The relentless rise of financial cybercrime
Cyber attacks on companies are soaring. Executives must upgrade their tech skills to understand the threat.
In recent years, political cybercrime has repeatedly made headlines. Yet amid a series of sensational stories stemming from alleged Russian hacking during the 2016 US presidential election, the media has largely overlooked a simultaneous surge in a potentially far more damaging global threat: financial cybercrime.
Globally, the average cost of cybercrime for financial services companies increased by more than 40 per cent between 2014 and 2017 to $18.3 million (£14.2 million) per affected firm, according to a 2018 survey by Accenture and the Ponemon Institute technology research group. In the UK, the latest annual Crime Survey for England & Wales recorded 515,000 reported cybercrimes in the year to July 2018 involving “unauthorised access to personal information”. The total number of attacks may well be substantially higher, given the under-reporting of cybercrime by victims who are often too embarrassed to go to the police.
Businesses and the wider public have not woken up to the danger posed by financial cybercrime because “we aren’t very good at understanding risks we can’t visualise”, says Joe Hancock, head of Mishcon de Reya’s cyber-security consulting team. “Unlike a disaster, people find it hard to conjure up the image of a cyber attack on their computer.” Meanwhile, financial cybercriminals benefit from two common misperceptions about them that bolster the illusion of many smaller companies and individuals believing they are not tempting targets for an attack.
Firstly, it is not true that cybercriminals primarily focus on large multinational companies. In fact, estate agents, convenience stores and a host of other high-street businesses with high transaction volumes are tempting targets for hackers, as is anyone who shops on the internet or does their banking online. “A popular example of small businesses and their customer base being targeted is the advent of credit card skimmers at places like outdoor ATMs and petrol stations,” says Jason Davison, Vice President of IT Service & Security at KLDiscovery, a data protection software and services company. “They look like a legitimate ‘portion’ of the host system but are actually smaller systems that clone copies of the customer’s data without their knowledge.”
Secondly, it is equally untrue that most cybercriminals are highly sophisticated tech wizards who know how to break down or bypass state-of-the-art corporate security software. It is easy for a crook to buy do-it-yourself cybercrime toolkits from an international underworld economy that services a booming market. “Access to software packages that allow criminals to penetrate corporate networks is readily available on the internet,” says Davison. “The emergence of “darkweb” malware market places and cybercrime-as-a-service (CaaS) offerings have greatly increased the ability of even novice hackers to gain access to cybercrime tools.”
In some cases, cybercriminals need little more than nerve and a plausible phone manner to steal confidential financial data from individuals and businesses. The case of Feezan Hameed, a Glasgow-based criminal jailed for 11 years in 2016, illustrates how a major financial cyber scam is often the sum of multiple everyday swindles. Hameed and his associates duped hundreds of businesses and individuals into revealing their bank details, simply by convincing them on the phone that they were speaking to the bank’s anti-fraud department.
Chasing the money is often an impossible task for overstretched and under-resourced national police forces because of the borderless nature of data. A cybercrime committed in the UK can involve transferring the money online to another country, where it is laundered, and then on to a bank account in another country. Within seconds, the original theft can span three national jurisdictions with different regulatory regimes.
Furthermore, rogue governments are increasingly involved in financial and commercial cybercrimes, blurring the distinction with more overtly “political” attacks. For instance, last September the US charged Park Jin Hyok, a North Korean hacker, with directing a series of cyber attacks approved by the regime. These ranged from the fraudulent transfer of $81 million (£63 million) in February 2016 from the Bangladesh Central Bank to a failed attempt to penetrate the internal systems of the US defence contractor Lockheed Martin. Responding to the charges, Pyongyang denied that Park even exists as a person.
Yet such state-sponsored attacks bear no relation to the general run of cyber frauds and thefts committed by professional criminals. For individuals, the rules of defence against cyber attacks are straightforward: devise obscure passwords, change them frequently and hang up if a caller pretends to be a bank’s anti-fraud officer. For companies, the challenge is more complicated. It is not just that routine tasks such as changing unique passwords are often not performed properly when repeated across multiple departments and databases.
“Many senior executives I meet need to upgrade their tech skills in order to understand the threat their businesses face from financial cybercrime,” says Hancock. “Companies can’t hold their tech departments to account when an attack occurs if they don’t know the right questions to ask.”
The lesson for companies is that cybercriminals exploit human weakness in the boardroom as much as in the home.