One advantage of running a small boutique consultancy is I get to steer the business activity towards subjects I personally find interesting. Throughout my career, I have always been fascinated with frauds and that is where my focus normally lies. It’s that magic-like performance for me that has a very similar feeling to the showmanship of great magicians.
When you watch a magic show, you are drawn into a belief almost against freewill. Temporarily, logic is suspended and you go with the flow. It starts to feel fun and the magician starts to interact directly with our inner child.
Sadly, in fraud, when this magic show starts to air, people’s lives are ruined. The first recorded instance of financial fraud was around 300BC – a greek merchant named Hegestratos insured his ship and later that year attempted to sink it whilst selling the cargo and pocketing the loaned money. The whole event ended badly as his passengers weren’t as bent as him and he drowned at sea.
Now, I can only speculate but I am sure if the risks were similar today, if that one phishing email could result in angry mobs and public drownings, then we would see a decline in cyber crime. But in reality, this is far from the truth.
In fact, I believe how we are as a nation in 2016 is supportive of the whole fraud industry. Whilst this sounds a little extreme, the evidence seems to support my views.
The Office of National Statistics published findings last year detailing the ever rising numbers of frauds – they were up from the previous year’s numbers, of course, but around this time they decided to grab the bull by the horns and rethink the now 30-year-old survey for fraud.
Already encompassing the new methods for data collection we now have some more realistic categories, as seen below:
- Code 101 – Confidence fraud – with loss
- Code 102 – Attempted confidence Fraud – with no loss
- Code 103 – Unauthorised access to bank/credit accounts – with loss
- Code 104 – Unauthorised access to bank/credit accounts – no loss
- Code 105 – Unauthorised access to personal information – with loss
- Code 106 – Unauthorised access to personal information – no loss
- Code 107 – Attempted access to bank/personal information
- Code 108 – Computer virus
- Code 109 – Fraud falling outside the survey’s coverage
The survey now estimates 3.8 million fraud victims and 2.1 million computer misuse victims in the UK. That’s more like it – you can see fraud is alive and healthy and it’s going digital.
So back to my original point… We are nurturing fraudsters and hackers. If this simply isn’t true, why are they thriving? Whatever we are doing in our little petri-dish of a society, we are not drowning these malicious clusters and it seems all the variables are perfect for their growth.
Less than 1% of online ‘Cyber crime’ results in a conviction
Individuals and businesses alike are skipping merrily through the streets as these criminals watch on from the back alleys, carefully focused on their continual technological developments and your wealth. For me, this is the forefront of social engineering.
It’s so much more than fraud, it’s advanced so much in such a short space of time that the previously unthinkable is now possible. When you combine cyber crime skills with the banter and tactful pattern of a fraudster, you have forged a key to the city. You are able to bridge the gap. You can step out from dark alleys and mingle with the corporates in the street.
I’m not saying we need to chuck that new AV subscription in the bin or cease attempting to try, but we need to look at the whole two competing industries a little bit less subjectively.
Security and crime are intrinsically linked. We need to take our defences for a spin and learn from every method we can about these two fascinating fields. We need to make the changes that will see a decline in these crime statistics, and I really don’t think a new policy or security program is going to cut it.
Security training; IT user education and empowerment; public awareness! If we had to vote on a solution. these would be mine.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.