Given the recent success of Ralli Solicitor’s Serious Fraud Defence Team in a seven-figure money laundering fraud on an international bank, in what is commonly known as a ‘phishing’ scam, we thought a blog giving an update on the current threats and the defence measures being undertaken would be a useful exercise.
The phishing scams, in our case a ‘whaling’ scam, are fairly well documented. As in our team’s case, they often start by infiltrating the computer of a junior person in an organisation and then, by seeing the layout and information contained in emails, gradually working up the company until arriving at the person with authority to give instructions for large sums of money to be transferred.
Businesses have become more familiar with the telephone call to a cashier from someone purporting to be the Inland Revenue or other government department, a supplier or a bank, aimed at teasing out information. Surprisingly, this still remains very successful, especially at the end of a busy day when the recipient of the call is tired and wants to go home, or is even working remotely from a train. Perhaps I might just pause to say: never ever do financial transactions from an unsecured Wi-Fi on a train.
Companies still fall victim to the scam email, especially when it is in a list of many others. When a manager goes through a plethora of emails at speed, he or she is tempted to click on an attachment which then takes over their computer. If there’s one thing to take away from this blog, it is: do not click on an attachment unless you are sure you know from whom it has come.
The scammers have come a long way from looking over your shoulder at an ATM machine, or fitting a device to a machine, or merely taking a photograph of the front and back of your credit card and sending it to a small fraud factory in the back room of somebody’s flat, which will then produce a replica card to be used for a few weeks at your expense. But this still goes on as new people try their luck at scamming you.
I recall the case of the rather good hotel manager and chef who rented a luxury small hotel in an expensive ski resort, provided excellent fare for three months and then ran all the high value credit cards, which satisfied customers had earlier used to pay their bills, through a card machine for thousands of pounds and left with a lot of money from the credit card companies, which the former guests knew nothing about until they received a bill about a month after ‘mine host’ had disappeared! Ingenuity seems to have no bounds.
The skilled modern fraudster is able to stay a step ahead of you. They try to tread where nobody has trodden before to catch you unawares.
For example, it is reported that there is now a website called Checkrain which claims to give iPhone users the means to ‘jailbreak’ their phone. What it actually does is prompt users to download a malicious profile, which in turn allows the attacker to conduct click fraud. Also, ‘checkm8’ has recently been discovered, and this seems to be an unpatchable bootrom exploit capable of affecting Apple devices. Other telephone suppliers are no less vulnerable than Apple. So beware Checkrain.com!
One of the newest and most concerning developments in the tools of the fraudster is the very sophisticated artificial intelligence which results in the victim receiving a telephone call and immediately recognising the voice of the person on the other end of the phone. The current buzzwords for this are ‘deepfake technology’. The instructions given and excuses used will vary, but ultimately you seem to recognise the boss’s voice. He tells you to urgently transfer money to an account, usually abroad. If you are fooled once, you may expect another call and a request for further sums to be transferred before very long. This deepfake technology can, however, be used in many other areas, not least of all blackmail. Perhaps it is a ‘deepfake video’ of a bedroom scene, with somebody who resembles you performing sexual acts with somebody else in the bedroom, which can be posted on social media unless a substantial payment of money is made. Or it is a racist comment which you have never made, which might suddenly circulate in your industry and make you persona non grata or even the subject of a criminal enquiry, unless of course a substantial payment is made to withhold it!
Criminals can record your everyday conversations. They can engage with you in a telephone call which seems entirely plausible and innocent and does not involve any suggestion that you part with money, e.g. a survey or a request purportedly from the police for assistance in respect of ‘an incident’ about which they believe you may have information. Once fraudsters can convincingly imitate your voice, the boundaries will be endless. Take an election or promotion selection contest, for example, where one candidate is shown apparently maligning a group of the electorate. It will go viral very quickly, and by the time it is discredited the ‘no smoke without fire’ brigade will have had their say and the election will have taken place and been lost. I don’t want to appear a pessimist, but the more voice recognition is used by banks and institutions, the more this deepfake technology can be used to part citizens from their savings, or companies from their capital. Voice recognition may become as useful as the proverbial chocolate fireguard as a security measure.
This leaves us with the problem that speaking to anybody can have inherent dangers. So what can be done to protect us?
To give them their due, major technology firms are investing substantial monies to help detect fraudulent videos. In the case of Facebook, for example, the company is reputedly investing $10 million to combat deepfake technology, but in the world we are talking about that may merely be a spit in the ocean.
You may well feel that it is unfair to just dump the problem at the door of the technology giants. Are they to be solely responsible for policing their domain? They facilitate the use of the internet and, I suggest, do have a responsibility to guard against abuse of their platform, but the problem is people, and sometimes even governments, who choose to spend their time engaging in the world of crime.
According to a recent UK government release, it will be working with technology firm Arm to strengthen cyber security measures for businesses and the public in the UK, investing £36 million. This is in response to the fact that about one in three of all businesses report having cyber security breaches or attacks in the last 12 months. If one adds in those who have not reported an attack, the number could be considerably higher. All companies should review the strength of passwords and ensure that their software is updated regularly, as these measures are the first line of defence; the average cost to a company where a breach has resulted in a loss of data or assets has increased fourfold in the last year.
In addition to the £36 million, which is very welcome, the UK Government is putting in another £18 million of investment through the Strategic Priorities Fund to tackle privacy abuses and wrongful use of data, for example by disinformation and online fraud.
An ‘Online harms’ White Paper sets out plans to make the UK the safest place in the world in which to be online. There is currently an estimated 1.9 billion of government investment into the National Cyber Security Strategy and support for a new prosperity partnership with Toshiba, the University of Bristol and GCHQ in an attempt to deal with threats through wireless networks.
Clearly these are serious initiatives to fight the fraudsters, and the funding numbers are impressive, but the fraudsters are at least one step ahead or, put another way, they have a head start and we are playing catch-up.
This blog was written by: Stephen Fox