The relentless rise of financial cybercrime

Cyber attacks on companies are soaring. Executives must upgrade their tech skills to understand the threat.

In recent years, political cybercrime has repeatedly made headlines. Yet amid a series of sensational stories stemming from alleged Russian hacking during the 2016 US presidential election, the media has largely overlooked a simultaneous surge in a potentially far more damaging global threat: financial cybercrime.

Globally, the average cost of cybercrime for financial services companies increased by more than 40 per cent between 2014 and 2017 to $18.3 million (£14.2 million) per affected firm, according to a 2018 survey by Accenture and the Ponemon Institute technology research group. In the UK, the latest annual Crime Survey for England & Wales recorded 515,000 reported cybercrimes in the year to July 2018 involving “unauthorised access to personal information”. The total number of attacks may well be substantially higher, given the under-reporting of cybercrime by victims who are often too embarrassed to go to the police.

Businesses and the wider public have not woken up to the danger posed by financial cybercrime because “we aren’t very good at understanding risks we can’t visualise”, says Joe Hancock, head of Mishcon de Reya’s cyber-security consulting team. “Unlike a disaster, people find it hard to conjure up the image of a cyber attack on their computer.” Meanwhile, financial cybercriminals benefit from two common misperceptions about them that bolster the illusion of many smaller companies and individuals believing they are not tempting targets for an attack.

Firstly, it is not true that cybercriminals primarily focus on large multinational companies. In fact, estate agents, convenience stores and a host of other high-street businesses with high transaction volumes are tempting targets for hackers, as is anyone who shops on the internet or does their banking online. “A popular example of small businesses and their customer base being targeted is the advent of credit card skimmers at places like outdoor ATMs and petrol stations,” says Jason Davison, Vice President of IT Service & Security at KLDiscovery, a data protection software and services company. “They look like a legitimate ‘portion’ of the host system but are actually smaller systems that clone copies of the customer’s data without their knowledge.”

Secondly, it is equally untrue that most cybercriminals are highly sophisticated tech wizards who know how to break down or bypass state-of-the-art corporate security software. It is easy for a crook to buy do-it-yourself cybercrime toolkits from an international underworld economy that services a booming market. “Access to software packages that allow criminals to penetrate corporate networks is readily available on the internet,” says Davison. “The emergence of “darkweb” malware market places and cybercrime-as-a-service (CaaS) offerings have greatly increased the ability of even novice hackers to gain access to cybercrime tools.”

In some cases, cybercriminals need little more than nerve and a plausible phone manner to steal confidential financial data from individuals and businesses. The case of Feezan Hameed, a Glasgow-based criminal jailed for 11 years in 2016, illustrates how a major financial cyber scam is often the sum of multiple everyday swindles. Hameed and his associates duped hundreds of businesses and individuals into revealing their bank details, simply by convincing them on the phone that they were speaking to the bank’s anti-fraud department.

Chasing the money is often an impossible task for overstretched and under-resourced national police forces because of the borderless nature of data. A cybercrime committed in the UK can involve transferring the money online to another country, where it is laundered, and then on to a bank account in another country. Within seconds, the original theft can span three national jurisdictions with different regulatory regimes.

Furthermore, rogue governments are increasingly involved in financial and commercial cybercrimes, blurring the distinction with more overtly “political” attacks. For instance, last September the US charged Park Jin Hyok, a North Korean hacker, with directing a series of cyber attacks approved by the regime. These ranged from the fraudulent transfer of $81 million (£63 million) in February 2016 from the Bangladesh Central Bank to a failed attempt to penetrate the internal systems of the US defence contractor Lockheed Martin. Responding to the charges, Pyongyang denied that Park even exists as a person.

Yet such state-sponsored attacks bear no relation to the general run of cyber frauds and thefts committed by professional criminals. For individuals, the rules of defence against cyber attacks are straightforward: devise obscure passwords, change them frequently and hang up if a caller pretends to be a bank’s anti-fraud officer. For companies, the challenge is more complicated. It is not just that routine tasks such as changing unique passwords are often not performed properly when repeated across multiple departments and databases.

“Many senior executives I meet need to upgrade their tech skills in order to understand the threat their businesses face from financial cybercrime,” says Hancock. “Companies can’t hold their tech departments to account when an attack occurs if they don’t know the right questions to ask.”

The lesson for companies is that cybercriminals exploit human weakness in the boardroom as much as in the home.

This article first appeared on

Keep reading

C5 – 18th Edition Fraud, Asset Tracing & Recovery – Geneva – March 14-15, 2024
We are excited to announce that we are a media partner for American Conference Institute’s Fraud, Asset Tracing & Recovery Geneva conference that is taking place on March 14-15, 2024, in Geneva! Deemed as the foremost, can’t-miss event each year, the 2023 agenda will be fully revamped, and you don’t want to miss out on
IFG Conference in Hong Kong on 25th April 2024!
We are very excited to announce that we shall be hosting the International Fraud Group’s bi-annual conference in Hong Kong this spring, organised by Karas So LLP in association with Mishcon de Reya on Thursday 25th April 2024. This is a great opportunity for you to engage with international lawyers, forensic accountants, restructuring and insolvency experts,
OffshoreAlert is going to Bangkok!
We are delighted to be supporting event partner for Offshore’s first Asia-Pacific Conference. OffshoreAlert Bangkok! February 28 – 29, 2024 at the Siam Kempinski Hotel Bangkok 991/9 Rama I Rd, Pathum Wan, Bangkok, Thailand OffshoreAlert Bangkok is our first conference in the Asia-Pacific region and is designed to be a destination event to which attendees
Stop the Traffik “Big Give”
The IFG recently match funded our sponsor STOP THE TRAFFIK Group Big Give Christmas Challenge assisting Stop the Traffik in raising critical funds which will bolster their fight to create a world where no person is bought or sold. This would not have been possible without our incredible support. Watch this space for further updates