Ashley Singh, Chief Information Officer at Sanlam Health and Employee Benefits
FraudGPT, a sophisticated AI-powered tool, allows cybercriminals to create convincing phishing emails, clone voices, and impersonate individuals to exploit online vulnerabilities. The two-pot retirement system and group medical schemes are prime targets for these criminals.
Ashley Singh, Chief Information Officer at Sanlam Health and Employee Benefits, warns that millions of people accessing their retirement funds or sensitive health information creates new vulnerabilities for many companies.
Singh says, “Cybercriminals are aware of the high value of this data, from retirement savings to sensitive medical information, and are constantly evolving their tactics to exploit any vulnerabilities they can find. Therefore, companies must take a holistic approach combining advanced technology, rigorous employee education, and industry collaboration to ensure their defences are robust, proactive, and always a step ahead of potential threats.”
Understanding cybercriminals and emerging threats
Singh explains that FraudGPT, sold on the dark web and Telegram, functions similarly to legitimate AI tools but without the built-in controls that prevent misuse. “This tool allows criminals to easily execute cyberattacks, including crafting convincing phishing emails and developing malicious code.”
He adds that the two-pot system and employee medical records are appealing targets because they allow quick and easy online access to retirement savings and sensitive health information without the usual bureaucratic hurdles. “Hackers can leverage hacking tools to exploit details like identity numbers, medical history, voice data, or even cell phone numbers.”
Singh offers this advice to help companies protect themselves and their employees.
Educate employees on social engineering and phishing
One of the key strategies to bolster cybersecurity is employee education. Singh points out that the most significant vulnerability is often the individual, not the technology. “Hackers exploit the weakest link – the human – to access systems. Companies must, therefore, educate employees on recognising phishing emails, the risks of sharing personal information, and how social engineering can target their data.”
Singh advises running phishing simulations to highlight vulnerabilities and train staff. “This approach creates awareness and conditions employees to think twice before clicking suspicious links or sharing information.”
Companies should also provide frequent updates on emerging hacker tactics. A culture of vigilance against unsolicited communications is crucial to counter social engineering.
Strengthen authentication measures beyond OTPs
Traditional methods like One-Time Passwords (OTPs) are becoming easier for criminals to bypass, particularly with advances in voice cloning technologies. Singh stresses the importance of multi-layered authentication systems.
“Cybercriminals use voice cloning to bypass OTP verification, often impersonating users to change registered phone numbers and later commit fraud.”
To counter these threats, he recommends using biometric authentication and adaptive authentication systems to assess behaviour, location, and device characteristics.
Prioritise data privacy through tighter security controls
Strong data privacy isn’t just about encryption but also about controlling who can access certain sensitive information. Singh explains that businesses should restrict access and operate in a “zero trust” environment where users are verified at every stage.
“Implementing strong access controls and periodically reviewing who has access to financial and medical data can limit exposure and, as a result, minimise potential vulnerabilities.”
Build resilience against insider threats
Not all threats come from outside; internal threats also pose a significant risk. Singh emphasises that insider threats – accidental or malicious – can be just as damaging as any external attack.
That’s why it’s crucial that organisations monitor ‘insider threats’ from employees who may unintentionally compromise security by clicking on malicious links, sharing sensitive financial or medical information, or plugging unauthorised devices into company networks.
“Employee monitoring tools, periodic checks, and educational programmes are instrumental in reducing these risks. Those frequently falling for phishing simulations may need additional training to ensure they do not pose ongoing risks. Building this internal resilience is critical for reducing overall exposure to cyber threats and minimising the damage an insider mistake might cause.”
Leverage AI and advanced technology for defence
While AI like FraudGPT might be a tool for criminals, companies can harness the same AI capabilities that make these tools so dangerous to bolster their defences. These tools can provide 24/7 monitoring capabilities, unlike human teams that may be prone to fatigue or oversight. By analysing user behaviour and understanding what constitutes ‘normal’ activity, AI can help detect deviations that may indicate a threat. For example, AI can identify unusual login locations, rapid data downloads, or attempts to access restricted areas of the network—all potential red flags of malicious activity.
“Companies that invest in AI-powered monitoring tools can analyse patterns, detect anomalies, and flag unusual activities in real-time. This analytical capability can help companies spot and close vulnerabilities before cybercriminals can exploit them – essentially staying one step ahead of potential threats.”
The human factor in cyber risk
At the core of many security risks is the personal information that employees share online; as Singh highlights, most vulnerabilities stem from it. He urges companies to educate employees on minimising their digital footprint, adding that a company culture that promotes shared cybersecurity awareness reduces risks.
“This can include employees setting social media profiles to private and avoiding sharing details like phone numbers or upcoming personal activities.”
He says companies should encourage employees to treat their digital identity like physical property. “You wouldn’t leave your car unlocked on a public street. Similarly, you shouldn’t leave your digital life open to attack.”
A multifaceted defence
The emergence of tools like FraudGPT highlights the importance of staying proactive. Businesses must recognise that threats are also internal, not just external, targeting the human vulnerabilities within the organisation. By investing in employee education, advanced authentication measures, robust access controls, and leveraging AI technologies, companies can build resilient defences against current and future threats.
“Companies should invest in people, technology, and processes to guard against threats effectively. By focusing on education, advanced monitoring, proactive measures, and industry collaboration, businesses can strengthen their defences and protect themselves and their employees’ financial and medical data from emerging threats,” Singh concludes.