Cybersecurity: A Dizzying World of Contemporary High Adventure

In this month’s Risk Management Update, we’re highlighting recent insights and observations in the world of cybercrime.  While there is nothing new about most of these activities, cybercriminals are continually adapting their methods to stay one step ahead of financial institutions, their clients, and the law.  As cybercriminals adopt new methods to thwart old countermeasures and protections, so, too, must we adapt our countermeasures and protections to keep up.  It is a dynamic environment, to be sure.

Often, it begins innocently enough: a friendly email, a click of a mouse, or some other seemingly innocuous means of attracting your attention.  Before long, you find yourself deep in the middle of the dizzying world of cyber scams and cybercrime.

One of the missions of the United States Federal Bureau of Investigation (“FBI”) is investigating cybercriminals.  Because cybercrime is a worldwide problem, the FBI has national and international reach and occasionally locates and extradites criminals from abroad so they can face criminal charges here in the United States.

What kinds of cybercrime does the FBI pursue?  You may be surprised by how routine and everyday some of them seem.  According to the FBI, much of the cybercrime it sees consists of Ransomware, Business Email Compromise, and, to a lesser extent, Denial of Service (“DoS”) attacks.

Ransomware

What it is: Malicious code that can infect a single computer or a whole network.  Ransomware locks a user out of his or her computer or network (typically by encrypting the files on it) unless a ransom is paid, often in cryptocurrency.  Increasingly, attackers also steal information from the computer or network before locking it; if no ransom is paid, that information is released onto the Dark Web.

Ransomware rings have become highly organized and sophisticated, including customer service phone agents who guide victims through the process of acquiring cryptocurrency to pay the ransom.  After the ransom is paid, Ransomware attackers will often send customer satisfaction surveys to their victims.

  • Defeating a Ransomware Attack: The old “backups are key” advice is no longer considered 100% effective.  Ransomware attackers now build delays into their code so that the ransomware is not triggered until months after the computer or network is first infected; any periodic backups created during that period will contain the infection as well.  The top countermeasure is to keep multiple backups over time, stored where an attacker on the network cannot reach or encrypt them, and to have an IT team that can identify an uninfected backup and test-restore it.  However, this still means that when no ransom is paid, any stolen information may be released to the Dark Web.  Additionally, restoring from an older backup means any changes made to the computer or the network since that backup will be lost.
  • Contact the FBI early as they have capabilities that may help with damage control in the wake of a Ransomware Attack.
  • The FBI aggressively investigates Ransomware Attacks and uses information gathered in each investigation to track down, locate, and enable prosecution of Ransomware attackers.
  • Note: Some cyber insurance carriers advise clients not to contact the FBI because the investigation may turn up something that voids the cyber insurance policy.  Thus, it will ultimately be a business decision whether to pay a ransom or to fight the attacker(s).

Business Email Compromise

What it is: An attacker breaks into an email account, creates forwarding or inbox rules that send copies of incoming emails to an attacker-controlled address and automatically delete (or hide) them in the legitimate account, and then uses the legitimate email account as if he or she were the legitimate user, for example to send fraudulent asset-transfer instructions.

  • Defeating a Business Email Compromise attack:
    • Review and update email forwarding defaults.  Microsoft 365 tenants are a frequent target of Business Email Compromise attacks, so countermeasures should be taken to disable automatic forwarding to external addresses, enable mailbox audit logging, and periodically review users’ inbox rules for forwarding or deletion rules they did not create.
    • Contact the FBI within 72 hours of an initial fraudulent asset transfer; after a week, the chances of recovering the transferred assets decrease substantially.

These main types of attacks are not the only types of cyberattacks the FBI sees in the course of their investigations.  Other types of attacks observed include:

  • Pig Butchering: Involves an attacker offering suspiciously high rates of return on cryptocurrency investments—which the attacker will indeed deliver—thereby inducing the victim to make a series of progressively larger investments until the attacker steals all of the cryptocurrency invested and stops communicating with the victim.
  • Romance Frauds: An attacker pretends to be romantically interested in the victim and uses that as a pretext for the victim to send money to the attacker. These have become very elaborate, with attackers reportedly using AI videos to create a “person” with whom the victim has live videochats.
  • Deepfakes: Speaking of AI, a new type of attack, especially pernicious because it targets the callback procedures financial firms use to verify emailed transaction instructions, involves creating an AI version of a financial firm’s client and then putting that AI version on the phone or videoconference when the firm calls to verify an emailed instruction, such as an asset transfer to a previously unknown third-party account.  These AI versions can mimic, with great accuracy, the appearance, speech style, and mannerisms of the real client.  These attacks usually occur in conjunction with an email compromise attack against the financial firm’s client.  As for defeating this type of attack, now is the time for financial firms to consider establishing a verification password with each client and using that password each time the firm speaks to the client telephonically or via videoconference.  Because these attacks ride on a compromised email account, the password should be agreed upon and stored outside of email and never confirmed through the email thread that carried the instruction.
  • Low-tech Workarounds: With financial institutions becoming increasingly wary of frauds and electronic funds transfers related to frauds, attackers have sometimes shifted tactics to get victims to send them money. Methods such as mailing large sums of cash in a shoebox, cash “dead drops”—an old-school spy craft technique where one party leaves an item in a public place for a second party to retrieve later, and even sending a person to the victim’s home to collect money have all been observed.

When navigating the world of cybercrime, it is good to know that there are resources available for you to use.  But those resources come with important caveats of which to be mindful:

  • The FBI is a federal law enforcement agency; they do not prosecute cases. At the conclusion of an investigation, the FBI refers the case to the U.S. Attorney’s Office (“USAO”) of the appropriate federal district to decide whether to prosecute. Each USAO has a dollar amount threshold below which they will decline to prosecute and this threshold varies from one district to the next.  HOWEVER, if the victim is a senior citizen and there is deemed to be sufficient evidence to secure a conviction, the USAO will prosecute regardless of the dollar amount lost in the fraud.

Another resource available is the FBI’s IC3 website[1], which may be used to report fraud in addition to filing a Suspicious Activity Report with FinCEN.  Also consider signing up on infragard.org, the website of InfraGard, an FBI cyberthreat intelligence-sharing program whose members have access to the latest cyberthreat intelligence.  To become a member of InfraGard, you must:

  • be a US citizen;
  • have no significant criminal record (no felony record); and
  • sign up for website membership.

In conclusion, though the specter of cybercrime casts a long and menacing shadow over modern life, knowing what we are dealing with and how to mitigate or even eliminate the threat are great first steps toward securing our electronic future.  Core Compliance and Legal Services can help by conducting Cybersecurity Risk Assessments and creating robust cybersecurity procedures to guide your firm through these treacherous issues.  For more information about this and other compliance-related topics, please contact us at info@corecls.com, at (619) 278-0020 or visit us at www.corecls.com.

Author: Matthew Rothchild, Sr. Compliance Consultant, Core Compliance & Legal Services; Editor: Tina Mitchell, Managing Director, Consultation Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] https://www.ic3.gov/