Managing fraud in a digital world
Author: Andrew Rogoyski, CGI UK
Posted: 8 June 2017
Almost every aspect of our lives is now transacted online in ways that would have seemed like far-fetched science fiction only 20 years ago.
I might make a doctor’s appointment, look at photos from my youngest’s gap year travels, do a background check on a job interviewee and order food for tonight’s dinner, all in a fraction of the time it might have taken me a few years ago.
As individuals and as organisations, we are cashing in on the ‘digital dividend’ with ever increasing enthusiasm. However, there is a price to be paid for these new-found freedoms, and we aren’t paying it.
With every digital freedom, we create vulnerabilities. Sometimes because the technology isn’t quite ready for the task at hand, more often because the human user hasn’t adjusted to the different types of risks that they face in the online world.
As a result, online fraud, targeting any kind of transaction that can generate cash, is being perpetrated by clever but unscrupulous criminals who see the digital world as a huge opportunity to make money.
Identity fraud is a key enabler to committing digital fraud, with Cifas’ own research declaring 173,000 recorded events in 2016, the highest ever recorded and representing over half of all recorded frauds. The Office of National Statistics reported that there were over 2 million victims of cybercrime in the UK in 2015. Juniper Research estimated that cybercrime will cost worldwide business $2 trillion by 2019. Digital fraud is big business.
The appeal of online fraud
There are some critical differences between traditional real-world fraud and online fraud which make the new world extremely attractive for the criminally-minded. First and most obviously, we, as citizens, consumers and employees, are simply not prepared. People have not yet developed an appreciation of the risks, the vulnerabilities and the impact that digital-world frauds can have.
More insidiously, the fraudster’s risk of being caught and prosecuted is much lower than traditional fraud – these crimes can be perpetrated from anywhere in the world, with little chance of their operation being discovered.
More interestingly, the balance of investment in a fraudulent scheme is completely different. Because such crimes can be undertaken at great distances and in great numbers, the fraudster can afford for the majority of attempts to fail. It is now a numbers game, and if the numbers are high enough, it doesn’t matter if 95% of their attempts fail.
This is completely different from traditional real-world frauds, where each attempt was personally risky and could only succeed if the reward for each scam was high enough. One effect of living in this low-risk, high-numbers world of digital fraud is that the scams are becoming increasingly ingenious, sometimes to the point of becoming quite bizarre.
Scam success due to one weakness – us
Most online fraud exploits have one common vulnerability – humans. It is still ignorance, negligence and credulity that allow most fraud, real-world or online, to succeed. According to Norton, phishing attacks – where users are sent carefully crafted emails that attempt to trick them into revealing sensitive personal information or downloading malware – are now so good that 40% of people cannot tell them from a genuine email.
One scam that depends on human credulity is the ‘business email compromise’, better known as ‘whaling’. The scam targets an organisation, sending a highly credible email, supposedly from the chief executive, to an individual in the company asking for urgent transfer of funds to support a deal, or similar.
The fraudster will have done a fair amount of research on the target company, identifying target individuals and the contextual knowledge that allows the email to be extremely credible. This information will have been gleaned from social media, the company website and other sources, all freely available to the fraudster. The FBI recently estimated that this type of fraud alone was worth some $5bn a year to fraudsters.
In a similar vein, so-called ‘mandate fraud’ is where the fraudster persuades individuals or organisations to change outgoing payment details to a new account (the fraudster’s account). The fraudster might pretend to be an established supplier to the target company, with the success of the attack dependent on the background research the fraudster has undertaken and, of course, the gullibility of the human being targeted.
Another type of fraud, highly visible in the news at the moment, is known as ransomware, which typically uses fake emails to trick users into downloading malware that encrypts their computer files and then demands payment in order to decrypt them. The ‘WannaCry’ ransomware attacks, responsible for bringing thousands of companies to their knees, including the UK’s NHS, are probably the most recent and most infamous of such attacks.
As an example of ingenuity, one derivative scam involved the sale of encryption software to users, allowing people to protect their information from unauthorised access. In fact, the encryption software was ransomware. It did the job, but the user then had to pay a second time to decrypt their files!
Paying for the ease of digital life
In the face of this onslaught of digitally-enabled fraud, perhaps it is time to pay the price for the digital dividend. It is now true to say that most organisations have cyber risk as one of their top business risks. However, investment in cyber security is typically not a company’s highest priority.
CEOs are focused on growing the top or bottom line and tend to regard spend on cyber security as something that doesn’t generate a return. However, recent research by CGI and Oxford Economics showed that a cyber-incident has a measurable impact on share price, averaging 1.8%, equivalent to a £120 million reduction in company value for a typical FTSE 100 firm.
This is getting business leaders' attention, reframing the argument in terms that they understand and in terms that will change investment priorities in support of improving cyber security. It is only as business leaders recognise the damage that cybercrime can do to their organisations and start to support the fight against it, through awareness, investment and advocacy, that we can fight back against the current exponential growth in cybercrime.
CGI’s own principles of cyber security aim to make "cyber part of everything we do"; we ensure that security is baked in, rather than bolted on to, the IT services that the company provides. CGI’s cyber security team, one of the largest in the UK, has a 40-year history of designing and building secure IT systems.
Its current capabilities break down into three areas:
- Advisory work on policy, strategy, compliance and governance;
- Engineering work that designs and architects systems security, increasingly in a cloud-based world; and
- Managed services, providing monitoring, investigation and incident response services for clients that don’t have the deep expertise or cannot attract the skilled people necessary to defend a modern enterprise.
Contact CGI's cyber security team for more details.
Andrew Rogoyski is Vice President of Cyber Security at CGI UK.
CGI UK are one of the sponsors of our Annual Conference 2017.