Treasury Fraud & Controls, Part 2:
Payoff Size of Fraud Points Explains Continued Escalation of Attacks
In the final quarter of 2018, the average payoff amount for retrieving files encrypted in ransomware attacks was holding steady around $10,000. Early in 2019, the number began to rise, and only six months later it had quadrupled at $40,000. In 2019’s final quarter, the average amount was $84,116, and as if to warn that this number wasn’t going to drop anytime soon, the month of December saw the average rise to an unprecedented and shocking $190,000[i].
- $10,000 Average – 2018 Q4
- $190,000 Average – 2019 December
Coupling this with Strategic Treasurer and Bottomline Technology’s recent survey data, which shows success rates for ransomware more than doubling, and one begins to feel an abrupt (but appropriate) need to brush up on security practices. Ransomware is a relatively new type of fraud, and it seems that, lamentably, criminals are getting the hang of how to make it pay off.
However, while ransomware may be the keynote speaker at this year’s conference of alarmingly successful fraudulent activities, it isn’t the only crime we need to watch. Business Email Compromise (BEC) fraud may be less flashy on the surface, but in a Public Service Announcement from September 2019, the FBI called BEC “the $26 billion scam.”
The data released in the PSA showed that from June 2016 to July 2019, victim complaints totaled over $26 billion in “exposed dollar loss” (actual and attempted loss). The PSA additionally notes the doubling of exposed losses to BEC from mid-2018 to mid-2019, and it’s not uncommon for individual realized losses to reach several millions of dollars[ii].
The burgeoning payoff amounts should drive home two points. First, with such high likelihood of successful and highly profitable payoff, criminals won’t be slowing down anytime soon. Second, we in treasury have to face not only how likely, but also how damaging the loss on our side could be.
The Arms Race
As concerning as the data may be, our aim with these statistics is far from fearmongering. Instead, we aim to encourage a realistic look at the threats and at our defenses. Currently, we’re locked in an arms race with cyber criminals, and they’ve pulled ahead. Our job now is to discover what’s giving them the upper hand and find a way to overcome it. While many of the details related to their success are more suited to analysis by IT and cyber security professionals, there are a few threateningly powerful strategies and skills that we in treasury could stand to learn from our adversaries.
Criminals have learned three key skills that are driving up the threat levels: patience, automation, and sophistication.
- Patience: We don’t often think of patience as powerful, but it may be time we started. The patient mindset of cyber criminals can be seen in their willingness to put in significant efforts now for payoffs in the future.
Example: Criminals have begun stealing encrypted data that no current technology can decode. While this information is useless to them now and may continue so for many years, they are playing the long game and banking on future innovations that could allow them to crack it down the road. This patient, forward-looking attitude creates unexpected angles of attack that will cause treasury a great deal of pain at some point if we are not just as patient and forward-looking in our defense.
- Automation: The criminals are getting the most out of their resources by leveraging automation to ramp up the number of attacks and responses, increasing the likelihood of hitting a payoff.
Example: Automatically sending malicious emails, auto-responding when an victim answers an email, and tracking clicks to focus efforts on the weakest links are only a few ways we know of that criminals are utilizing automation to expand their reach and improve their chances of successfully penetrating defenses.
- Sophistication: A major contributor to the recent increases in success, sophistication allows our adversaries to approach their victims in a more believable way, leading to more breaches in the human firewall of incredulity.
Example: The use of AI to credibly “spoof” the voices of CEOs and others, leading employees to believe they are cooperating with their boss’s wishes as they actually aid criminals, is only one example of how incredibly sophisticated these scams can be. A more common, related example is spoofed email addresses in BEC fraud, again allaying the victims’ suspicions by convincing them they are corresponding with a trusted party.
If we want to catch up in this arms race, we have two areas to improve. One is the technology. With the constant changes and innovations, both in our technology (leading to new potential vulnerabilities) and in our enemies’, this area will always need our attention and action.
In both sides of the fraud war, however, the technology is only as good as the one leveraging it. If we fail to consistently approach the human element of cyber security with the same level of proactivity the criminals employ, they will always stay ahead. We too must adopt patience, automation, and sophistication, and in order for our technological investments to pay off, we must be adaptable and vigilant, resisting the urge to rest on our laurels no matter how recently we updated our systems. This includes ensuring our mindset is current and our staff has payment and cyber security training.