To know how to protect your organisation and yourself from cybercriminals you must first understand what cybercrime is and why it’s become such a problem around the world. This chapter will explain the reasons why it has become a serious global issue. The history of cybercrime will be explored along with legal challenges in addressing cybercrime.
It seems as if everywhere you turn cybercrime is in the news. Everyone is told of the dangers. Banks, for example, are constantly warning their customers about cybercrime threats, and organisations everywhere are launching cybersecurity awareness campaigns to teach people how to protect themselves. Yet cybercrime is still spiralling out of control. What’s going on?
Organisations are investing billions in the latest cybersecurity products and tools to defend themselves. Individuals purchase anti-virus and anti-malware solutions for their computers for protection. Yet, for many types of cybercrime attacks, these tools will be of limited use. Once you are in the crosshairs of cybercriminals things get more challenging.
As you will learn, the odds are stacked against you online. Large internet platforms like Google and Facebook are used by cybercriminals for many of their attacks. In this book you will discover how you can recognise these attacks when you are targeted.
BACKGROUND AND CONTEXT
Years ago, pre-internet, crime seemed better understood. Take bank robberies for example. If a bank was robbed, it was by criminals entering the bank and stealing money. For sure the bank robber had to be in the country to commit the crime. Now, everything has changed. You can rob any bank from anywhere in the world. Not only that, but you can also rob hundreds if not thousands of banks all at once. The barriers to robbing a bank have been greatly reduced.
The world is becoming an increasingly borderless and digital world. Privacy and security can no longer be ensured through the construction of walls. The internet has enabled criminals to scale globally in ways that were unimaginable pre-internet.
The internet is magic for criminals.
Every year, technology advances accelerate. Innovation has never been so great. Unfortunately, new technologies are also used for criminal purposes. Trying to keep on top of these is a daunting task for anyone.
The futurist Kevin Kelly sums up the challenge best in his book The Inevitable:
All of us – every one of us – will be endless newbies in the future simply trying to keep up. Here’s why: First, most of the important technologies that will dominate life 30 years from now have not yet been invented, so naturally you’ll be a newbie to them. Second, because the new technology requires endless upgrades, you will remain in a newbie state. Third, because the cycle of obsolescence is accelerating (the average life span of a phone app is a mere 30 days!), you won’t have time to master anything before it’s displaced, you will remain a newbie forever. Endless Newbie is the new default for everyone, no matter your age or experience.
(Kelly, 2017)
When you begin to peel the layers back on the techniques and methods cybercriminals use today, you soon realise the underlying psychology hasn’t changed much over the years. Historical examples show the mechanisms criminals used centuries ago are mostly still the same today. It’s only the attack methods used that make it appear they are doing something new.
Consider this historical example.
By 1800 in France, the French Revolution was over. The aristocrats and royalty were stripped of power. Social disruption was everywhere.
A wealthy estate owner lived by Lyon (let’s call him Pierre). He had a lifestyle to be envied. One day he received a letter. It excited him. He had never received such a letter before. It confirmed a suspicion he had always had, that he was well regarded throughout France. People respected him. They knew him to be a man of high worth.
Part of the letter read:
I am lost if some honorable person will not lend me succor. That is the reason of my addressing you, of whom I have heard so much that I cannot for a moment hesitate to confide all my affairs to your kindness.
The writer had befallen a terrible set of incidents. He had been transporting diamonds and gold back to Paris. During the trip, he was pursued by thieves and was forced to hide his treasures. Unfortunately, he was caught. He was now in Bictro prison in Paris. It was paramount for him to get his treasure to bribe the prison guards to let him escape. He needed Pierre to get his treasure and keep it safe. There would be a handsome reward for his efforts.
Pierre had received a personal plea for help from someone he did not know but by someone who knew of his esteemed reputation. So Pierre did what many people did. He took the letter at face value. There was no reason not to believe it, and besides, there was no risk in responding and helping. Or so he believed. Pierre, like so many other Frenchmen at the time, responded that he would help. By doing so, Pierre became a fraud victim.
In order to get the location of the treasure, Pierre needed to pay a small fee to the caretaker of the treasure. Fee after fee appeared. Pierre kept paying the fees because he was always told it was the last fee and he would get the treasure afterwards. Pierre wound up losing a small fortune.
Pierre’s experience isn’t so different from many of today’s victims of cybercrime. Instead of letters, people now receive emails, texts and calls. But the persuasive techniques used and the fraudulent nature of these messages are the same.
The above historical criminal playbook is still in use today. It has only been repackaged in modern terms and continues to be effective in duping victims.
WHAT IS CYBERCRIME?
Think of ‘cybercrime’ as an umbrella term. Under it are two key elements.
First, there are cyber-dependent crimes. These crimes are when a computer is used to both commit the crime and is the target of the crime. Think of these as high-tech crimes. Cybercriminals using their computers to create malicious software to hack into bank computer systems to siphon off money is an example of this.
The second key element is cyber-enabled crimes. These are traditional crimes that have been increased in scale due to the use of computers. These types of crimes include fraud, selling illegal items online and stealing intellectual property.
This book isn’t an all-encompassing look at all types of cybercrime. The focus is on the two main types where the bulk of financial losses for individuals and organisations are taking place: cyber fraud and cyber extortion.
Cyber frauds are traditional frauds that have scaled up to previously inconceivable levels because of the internet and technology advances. It is the same with cyber extortion. Individuals and organisations are threatened with serious attacks by individuals thousands of miles away in many cases. Extortion has never been so easy for criminals.
Attack methods for cyber fraud and cyber extortion are increasing, meaning victims are caught out by novel approaches that are new to them.
The evolution of cybercrime
People tend to view cybercrime as something recent, when in fact cybercrime has been around for a long time, always evolving with advances in technology.
Here is a brief history of cybercrime:
- 1834: French Telegraph System is hacked by criminals who steal financial market information. This is effectively the world’s first cyber attack.
- 1903: Technology enthusiast Nevil Maskelyne hacks the first public demonstration of Marconi’s ‘secure’ wireless by John Ambrose Fleming. He sends insulting Morse code messages. The invention is discredited.
- 1955: David Condon figured out if he played the right sound into a phone, he could connect to any part of the phone network. To test his theory, he used a ‘Davy Crockett Cat and Canary Bird Call Flute’. The flute played the sounds he thought would work. The test was a success. The phone system recognised the secret code and thought he was a phone company employee. He was able to connect to any phone number for free.
- 1973: A computer is used to embezzle over $2 million at a New York bank by a clever bank teller.
- 1981: Ian Murphy, aka ‘Captain Zap’, has the honour of being the first person to get convicted of a cybercrime. He figures out how to hack the AT&T network. He changes the internal clock to charge off-hour rates at peak times.
- 1988: A malicious clever program was launched on the internet. It was created by Robert Morris. The worm quickly spreads across the internet and infects numerous computers with a greater impact than Morris expected. This becomes known as the Morris worm.
- 1988: Hacker Kevin Poulsen, aka ‘Dark Dante’, was exposed when police opened a storage locker filled with blank birth certificates, false IDs and a photo of Poulson breaking into a telephone company trailer. This sparked a nationwide manhunt. He managed to evade capture until 1991 when he was finally arrested.
- 1989: The first ransomware attack occurs. A floppy disk containing AIDS data was mailed to numerous AIDS researchers that subscribe to a UK computer magazine. The floppy contained a malicious program that would do a very basic ransomware attack.
- 1995: Citibank gets hacked in New York. Russian software engineer Vladimir Levin authorises a series of fraudulent transactions from Saint Petersburg. He wires an estimated $10 million to overseas bank accounts.
- 2002: Shadow Crew’s website is launched. The website was a message board and forum for criminals. Members could post, share and learn how to commit a multitude of cybercrimes and avoid capture. The site lasted for two years before being shut down by the Secret Service. Twenty-eight people were arrested in the US and six other countries (Au, 2018).
- 2008: Albert Gonzalez and two Russian accomplices hacked into Heartland’s data systems. They stole 134 million credit cards. Gonzalez was the ringleader and was eventually sent to prison for 20 years.
- 2010: An Eastern European gang uses the Zeus Trojan virus to hack into bank accounts. They stole $70 million.
- 2011: Silk Road is launched. It was an online black market on the dark web where criminals could buy and sell illegal goods. It was a huge success. When it was shut down by the Federal Bureau of Investigation (FBI) in 2013, it was estimated Silk Road was generating $30 million in transactions annually (Greenberg, 2013).
- 2013: First ransomware to accept Bitcoin is released. Ransomware begins to take off, causing misery for millions.
- 2017: Equifax, one of the largest credit agencies in the world, loses 143 million personal records (for example driver’s licence numbers, birth dates, social security numbers) in a data breach by cybercriminals.
- 2017: Wannacry, the first ransomware worm, is released. Wannacry self-propagates and quickly infects numerous unpatched Microsoft Windows computers. It is estimated 200,000 computers across 150 countries were impacted (most examples from Herjavec, 2021).
THE IMPACT OF CYBERCRIME
The losses from cybercrime for organisations and individuals are staggering. In 2020, a report by the security firm McAfee and the Center for Strategic and International Studies found that, when hidden costs were factored in, the global losses from cybercrime were over $1 trillion, a 50 per cent increase from 2018 (Smith and Lostri, 2020). Hidden costs include system downtime, opportunity costs, brand damage and loss of trust, incident response costs and cyber risk insurance. This doesn’t factor in the emotional cost this has on victims, which can also be high.
The scale is shocking. There are numerous cases where individuals have lost hundreds of thousands of dollars to cybercriminals. Organisations are faring worse. Many organisations have lost millions of dollars to cybercriminals.
Consider the case of the large financial company, Capital One.
Cybercriminals attacked and stole over 100 million personal records from their American and Canadian customers. Capital One paid $190 million in 2021 to settle a class-action lawsuit to compensate the millions of customers whose personal data was stolen. In addition, they were hit with an additional $80 million fine from the regulators after they identified a string of internal failings that allowed the cybercriminals to obtain the data (Noonan, 2020; Edwards, 2021).
THE CYBERCRIMINALS
Who are the cybercriminals? Are they cunning and devious hackers with magical computer skills? No, most of them are not. Whilst a small amount might be, most cybercriminals are normal criminals except they commit their crimes online instead of in person.
How are cybercriminals able to victimise so many people? There are several, crucial reasons for this. The first is that cybercriminals can commit their crimes from other countries where there is little threat of getting punished. They are often not committing the crimes in their own countries. Think about this for a minute – it’s almost as if they can go and rob as many people as they want and not worry about it.
The second point is that it’s hard to identify who the cybercriminals are. They use virtual private networks (VPNs) and other cybersecurity tools to hide their location and their identity in most cases.
A VPN scrambles your internet traffic so no one can monitor your activities on the internet.
The third point is that cybercriminals never have to meet their victims. It’s easy for them to dehumanise people and forget that there’s a real person behind the email address.
‘When we stop seeing people as human beings, we may feel free to do more terrible things to them. To be online is to experience a disembodiment of ideas. The internet frees us from our physical selves, for better or for worse. And this leads to a flat experience, leaving behind the normal multi-sensory interaction we have with people in real life that reminds us that they are fleshy, vulnerable and sensitive’ – Julia Shaw, psychologist (Shaw, 2019).
The majority of cybercrime is done by organised crime, who often set up call centres and service centres around the world. In some cases individuals who never would have considered a life of crime before are recruited to work for cybercriminals.
THE LEGALITIES OF CYBERCRIME
Cybercrime is illegal in the United Kingdom and in most countries around the world. In the United Kingdom, the Computer Misuse Act of 1990 (CMA; Cps.gov.uk, 2020) is the cornerstone of legislation for cybercrimes. It defines illegal activity like intentional harm, or crime, using computer systems. Activities like hacking and ransomware fall within its scope as well. Penalties for cybercrime range from six months (custody charge) to 10 years with unlimited fines.
There has been successful prosecution of cybercriminals under CMA. In early 2021, Akash Sondhi was convicted under the law for hacking into the social media accounts of 574 girls and young women to extort them. He was sentenced to 11 years in prison. In 2019, Elliot Gunton was convicted of compromising numerous social media accounts and selling on the credentials. He was sentenced to 20 months (CPS, 2021).
While there have been some convictions of cybercriminals, the overall picture to date has been bleak. In 2019, there were an estimated 977,000 computer misuse incidents reported in the United Kingdom. Only about two per cent of these were investigated by the police, and less than one per cent resulted in conviction (CLRNN, 2020). Why this is happening is up for debate. Common reasons include the low number of police officers to investigate the growing number of cybercrime victims, a perception cybercrime is not as serious as other crimes, and the location of the cybercriminal often being outside the country, making it very difficult, if not impossible, to investigate and arrest anyone.
In the United States, there is federal legislation such as the Computer Fraud and Abuse Act. This is a wide-ranging law that covers things like using a computer for extortion and accessing a computer to commit fraud. It is an important law for US prosecutors to address cybercrimes. Another law of significance is the Cybersecurity Act of 2015. This allows companies to share personal information related to cybersecurity with the government to use as evidence to prosecute crimes.
Similar to the UK, the majority of cybercrimes in the United States do not get prosecuted. Another reason for this is that most organisations, and individuals, still do not report cybercrimes. Organisations of all sizes worry about the negative impact and loss of trust that would occur. It’s a similar situation in other countries.
Even with these low numbers, it’s important for organisations and individuals to report when they have become cybercrime victims. Doing so helps others prepare for similar attacks. Cybercriminals will often reuse successful attacks. By reporting the attacks, others become aware of the attack method. Another reason to report is to get victim support for organisations and individuals alike. This will help to limit further attacks and damage.
The number of cybercrime victims is unknown. It is suspected a vast number of incidents are not reported. As such, there is often little transparency into the scale of cybercrime. If everyone reported cybercrime incidents, then people would start to realise the gravity of the problem more and take further steps to improve their cybersecurity. This would also provide law enforcement agencies with information to use for intelligence sharing. Throughout the chapters, numerous ways to report cybercrimes will be listed.
There are signs things are changing for the better. Countries are waking up to the seriousness of cybercrime and what a significant global threat it represents. Since cybercriminals and the technical infrastructure they use are often based overseas, international collaboration is essential. Police forces around the world are starting to pool their resources more frequently.
Take, for example, the arrest of cybercriminals in Ukraine for ransomware in 2021. (Ransomware is discussed in greater detail in the cyber extortion chapter.) French, Ukraine and United States police forces, along with Europol and Interpol, collaborated to arrest two prolific ransomware operators. The cybercriminals are suspected of a string of attacks against large industrial groups in Europe and North America from April 2020 onwards (Europol, 2021b).
Europol is the European’s Union’s (EU’s) law enforcement agency.
Interpol is an inter-governmental organisation. They have 194 member countries that they share and access data on crimes and criminals with, along with providing technical and operational support.
Another case saw 106 people arrested for cyber fraud in September 2021. Spanish and Italian police forces teamed up with Europol and Eurojust for the arrests. It is suspected, at the time of writing, that the cybercriminals are part of the Italian mafia. They are believed to have made €10 million in their criminal activities in 2020 alone (Europol, 2021a).
Eurojust is the European Union Agency for Criminal Justice Cooperation. They work with governments on a wide range of serious and complex cross-border crimes involving two or more countries.
In July 2021, the UK government announced the New Beating Crime initiative. With this, the government will increase funding to further investigate fraud and improve the skills within the police to address the problem. There is an Online Safety Bill forthcoming, at the time of writing, as part of the initiative. It will require tech companies to tackle fraud and make them responsible for protecting their users (something tech companies are not currently doing a good job of, as you will discover in this book). Additionally, the UK government will take a closer look at how paid-for online advertising is used for fraud (this is discussed in greater detail in Chapter 4) (Gov.uk, 2021).
SUMMARY
This chapter has given you an overview of cybercrime and the problems organisations and individuals face in dealing with it. The reasons why cybercrime is such a growing threat have been discussed.
The internet has been a game changer for criminals, giving them new ways to attack organisations and individuals at scale. While the problem may seem daunting, the strategies spelled out throughout the rest of this book will prepare you to face the challenge and gain the upper hand on cybercriminals. You will learn their techniques and demystify the mysteriousness surrounding them. They are simply everyday criminals with new attack methods. Once you understand that you are halfway there in defending yourself and your organisation against them. You will learn to recognise a cyber attack for what it is – an attempt to steal from you or your organisation.
Au, Andrea (2018) A former hacker shares the most twisted things he did. Vice.com. Available from https://www.vice.com/en/article/xw7km4/a-former-hacker-
shares-the-most-twisted-things-he-did
CLRNN (Criminal Law Reform Now Network) (2020) Reforming the Computer Misuse Act 1990. Available from http://www.clrnn.co.uk/media/1018/clrnn-cma-report.pdf
Cps.gov.uk (2020) Computer Misuse Act. Available from https://www.cps.gov.uk/legal-guidance/computer-misuse-act
CPS (2021) Cruel cyber voyeur sentenced. Available from https://www.cps.gov.uk/east-england/news/cruel-cyber-
voyeur-sentenced
Edwards, Jessy (2021) Capital One to pay $190 million settlement after hacker stole data from millions of consumers. Topclassactions.com. Available from https://topclassactions.com/lawsuit-settlements/privacy/
data-breach/capital-one-to-pay-190m-settlement-
after-hacker-stole-data-from-millions-of-consumers/
Europol (2021a) 106 arrested in a sting against online fraudsters. Available from https://www.europol.europa.eu/newsroom/news/106-arrested-
in-sting-against-online-fraudsters
Europol (2021b) Ransomware gang arrested in Ukraine with Europol’s support. Available from https://www.europol.europa.eu/newsroom/news/ransomware-
gang-arrested-in-ukraine-europol’s-support
Gov.uk (2021) Beating Crime Plan. Available from https://www.gov.uk/government/publications/beating-
crime-plan/beating-crime-plan
Greenberg, Andy (2013) End of the Silk Road: FBI says it’s busted the web’s biggest anonymous drug black market. Forbes.com Available from https://www.forbes.com/sites/andygreenberg/2013/10/02/end-
of-the-silk-road-fbi-busts-the-webs-biggest-
anonymous-drug-black-market/?sh=4804a9675b4f
Herjavec, Robert (2021) Cyber CEO: The history of cybercrime, from 1834 to present. Herjavecgroup.com. Available from https://www.herjavecgroup.com/history-of-cybercrime/
Kelly, Kevin (2017) The Inevitable. New York: Viking.
Noonan, Laura (2020) Capital One fined $80m for data breach. Ft.com. Available from https://www.ft.com/content/a730c6a0-c362-4664-a1ae-
5faf84912f20
Shaw, Julia (2019) How the internet made it easier for all of us to be criminals, or victims. Wired. Available from https://www.wired.co.uk/article/julia-shaw-making-
evil-internet-crime
Smith, Zhanna Malekos and Lostri, Eugenia (2020) The hidden cost of cybercrime. Mcafee.com. Available from https://www.mcafee.com/enterprise/en-us/assets/reports/
rp-hidden-costs-of-cybercrime.pdf