Have you heard the one about the chief financial officer who transferred £250,000 to fraudsters in Hong Kong? Or the imposter “chief executive” who convinced a major media company to send £2 million to his Chinese bank account? Unfortunately, these are not jokes, but actual frauds against real companies. Don’t let cyber criminals have the last laugh.
In an age where businesses and individuals exist in an increasingly digital milieu, virtually all fraud is cyber fraud. Even more concerning is that sophisticated, big-ticket cyber fraud is on the rise, backed by an emergent criminal ecosystem capable of coming together rapidly for anonymous collaboration on a single co-ordinated cyber attack – and then disbanding, leaving few clues for organisations and authorities to track.
“Today’s cyber fraud is a professional criminal enterprise that rewards innovation, intelligence and aggression. It outsources avidly and assembles the best talent it can find on a project-by-project basis to achieve very clearly defined goals,” explains Phil Huggins, security expert and vice president of Stroz Friedberg, a cyber crime investigations, intelligence and risk management company.
Firms such as Stroz Friedberg are among the most potent weapons businesses can wield against the rising tide of cyber fraud. They help organisations become more resilient by improving their ability to recognise and respond to cyber fraud incidents rapidly enough to mitigate serious damage, and by training employees to spot the often subtle signs of an attack.
How it’s done: ‘Social Engineering’ Fraud
Professional cyber criminals exploit gaps in digital security to perpetrate frauds that are ensnaring a growing number of businesses worldwide. Frequently called social engineering or business e-mail fraud, these attacks usually start with the collection of publicly available information about the target.
Information gleaned from Facebook or LinkedIn profiles offers cyber criminals the insight they need to compose fraudulent e-mails, which sound familiar and authentic, to company employees. Sometimes, they even target a single individual. Triangulated with information from other sources – articles profiling executives, a company’s website, public filings, online requests for proposals or RFPs and job postings, for example – information is synthesised and used to craft convincing e-mails designed to trick someone into clicking a link or opening an attachment.
That one click installs malware that can capture the person’s username and password, or otherwise gives the attackers a foothold on the organisation’s systems and network from which the fraud itself is carried out.
As they’ve honed their skills, cyber fraudsters have begun hunting bigger game. “In the last few years, cyber criminals have moved up to targeting payroll systems and treasury functions at large corporates. We’ve seen social engineering attacks on chief financial officers and senior accountants, people who can move £1 million or £100 million at a time,” reports Stroz Friedberg’s Mr Huggins.
Stroz Friedberg provides a range of services to battle such fraud, from hack prevention to cyber incident preparedness and response services, including digital forensics, tracing money movement and background checks. Because its professional staff comprises technical experts, former prosecutors and other litigators, and law enforcement agents, Stroz Friedberg works effectively with outside counsel, the C-suite and board members, as well as IT personnel.
Digital transformation enables cyber fraud
As digital transformation sweeps through virtually every industry in the global economy, businesses are digitising all aspects of their operations, from customer interaction to partner relationships in their supply chains. This provides transparency and enormous efficiencies, but also exposes the corporation, making it more vulnerable to cyber fraud.
This trend is partly to blame for the recent spike in cyber fraud, according to Spencer Lynch, a director of digital forensics at Stroz Friedberg. “We’re no longer talking about businesses that physically hold money, like a bank, but departments that control money-flow at any business. So payroll systems are a huge target right now; criminals are particularly aiming at individuals with access to payroll via their home computers,” says Mr Lynch.
In fact, in one case that recently landed on Mr Lynch’s desk, criminals discovered someone’s corporate login credentials via his home computer. “They used those credentials to access the payroll system, where they created fake employee records. By manipulating that system they were able to receive payment through the company’s normal business processes,” he says.
For a large organisation with hundreds or thousands of employees, it’s hard to spot a small number of new payroll records, let alone identify them as fraudulent, especially if the organisation is not expecting to be targeted.
Cyber criminals are getting smarter
In recent years, criminals’ understanding of the financial system has become more sophisticated.
Mr Huggins cites many examples of recent creative fraud activity, including an instance in which cyber criminals breached a company’s accounts payable system and changed the bank details held for one of the company’s suppliers. Instead of money heading to the supplier, large monthly payments went straight to the fraudsters’ accounts.
Another example unfolded while two family businesses negotiated an acquisition. Having agreed terms, the seller e-mailed its account details to the buyer. But criminals intercepted the message, and the bank details that reached the buyer were not those the seller had sent. The buyer paid the money into the fraudsters’ account, from which it promptly disappeared.
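The payroll case above (fake employee records created with stolen credentials) and the two payment-diversion cases (a supplier’s bank details changed in accounts payable, and bank details swapped in an e-mail before a one-off payment) share a useful property: each leaves a small, checkable trace in the organisation’s own records before the money leaves. The script below is an added illustration, not code from the article or from Stroz Friedberg. It runs two checks over constructed sample data: payroll records that have no matching HR record or that share a bank account with another employee, and payments to bank details that changed within a recent window without out-of-band confirmation. The field names, the 30-day window and the “verified by callback” flag are assumptions about what an HR or ERP export might contain.

```python
"""Detection checks for the payroll and payment-diversion frauds described above.
All records here are constructed for illustration; field names are assumptions,
not those of any real HR or ERP system."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR master data: the employee IDs that HR actually onboarded.
HR_MASTER = {"E1001", "E1002", "E1003"}

# Constructed payroll records, including two the HR system never created.
PAYROLL = [
    {"id": "E1001", "name": "A. Ahmed", "account": "GB11AAAA00000000000001", "created_on": date(2015, 1, 5)},
    {"id": "E1002", "name": "B. Brown", "account": "GB11AAAA00000000000002", "created_on": date(2015, 2, 9)},
    {"id": "E1003", "name": "C. Chen",  "account": "GB11AAAA00000000000003", "created_on": date(2015, 3, 2)},
    # Fake records: absent from HR, and both paid into the same mule account.
    {"id": "E1904", "name": "D. Doe",   "account": "GB11MULE00000000000099", "created_on": date(2015, 6, 28)},
    {"id": "E1905", "name": "E. Evans", "account": "GB11MULE00000000000099", "created_on": date(2015, 6, 28)},
]


def find_suspicious_payroll(payroll, hr_master):
    """Return {employee_id: [reasons]} for payroll records a human should review.

    Two cheap checks catch the pattern in the text: a payroll record that HR
    never onboarded, and several employee IDs paying into one bank account.
    """
    reasons = defaultdict(list)
    by_account = defaultdict(list)
    for rec in payroll:
        by_account[rec["account"]].append(rec["id"])
        if rec["id"] not in hr_master:
            reasons[rec["id"]].append("no matching HR record")
    for ids in by_account.values():
        if len(ids) > 1:
            for emp in ids:
                reasons[emp].append(f"bank account shared with {len(ids) - 1} other employee(s)")
    return dict(reasons)


# Constructed payee bank-detail changes and the subsequent payment run.
# "verified_by_callback" is an assumed flag recording an out-of-band check
# (a phone call to a known number) before the new details were accepted.
SUPPLIER_CHANGES = [
    {"supplier": "S-ACME", "changed_on": date(2015, 5, 20), "new_account": "GB22ACME00000000000010", "verified_by_callback": True},
    {"supplier": "S-BOLT", "changed_on": date(2015, 6, 25), "new_account": "GB22FRAUD0000000000042", "verified_by_callback": False},
]
PAYMENTS = [
    {"ref": "P-1", "supplier": "S-ACME", "paid_on": date(2015, 6, 30), "account": "GB22ACME00000000000010", "amount": 48000},
    {"ref": "P-2", "supplier": "S-BOLT", "paid_on": date(2015, 6, 30), "account": "GB22FRAUD0000000000042", "amount": 125000},
    {"ref": "P-3", "supplier": "S-CORE", "paid_on": date(2015, 6, 30), "account": "GB22CORE00000000000007", "amount": 9000},
]


def find_suspicious_payments(payments, changes, window_days=30):
    """Return {payment_ref: reason} for payments going to bank details that were
    changed within `window_days` beforehand and never confirmed out of band.

    The same rule covers a one-off payee (such as the seller in an acquisition)
    if its freshly e-mailed details are recorded as a change with no callback.
    """
    window = timedelta(days=window_days)
    flagged = {}
    for pay in payments:
        for chg in changes:
            if chg["supplier"] != pay["supplier"] or chg["new_account"] != pay["account"]:
                continue
            age = pay["paid_on"] - chg["changed_on"]
            if timedelta(0) <= age <= window and not chg["verified_by_callback"]:
                flagged[pay["ref"]] = (f"bank details changed {age.days} days before payment "
                                       f"and not verified by callback")
    return flagged


if __name__ == "__main__":
    for emp, why in find_suspicious_payroll(PAYROLL, HR_MASTER).items():
        print(emp, "->", "; ".join(why))
    for ref, why in find_suspicious_payments(PAYMENTS, SUPPLIER_CHANGES).items():
        print(ref, "->", why)
```

Run against the constructed data, the payroll check flags only E1904 and E1905 (both absent from HR and sharing one account), and the payment check flags only P-2, whose bank details changed five days before the run without a callback. The point is not the rules themselves but where they sit: both run on the organisation’s own records before the payment file is released, which is the only moment at which the frauds described above are still cheap to stop.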
“Cyber criminals’ growing sophistication and perseverance means that areas historically protected by the complexity of transactions are no longer safe. Complexity, in and of itself, is no longer an effective defence,” explains Mr Huggins.
“Criminal groups are incredibly well structured with outsourced networks; they collaborate on a single criminal activity and then may not work together again. It sounds odd, but it’s true. Cyber fraud has evolved into a trust-based business where nobody knows anyone else’s real identity.
“In this ‘dark market’ there are middlemen who essentially work as brokers and project managers, and even offer warranties. If a criminal buys an outsourced service and it doesn’t work, he can get his money back. It’s a very efficient set-up. These are professionals and there is a lot of money at stake.”
Having conducted their own risk assessments, fraudsters set themselves up to be near-untouchable. They base themselves where policing is patchy, where legal recourse is limited and where there are no extradition treaties with the countries whose businesses they target.
To meet this growing cyber fraud challenge, organisations are increasingly turning to specialists such as Stroz Friedberg: experts who can detect fraudulent activity and help companies act decisively. Its broad range of cyber capabilities helps organisations build enterprise-wide resilience to cyber fraud and helps executives make quick decisions across the many fronts on which criminals must be countered.
And the faster companies act when the inevitable occurs, the better they can mitigate risks, limit reputational damage, interact with regulators and reduce direct costs.