2017-ICPAS-INSIGHT-Masthead

The 21st Century Heist

While technology enables businesses to innovate faster than ever, it also invites evermore ambitious criminals to steal on an ever greater scale. By Kristine Blenkhorn Rodriguez | Summer 2016

cyber800

You have to wonder what Butch Cassidy would make of it. The infamous bank robber went down in history for his criminal escapades, not least a $20K heist from the San Miguel Valley Bank in Telluride, Co. in 1889. Equivalent to about $450K today, the robbery made Butch Cassidy’s outlaw gang one of the most infamous in US history.

While his notoriety lives on lovingly in folklore, it pales in comparison to the recent spate of financial cybercrimes. In February, headlines trumpeted an $81M digital heist from Bangladesh’s central bank. A year prior, computer security firm Kaspersky Lab estimated $1B had been stolen through ongoing cyberattacks on financial firms in more than 30 countries that started in 2013. The culprit? A cybercriminal gang whose members span from Russia and the Ukraine to China.

As if worrying about malicious outsiders isn’t enough, it seems companies are becoming more vulnerable to criminal activity perpetrated by their very own employees. According to Verizon's 2015 Data Breach Investigations Report, insiders cause about 50 percent of all breaches in information security. Roughly 20 percent are considered insider misuse events, where employees could be stealing or profiting from company owned or protected information.

“The bricks-and-mortar crime model is resource intensive and risky,” says Chris Swecker, former assistant director for the FBI Criminal Investigative division. “Cosa Nostra, criminal gangs and the like are still out there and very active. But the most prolific and profitable criminals are committing financial crimes in the cyber realm.”

Banks and other financial firms are the ones footing the bill. According to the U.S. Government Accountability Office (GAO), from 2009 to 2015 financial institutions paid $6.8B for violations of US sanctions programs, $5.2B for infractions tied to anti-money laundering (AML) requirements, and $27M for breaches of the Foreign Corrupt Practices Act (FCPA).

The New Cyber Frontier

Swecker cites Evgeniy Bogachev, a Russian cybercriminal, as the most notorious to date. He was responsible for a major cybercrime operation that allegedly stole more than $100M through the GameOver Zeus attack network. Victims were tricked into downloading malware that searched specifically for financial information.

Bogachev is one of the FBI’s most wanted cyber criminals, charged last year with conspiracy; wire, bank and computer fraud; and money laundering. Officials have offered a $3M reward for information that helps to bring about Bogachev’s capture, constituting the highest reward ever offered by US authorities in a cybercrime case.

“As technology has progressed and provided more avenues for the bad guys to steal money, the bad guys themselves have also progressed,” says Brian Monroe, director of content and business development for the Association of Certified Financial Crimes Specialists. “They’ve gotten really creative. The cyber realm is the new frontier for criminals. There’s a whole universe of bad guys out there trying to get into your real or virtual wallet, into your bank account, into the information stores of big companies, to turn a profit.”

Cyberspace not only provides opportunities for new crimes, says Swecker, but also makes old crimes like money laundering easier. “Even street gangs are getting in on Internet fraud,” he says. “It can be, in some cases, more lucrative than their drug trade.”

Virtual Borders and Currency

As much as 70 percent of crime crosses national borders, which brings cooperation between law enforcement in multiple countries into sharp focus. “While more countries are trying to share information, privacy laws vary widely from country to country. And criminals generally know which countries are safe havens. If you’re a criminal stealing money online, privacy laws don’t deter you. But if you’re law enforcement trying to get information on a criminal hiding in another country, privacy law still applies. It’s a catch-22.”

The Panama Papers controversy illustrates this point well. Approximately 11.5 million files were leaked from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. Those files implicated 12 national leaders (among a myriad of others) in the use of offshore tax havens. While some had done this legally, others hid behind corrupt anonymous corporate structures and a web of middlemen, including bankers, agents and accountants. The press had a field day with the leak, citing shell companies that launder illegal funds. Mossack Fonseca says it complies with anti-money-laundering laws and carries out thorough due diligence on all its clients. And yet, 23 individuals who have been sanctioned for supporting regimes in North Korea, Zimbabwe, Russia, Iran and Syria have been named among Mossack Fonseca clients.

Bitcoin adds another interesting layer to financial crimes at home and abroad. The Treasury’s Financial Crimes Enforcement Network (FinCEN) issued its first penalty in the virtual currency sector last year. Valued as a currency and yet not tangible, the anonymity inherent in Bitcoin invites cybercrime, says Swecker. He cites Silk Road, an online drug bazaar described by prosecutors as the most sophisticated criminal marketplace on the Internet. Hidden on the Dark Web, it was on online marketplace for more than just drugs, becoming a hub for hitmen for hire and anything from cyanide to heroin. Government officials said they first began looking into Silk Road when agents at Chicago O’Hare International Airport intercepted mail from the Netherlands that concealed ecstasy pills in its packaging.

The site’s anonymity was part of its ultimate downfall, however. Because Silk Road’s leader never met any of his employees in person, he didn’t realize that one of them was an undercover government agent.

“Take Silk Road and apply it to financial crime,” says Swecker. “I can buy credit card numbers. I can buy code to hack into certain websites—and it’s all anonymous. It’s basically franchising a recipe for the perfect financial crimes.”

“It’s gotten to the point that individual identity theft is small potatoes,” says Monroe. “What the real criminals want is a major data breach, one that gives them the financial keys to thousands of accounts at a time. Which means financial firms and other companies are at the highest risk.”

Criminals You Know

While organized crime networks are responsible for some of the uptick in technology-related financial wrongdoing, employees have also put their firms at risk.

Well-documented chatroom conversations to manipulate markets have taken place between traders at different major financial institutions, for example. And when is an employee transferring files to a home computer innocent versus part of a scheme to steal funds? There’s no telling.

HRZone.com cites a CEO who was the victim of a social engineering scam. A luxury car aficionado, he didn’t think twice when a glossy brochure for the same appeared in his mailbox. When he loaded the CD illustrated with concept cars into his home computer, he had no idea it was in fact malware. What followed wasn’t pretty.

This particular CEO isn’t a criminal, but he did invite criminal activity. That’s not to say employees never act with criminal intent, however.

A case in point: A former IRS agent was indicted on charges of trying to fraudulently collect more than $700K in taxes from a married couple she audited. The agent told the couple to wire the $758,846 to an account she had set up for herself. Unfortunately for her, however, the diligent couple had already mailed a check to the IRS. According to the Department of Justice, she then altered the couple’s address on record to a P.O. box in the hopes of pocketing a $470K tax refund. Finally, the agent opened a joint checking account under the taxpayers’ names, using the husband’s Social Security number and forging the couple’s signatures. She told the bank she needed the account opened as quickly as possible because she was expecting money from the IRS. Instead of money arriving to meet her, however, it was federal investigators. She resigned only after her arrest, ending an eight-year stint with the agency.

Implications for the Future

“If you look back at the major crises, from the American savings and loan crisis to the Wall Street crash, there are many indications economists see with hindsight showing financial crime was a contributing factor,” says Nicholas Ryder, author of Financial Crime in the 21st Century and professor of Financial Crime in the Department of Law at the University of the West of England. “And the global law enforcement community still falls short on criminal convictions for most financial crimes, particularly those that cross borders.

Whether it’s virtual currencies contributing to money laundering, traders fixing markets, terrorists working through shell corporations or a rogue employee, the risk is not being mitigated. Nor should we expect it to be anytime soon. Criminals have access to the very same technology the white hats do. And it appears to be a race to the finish.”