Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder
Calico Jack, Captain Blood, and Blackbeard. So many recognizable stories, books, and movies have been made about the period of stealing and looting exemplified by the golden age of piracy. Time will tell whether we see such romanticized stories of dashing rogues based on the new golden age of criminality that we now live in. In fact, if you look at the FBI’s statistics, the internet has enabled cybercriminals to increase their ill-gotten gains by 700% in 10 years (2007-2017). To put that in perspective, when pirates looted and plundered their way across the seven seas, the top 20 pirates of all time stole about $615.5 million when adjusted to 2017 dollars. Flash forward several hundred years and compare that to the takings from cybercrime in the US alone, where the FBI has just released new estimates putting losses at more than $2.7 billion in 2018!
In this series of blogs, I’ll be exploring cybercrime and fraud, outlining some of the strategies that you can adopt to help mitigate risk, and how you can use Cisco products and technologies to help implement those strategies.
So, let’s delve into this golden age of criminality in a little more detail. First, it’s important to realize that the scale of this illicit profit has brought with it a tremendous amount of professionalism. This is illustrated by the fact that while losses have increased 700%, the number of incidents has only increased by 50%, resulting in a much higher loss per incident. Of course, the FBI only has a US-centric view, so how representative is it globally? If we consider research from the Center for Strategic and International Studies (CSIS), the estimated global cost of cybercrime is 0.59% to 0.8% of GDP ($445 billion to $608 billion). Furthermore, if we then compare that to the value that the UN Office on Drugs and Crime (UNODC) assigns to the global cost of the illicit drugs trade, 0.5% to 0.6% of GDP, you realize that the cybercrime market is at least as big as, if not bigger than, the global trade in illicit drugs! With such profits obtained at risks that are a fraction of those faced by other criminal enterprises, it’s easy to see why cybercrime remains an attractive and growing area for professional criminals.
So how much could it continue to grow? Are we already at peak cybercrime? In October 2017, BITKOM (German Association for Information Technology, Telecommunications and New Media) published a survey that showed 49% of German internet users had been a victim of cybercrime. Furthermore, if we compare this to an analysis from the US Department of Justice on the Lifetime Likelihood of Victimization, which estimated that 99% of people would be a victim of robbery at least once and that 87% would be a victim three or more times, you can see that, depressingly, there appears to be significant room left for cybercrime to grow.
So what’s driving this explosive growth in cybercrime? Interestingly enough, it’s actually a new form of a very old crime: Fraud. And by old, I mean really old! They say the earliest recorded form of fraud is the story of Hegestratos in 300 BC! Hegestratos took out a large loan for cargo secured against the value of his ship. When the ship arrived and the cargo was sold, the lender would be repaid with interest. If the loan was not repaid, the lender had security in the form of the ship. However, if the ship sank, the lender lost both the loan and the security. Needless to say, Hegestratos figured it was easier to sink the ship, save and sell the cargo, and pocket the loan for good measure! What’s remarkable is how, since those days, fraud has evolved as time, technology, and most importantly, the law have advanced. After all, why even bother going to all the trouble of having a ship if you can just pretend to have one? This was made an offense in England as early as 1541 (obtaining property by false or counterfeit token). Once again, fraud evolved, so that by 1757 the law had to be updated to the broader concept of false representation. In the US, with its larger geography, the symbiotic evolution of fraud, technology, and the law is even clearer: counterfeiting laws of 1797 evolved into false claims in 1863, mirroring the evolution of the law in the UK, before mail fraud had to be added in 1872 and then wire fraud in 1952. At each stage you can see how criminals are the first to adapt and exploit the opportunities new technology provides for fraud before the defenders can catch up.
Today, little has changed as we continue to see the same scenarios playing out. According to the German Federal Police division responsible for crime, the Bundeskriminalamt (BKA), 99.4% of all recorded cybercrime losses come from fraud. The emphasis here is on recorded losses, as the BKA makes some great points about the difficulties in truly quantifying cybercrime losses, especially intangible losses such as reputational or brand impact. Cross-referencing these numbers with the annual Internet Crime Report from the FBI Internet Crime Complaint Center (IC3), some quick addition reveals that all forms of fraud account for approximately 85% of the overall losses, validating the BKA’s approach. In fact, the IC3 specifically calls out the losses associated with two specific forms of fraud known as Business Email Compromise (BEC) and Email Account Compromise (EAC). These are two variations on a fraud in which the criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds.
The classic example of this is when the person responsible for finance or the payment of suppliers receives an email purportedly from the Chief Executive Officer (CEO) demanding the urgent payment of a supplier via wire transfer. Of course, the email isn’t from the CEO: it comes from a spoofed or lookalike address, or from a mailbox the criminals have already compromised, and the account details are nothing more than an account held by another unsuspecting person (a money mule) who will transfer the funds on again. By the time the fraud has been identified, the money has moved several times through various accounts and potentially countries and will rarely be recovered. Emphasizing the earlier point regarding the professional nature of this type of crime, the FBI said the perpetrators are “transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers” who “may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.” The gains for the criminal are staggering: in its 2016, 2017 and 2018 reports, the FBI IC3 identified BEC/EAC as a hot topic, and it estimated that losses in 2018 alone were nearly $1.4 billion.
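The scenario above has a recognisable shape on the wire, and it is worth seeing how the individual tells can be checked mechanically. The following is an added example written for this post, not Cisco code and not a Cisco product feature: it parses a raw message and reports the classic CEO-fraud indicators (an executive's display name on a non-executive address, a lookalike sender domain, a redirected Reply-To, an upstream SPF/DKIM failure, and urgency plus payment language). The defended domain, the executive list, the keyword list and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage of inbound mail for CEO-fraud (BEC) indicators.

Added example, not code from the original post. The domain, executive list,
keyword list and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumed: the defended organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real address
URGENT_WIRE = re.compile(
    r"\b(urgent|immediately|today|asap|confidential|wire transfer|wire|beneficiary)\b",
    re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' with non-executive address {addr}")

    # 2. Sender domain is a near-miss of our own (typosquat-style registration).
    if sender_domain and sender_domain != OUR_DOMAIN \
            and levenshtein(sender_domain, OUR_DOMAIN) <= 2:
        findings.append(f"lookalike domain {sender_domain}")

    # 3. Replies are silently redirected to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to redirected to {domain_of(reply_to)}")

    # 4. SPF/DKIM verdict recorded by the receiving MTA (RFC 8601 header).
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("spf/dkim failure")

    # 5. Urgency plus payment language in subject or (single-part) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + " " + body
    hits = {m.group(1).lower() for m in URGENT_WIRE.finditer(text)}
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(sorted(hits)))
    return findings


def is_suspected_bec(raw: str) -> bool:
    """Hold the mail on any executive impersonation, or on two independent indicators."""
    found = bec_indicators(raw)
    return len(found) >= 2 or any(f.startswith("display name") for f in found)


# Constructed samples (not real messages).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@webmail.invalid>
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com

I am travelling and cannot take calls. Please process the attached supplier
invoice by wire transfer today and keep this confidential until I am back.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Can we move the budget review to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspected_bec(sample), bec_indicators(sample))
```

Two caveats a practitioner would add: the EAC variant, where the criminal sends from the CEO's genuinely compromised mailbox, passes checks 1 to 4 and is only caught by the language heuristic or by an out-of-band payment verification; and a lookalike domain check based on edit distance misses homoglyph registrations in other scripts, so production filters normally add a confusables table as well.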
How does this compare with losses from other forms of cybercrime? Well, in 2018, the FBI statistic for losses due to another popular form of cybercrime, the classic corporate data breach, was $117.7 million, or about 8% of the loss due to BEC/EAC. Looking at the state of California within the FBI statistics, we see that BEC/EAC is the single biggest cause of losses, accounting for 33% of the overall losses due to any form of cybercrime. So, has this risk peaked? Well, examining a survey from the credit reference agency Experian, you can see that 72% of businesses had a growing concern about fraud in 2017 and 63% of them had experienced the same or higher losses due to fraud, pointing to a real and growing risk. It’s worth bearing in mind that the FBI’s estimated cumulative losses from BEC/EAC already exceed $5 billion, and that annual losses still increased 78% between 2016 and 2017 and by a further 92% between 2017 and 2018. Bad as it is, things may continue to get a lot worse.
So, what is to be done? In the next blog post, I’ll be talking about some of the strategies, products, and technologies that can help address and mitigate the issues I discussed in this blog. Of course, I welcome your thoughts, comments and feedback so please do take the time to let me know your thoughts!