James Hatch, Director of Cyber Services at BAE Applied Intelligence, discusses how he believes fighting modern fraud needs a radical new level of collaboration and trust.
Fraud? Or cyber fraud?
What’s the difference between fraud and cyber fraud? Is there one? Cyber fraud can be described very simply as fraud that’s enabled by technology. Not so much a new type of fraud as a shift in the way fraud is carried out.
But the phrase “enabled by technology” is problematic. It struggles to capture the significance of what’s changing.
Just as there are myriad ways to commit fraud, there is a broad and ever-expanding range of ways that technology enables fraud. There are some common traits of what we mean by cyber fraud today, such as being:
- Remote: fraudsters and targets are not limited by geography
- Industrialised: able to scale and adopt approaches that were not previously viable
- Depersonalised: using digital identities with limited or no links to real people or businesses
- Rapidly evolving: techniques can evolve rapidly and build on one another
Why does fraud matter?
Fraud matters because it’s so rife right now. Recent crime surveys have found that a person is now more likely to be a victim of fraud than any other crime. It accounts for nearly half of all crimes, and over half of all frauds are thought to be cyber-enabled.
Fraud creates or facilitates a wide range of problems. It results in economic losses – both directly and to wider society. It creates a fear of crime. It erodes trust in digital society and business. It prevents law and justice from being administered. And, most chillingly, it enables the financing of terrorism and other criminal activity.
The impact of fraud on businesses is equally disconcerting. As well as suffering direct losses, organisations are exposed to reputational damage from falling victim to fraud or losing data, which puts their customers at risk, too.
A shared problem
There’s confusion around whether cyber fraud is a cyber security or a financial crime problem. Often, it’s both. Cyber attacks are carried out to enable fraud and, as we’ve mentioned above, most instances of fraud are made possible through technology.
To make matters more complicated, the individuals or groups carrying out the cyber attacks may not be the same as those perpetrating the fraud. Victims are often different – across industries, countries and jurisdictions. Digital transformation is making it increasingly easy for criminals to exploit this complex interconnected web.
The cyber fraud lifecycle
If we instead look at the end-to-end lifecycle of cyber fraud, the systemic and societal challenges become clearer.
At the moment, the system isn’t working. Responsibilities and mechanisms that are intended to address fraud are fractured and poorly aligned to the current problem:
- Criminals usually need personal information or account credentials to commit fraud. Occasionally this information will be available from public sources but, typically, some kind of cyber compromise is needed using social engineering and/or technical means. The organisations targeted for this information suffer the technical and possible reputational impact of the compromise but do not generally experience the direct financial loss of the fraud. And that makes it hard to build the business case for better security.
- Personal information, account credentials or technical access are all required for a successful fraudulent transaction. This will happen through deception (e.g. compromising business emails), coercion (ransomware) or directly using information or credentials obtained. Often, fraud victims have very little visibility or control over what is happening, especially if they are individual consumers.
- Financial institutions have greater visibility of (and control over) transactions and they have fraud systems in place which identify and deal with most fraudulent activity. However, where transactions are carried out using legitimate but stolen credentials or where they relate to subsidiary processing or money laundering, individual financial institutions often do not have the information or the power to block them.
- Money laundering and other compliance reporting regimes provide law enforcement organisations with a source of financial intelligence but these schemes were designed some time ago and tend to provide limited information which law enforcement finds difficult to translate into direct action.
With split responsibilities and misaligned incentives, the effort to reduce cyber fraud is fragmented and less effective than it could be. As a result, the opportunity and return on investment for criminals conducting cyber fraud is significant and growing.
How cyber fraud can be tackled
While individual participants lack all the pieces of the puzzle necessary to make a substantial difference, by working together society has the power to make these crimes more difficult – disrupting the return on criminal efforts and therefore reducing the appeal and prevalence of cyber fraud.
The challenge is achieving coordination, cooperation and alignment in a world of thousands of financial institutions and law enforcement agencies, and millions of potential cyber and fraud victims. Let’s be realistic – this won’t happen quickly, or through central planning. But it is possible that a substantial difference could be made in the medium term by changing the economics and mechanisms of interactions between the four groups set out above.
The key is adopting more reliable, effective and scalable cyber security practices while reducing the technical and organisational barriers that currently prevent this approach and leave opportunities for criminals on the table. Regulations such as the EU’s GDPR provide a welcome renewed impetus to the corporate management and protection of personal information but the fear of fines means most organisations are focussing on narrow, local compliance and risk avoidance.
Organisations now need to work together to seize the opportunity and develop a more collaborative and constructive approach to fighting fraud – one that can improve the security of society as a whole. We have started an industry initiative to do just this. The Intelligence Network is inviting organisations to be a part of the change they want to see within the industry and make the digital society a safer place. We hope to create a community to solve the challenges we face in a spirit of openness, collaboration and trust. To find out more, visit www.baesystems.com/theintelligencenetwork