EUROPOL published the Internet Organised Crime Threat Assessment 2019 (IOCTA) earlier this month, highlighting the key developments, threats and trends in cybercrime. The priorities it lists include cyber-dependent crime, child sexual exploitation online, payment fraud, abuse of the dark web, terrorism, and cross-cutting factors such as social engineering, money mules and cryptocurrencies. All of these are interesting in their own right, but today we are going to dive into the areas we think are most relevant to FINTRAIL clients and share some tips on how to protect against these key risks.
Supply Chain Attacks
A growing concern raised by the private sector was attacks directed at firms through the supply chain, i.e. the use of a compromised third party as a way into the target's network. As companies become more reliant on third parties, many of them cloud-based, a compromise anywhere in the chain, even several steps removed from you, can end up affecting your company. The weak link can also be an acquired business with lower cybersecurity maturity, as in the Marriott International breach: the attackers had been inside the reservation systems of a smaller company Marriott acquired (Starwood), and from there took the records of 339 million guests.
With more firms using external e-KYC platforms, screening tools and monitoring systems, customer data is increasingly shared with and stored by multiple providers, each of which is a potential route in. That is not to say that doing everything in-house removes the exposure: your own cybersecurity then has to be up to scratch to ward off the same attacks.
So what can you do?
There is unfortunately no foolproof plan that removes this risk entirely, but there are steps that help:
When choosing vendors or third parties, question and assess their cybersecurity policies and controls to satisfy yourself that they are adequately protected; you can outsource the work but not the risk
Review each vendor or third party regularly and agree an escalation process and SLA for any issues
Review the FCA's guidance on outsourcing to third-party IT providers, 'FG16/5 Guidance for firms outsourcing to the ‘cloud’ and other third party IT services'
Review your own systems to ensure they are protected against cyber attacks
Visit the National Cyber Security Centre website for guidance and advice on how to protect your business
If you acquire another company, bring its cybersecurity controls into line with your own as soon as possible so there are no weak links within the group
Business email compromise (BEC)
BEC, more commonly known as CEO fraud, is a scam in which victims, usually accounting, HR or payments staff, are tricked into authorising a payment or releasing information on what they believe is the instruction of a member of the C-suite or a senior colleague. The instruction need not purport to come from the C-suite; it could come from anywhere in the organisation, but a request apparently from senior management is more plausible and therefore more likely to succeed.
Scammers obtain the means to pose as members of staff in a number of ways, including:
Phishing emails - sent to large numbers of users in an attempt to "fish" for credentials or other sensitive information, either to take control of the victim's mailbox or to gather enough detail to impersonate the employee;
Spear phishing - more targeted phishing emails, where the cybercriminal has studied the organisation to know whom to target and what will look convincing;
Social engineering - manipulating someone into divulging confidential information or access to funds, for example via social media sites; combined with spear phishing this is far more effective;
Hacking a member of staff's email account, or registering a lookalike domain (one or two characters different from the real one) so that the email appears to be internal.
Once they have the access or information needed to impersonate a senior manager, the victim is contacted and asked to authorise a payment outside the usual process. Victims agree, as has been seen repeatedly, because of the pressure of what appears to be the CEO or their manager asking them to facilitate an "urgent" payment.
The IOCTA notes that these attacks are becoming more professional and convincing, so what can you do to protect yourselves from them?
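The lookalike-domain and display-name tricks described above can be caught mechanically at the mail gateway or in a SIEM before the "urgent" request ever reaches a payments clerk. The following is an added example, not code from the original post or from FINTRAIL: it assumes a hypothetical company domain examplebank.co.uk and hypothetical senior-staff names, and every header it checks is constructed here. It goes slightly beyond the text by also flagging a Reply-To domain that differs from the From domain, a standard BEC indicator.

```python
"""Flag inbound mail whose From/Reply-To headers show common BEC tricks.

Added example; not code from the original post or from FINTRAIL.
Assumes a hypothetical company domain and hypothetical senior-staff
names; all headers below are constructed for the demonstration.
"""
from __future__ import annotations

import re
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAIN = "examplebank.co.uk"            # hypothetical organisation
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]    # "examplebank"
PROTECTED_NAMES = {"jane smith", "raj patel"}   # hypothetical senior staff

# Look-alike substitutions fraudsters use when registering a domain.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_MULTI = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Canonical form used to compare a domain with the company's own.

    Lower-cases, strips accents and other combining marks, then maps the
    usual digit-for-letter and two-letter look-alikes back to the letters
    they imitate, so "exarnp1ebank.co.uk" becomes "examplebank.co.uk".
    """
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(_HOMOGLYPHS)
    for fake, real in _MULTI:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the BEC indicators found in a message's From and Reply-To headers."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name = " ".join(name.lower().split())
    findings = []

    # Our own domain and its subdomains are treated as internal.
    internal = domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)
    if not internal:
        if any(ord(ch) > 127 for ch in domain):
            findings.append("non-ascii characters in sender domain")
        norm = normalise(domain)
        if norm == normalise(COMPANY_DOMAIN):
            findings.append("homoglyph lookalike of company domain")
        elif levenshtein(norm, normalise(COMPANY_DOMAIN)) <= 2:
            findings.append("lookalike domain within edit distance 2")
        elif COMPANY_LABEL in re.split(r"[.-]", norm):
            findings.append("company name used as a label of an external domain")
        if name in PROTECTED_NAMES:
            findings.append("display name of senior staff on external address")

    # A Reply-To pointing elsewhere routes the victim's answer to the fraudster.
    if reply_to_header:
        reply_domain = parseaddr(reply_to_header)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            findings.append("reply-to domain differs from sender domain")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        ("Jane Smith <jane.smith@examplebank.co.uk>", ""),
        ("Jane Smith <jane.smith@examplebank.co.uk>", "Jane Smith <jane.smith.private@gmail.com>"),
        ("Jane Smith <jane.smith@exarnplebank.co.uk>", ""),
        ("Accounts <payments@exampleban.co.uk>", ""),
        ("Raj Patel <raj.patel@examplebank.co.uk.secure-mail.net>", ""),
        ("Jane Smith <ceo.janesmith@outlook.com>", ""),
        ("Jane Smith <jane.smith@ex\u0430mplebank.co.uk>", ""),   # Cyrillic "а"
    ]
    for from_hdr, reply_hdr in samples:
        print(f"{from_hdr!r}: {classify(from_hdr, reply_hdr) or 'no indicators'}")
```

In practice the protected-name list would come from the HR directory and the distance threshold would be tuned against your real mail flow, since edit distance 2 will also catch unrelated short domains; the point of the check is to route flagged mail for the out-of-band verification step described below, not to block it outright.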
Train staff to identify phishing emails and give them a procedure for reporting them; send periodic test emails to assess how effective the training is and whether more is required
Make staff aware of social engineering techniques and the need not to reveal sensitive or personal information
Ensure there is a formal policy and procedure for requesting and authorising payments, so that an employee does not bypass it when a fraudster asks them to. If an exception process is needed, it should require additional verification through a different channel from the original instruction: if the request came by email, phone the requester on a number you already hold (not one given in the email) or obtain approval from another member of senior management
Implement a strong cybersecurity programme to stop fraudsters gaining access to internal systems, with multi-factor authentication on email accounts in particular
Visit the National Cyber Security Centre website for guidance and advice.
Deepfake technology
Deepfake technology is an AI-based technique for synthesising or swapping faces, bodies or voices in images and video, so that a person appears to do or say something they never did. The IOCTA mentions deepfakes in the context of their current use to put the faces of celebrities onto existing pornographic videos. The criminal could sell these online or to tabloids as if they were real, or blackmail the celebrity into paying to keep them from being released.
FinTechs that use selfies or videos in the onboarding process need to consider, given this developing technology, whether the picture or video of the customer is actually real. Firms may have ID image validation or video liveness detection built into onboarding, but how confident can they be that this technology picks up deepfakes?
So what can you do to protect yourself from this emerging technology?
Being aware that the technology exists is a good start: an image or video passing the verification checks does not mean it is legitimate
If you use external providers for ID/video verification, ask what they are doing about this developing threat and how they see it affecting their product
If you use internal software, test your own system to see whether deepfake images pass the verification process
As technological capabilities develop and social media use rises, internet crime is likely to grow substantially, with criminals adopting new techniques to exploit individuals or target companies for financial gain. Given the ever-changing nature of how criminals exploit their victims, information sharing between organisations becomes more important, so that methods and typologies can be shared and other organisations spared the same fate.
If you would like to discuss the issues in this post, or wider anti-financial crime topics, please feel free to get in touch with one of our team or at contact@fintrail.co.uk.