Phil Chapman is a senior cyber security instructor, specialising in fraud and crime training for law enforcement. These trends are informed by his professional career teaching Regional Organised Crime Units (ROCUs) across the UK at Firebrand Training. Phil has also contributed his expertise to The Intelligence Network as it progresses its work to tackle cyber fraud.
Both cyber-enabled and cyber-dependent acts of fraud remain a constant battle for law enforcement and security forces in the UK.
Data from Action Fraud – the National Fraud & Cyber Crime Reporting Centre – reveals 44,000 cases of cyber-related fraud reported between April 2018 and March 2019. But, with many crimes going unreported, this is just the tip of the iceberg.
The massive number of cyber fraud cases is a challenge for police across the UK. Right now, there is a substantial gap between crimes committed and those resulting in a conviction.
Due to the sheer number of these crimes and the difficulty of securing a conviction, cyber fraud can be seen by criminals as an easy route to market, with little-to-no chance of law enforcement agencies being able to respond.
New cases show that, for the most part, cyber fraud trends have not changed dramatically over recent years. Social engineering techniques, like phishing, vishing (impersonation through the telephone or VoIP) and hacking of social media accounts, still represent a large proportion of reported cyber fraud crimes.
Recently, however, the level of sophistication being employed in phishing email scams has increased dramatically. Criminals are moving away from the now commonplace style of ‘lottery win’ messages to seemingly realistic scams that impersonate established public sector organisations like TV Licensing and HMRC.
In particular, my work with UK police has revealed that scammers are now utilising software service fraud in order to install key loggers and other malware that can take control of systems. These scammers typically masquerade as telecommunications, IT and media companies.
With the increase in cloud-based ‘as-a-service’ technologies, cyber-dependent fraud is now increasingly aimed at gaining unauthorised access to email servers or online accounts.
This leads to acts like mandate fraud which can result in large amounts of money being diverted from company accounts.
Despite robust and highly advanced security features, Microsoft 365 and other cloud service providers are a particular target. A lack of end-user and administrative knowledge across cloud providers' customers leads to insecure accounts. Users often leave security settings, like passwords, as default – inviting intrusion attacks by cyber criminals.
Other criminals are exploiting poorly configured cloud-based resources, leading to data theft, Denial of Service (DoS) and ransomware attacks.
Other notable trends include the increase in crypto-jacking – the unauthorised exploitation of internet users' processing power and bandwidth to mine for cryptocurrency.
Major vulnerabilities continue to emerge alongside the adoption of new technology. The growing number of Internet of Things (IoT) devices which are being purchased and installed in households is one particularly alarming trend.
That’s because ‘Plug and Play’ devices that utilise default security configurations continue to provide easy entry for hackers and scammers.
As The Intelligence Network’s latest thinking on IoT states, “we need some regulation and basic security principles in place…to show consumers that devices follow certain security principles.” Without this level of accountability – required at a global level – poor-security products will continue to be manufactured and continue to harm consumers.
What’s more, millions of mobile users continue to let their guard down when using public wireless access points for personal and financial transactions. Those that do are leaving themselves open to an alarmingly high risk of interception and exploitation.
But even without accessing public Wi-Fi, mobile users have to stay vigilant. Although most modern devices are reasonably well protected, there remains a continued threat from malicious apps that resemble legitimate programs, which unsuspecting users are still able to download from app stores and online sources.
Despite the issues highlighted across UK law enforcement, cyber fraud is a global problem that requires a global solution. As members of BAE Systems’ industry initiative, The Intelligence Network, organisations and professionals like myself are working towards safeguarding society from cyber fraud.
More information on how we’re doing that can be found in The Intelligence Network’s Vision for Tackling Cyber Fraud.