Cyber-Based Financial Fraud Impact
From the moment interconnected networks were used to facilitate financial and business operations, threat actors have been attempting to attack these networks for their own gain. Repelling these attacks has been on a continuous curve of improvement for many years, and yet businesses continue to lose significant amounts of money and intellectual property to cyber-based financial fraud even today.
Let’s review the most common forms of cyber-based financial fraud found in the online world of today:
- Email-based fraud operations
- Credential compromise for fraudulent purposes
- Employee sabotage and theft
- Identity theft for fraudulent purposes
Email-based Fraud Operations
Over the past several years, threat actors have been increasing their use of direct email attacks against organizations of all sizes and affiliations. These include attempts to socially engineer employees into providing access to accounting systems and other financial platforms; to various forms of attempts to trick employees into wiring assets into fraudulent bank accounts. With the advent of cryptocurrencies such as bitcoin, a new form of this threat has emerged in the form of emails which attempt to coerce or trick an employee into converting assets to cryptocurrency and then transferring that currency to the treat actor. Wire fraud is not a new phenomenon. The core tenants of this form of fraud began with threat actors decades ago who attempted to trick telegraph and teletype operators into entering money transfers into wire systems to illegally obtain those funds; and was codified in law with Title 18 of the United States Code [[http://uscode.house.gov/]]. While the methods have changed, the basic idea of the fraud has not changed for the most part. Now, instead of telegraph and teletype operators being tricked into creating fraudulent wire transfers; threat actors craft emails to perform the same trick. With the ability to modify headers and sender information, a threat actor can make an email appear to be from an employee with legitimate responsibility over disbursement of funds. The threat actor creates an email from such an employee to another employee who has responsibility over banking and financial transactions; directing them to create an online wire transfer of funds from corporate accounts to the threat actor account. The threat actor then receives the funds – quickly moving them to a less-traceable account or into cryptocurrency to hide their tracks – and the fraud is complete. The threat of cyber-fraud by wire transfer is growing. As of June 2018, the FBI has seen over US$12 Billion in losses from this form of cyber-based fraud and reported an increase in threat activity of 136% over the last two years. [[https://www.ic3.gov/media/2018/180712.aspx]] As this form of cyber-fraud requires little up-front work for a threat actor, we can expect that this trend will continue, with threat actors attempting this form of attack more and more over time.
Credential compromise for fraudulent purposes
Wire fraud operations require a level of social engineering finesse, as the threat actor must create a viable illusion that they are an employee with rights to demand disbursement of funds. A much easier attack method is to simply trick an employee into providing their credentials to the attacker, or the theft or illicit purchase of such credentials already exposed by another threat actor. Phishing emails which compel a user to enter their credentials into threat actor websites or obtain the credentials as a reply to such an email are on the rise. Cofense, owners of the Phishme employee testing system, estimates that phishing activity has increased over 65% in 2017 alone, with the total cost to business estimated at over US$5 Billion in theft and revenue loss [[https://cofense.com/wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017.pdf]]. Malware can also be deployed to log keystrokes and utilize other methodologies to gain credential information, allowing a threat actor to fraudulently gain credentials and other information from any device infected by the malware. A threat actor can use such stolen credentials to gain fraudulent access to corporate financial accounts, to move laterally into partner systems, or to commit identity theft (see below). Each of these methods can be used to directly remove business funds from the organization and partner organizations into the accounts of the threat actor. These methods, when successful, also erode public confidence in the brand of impacted companies, and result in lost revenue as customers move to other organizations and partners shy away from future interactions with the targeted firm.
Employee sabotage and theft
When employees become disillusioned or disgruntled, they can and do attempt to damage the company before departing in an increasing number of cases. As a current employee who has not yet announced their intention to resign still has access to all data systems assigned to them; this can lead to direct access to financial records, bank and other fiduciary accounts, customer accounts, and other forms of money-related platforms. With this access, the employee could directly remove funds from one or more accounts into their own accounts; or could perform activities that damage the company, resulting in loss of revenue. Unhappy employees are also less likely to report theft, and to commit direct acts such as tax fraud to undermine the company – causing further financial losses. [[http://losspreventionsystems.com/disgruntled-employees-may-be-stealing-and-disrupting-efforts-to-stop-shoplifting-manager-training-to-stop-employee-theft-can-help-you-prevent-both-problems/]]
Identity theft for fraudulent purposes
Identity theft itself is not a new problem – occurrences have been reported for as long as humanity has used any form of identification to gain access to goods and services. Even in early Rome there were known incidents of using fraudulent identification to receive extra bread rations [[https://books.google.com/books?id=SaTzyXVX-NgC&pg=PA116&lpg=PA116&dq=roman+bread+token&source=bl&ots=2KDEjtueE6&sig=ACfU3U2ZJbErEP_xuDP4vxctvzOEp0QQYw&hl=en&sa=X&ved=2ahUKEwjcsZGEofDgAhVBJt8KHaIHDcAQ6AEwFXoECAsQAQ#v=onepage&q=roman%20bread%20token&f=false]]. In the modern age, identity theft has become a popular method to open false bank accounts, obtain credit cards, open loans and other lines of credit, and otherwise steal from individuals and businesses alike. The threat actor obtains enough personally identifiable information to impersonate a legitimate employee (either through purchase of such information from illicit sources or by directly obtaining the information through social engineering). With this information, the threat actor represents themselves as the victim to businesses and financial institutions, illegally obtaining funds and services before disappearing under the guise of another victim to start the process over again. Lifelock estimates that over 16 million people in the United States fell victim to identity theft in 2017 alone, resulting in the theft of over US$16 billion through direct theft and loss of revenue [[https://www.lifelock.com/learn-identity-theft-resources-how-common-is-identity-theft.html]].
Defending the business against cyber-based fraud
Any of these methods of cyber-based fraud have a direct and real impact on the operations and fiscal stability of a business of any size. A successful cyber-based fraud attack will syphon funds from company accounts, compromise employees’ and executives’ identities, and erode public trust in the company brand.
Defending against these forms of threat requires a combination of tools and technologies to be applied consistently and accurately. First, businesses should invest in security awareness training so that employees know how to identify cyber-based fraud and how to respond to it when they do find it. Monitoring of systems and infrastructure to detect when fraudulent activity is happening is also vital, as no awareness training program can hope to be 100% effective as new employees are hired and existing employees may harbor ill-will toward the company and purposely defy the training. Continuous adaptive monitoring of email and messaging systems is also a key component of defense. As threat actors get better at their craft, monitoring systems must also evolve to identify these more and more well-crafted attack messages.
While the impact of cyber-based fraud is very real; costing organizations billions in lost funds and lost business, there are effective ways to minimize these risks in your organization. Train your employees, remain vigilant for employee fraud, and monitor infrastructure and systems to keep attackers from gaining a foothold. SkOUT Secure Intelligence can provide each of these components to organizations of all sizes. From security awareness training tailored to your company’s needs, to monitoring of infrastructure and messaging platforms, to assisting in creating and evaluating policies and procedures to keep your financial systems safe and secured; SkOUT helps you find trouble before trouble finds you.