Barclays discusses the fast-evolving cyber crime landscape and how professional services firms can protect themselves from attack.
The changing cyber threat landscape
Senan Moloney, Head of Cyber Crime for Barclays Chief Security Office, and Alex Maclean, Barclays Head of Corporate Cyber & Information Security, discuss the fast-evolving cyber crime landscape and how professional services firms can protect themselves from attack.
Professional Services firms operate in an increasingly data-driven, online world. Data has become critical to the way firms operate and more and more of it is being stored digitally.
As firms continue to operate online and store information in the cloud, the threat of cyber crime continues to grow.
Cyber attacks against organisations have reached an unprecedented scale and frequency. For example, new variants of global ransomware and wiper attacks have toppled international companies.
Data breaches are also growing exponentially: 10 billion records were reportedly stolen in 2018 and that figure increased to 12 billion for the first half of 2019 alone.
With 72% of large businesses suffering a cyber-breach or attack during 2018, it’s clear that all firms are at risk.
As the technology firms use evolves, cyber attacks become more sophisticated. The integration of 5G and the move to cloud infrastructure open different avenues for cyber criminals to steal data, while recent advances in quantum fusion may render existing encryption methods obsolete within a matter of years.
The impact of cyber crime can be enormous: firms that fall victim to attacks not only face substantial financial losses and regulatory fines, but client confidence is undermined.
Firms therefore need to understand the scale of the cyber economy, how they could potentially be exposed to an attack, and what they should do to protect themselves.
The term ‘digital underground’ might bring to mind an image of criminals sitting at computers in dark rooms, using complicated code to hack into systems, but that’s no longer the reality. These days, the digital underground – or dark web as it’s sometimes called – isn’t that far underground.
Crime as a service
A surprising amount of information on cyber criminal activity is readily accessible on the internet. For example, without any special tools or internet browser, anyone can google ‘CVV’ in order to buy credit card CVV codes to use in online fraud.
The barriers to entry to cyber criminality are therefore lower than ever before. Cyber criminals don’t need to be coders or technical experts because they can simply buy or rent the services they need online. From credit cards to malware, it’s all available to those who know where to look. Some suppliers even offer contracts, money-back guarantees and product support.
It’s also possible to learn about hacking and cyber crime simply by watching YouTube videos. While a lot of the material available is there to educate those trying to fight cyber crime, it can also help educate criminals.
This ‘crime as a service’ model has opened up cyber crime to organised criminal groups and the wider population, whereas in the past it was limited to the more technically minded.
The new global cyber criminal
Meanwhile, the ‘traditional’ cyber underground has developed considerably over the past few years.
For example, online criminal forums have existed for a long time, but are now evolving to meet the needs of the global cyber criminals, allowing them to share information on what activities are legal and illegal in which countries, and where it’s best to attack based on the various countries’ regulations.
Cyber criminals are collaborating in new ways, sharing toolsets, knowledge, services and infrastructure. They also help each other carry out cyber crimes to stay beyond the grasp of law enforcement. And, typically, they’re no longer purely cyber criminals, but often organised crime groups working across many types of criminal activity.
Global legal frameworks have not yet caught up with the pace at which cyber crime is evolving. And, while the highly regulated environment in which professional services firms operate offers support and protects business activities, it also hinders organisations’ ability to work collaboratively and share information as easily as the criminals do.
There are a number of different types of cyber-enabled fraud. The most common are social engineering scams, malware attacks, supply chain attacks and direct payment channel attacks.
Cyber criminals use social engineering to manipulate individuals into breaking normal security procedures in order to divulge confidential information or allow malicious software to be installed onto their devices. They may even trick their target into carrying out a fraudulent payment.
The most common forms of social engineering methods are phishing, vishing, smishing, CEO fraud and invoice fraud.
The easiest way to infiltrate an organisation is via email – 90% of all attacks start with someone clicking on a fake email. With email-based fraud – phishing – a cyber criminal poses as a legitimate source and sends emails to people within an organisation, attempting to trick them into divulging information or transferring funds. The email might contain a link to a fake website that will request confidential details, or a link or an attachment that delivers malware to your system.
Smishing and vishing scams are similar to phishing, except that the fraudsters attempt to trick individuals via SMS messages and voice calls respectively.
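The phishing pattern described above (a sender posing as a legitimate source, and a link whose visible text names one site while the link itself points somewhere else) can be screened for mechanically before a message reaches an inbox. The Go program below is an added example written for this page, not Barclays code or a Barclays product; the sample message, the firm's trusted sending domain and the indicator heuristics are all constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample message for this example; it is not a real email.
const sampleEmail = "From: \"Finance Team\" <finance@examp1e-corp.com>\r\n" +
	"Reply-To: payments@mail-relay.example.net\r\n" +
	"Subject: Urgent: confirm payment details\r\n" +
	"Content-Type: text/html\r\n\r\n" +
	"<p>Please confirm your account details within 24 hours at\n" +
	"<a href=\"http://198.51.100.7/login\">https://portal.example-corp.com</a></p>\n"

// Domains the firm genuinely sends from (assumed for the example).
var trustedDomains = map[string]bool{"example-corp.com": true}

var anchorRe = regexp.MustCompile(`(?is)<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
var urlLikeRe = regexp.MustCompile(`(?i)^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$`)
var ipLiteralRe = regexp.MustCompile(`^\d{1,3}(\.\d{1,3}){3}$`)

// Digit-for-letter swaps commonly used to register lookalike domains.
var confusables = strings.NewReplacer("1", "l", "0", "o", "3", "e", "5", "s")

// addressDomain returns the lower-cased domain of an address header, or "" if absent/invalid.
func addressDomain(header string) string {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return ""
	}
	return strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
}

// hostOf extracts the lower-cased host from a URL, treating bare domains as http://.
func hostOf(raw string) string {
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// linkMismatches returns {hrefHost, visibleHost} pairs for anchors whose visible
// text names a URL on a different host from the one the link really points to.
func linkMismatches(html string) [][2]string {
	var out [][2]string
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		visible := strings.TrimSpace(m[2])
		if !urlLikeRe.MatchString(visible) {
			continue // "click here" style text gives nothing to compare against
		}
		if h, v := hostOf(m[1]), hostOf(visible); v != "" && v != h {
			out = append(out, [2]string{h, v})
		}
	}
	return out
}

// analyse parses a raw RFC 5322 message and returns the phishing indicators it finds.
func analyse(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	body, _ := io.ReadAll(msg.Body)
	var ind []string
	from := addressDomain(msg.Header.Get("From"))
	if !trustedDomains[from] {
		ind = append(ind, "sender domain not trusted: "+from)
		if norm := confusables.Replace(from); trustedDomains[norm] {
			ind = append(ind, "sender domain is a lookalike of "+norm)
		}
	}
	if reply := addressDomain(msg.Header.Get("Reply-To")); reply != "" && reply != from {
		ind = append(ind, "reply-to domain differs from sender: "+reply)
	}
	for _, p := range linkMismatches(string(body)) {
		ind = append(ind, fmt.Sprintf("link text shows %s but points to %s", p[1], p[0]))
		if ipLiteralRe.MatchString(p[0]) {
			ind = append(ind, "link target is a bare IP address: "+p[0])
		}
	}
	return ind, nil
}

func main() {
	ind, err := analyse(sampleEmail)
	fmt.Printf("%d indicator(s), parse error: %v\n", len(ind), err)
	for _, i := range ind {
		fmt.Println("  -", i)
	}
}
```

Run against the constructed message, the program reports five indicators: an untrusted sender domain that is a digit-swapped lookalike of the firm's own, a Reply-To on a third domain, and a link whose text shows the firm's portal but whose target is a bare IP address. Heuristics like these complement, rather than replace, mail-gateway controls such as SPF, DKIM and DMARC, and a hit should route the message for review rather than silently discard it.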
CEO and invoice fraud account for 85% of the frauds reported to Barclays on a daily basis. Typically, this involves cyber criminals imitating a senior executive within a business and persuading an employee to do something, like making a payment or divulging sensitive information.
Invoice fraud, or invoice redirection, usually occurs when a fraudster poses as one of your firm’s third-party suppliers and notifies your finance team of new payment details for their account.
These forms of social engineering are evolving rapidly. Criminals have detailed knowledge of firms’ fraud controls and authentication measures, they know how to leverage underground and legitimate VoIP and messaging system technologies, and they can make use of complex money laundering schemes. Criminals are also starting to use voice technology to commit CEO fraud, and replay technology can be used to create fake videos that look and sound exactly like a CEO or senior executive.
On average, 25% of employees click on malicious emails, so education and awareness are key to protecting your firm from the threat of social engineering. But it’s not enough to educate. It’s also important to perform regular checks to ensure your processes work and that employees are up to date with the latest scams, and therefore less likely to be the victim of an attack.
Criminals use malware – malicious software – to disrupt computer operations and access confidential information.
Malware is now more pervasive and sophisticated than ever before. Previously, different types of malware would have been designed for different tasks, such as to steal data from a browser, email account or cryptocurrency wallet; to insert remote access trojans or worm modules on to a computer; or to drop ransomware into a system. Nowadays, malware is designed to be self-aware and perform multiple actions or a combination of different tasks, depending on the computer or environment it accesses.
One example is Trickbot, a banking trojan distributed through phishing emails. Once the malicious link or attachment is clicked, it has the ability to spread itself laterally across a network and propagate further by acquiring access to a victim’s email contacts, to whom the malware is subsequently distributed. It’s believed to have compromised more than 250 million email accounts since 2016.
Malware can exist undetected within a firm’s network environment for months, harvesting protected information until it takes over the domain and has access to everything from accounting details to confidential client information.
Supply chain attacks
Cyber criminals will always look for the weakest link in the chain, whether it’s an individual employee or an entire third-party organisation in your network. A supply chain attack occurs when a fraudster targets a less-secure supplier or vendor in your supply chain and uses it as the gateway to the different businesses in the chain. Criminals usually use a combination of social engineering and malware in these attacks.
In a recent supply chain attack, a Ukrainian accountancy software provider was used as the entry point for a global ransomware attack. The software provider sent its clients regular software updates, which the clients were used to installing. Once the ransomware had attacked the accountancy software provider, it was able to spread globally across organisations through these supposedly ‘trusted’ updates.
Given that 75% of global IT infrastructure systems are controlled by third parties, it’s essential that firms ensure they have the necessary in-house knowledge and expertise to correctly manage and protect their environments, particularly those elements linked to supply chain networks.
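The ‘trusted’ update path described above is exactly where a client-side integrity gate belongs: before a vendor package is installed, the client should verify that the release manifest was signed by the key it pinned at install time, that the package bytes hash to the digest in that manifest, and that the version is newer than the one already installed. The Go program below is an added example illustrating that gate; it is not the accountancy vendor's code, not Barclays code, and the key pair, manifest format, product name and version numbers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The vendor signs its JSON encoding with the
// release key; the client pins the matching public key when first installed.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // build number; must only ever increase
	SHA256  string `json:"sha256"`  // hex digest of the package bytes
}

// SignedManifest is what the update channel delivers alongside the package.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
}

// signManifest is the vendor-side step, included only so the example runs end to end.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	data, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, data)}, nil
}

// verifyUpdate is the client-side gate: install only if the manifest verifies under the
// pinned key, the package hashes to the signed digest, and the version is newer than installed.
func verifyUpdate(pinned ed25519.PublicKey, installed int, sm SignedManifest, pkg []byte) error {
	data, err := json.Marshal(sm.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, data, sm.Signature) {
		return errors.New("manifest signature does not verify under the pinned release key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != sm.Manifest.SHA256 {
		return errors.New("package hash does not match the signed manifest")
	}
	if sm.Manifest.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed version %d", sm.Manifest.Version, installed)
	}
	return nil
}

type Outcome struct {
	Case string
	Err  error
}

// runScenarios exercises the gate with one genuine update and three that must be refused.
func runScenarios() ([]Outcome, error) {
	// Constructed keys: vendorPub stands in for the key pinned inside the client.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the client never trusted
	if err != nil {
		return nil, err
	}
	pkg := []byte("constructed package bytes for build 42")
	sum := sha256.Sum256(pkg)
	m := Manifest{Product: "ledger-client", Version: 42, SHA256: hex.EncodeToString(sum[:])}
	genuine, err := signManifest(vendorPriv, m)
	if err != nil {
		return nil, err
	}
	forged, err := signManifest(otherPriv, m)
	if err != nil {
		return nil, err
	}
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff // one altered byte, as a modified update would carry
	const installed = 41
	return []Outcome{
		{"genuine update", verifyUpdate(vendorPub, installed, genuine, pkg)},
		{"tampered package", verifyUpdate(vendorPub, installed, genuine, tampered)},
		{"manifest signed by an untrusted key", verifyUpdate(vendorPub, installed, forged, pkg)},
		{"replay of the already-installed version", verifyUpdate(vendorPub, 42, genuine, pkg)},
	}, nil
}

func main() {
	outcomes, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-42s -> %v\n", o.Case, o.Err)
	}
}
```

Only the genuine update passes; the altered package, the manifest signed by a key the client never pinned, and the replayed old version are all refused. The caveat for the incident described above is that a signature check protects against tampering in transit or on a mirror, not against a vendor whose own build pipeline or signing key has been compromised, which is why firms should also stage vendor updates in an isolated environment and only then roll them out broadly.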
Direct payment channel attacks
Over the past few years, the number of network intrusions targeting payment channels has grown considerably. The well-publicised attack on SWIFT in Bangladesh is just one example. However, it’s important to note that SWIFT itself wasn’t breached – while its environment was secure, the network within which it was operating was not.
Payment platforms are increasingly moving to lower-cost and faster infrastructure, and expanding across global networks and channels. But these innovations introduce new opportunities and weaknesses for cyber criminals to exploit.
Domestic payment platforms like Faster Payments and BACS are also beginning to be targeted.
While the cyber economy and cyber attacks are bound to continue to grow, it’s possible for professional services firms to combat many of the threats.