ACUMINOR REPORT 2019:3
Financially motivated crimes of today almost always contain IT-related components. As society becomes more digitalized, this is a natural development. The IT component could be as simple as communication between perpetrators, or between perpetrators and victims, or it could be part of the criminal modus operandi. We see traditional criminal typologies being reinvented with the aid of new tools or methods. For example, extortion with the aid of malware, i.e. ransomware, has inflicted massive damage on individuals, companies and institutions. Illegal goods and services are being sold through online marketplaces that exist on hidden forums, apps and social media. Theft of financial information and fraud have seen explosive growth in the past years because criminals are able to reach far more victims and utilise a technological toolbox to design and get away with crime.
A top priority
Due to the rise of cyber-related threats, IT and information security have become a top priority in society, and well-established procedures are in place to deter, detect and disrupt illicit use of IT environments in order to, in the best case, prevent a crime from being committed. The cyber threat assessment is the foundation of the controls that should be in place to mitigate the relevant threats for your unique environment and business. Nowadays the cyber threat assessment is often carried out on a granular level so that controls that look at perimeter defences can be developed. Such controls include firewall rules, intrusion detection systems, data loss prevention, log routines etc.
Cyber defence can identify attempts at intrusion, an attacker’s movement within internal IT systems if a breach is successful, and potential perpetrators. However, the context can easily be lost if the overall motive is not known.
The goal of a cybercrime could be to cause disturbance with no financial motive behind it, for example a disgruntled customer who finds they can exact “revenge” for poor customer service by buying a denial of service attack for $5 to bring down, for example, a banking service or public transportation services for an hour. More often, however, cyber is used as a tool to steal, whether that be money or information.
Let’s now look at one of the more costly cybercrimes (and equally fraud):
Chief Executive Officer (CEO) fraud and Business Email Compromise (BEC) fraud are two similar modus operandi that are mainly carried out through social engineering but may also be combined with hacking or malware. Europol reported in 2017 that CEO and BEC fraud were the most reported social engineering types of fraud in the EU and that they were increasing. According to the FBI’s Internet crime report in 2018, these frauds have accumulated approximately $12 billion in losses worldwide since 2013.
At its heart, CEO fraud uses social engineering to manipulate employees into initiating fraudulent payments. Criminals target high-ranking personnel to take advantage of organisational hierarchies and often spend a lot of time researching and analysing the victim’s organisation, corporate procedures, languages and payment methods. Some attackers take advantage of publicly reported events such as mergers or acquisitions in order to identify attack vectors. All types of business are affected, in both the private and the public sector. When the right persons (victims) have been identified, those persons are then approached, most often through an email directing them to initiate a payment.
Transaction patterns related to BEC Fraud
In BEC fraud, the perpetrators spoof an email address belonging to a third-party supplier or other company that the victim regularly makes payments to. This enables the perpetrator to change the destination account to one the fraudster controls. The attacker tricks the personnel into changing payment details, since the email request originates from what looks like a legitimate source.
The criminal often imposes a sense of urgency in their correspondence with the victim. When assessing risk indicators from an anti-financial crime perspective, the following risk indicators can be highlighted:
The beneficiary’s account information is different from what has previously been used;
Sudden change in transaction behaviour, for example the transferred amount is not in line with the customer’s usual behaviour.
Identifying suspicious outgoing transactions or a change to account information normally happens after the initial attack. If risk indicators from the cyber security perspective are known, preventive measures could be taken.
But one commonly used attack vector in CEO/BEC fraud is malware. This malware usually arrives as a malicious attachment or as a link in an email to a malicious website that will download malware to your system. The malware is used to gain a foothold in a business and gather intelligence on persons, routines and customers. Customer management and accounting systems may also be accessed in order to change billing and shipping addresses. After a victim’s system has been compromised, an e-mail will arrive with instructions to initiate a transaction that will end up in an account controlled by the criminal.
Cyber security
Intrusion detection systems, SIEM systems or similar could identify changes to customer management systems, malware signatures and suspicious behaviour that should not occur within the internal environment. Cyber security equally adds to preventive controls. For example, technical BEC controls can be implemented, such as e-mail sender authentication and impersonation screening, colour coding of emails that highlights external/internal mail origin, two-factor authentication on outgoing transactions, training of internal staff and much more.
The aggregated knowledge from anti-financial crime departments and cyber security departments would greatly increase the overall understanding of what threats and risks look like and how they can be mitigated.
The methods used to assess cyber threats are almost the same as those you use when you perform a financial crime threat and risk assessment. In other words, a method to identify risk exposures, effectiveness of existing mitigating measures and the outstanding gaps. These assessments, though, are rarely used in conjunction with each other. Both anti-financial crime units and cyber security units would however greatly benefit from sharing threats and risk indicators.
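The indicator sharing argued for above, as an added example that is not part of the Acuminor report: it checks an outgoing payment against the two transaction indicators listed earlier and against one mail-gateway signal (external mail failing DMARC, sent to the person who initiated the payment). All data, field names, the 48-hour window and the 3x-median amount threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not from the report).
HISTORY = {"Nordic Parts AB": [("SE00-OLD", 10_000), ("SE00-OLD", 12_000), ("SE00-OLD", 11_000)]}
MAIL_EVENTS = [{  # mail-gateway log entry, hypothetical field names
    "to": "ap-clerk@victim.example", "received": datetime(2019, 5, 6, 9, 0), "external": True,
    "auth_results": "mx.victim.example; spf=pass smtp.mailfrom=bulk.example; "
                    "dkim=none; dmarc=fail header.from=nordicparts.example"}]
PAYMENTS = [
    {"beneficiary": "Nordic Parts AB", "account": "SE00-NEW", "amount": 48_000,
     "initiated_by": "ap-clerk@victim.example", "created": datetime(2019, 5, 6, 14, 0)},
    {"beneficiary": "Nordic Parts AB", "account": "SE00-OLD", "amount": 11_500,
     "initiated_by": "treasury@victim.example", "created": datetime(2019, 5, 7, 10, 0)},
]

def dmarc_result(auth_results):
    """Extract the DMARC verdict from an Authentication-Results header value."""
    m = re.search(r"\bdmarc=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"

def indicators(payment, history=HISTORY, mail=MAIL_EVENTS,
               window=timedelta(hours=48), amount_factor=3.0):
    """Return the financial-crime (AFC) and cyber indicators a payment triggers."""
    hits = []
    past = history.get(payment["beneficiary"], [])
    if past and payment["account"] not in {acct for acct, _ in past}:
        hits.append("AFC: beneficiary account differs from previous payments")
    if past and payment["amount"] > amount_factor * median(a for _, a in past):
        hits.append("AFC: amount not in line with usual behaviour")
    for ev in mail:
        age = payment["created"] - ev["received"]
        if (ev["to"] == payment["initiated_by"] and timedelta(0) <= age <= window
                and ev["external"] and dmarc_result(ev["auth_results"]) == "fail"):
            hits.append("CYBER: initiator received external mail failing DMARC")
            break
    return hits

def decision(payment):
    """Hold when both units' indicators fire; review on either alone."""
    hits = indicators(payment)
    sides = {h.split(":")[0] for h in hits}
    if {"AFC", "CYBER"} <= sides:
        return "hold", hits
    return ("review" if hits else "release"), hits

if __name__ == "__main__":
    for p in PAYMENTS:
        print(p["account"], *decision(p))
```

A beneficiary with no payment history triggers neither transaction indicator here, so first-time payees need a separate rule.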
Terms of use
You are free to use this report for your own personal development, in internal training or in other risk management activities. You are of course not allowed to resell this report, nor claim that you have made it yourself.
Please remember to state the source as follows:
Acuminor. (2019). Breaking the silos between financial crime and cybercrime. Report 2019:3. Stockholm: Acuminor.
© Acuminor 2019