The relentless rise of financial cybercrime

Cyber attacks on companies are soaring. Executives must upgrade their tech skills to understand the threat.

In recent years, political cybercrime has repeatedly made headlines. Yet amid a series of sensational stories stemming from alleged Russian hacking during the 2016 US presidential election, the media has largely overlooked a simultaneous surge in a potentially far more damaging global threat: financial cybercrime.

Globally, the average cost of cybercrime for financial services companies increased by more than 40 per cent between 2014 and 2017 to $18.3 million (£14.2 million) per affected firm, according to a 2018 survey by Accenture and the Ponemon Institute technology research group. In the UK, the latest annual Crime Survey for England & Wales recorded 515,000 reported cybercrimes in the year to July 2018 involving “unauthorised access to personal information”. The total number of attacks may well be substantially higher, given the under-reporting of cybercrime by victims who are often too embarrassed to go to the police.

Businesses and the wider public have not woken up to the danger posed by financial cybercrime because “we aren’t very good at understanding risks we can’t visualise”, says Joe Hancock, head of Mishcon de Reya’s cyber-security consulting team. “Unlike a disaster, people find it hard to conjure up the image of a cyber attack on their computer.” Meanwhile, financial cybercriminals benefit from two common misperceptions about them, which bolster the illusion among many smaller companies and individuals that they are not tempting targets for an attack.

Firstly, it is not true that cybercriminals primarily focus on large multinational companies. In fact, estate agents, convenience stores and a host of other high-street businesses with high transaction volumes are tempting targets for hackers, as is anyone who shops on the internet or does their banking online. “A popular example of small businesses and their customer base being targeted is the advent of credit card skimmers at places like outdoor ATMs and petrol stations,” says Jason Davison, Vice President of IT Service & Security at KLDiscovery, a data protection software and services company. “They look like a legitimate ‘portion’ of the host system but are actually smaller systems that clone copies of the customer’s data without their knowledge.”

Secondly, it is equally untrue that most cybercriminals are highly sophisticated tech wizards who know how to break down or bypass state-of-the-art corporate security software. It is easy for a crook to buy do-it-yourself cybercrime toolkits from an international underworld economy that services a booming market. “Access to software packages that allow criminals to penetrate corporate networks is readily available on the internet,” says Davison. “The emergence of ‘darkweb’ malware marketplaces and cybercrime-as-a-service (CaaS) offerings has greatly increased the ability of even novice hackers to gain access to cybercrime tools.”

In some cases, cybercriminals need little more than nerve and a plausible phone manner to steal confidential financial data from individuals and businesses. The case of Feezan Hameed, a Glasgow-based criminal jailed for 11 years in 2016, illustrates how a major financial cyber scam is often the sum of multiple everyday swindles. Hameed and his associates duped hundreds of businesses and individuals into revealing their bank details, simply by convincing them on the phone that they were speaking to the bank’s anti-fraud department.

Chasing the money is often an impossible task for overstretched and under-resourced national police forces because of the borderless nature of data. A cybercrime committed in the UK can involve transferring the money online to another country, where it is laundered, and then on to a bank account in another country. Within seconds, the original theft can span three national jurisdictions with different regulatory regimes.

Furthermore, rogue governments are increasingly involved in financial and commercial cybercrimes, blurring the distinction with more overtly “political” attacks. For instance, last September the US charged Park Jin Hyok, a North Korean hacker, with directing a series of cyber attacks approved by the regime. These ranged from the fraudulent transfer of $81 million (£63 million) in February 2016 from the Bangladesh Central Bank to a failed attempt to penetrate the internal systems of the US defence contractor Lockheed Martin. Responding to the charges, Pyongyang denied that Park even exists as a person.

Yet such state-sponsored attacks bear no relation to the general run of cyber frauds and thefts committed by professional criminals. For individuals, the rules of defence against cyber attacks are straightforward: devise obscure passwords, change them frequently and hang up if a caller pretends to be a bank’s anti-fraud officer. For companies, the challenge is more complicated. It is not just that routine tasks such as changing unique passwords are often not performed properly when repeated across multiple departments and databases.

“Many senior executives I meet need to upgrade their tech skills in order to understand the threat their businesses face from financial cybercrime,” says Hancock. “Companies can’t hold their tech departments to account when an attack occurs if they don’t know the right questions to ask.”

The lesson for companies is that cybercriminals exploit human weakness in the boardroom as much as in the home.

This article first appeared on FT.com.
