Willie Sutton, the notorious twentieth-century bank robber, was famously quoted as saying that he robbed banks “because that’s where the money is.” In an age when digital banking and cryptocurrencies are fast replacing brick-and-mortar banks, however, Sutton’s quote seems oddly quaint. Current-day bank robbers are far more likely to be found pointing and clicking a mouse than pointing a gun.
According to Forter’s Seventh Edition Fraud Attack Index (FAI), fraud attacks against online money and cryptocurrency services rose 48 percent last year. That trend reflects both the rising popularity of digital alternatives to traditional banking and the decreasing effort it now takes for fraudsters to monetize their efforts through crypto and money services fraud. In a world where it can take months or even years for fraudsters to sell personal data on the dark web, the instant gratification of stealing cryptocurrency or intercepting peer-to-peer payments is a powerful incentive for cyber criminals.
Of course, financial services companies have long been a favored target of cyber criminals, which raises the question: How are cyber criminals able to commit more crime in an industry that’s acutely aware of their presence? There are two reasons for this. One, fraudsters are targeting new digital services, which lack the rich historical data that banks and other financial companies rely on to target fraud and suspicious activities. Two, fraudsters are moving away from purely digital forms of theft and into the harder-to-detect field of social engineering.
Social engineering is, in some ways, a throwback to the pre-Internet days of fraud, when con men (and con women) would fast-talk unsuspecting targets into sending them money or investing in a non-existent business. But today’s social engineering has a distinctly digital angle to it: the massive amounts of personal information – some of it gleaned from highly publicized data breaches – that can be found with relatively little effort on the Internet, particularly on social media. Using this information, fraudsters can piece together enough about their victims to create accounts in their name or trick companies into wiring them money.
Social engineering is typically a more hands-on approach to fraud, sometimes even requiring direct outreach to the victims. Fraudsters aren’t afraid to call companies or individuals requesting additional personal information or direct money transfers, often under the guise of some urgent matter such as bill collections or a government agency. But it would be a mistake to think of social engineering as small-scale fraud. According to Verizon’s 2019 Data Breach Investigations Report, social engineering is also responsible for one in every three data breaches.
Since many cyber criminals are themselves technologically savvy, it should come as no surprise that cryptocurrencies have also become a favorite target of fraud. The attraction here is the anonymity of cryptocurrencies; identities are virtually impossible to trace, and lost or stolen cryptocurrency is very difficult to recover. In many ways, crypto theft is the perfect crime. Crypto theft can also take many forms, from Ponzi schemes and investment scams to seemingly legitimate crypto wallet apps that actually steal your money once it’s placed in the wallet.
If money services and crypto theft rely on a certain amount of human intelligence, the very same human intelligence can be used to combat them. Companies must train contact center agents not to disclose personal information, even if the caller appears legitimate. And individuals must do their due diligence when storing cryptocurrencies and transferring funds electronically. Even if physical banks should disappear someday, bank robbers will always remain in one form or another.