Most businesses are careful with sensitive information, whether it's point-of-sale card numbers, client and customer personal information, or any other data. Some have learned the hard way, through one or more data breaches, while others have kept abreast of the constant news coverage surrounding the latest retail victims and decided to take preemptive action.
Findings from 2014 demonstrated why addressing cybercrime should be a top priority for businesses, regardless of size or industry. While the number of organizations that reported being subject to payments fraud saw only a slight uptick, according to the 2015 AFP Payments Fraud and Control Survey Report, the more troubling news showed how fraudsters and cybercriminals are changing their approach.
The biggest shift came in the number of organizations that reported attempted wire transfer fraud—which nearly doubled, from 14 percent in 2013 to 27 percent in 2014. While attempted fraud was expected to grow slightly in 2014, a jump that large indicates a dangerous shift in the attackers' approach: targeting individuals and attacking organizations from the inside.
Industry experts refer to this particular threat as the "malicious insider," because the attacker appears to be a trusted employee or network user. Sometimes, the malicious insider is a legitimate employee of the company who has gone rogue and is collaborating with cybercriminals or is striking out on their own. In other attacks, the malicious insider is actually an attacker outside of the company who has stolen employee account credentials and poses as a legitimate user. Either way, the threat is especially dangerous, because it's not easy to detect.
Wire transfer fraud makes a useful case study in demonstrating the rising threat of malicious insiders because wire transfers process quickly and reveal the innate weaknesses in human oversight. Imagine this scenario:
An employee in accounts payable receives an urgent email sent in the name of the company's CFO requesting an immediate wire transfer to a new client. The "CFO" urges discretion and says the payment must be completed by close of business. He indicates that the request is related to an unexpectedly large deal that the company closed, which can't be reported until all the contracts are ironed out and the wire transfer processes. While the employee in accounts payable feels uncomfortable with the ask, he'd feel more uncomfortable calling up the CFO to confirm the details of the email, so once he confirms that the email address is legitimate and actually belongs to the CFO, he expeditiously completes the transaction. Days may pass with no one any wiser—until that account is reconciled and the firm realizes that the CFO's email was hijacked.
The AFP survey supports the idea that attacks from malicious insiders are becoming more prevalent and more effective. Reported attacks from account takeovers and third-party vendors both rose significantly between 2013 and 2014. Financial losses from wire transfers more than doubled—from 9 percent of reported losses in 2013 to 20 percent in 2014—suggesting that cybercriminals are making a concerted effort to target this vulnerability within businesses across industries and revenues.
While the numbers demonstrate clear growth in the threat of the malicious insider, the data doesn't explain how attackers are getting inside companies. There are a few popular techniques among cybercriminals, but they all rely on a common method: secretly installing malicious software on a machine connected to a secure network. Most frequently, hackers use a technique called phishing.
While the fundamentals of phishing are becoming better known—sending a fake email from a supposedly trusted source to fool users into clicking a link or supplying personal information—what fewer users realize is that victims don't necessarily have to take an action, like submitting account credentials, for a cybercriminal to steal their sensitive information. In some cases, merely opening an email or clicking a link can be enough to infect a computer.
Once a computer is infected, the malicious software will harvest sensitive information from the computer or network—the CFO's email login and password, for instance—and surreptitiously send that information to attackers. From that point, cybercriminals only need to craft a believable phishing email to initiate a wire transfer and steal funds.
As the number of victims continues to rise, your company can fight back by setting up internal controls and processes for employees to follow. Consider:
Solving for the malicious insider isn't something you can do overnight, but with strong controls in place and a keen awareness of evolving cybercriminal threats, you can go a long way toward protecting your business and your clients.