How it’s Going: A Brief History of Business Fraud and Scams
Technology has created a tsunami of business fraud – accelerating the pace of crime, making it harder for businesses to protect themselves, and even harder to get ahead of the continuously evolving realm of online crime. The tactics outlined below are not exhaustive by any means but provide a starting point for further investigation.
Impersonation Scams & Phishing
Phishing scams aim to convince the recipient that the origin of communication is a legitimate source that they recognize. The recipient is lured into downloading software that gives the scammer access to enough information to access corporate networks. Even multi-factor authentication can be defeated this way if confirmation messages all come into the same device. Once in, the usual route is for scammers to change passwords so that the victim cannot easily monitor what they are doing.
Hacktivism, malicious actors and cybertrespass
It was a common theme in financial fraud that any security scheme needed to be a few orders of magnitude more expensive to overcome than the opportunity the fraud revealed. For instance, spending $2M defeating a security device that only gives the fraudster access to $5,000 is obviously not great business! Diligence ensures that sufficient defenses are maintained at this deterrent level, so that the opportunity cost is too high and fraudsters are encouraged to explore other avenues.
The rise of hacktivism and malicious actors has changed the dynamic away from financial benefit for the cyberintruder and towards disrupting business for other purposes or gaining access to information for political purposes. The Mossack Fonseca Panamanian law firm was the subject of the Panama Papers data breach, where some 11.5 million confidential documents were stolen and leaked to the press, implicating individuals and companies in financial transactions designed to avoid tax. Two years after the breach, the reputational damage led to the failure of the firm.
Hacktivism has been a common theme in attacks on the fossil fuel industries and the armaments industries, amongst others. Part of this group of non-fraud penetrators are cyber-trespassers who breach security systems just for the challenge. In 1996, the title of the United States Department of Justice's homepage was changed to "Department of Injustice". Pornographic images were added to the homepage to protest the Communications Decency Act. Some hacktivism is malicious in intent, but cyber-trespassers don’t intend to create long-term damage; curiosity drives them. Unfortunately, their lack of skill often results in unintended consequences for them, including long prison sentences. Wikileaks has long been regarded as a hacktivist organization by some, but it is unclear whether they undertake breaches or act as a publishing and dissemination portal.
Campaign Driven, Distributed Denial of Service (DDoS), Ransomware
All of these scams are industrial in nature, requiring large-scale, coordinated, repeated attacks. In 1998, hackers created FloodNet, a web tool that allowed users to participate in DDoS attacks, or what they called electronic civil disobedience. The goal of DDoS is to flood systems with spurious data so they are unable to operate normally. Anonymous is a decentralized group that originated on the forums of 4chan during 2003 but didn't rise to prominence until 2008, when they directly attacked the Church of Scientology in their first claimed DDoS attack. Many have followed.
Ransomware uses injected code to disrupt computing resources until a bounty is paid. Its origins are likely the 1989 AIDS Trojan, when biologist Joseph L. Popp sent 20,000 infected diskettes to attendees of the WHO international AIDS conference. The Trojan hid directories and encrypted file names until the victim sent funds to a post office box in Panama. Modern variants are much more sophisticated but operate using the same mechanism.
Data attacks
Cyber-attacks are designed to use the infected location to spread malicious code through networks to third parties, just like a classic virus. These Supply Chain Attacks have become easier for hackers as modern software increasingly relies on third-party APIs and code fragments to deliver services. Code Injection Attacks work the same way and are designed to change the function, operation or destination of services. These attacks spread very quickly. In 2020, IT management and monitoring tool provider SolarWinds suffered a hack that managed to inject malicious code called Sunburst into their Orion software. When the company distributed the updated code to 18,000 customers, they inadvertently installed backdoor access into those systems that was almost impossible to detect.
Data poisoning
For AI-based systems, these code injection attacks can involve data poisoning, where the training data used by AI models is modified to introduce bias, to disrupt the output, or to allow for other future code insertions.
Whenever visitors to a website can provide information through forms and comments, code can be inserted that impersonates visitors and replicates. Databases can be compromised in a similar way using SQL Injection. Code can even attach to banner ads and pop-up windows to fire malicious code back at the visitor (Malvertising).
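The SQL Injection point above is easiest to see side by side. The following is an added example (not code from the original article): a deliberately vulnerable lookup that splices visitor input into the query text, next to the parameterized form that keeps the input as data. The in-memory table, the user names and the test inputs are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a site's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: the visitor-supplied value is spliced into the SQL
    # text, so a quote character in the input changes the query's structure.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter and the database
    # treats it purely as data, never as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # 1. An ordinary name containing an apostrophe: the vulnerable query is
    #    malformed and raises, while the parameterized query simply works.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["param_apostrophe"] = lookup_parameterized(conn, "o'brien")
    # 2. The textbook tautology input: the vulnerable query's WHERE clause
    #    becomes always-true and every row comes back; the parameterized
    #    query looks for a user literally named that and finds nothing.
    payload = "x' OR '1'='1"
    results["vuln_payload_rows"] = len(lookup_vulnerable(conn, payload))
    results["param_payload_rows"] = len(lookup_parameterized(conn, payload))
    return results


if __name__ == "__main__":
    print(demo())
```

The apostrophe case is the one that matters day to day: the same defect that lets a crafted input dump the whole table also breaks legitimate names, so a crash on input like O'Brien is a signal that a query is built by string concatenation and needs to be parameterized.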
Password spraying, replay
Passwords, the gateways to IT systems, have inherent vulnerabilities. Password management systems control their format, storage and permissions, and are ripe for targeting. Password spraying tries a common set of passwords against each account the attacker can identify, and password replay gains access by re-submitting a password that was already captured. Examples are man-in-the-middle and pass-the-hash attacks, where hijacked credentials are reused or open sessions are exploited.
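Spraying and classic brute forcing leave different shapes in an authentication log, and a detection rule has to look for both. The following is an added example (not from the original article) of the two detections run over a constructed log: one source failing once each against many accounts within a short window (spray), and another failing repeatedly against a single account (brute force). The log format, source addresses, user names and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format: ISO timestamp, source, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.5 sprays six accounts once each,
# 198.51.100.7 hammers one account, the rest is ordinary traffic.
SAMPLE_LOG = """
2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:14Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:27Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:40Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:53Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:01:06Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T09:02:00Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:05Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:10Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:15Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:20Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:02:25Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T09:03:00Z src=192.0.2.10 user=alice result=OK
2024-03-01T09:03:30Z src=192.0.2.11 user=bob result=FAIL
2024-03-01T09:03:45Z src=192.0.2.11 user=bob result=OK
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into (timestamp, src, user, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def _failures(lines):
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    return [e for e in events if e[3] == "FAIL"]


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: set_of_users} for sources that failed against at least
    `min_accounts` distinct accounts inside any `window`-long span.
    Few attempts per account, many accounts: the spray signature."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    flagged = {}
    for ts, src, user, _ in _failures(lines):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged.setdefault(src, set()).update(users)
    return flagged


def detect_brute_force(lines, window=timedelta(minutes=10), min_attempts=5):
    """Return {(src, user): failures} for pairs with at least `min_attempts`
    failures against the same account inside `window`: the shape a spray
    rule alone would miss, because only one account is involved."""
    recent = defaultdict(deque)  # (src, user) -> deque of failure timestamps
    flagged = {}
    for ts, src, user, _ in _failures(lines):
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= min_attempts:
            flagged[(src, user)] = max(flagged.get((src, user), 0), len(q))
    return flagged


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOG))
    print("brute force:", detect_brute_force(SAMPLE_LOG))
```

Per-account lockout thresholds catch the brute-force source but never the spray source, which touches each account only once; that asymmetry is why the spray rule keys on the source rather than the account.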
AI
Generative AI applications such as Large Language Models (LLMs) like ChatGPT, Midjourney, etc., enable more convincing impersonation of individuals and organizations. The dissemination of false or misleading information will become more sophisticated and industrialized through the use of deepfakes and voice cloning. Although the signs that AI is involved are generally obvious today, as the models, training and filtering improve this task will become harder, and might even target multi-factor authentication.
AI chatbots and customer experience services using LLMs can be encouraged by sophisticated prompts to breach their own security and enable access to services or deliver data that was not intended. Implementations need to consider these kinds of “exposure” prompts and trap them.
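One practical way to "trap" exposure prompts is to check the model's reply before it reaches the user, rather than trusting the prompt alone. The following is an added example, not code from the original article: a random canary marker is placed in the private system prompt so that any reply echoing it is caught, and replies are also checked for account identifiers outside the requesting customer's scope. The ExampleBank name, the ACCT-nnnnnn account format and the sample replies are constructed assumptions.

```python
import re
import secrets


def make_canary():
    # A random marker embedded in the private system prompt. It never
    # appears in a legitimate answer, so seeing it in a reply means the
    # model was talked into echoing its instructions.
    return "CANARY-" + secrets.token_hex(8)


def build_system_prompt(canary):
    # Constructed system prompt for a fictional bank's support assistant.
    return (
        "You are a support assistant for ExampleBank (constructed). "
        "Only discuss the authenticated customer's own accounts. "
        f"Internal marker: {canary}"
    )


# Constructed account-number format used by the fictional service.
ACCOUNT_RE = re.compile(r"\bACCT-\d{6}\b")


def guard_reply(reply, canary, allowed_accounts):
    """Return (ok, reason). Blocks a reply that leaks the system prompt or
    that references account numbers the caller is not entitled to see.
    Runs between the model and the user; the model's text is untrusted."""
    if canary in reply:
        return False, "system prompt leaked"
    foreign = set(ACCOUNT_RE.findall(reply)) - set(allowed_accounts)
    if foreign:
        return False, "references accounts outside caller scope: " + ", ".join(sorted(foreign))
    return True, "ok"


if __name__ == "__main__":
    canary = make_canary()
    system_prompt = build_system_prompt(canary)
    # Constructed replies standing in for model output.
    print(guard_reply("Your balance on ACCT-123456 is 10.00.", canary, ["ACCT-123456"]))
    print(guard_reply("Sure, my instructions are: " + system_prompt, canary, ["ACCT-123456"]))
    print(guard_reply("Recent transfers from ACCT-654321 ...", canary, ["ACCT-123456"]))
```

The output check is the important half: a prompt filter can only guess at what a cleverly worded request will do, whereas the data actually leaving the system is concrete and can be matched against what the caller is authorized to receive.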
Yet AI is a great weapon in the defense against scammers and fraudsters too, using models that identify and trap suspicious activity, exposing malicious intent. Banks and other financial institutions have been deploying similar tools for some time.
Corporate Cybersecurity: Actions in Defense
The best defense is to not trust anyone, but practicality drives other strategies, using multiple tools that can help heal corporate vulnerabilities. Companies must also implement comprehensive Cybersecurity Training Programs to ensure users maintain diligence against phishing (and targeted Spear Phishing) attempts. They must know the protocols for reporting suspected breaches and be assured that retribution beyond retraining will not follow. Always limit system access to those who need it, and implement regular reviews of access consents, especially for leavers and anyone on long-term absence.
Critical systems need the highest protection, especially where remote access might expose vulnerabilities. Increasing reliance on third-party code fragments and licensing presents access points too, even for cloud services. Subscribe to external services that identify bad actors and attack vectors, including their established playbooks, enabling security teams to proactively deploy prevention and awareness. These services monitor the sources and availability of new toolkits designed to defeat security that might be advertised on the dark web - don’t wait for a breach to check the door locks! Incidents and responses must be communicated to teams as soon as practical, but prioritize protecting compromised services and data first.
The weakest link in any company is the “wet factor”, or people. Ponemon Institute’s 2020 Cost of Insider Threats study reported that the global average cost of an insider threat was $11.45 million, while the average cost of a data breach over the same period was $3.86 million. Employees can be naive, or too busy to observe protocols that are not automated - and they can act maliciously. Attention must be focused on personnel in critical areas; changes in behavior could signal that threat pressure is brewing, as outside agencies using kompromat to pressure employees is not just the stuff of fiction.
Spear phishing
Impersonation can also be expensive: Ubiquiti Networks suffered a spear-phishing attack where emails apparently from senior executives directed employees to transfer $40 million to a bank account controlled by fraudsters. Protocols for unusual request handling can head off this kind of attack completely. Collaboration with external threat agents can be easier to detect but the lone wolf, acting for monetary gain or moral principle, is much more difficult. As an example, Edward Snowden’s actions caused agencies to prohibit bulk copying of information, except under strict multi-person observation and control.
Technical employees might try to circumvent security through personal arrogance or because they believe that their productivity or workflow is inhibited. Encourage feedback from these users so the company can formally review policies to prevent subversion attempts on threat of sanctions.
However, for the sake of growth and a positive employee experience, companies need to ensure that they don’t create a culture of default suspicion. Multiple login attempts might be a threat but might also be an employee in distress. It’s a fine line to walk for any organization.