey methods is the best way to protect yourself from these cyber attacks.”