The relentless rise of financial cybercrime

Cyber attacks on companies are soaring. Executives must upgrade their tech skills to understand the threat.

In recent years, political cybercrime has repeatedly made headlines. Yet amid a series of sensational stories stemming from alleged Russian hacking during the 2016 US presidential election, the media has largely overlooked a simultaneous surge in a potentially far more damaging global threat: financial cybercrime.

Globally, the average cost of cybercrime for financial services companies increased by more than 40 per cent between 2014 and 2017 to $18.3 million (£14.2 million) per affected firm, according to a 2018 survey by Accenture and the Ponemon Institute technology research group. In the UK, the latest annual Crime Survey for England & Wales recorded 515,000 reported cybercrimes in the year to July 2018 involving “unauthorised access to personal information”. The total number of attacks may well be substantially higher, given the under-reporting of cybercrime by victims who are often too embarrassed to go to the police.

Businesses and the wider public have not woken up to the danger posed by financial cybercrime because “we aren’t very good at understanding risks we can’t visualise”, says Joe Hancock, head of Mishcon de Reya’s cyber-security consulting team. “Unlike a disaster, people find it hard to conjure up the image of a cyber attack on their computer.” Meanwhile, financial cybercriminals benefit from two common misperceptions that lead many smaller companies and individuals to believe they are not tempting targets for an attack.

Firstly, it is not true that cybercriminals primarily focus on large multinational companies. In fact, estate agents, convenience stores and a host of other high-street businesses with high transaction volumes are tempting targets for hackers, as is anyone who shops on the internet or does their banking online. “A popular example of small businesses and their customer base being targeted is the advent of credit card skimmers at places like outdoor ATMs and petrol stations,” says Jason Davison, Vice President of IT Service & Security at KLDiscovery, a data protection software and services company. “They look like a legitimate ‘portion’ of the host system but are actually smaller systems that clone copies of the customer’s data without their knowledge.”

Secondly, it is equally untrue that most cybercriminals are highly sophisticated tech wizards who know how to break down or bypass state-of-the-art corporate security software. It is easy for a crook to buy do-it-yourself cybercrime toolkits from an international underworld economy that services a booming market. “Access to software packages that allow criminals to penetrate corporate networks is readily available on the internet,” says Davison. “The emergence of ‘darkweb’ malware marketplaces and cybercrime-as-a-service (CaaS) offerings has greatly increased the ability of even novice hackers to gain access to cybercrime tools.”

In some cases, cybercriminals need little more than nerve and a plausible phone manner to steal confidential financial data from individuals and businesses. The case of Feezan Hameed, a Glasgow-based criminal jailed for 11 years in 2016, illustrates how a major financial cyber scam is often the sum of multiple everyday swindles. Hameed and his associates duped hundreds of businesses and individuals into revealing their bank details, simply by convincing them on the phone that they were speaking to the bank’s anti-fraud department.

Chasing the money is often an impossible task for overstretched and under-resourced national police forces because of the borderless nature of data. A cybercrime committed in the UK can involve transferring the money online to another country, where it is laundered, and then on to a bank account in another country. Within seconds, the original theft can span three national jurisdictions with different regulatory regimes.

Furthermore, rogue governments are increasingly involved in financial and commercial cybercrimes, blurring the distinction with more overtly “political” attacks. For instance, last September the US charged Park Jin Hyok, a North Korean hacker, with directing a series of cyber attacks approved by the regime. These ranged from the fraudulent transfer of $81 million (£63 million) in February 2016 from the Bangladesh Central Bank to a failed attempt to penetrate the internal systems of the US defence contractor Lockheed Martin. Responding to the charges, Pyongyang denied that Park even exists as a person.

Yet such state-sponsored attacks bear no relation to the general run of cyber frauds and thefts committed by professional criminals. For individuals, the rules of defence against cyber attacks are straightforward: devise obscure passwords, change them frequently and hang up if a caller pretends to be a bank’s anti-fraud officer. For companies, the challenge is more complicated. It is not just that routine tasks such as changing unique passwords are often not performed properly when repeated across multiple departments and databases.

“Many senior executives I meet need to upgrade their tech skills in order to understand the threat their businesses face from financial cybercrime,” says Hancock. “Companies can’t hold their tech departments to account when an attack occurs if they don’t know the right questions to ask.”

The lesson for companies is that cybercriminals exploit human weakness in the boardroom as much as in the home.

This article first appeared on FT.com.
