Tech and the fight against Financial Crime

Back in the day, a computer ‘bad guy’ was characterised as a spotty, disaffected teenager toiling away on a Sinclair in his bedroom, plotting the destruction of whatever Hollywood deemed as a respectable target. Times have changed.

Financial crime now sits fairly and squarely in the Organised Crime space, which is not surprising when one considers the numbers involved. In 2017, the Annual Fraud Indicator estimated fraud losses to the UK at around £190 billion every year, with the private sector hit hardest, losing £140 billion. The National Crime Agency adds that the public sector may be losing more than £40 billion and individuals around £7 billion. Worse, these numbers are set to keep increasing, year on year.

Even if we don’t like to admit it, we’re all vulnerable. Almost all of us have, at some time or other, posted information about ourselves on social media without realising that this could eventually backfire on us. The worry used to be that an injudicious post of, say, a great night out clubbing, might result in not getting the job one’s applied for. Now, a criminally-minded Social Engineer can harvest all the information they need to commit a crime like identity theft from a series of seemingly far more innocuous posts.

Once this data has been harvested it is used, in conjunction with very advanced and expensive technology, to attack first the ‘harvested’ individual and then any other targets they can identify as a result of the initial attack, including the company they work for.

At the recent PIMFA Financial Crime Conference, panellist John Cosson – head of IT & Chief Information Security Officer (CISO) for JM Finn – described a particularly disturbing example of ‘vishing’ (voice phishing), showing how easily new tech can bamboozle even the most aware. A colleague decided to have a workmate call his wife, using voice-disguising software to mimic his own voice, and persuade her to record a West Ham football match on Sky Plus that evening. It worked.

This technology is so advanced that it can bypass current voice-recognition software, so the threat here is clear. For example, someone claiming to be an Investment Manager calls a client about a change to a trading account that requires funds to be transferred from the old to the new account. He says he will confirm the details via email. The voice sounds like the real IM and the email from which the confirmation is sent appears to be the IM’s email address, so no alarm bells ring. But, if the requested transfer takes place, the client loses a chunk of money. This message is also clear – even if you trust, verify!

As connected devices move into people’s homes and everyday lives, cyber-security risks are becoming intensely personal, with hitherto unforeseen challenges to the protection of people’s data and privacy. Cameras that provide details of what is going on inside your house are a prime example. The National Cyber Security Centre (NCSC) recently advised consumers to tweak the settings of the cameras fitted in baby monitors, and appliances such as smart fridges and even kettles, as these can provide gateways into your life for a hacker.

On the plus side, new and complex AI-driven tech is on the way which will allow an individual’s way of working a computer to be recognised, rather in the same way as a covert radio operator’s ‘handle’ was identifiable during the Second World War. However, a trustworthy version of this may still be some way off so, in the meantime, protect and preserve are the orders of the day.

With this in mind, and to avoid turning yourself into ‘low-hanging fruit’, cover the basics both regularly and often. Password complexity, with regular changes thereof, is a must. Understanding of the prevailing threats is critically important, so the sharing of information on both attacks and solutions is also vital, regardless of the fact that firms are, at least technically, in competition with each other. Top-level digital security, closely and regularly monitored and tested, is essential, as is proper training – and monitoring – of staff.