Cyber-Resilience and Taming the New “Wild West World”
“Oh, What a Tangled Web We Weave, When First We Practice to Deceive.” – Sir Walter Scott, 1808
We live in a world where respect for borders, sovereignty, and the rule of law cannot be taken for granted, as witnessed by the horrendous images coming out of Ukraine in the last few months.
However, away from the physical frontlines, nation states face an everyday, clear, and present danger that is far from visceral, but one that is virtual and viral. The distinction is ostensibly a binary and generational one—it is old versus new, digital natives versus digital migrants, avatars and AI analysts versus analogue apologists.
There are those who argue that the late twentieth century development of the internet and its sans frontières opportunities swept away national borders and with it the ability to regulate the behaviour of rogue individuals and digital criminals. International Governments’ inability to effectively regulate content on social media platforms—from corrosive click-bait to harmful hate speech and incitement to riot—illustrates the increasing divergence between the lawmakers and so-called “free speech absolutists.” But the genie is well and truly out of the bottle, and the jury is out as to where it will all end.
A Digital Pandora’s Box
For all its opportunities, the internet opened a Pandora’s box and gave birth to its mirror reality, the dark web: the shadowy, super-encrypted shop window for the industrial levels of cyber-crime committed with seeming immunity and impunity. Casual open-source searches on the extent of the problem produce a myriad of eye-watering figures, and reinforce the notion that we are far from home in terms of taming what has been unleashed.
Like the pioneers of old, we find ourselves in something of a lawless frontier where “www” could equally stand for Wild West World rather than one that respects the guiding principles of operating in one of the oldest democracies in the world under the inscrutable eye of the unflinching rule of law.
According to the CyberEdge 2021 Cyberthreat Defence Report (CDR), which examined digital crime in seventeen countries and across nineteen industries, including retail, 86 per cent of organisations in the UK had experienced a cyber-attack in the year prior to the study, compared to 82.3 per cent in the previous annual findings. While this sounds high, the UK was far from the worst-hit country, with Colombia (93.9 per cent), China (91.5 per cent), and Germany (91.5 per cent) all seeing a higher proportion of organisations dealing with attacks.
Equally, over a twelve-month period, ransomware, one of the weapons of choice for the keyboard criminals, many of whom are linked to organised criminal gangs, affected 71 per cent of UK organisations.
According to another survey by cyber-security experts Mimecast, 96 per cent of organisations had been on the receiving end of email phishing attempts in the last twelve months, while four out of ten organisations that had fallen victim to ransomware attacks had not been able to get their compromised data back.
CyberEdge’s report found that while more than half of UK organisations dealt with ransomware attacks, the UK had one of the lowest spends on cyber-security across the study. The average security spend as a percentage of a company’s IT budget ranged from 10.6 per cent in Japan and France to 15.9 per cent in Mexico. UK firms had the third-lowest spend at just over 11 per cent of their respective IT budgets.
In the UK Government Department for Digital, Culture, Media & Sport’s (DCMS) Cyber Security Breaches Survey from March 2021, it was found that almost two-fifths of businesses and over a quarter of charities reported having cyber-security breaches or attacks in the previous twelve months, with one in five ending up losing money, data, or assets.
Relentless Assault on the Retail Sector
Arguably, the retail sector is one of the most exposed, as it is seen as being in the vanguard of embracing new digital ways of fulfilling the so-called frictionless customer journey, even to the detriment of its own balance sheets in terms of increased shrinkage. In the last twelve months, cyber-criminals targeted the retail sector with a staggering 264 per cent surge in ransomware attacks on e-commerce and online retail businesses.
The figures from the 2022 SonicWall Cyber Threat Report revealed that cyber-attacks and IT security threats have surged over the past year, with more than 625 million “digital assaults” taking place throughout 2021—more than double the amount seen the year before.
A record 97.1 million crypto-jacking attacks also took place in 2021, with a 33 per cent increase across the retail sector. A sustained increase was also witnessed across nearly all types of malicious digital assaults, including ransomware, encrypted threats, and Internet of Things (IoT) malware.
The global report revealed that the UK retail market was seen as particularly vulnerable to ransomware attacks, which typically hit supply chains and cause widespread system downtime, economic loss, and reputational damage. Ransomware attacks in the UK increased by 227 per cent overall and, of those, one in every five attacks was targeted at an online retail business (21 per cent).
It will therefore not come as any surprise that many businesses, although embracing the benefits of the internet, have felt overwhelmed by its darker abuse, particularly when having to rely upon organisations such as Action Fraud as the only source of potential remedial activity as the problem falls outside of the remit of the forty-three Police forces. Action Fraud, which is overseen by the City of London Police, utilises the National Fraud Intelligence Bureau to sift through the evidence of tens of thousands of reports to determine which will be delegated to a specific force to pursue and prosecute, but this is the exception rather than the norm.
The focus has therefore been on pro-active deterrence rather than reactive policing. It is an educational approach from a wide range of organisations such as Cifas, the UK’s fraud protection body, so that businesses effectively insulate themselves against such attacks.
Support from the National Cyber Resilience Centre Group
Now imagine a less-linear world where crime-fighting experience is embracing new digital thinking through the recruitment of the latest IT talent—the best binary brains from the finest universities and the perfect union of gumshoe investigations and digital detective work.
In December last year, Minister of State for Security and Borders Damian Hinds MP officially launched the National Cyber Resilience Centre Group (NCRCG), a new, not-for-profit organisation bringing together expert practitioners who will make up the new frontline in helping to embed cyber-resilience across the UK’s economy.
Funded and supported by the Home Office, Policing, and selected “Ambassador Partners” representing some of the UK’s largest businesses and organisations, the NCRCG has been designed as an over-arching support to the existing network of nine Cyber Resilience Centres (CRCs) across England and Wales that are already helping smaller organisations—those that perhaps do not have a large IT security infrastructure—face the challenges posed by cyber-crime.
One of its secret weapons is the “talent pipeline” of students it will bring through from leading universities to assist in expanding UK capabilities in cyber-protection.
At the launch event, Damian said: “Cyber-crime can exert an horrendous impact on people’s lives. It costs the UK economy £27 billion each year and it is businesses who bear the brunt of this—improving the UK’s cyber-resilience is therefore a key priority for the Government.
“The National Cyber Resilience Centre Group will build on the work of nine regional CRCs and is a great example of what effective collaboration between Government, Police forces, business, and academia can achieve.
“I welcome the involvement of businesses and other organisations across the UK who have stepped up as Ambassador Partners for the National Cyber Resilience Centre Group,” Damian added. “All of them are leading examples of how to combat cyber-crime. What’s more, they’re also creating the next generation of cyber-experts by supporting the growth of a nationwide student talent pipeline.”
Its centralised Student Services Programme sits with the NCRCG to deliver a range of cyber-resilience services to the SME community on behalf of the regional CRCs.
Detective Superintendent Nick Bell, CEO of the National Cyber Resilience Centre Group, said, “We recruit a unique and talented cadre of students who are employees of the NCRCG. We have worked with forty-two universities across England and Wales and from that will manage 100 students per year. They are mentored and trained and work alongside senior cyber-security practitioners in delivering the services.
“Through this process the students develop real-world skills, they understand how these organisations operate, the pressures they face, and the environment in which cyber-crime occurs so that, when they enter employment, they have all the skills they need to succeed in the workplace,” Nick said. “They can remain on the programme until graduation, and we pay them throughout training and service delivery.”
Currently, each CRC works closely with universities in their region to hand-pick unique and talented students who help deliver the cyber-resilience services they offer.
“This new National Cyber Resilience Centre Group is a flagship enterprise of the public and private sector ably demonstrating how innovation can support the business community,” he added.
“Need for Champions” across Sectors
Representatives from several of the National Cyber Resilience Centre Group’s founder Ambassador Partners attended the event, including individuals from Cantium, CGI, KPMG UK, and The Very Group, one of the UK’s leading online retailers.
Nick, who is also the national policing director for the Cyber Resilience Centres, said, “Cyber-crime costs our national economy. It affects organisations’ ability to trade, their ability to recruit and retain staff, and, ultimately, can have a considerable impact on their bottom line.
“In the National Cyber Resilience Centre Group, we have a platform for leading the charge to strengthen our national cyber-resilience and develop best practice across the country. By working together, the Police, Government, business, third-sector organisations, and the academic communities have the potential to minimise the risk posed by cyber-criminals and support those who most need cyber-protection,” Nick explained.
“We’ll never be able to prevent attempts at cyber-crime, but we can build our reputation as a country that takes this issue seriously and ensures our organisations are educated on and resilient against cyber-attacks,” he added.
In the spirit of expanding its scope and understanding, the NCRCG continues to recruit other national ambassador organisations to inform research, thinking, and approach. Over the course of its first year, the NCRCG will seek to partner with those organisations and leaders who are committed to playing their part.
“As the remit of the CRCs continues to grow and expand, so too will NCRCG and our need for champions across the business, third-sector, and academic community. Thus, looking to the future, we will be unveiling additional opportunities whereby organisations can join us,” said Nick.
“The future growth is looking bright with several sectors already involved in conversations with the NCRCG. These include online retail, online delivery, encryption specialists, facilities management, retail banking, insurance, cyber-security, a large Government agency, pharmaceuticals, and management consultancy, and we are seeking engagement across all sectors.
“We believe this is a real and unique leadership opportunity to work with senior policing and the Home Office in addressing the future security needs of the business community to engage in a strategic dialogue with other private sector ambassadors and policing and Home Office to support their supply chains and customer base,” said Nick.
“This enables larger companies to support the strategic development of the national student talent pipeline and to put cyber-resilience at the heart of corporate social responsibility (CSR) and environmental, social, and governance (ESG) strategies supporting law enforcement and businesses of all sizes in the supply chain, including charities and those in the third sector.
“This is an opportunity for the ambassadors to indicate to their own supply chains and customers, members, and audiences that they are working at the highest national level to seek to provide reassurance and guidance on matters of cyber-resilience.”
Addressing recent global events including the invasion of Ukraine and the potential for rogue states to use cyber-attacks as a form of undermining national infrastructure, Nick told Loss Prevention Magazine Europe, “Yes, we live in precarious global times and what has become even more apparent during the horrific war in Ukraine is the importance of supply chain issues and their impact on populations around the world.
“Secondly, the potential for rogue nations, or hackers more generally, to target core infrastructure, governance, and business organisations as a form of destabilising a population.
“The potential threat to business has only increased over the last two years, galvanised by a change in behaviours and therefore crime patterns as a result of the pandemic.”
He added, “Cyber-crime is fluid; it keeps changing and advancing as technology changes and advances and so we need to pool all our resources and knowledge from across Police, Government, academia, and industry. As patterns change in how companies and organisations work and operate, particularly in terms of hybrid working, it becomes even more important that our approach to cyber-crime continues to evolve to meet new vulnerabilities that have been exposed.”
“Every organisation in this country is potentially a target for cyber-criminals and there is no hiding place from the impact that cyber-crime can have—whatever an organisation’s size, location, or sector. That said, I believe in a trust and confidence message that by SMEs engaging in a range of relatively basic controls the CRCs can help with, can substantially reduce the risk from the vast majority of cyber-attacks.”
Nick, who was previously the South East Regional Organised Crime Unit’s head of cyber-crime, digital forensics, and economic crime investigations, said the new body provided strategic advice to larger corporate entities while the regional CRCs assisted smaller businesses.
“As our nation’s smaller organisations are increasingly looking to reinforce their cyber-resilience, we know how important it is that they can seek guidance from a trusted source and from specialists who understand how they operate and who are able to help build cyber-resilience against threats that are specific to them. The CRCs therefore serve smaller organisations in their locality, providing affordable but high-quality services to help them make their cyber-operations safer, more secure, and more resilient,” Nick explained.
“At a macro level, NCRCG is helping to create collaborative solutions that meet our national priorities and giving larger organisations the opportunity to better protect their customers and supply chains.”
Pros and Cons of Cryptocurrency
Many online retailers have experienced scams involving the use of cryptocurrency, which was described by security researcher John Hammond as “the perfect getaway car for hackers.”
In an article in The Cyber Post, he said, “It offers autonomy, anonymity, and permanence in their transactions. With cryptocoins, there is no oversight—there aren’t any intermediary authorities like banks or Governments, no banking fees, account maintenance, minimum balances, or overdraft charges—you can truly do what you want with your money.
“By accepting payment solely in cryptocoins, bad guys can remain practically anonymous. Transactions do not carry your identity, or things like email addresses, names, or any details. Ultimately, cryptocurrencies are just digital data. A ‘wallet address’ is just nonsense letters and numbers that might look like gibberish.”
Nick Bell takes a more pragmatic view. “Cryptocurrencies and virtual assets, on the whole, have significant user benefits that can aid the UK economy—consumer and business alike. The vast majority of their usage is completely legal, with illicit use being very low, but attracting headlines in their usage. Fraudsters like cryptocurrency due to the user benefits that are attractive to customers and businesses, borderless, fast, high privacy, potential for low-cost transactions.”
He advises those using it to take a cautious, risk-assessed approach and offers the following advice: “If you are accepting cryptocurrency, use a reputable firm that is FCA (Financial Conduct Authority) registered. Third-party providers exist to take away the ‘strain’ of accepting crypto payments that analyse and check the origin of the funds with built-in money-laundering and terrorist financing checks.
“Be clear to your customers whether crypto is something your business engages in with good communication. If you would never ask or want cryptocurrency as payment, make it clear so customers never respond to a cryptocurrency phishing email,” he explained.
“If you are being targeted either via ransomware, DDoS (distributed denial of service attack), blackmail, and cryptocurrency is a demand, seek help. Report via NCSC or Action Fraud.”
Nick added, “Finally, be very wary of stories that are too good to be true such as investments or initial coin offerings (ICOs). If you don’t understand it or it is too good to be true, seek expert advice, carry out due diligence, and be very careful you do not get involved in a scam or fraud.”
Cyber-resilience is rightly moving up the agenda and leaders of large organisations are increasingly recognising its vital importance in helping to protect the day-to-day and future operations of their supply chains and customers. Progress up to now has been slow, a matter of playing cyber-catch-up, but at last there is a strategy to bake digital resilience into large and small corporate entities so that new growth plans can be future-proofed or tested to destruction, and so that the Wild West World of yesteryear can be recognised as a more law-abiding place in which to do business.