As cybercriminals step up their game, a growing number of companies are learning lessons the hard way, with previously robust anti-fraud and security systems falling short in the face of today’s threats. Ben Boorer, a director in the financial investigations department of Stroz Friedberg, explains how attackers are not only devising new methods, but also reviving and adaptating old frauds, and what needs to be done to minimise the risk posed by cyberfraud.
Cyberfraud is often analysed and discussed as if it were an entirely new type of crime that business and society has to find a way to counter, but that is only partly true. It has also breathed new life into long-established frauds and given them the opportunity to evolve. Those seeking to counter such risks need to be aware of these adapted traditional frauds while also being mindful of fraud strategies that they may not have previously encountered.
However, for all of the media coverage and heightening of awareness in recent years, cybercrime is not a new threat. The first high-profile arrests for the activity took place in the US in 1983 after the 414s, a group of Milwaukee teenagers and students, hacked into several well-known organisations. At the time, many saw their actions as little more than a prank and most of the gang actually avoided prosecution, but the case highlighted the issue and led to early cybersecurity initiatives.
The threat to companies evolved as increasing automation provided new opportunities for fraud. Computerised systems mean there is now often minimal human interaction from the point a customer places an order, through the process of requesting the products from a supplier and the logistics of delivery being arranged, and on to the settlement of payments. This means that the opportunities available for cybercriminals to exploit have increased exponentially, with the annual cost of cybercrime to the global economy estimated by some as more than $500 billion.
You old fraud
One example of a well-worn fraud being kick-started by technology is the redirection of supplier payments. Prior to the widespread use of technology, the raising of payments had controls in place throughout the process, such as counter-signatures, attached hard-copy invoices or purchase orders, and confirmation of recipient bank accounts. If a supplier notified the accounts payable department that their bank account needed to be changed, there would be controls in place around how this change would be verified as genuine before being enacted. Now, in most companies, a cybercriminal that gains access to the accounts payable system will often possess the ability to circumvent all of these controls and simply change the recipient bank details to one of their choosing.
Another tried-and-tested fraud is the creation of ghost employees to siphon off bogus salary payments. The level of paperwork - CVs, references, interview approval, employment contract, HR and departmental sign-off - meant that it would previously have been difficult for an individual to create these documents manually and establish a non-existent employee on the company payroll. However, a cybercriminal with access to a firm's HR system could manipulate it to add employees and bank accounts without going through any of the approval channels. An organisation may also find it difficult to identify the existence of spurious employees among a workforce numbering in the hundreds or thousands.
At the same time, entirely new threats have emerged. Modern organisations not only look to conduct their business through electronic means but also hold far greater volumes of data than ever before. That data can be just as valuable to cyberfraudsters as cash is, as it can be sold on to multiple third parties. The impact of having third-party data accessed or stolen can be catastrophic to an organisation, as has been evident in recent cases that have become public.
For criminals, the widespread use of technology has created the means of stealing data and the means of deriving value from it. For example, the volume of data that a typical company holds on its customers has vastly increased due to the greater ease with which information can be harvested, stored and then used. This customer information has become increasingly sensitive, with credit card details, addresses, dates of birth, medical records and even criminal records being handled by some organisations.
Historically, it would have been very hard to obtain all this information, which was rarely held in one central location, may have required a physical presence to handle and would have been difficult to store. Finding a buyer for the data would also have proved more difficult prior to the emergence of the dark web.
Social medium
Technology has had many obvious benefits for companies, such as improving workers' ability to communicate with colleagues almost regardless of time or distance, and advancing the capabilities of organisations to respond to matters in a flexible and timely manner. In particular, the uptake in remote access, such as home desktop computers, smartphones, personal email, and access from client sites or over public networks, means that staff can participate in tasks pretty much wherever they are. Clearly, this is a huge benefit few could now remain competitive without. On the other hand, it increases the exposure of the organisation to weak IT security systems outside of its control, and potentially a more lax approach to security by staff that need to meet deadlines or goals.
An organisation's employees are also targets for cybercriminals through platforms such as LinkedIn, Facebook or other social media platforms. Staff may inadvertently or deliberately share commercially sensitive information across these platforms, while cybercriminals also attempt to 'socially engineer' members of staff into performing tasks on their behalf. Criminals can also use information gleaned on social media to duplicate a staff member's identity and conduct cybercrimes using this identity cloak.
There are certainly cybercriminals that actively target organisations by probing the security around the electronic systems and testing staff with attempts at social engineering. They will have no ties to the organisation and will either have selected the organisation at random because they see a justification, however warped, or because there is some shared intelligence on the internet around the organisation's security set-up. Due to the anonymity and random nature of these attacks, a preventative approach by way of a solid IT security system coupled with good and repeated user education is largely the only method of counteracting this threat.
On the other hand, an employee or associate of an organisation can have a range of grievances that, in their mind, justifies fraudulent actions against it. These could include being overlooked for promotion, pressure, disgruntlement or remuneration expectations not being met. These additional factors are coupled with the individual having direct and physical access to the organisation's hardware and systems, which means that a very potent threat to an organisation exists within its own workforce.
Again, a robust IT security system is important to detect attacks but so is considering upcoming events within the organisation. If a new product launch is planned, if a job-cutting restructuring is envisaged, or the business may be moving into areas that may be considered unethical or controversial, then the organisation should raise its security considerations.
There is also a danger from the corporate insider who could be considered as acting on behalf of the organisation. These are likely to be high-ranking members of staff who are acutely aware of the impact of their action on the organisation while having the authority to override controls to ensure their plan is enacted. Typically, these rogue executives will manipulate electronic financial records to protect a share price or to downplay concerns over an organisation to ensure continued investment. These actions are all fraudulent with regard to persuading third parties to enter into transactions based on a false understanding.
Fall and response
Whatever the cause, there are considerable problems associated with recovering the position once cyberfraud has occurred. With regard to the theft of data, it is almost impossible as it can be passed on so rapidly. There are also difficulties with recovering stolen cash due to the challenge of identifying the fraudster and the relevant jurisdiction in which to take action, even if the pertinent jurisdiction is one friendly enough to assist.
Clearly, therefore, the best solution to cyberfraud is prevention. An organisation needs to thoroughly asses their IT systems in order to ensure that the technology systems are as secure as possible. The human element needs to be considered and staff must be educated in the ways of cybersecurity. An organisation can also monitor business events for anything that may spike an increase in attacks.
However, there is no such thing as a perfect system, particularly with the growing sophistication of attacks and diminishing costs of producing the necessary tools. Almost invariably, some attacks will be successful, so rapid detection is essential.
Some frauds will naturally identify themselves in due course but others, such as the ghost employees, have the ability to continue almost indefinitely. Even a material fraud is unlikely to be picked up in an audit owing to the fact that the fraud may not present itself as erroneous. Fraud-risk reviews, communications monitoring systems and big-data analytics can assist organisations in understanding where they are vulnerable to fraud and target these for detailed reviews.
Once a problem has been identified it is important to react and to react very quickly. The access gained by the fraudster must be closed to prevent further problems and, in the case of the loss of money, the route that the funds took out of the organisation must be identified, freezing orders for the recipient bank accounts obtained and efforts made to prevent any onward payment of the proceeds. All of this would need to be done as a matter of urgency in order to maximise the chances of recovering the cash.
Finally, an assessment can be made of the damage suffered by an organisation following a cyberfraud in order to support an insurance claim if a cyberpolicy is in place. With fraudsters now able to profit handsomely from stealing data as well as actual cash, executives need to ensure their IT systems are able to defend against, detect and react to attacks, or face significant reputational and financial damage, if and when fraudsters succeed.
