Threats Without Borders - Issue 146
Cyber-Financial Crime Newsletter - Week ending September 3, 2023
A commonly posed question is “Why is there so much cyber fraud?” My quick answer is some version of "because it's so easy". My longer explanation is based on two criminological theories: the Fraud Triangle and the Routine Activity Theory. Many other theories can be attributed, but I think these two play heavily and make the most sense to me.
The Fraud Triangle is a framework that has been widely used since criminologist Donald Cressey first proposed it in the mid-1950s. It has become the de facto theory guiding those in the fields of forensic accounting and fraud prevention.
The Fraud Triangle consists of three key elements:
1) Pressure: This is also known as incentive. It's the personal pressures the individual faces that push them to commit fraud. These pressures can be financial, mental, or physical, but most of the time it’s financial. People facing intense pressure may become more susceptible to engaging in unethical behaviors to relieve the strain.
2) Opportunity: This is the essential element. The person under strain must have the opportunity to commit the fraud. Organizations with lax security measures and weak internal controls allow unethical employees to act on their desires. Organizations with more avenues for fraud face a greater risk of fraud occurring. It’s an easy equation to solve. (I’m looking at you, volunteer-based community organizations.)
3) Rationalization: This is how the person under pressure, and with the opportunity, internally accepts their behavior. They convince themselves the actions are justifiable. Rationalization is a psychological trick that allows individuals to commit a crime and then overcome a guilty conscience. Rationalization is also a favorite pressure point exploited by criminal investigators when interviewing fraud suspects.
The Fraud Triangle, as designed by Cressey, mandates that for fraud to occur, all three elements of the triangle must be present. The individual must be under some form of pressure, have the opportunity to commit the crime, and be able to justify the act (at least in their mind).
Now, we know there are exceptions when one or none of these elements are at play and the person still commits, or attempts, fraud. But, this theory works in most cases.
The second criminological theory at play is the Routine Activity Theory as proposed by criminologists Marcus Felson and Lawrence Cohen in 1979. The couple believes that crime will occur when three elements meet: a Motivated Offender, a Willing Victim, and the absence of a Capable Guardian.
The criminologists asserted that crime happens when the motivated offender meets the suitable target at a time and place that lacks a capable guardian. Crime will not occur if any one of those elements is removed from the setting. On the Internet, there is no shortage of motivated offenders, and willing, or at least ignorant, victims are plentiful. The defining aspect in determining whether cyber fraud occurs is the presence of a capable guardian. Who, or what, plays that role on the Internet?
Of course, in the realm of Internet-facilitated fraud, time and place are fluid. The suitable target and willing offender can be individually located anywhere in the world and still meet in time and place. Chances are, there will not be a capable guardian present.
My graduation thesis was based on the Routine Activity Theory as applied to a high-crime cyberspace.
Combining those two theories - An individual must be faced with external forces applying financial, mental, or physical pressure. They must meet another person, or business entity, willingly, or at least unknowingly, offering themselves as a victim. The place where the offender and victim meet has no security controls to intervene and stop the actions. Finally, the offender must be able to rationalize their actions to clear their conscience.
And the Internet is the great facilitator.
A simple fix…
When speaking to young persons about “sextortion”, specifically men, I always ask, rhetorically, “What’s the best way to avoid having a nude image of yourself leaked to your friends and family… don’t take images of yourself nude!” It’s a fairly simple prevention. A new sextortion scheme sends an email pretending to be from the adult site YouPorn, warning that a sexually explicit video of the recipient was uploaded to its network. The recipient is advised the video will be published unless they “request” to have it removed. The conclusion to the threat is easy if you have never made a sex-tape, but for those that have starred in a “home-grown” video, or two, …the decision to delete the email as spam might be a bit tougher. https://www.bleepingcomputer.com/news/security/fake-youporn-extortion-scam-threatens-to-leak-your-sex-tape/
Mandatory for High School Graduation
I believe that a main driver of fraud is the financial illiteracy of our population. SO MANY people just don’t understand basic financial principles. They can’t explain simple banking concepts, how money flows, or how personal financial implements function. They get scammed because they don’t know the scheme the scammers are telling them simply can’t work…ever. I strongly believe that every high school student should have to complete a financial literacy class prior to receiving their diploma. https://theconversation.com/are-you-financially-literate-here-are-7-signs-youre-on-the-right-track-202331
Apple issues a RARE response
In 2021, Apple announced a plan to scan all images uploaded to iCloud for indications of CSAM - Child Sexual Assault Material, aka Child Pornography. The plan drew the obvious outrage from privacy advocates and outrage-driven politicians. Apple abandoned the plan which then drew the obvious outrage from child protection advocates and outrage-driven politicians. A new coalition of child safety groups have issued Apple an ultimatum to institute a plan to “detect, report, and remove” CSAM from their platform, or else. Apple responded in writing…something they rarely do. https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/
Security is hard…
The organization I work for has several educational entities as customers. We have offered to provide user-awareness training to their employees, specifically for safe email usage, for free. None of them have ever accepted. Maybe it’s because they have their own security teams offering training, maybe it’s because the leadership doesn’t understand the danger. But dammit, school’s back in session and so are the ransomware gangs! I don’t know the cause of this particular event, and obviously not every security incident is the result of an unfortunate mouse-click, but enough are that security awareness training should be mandatory - day one. https://therecord.media/pennsylvania-school-district-stays-open-after-ransomware-attack
The Rest…
The Move-It attack has now affected over 1000 companies. https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html
The Microsoft Threat Analysis Center (MTAC) reports on how Russian groups are attempting to influence politics in Africa. https://blogs.microsoft.com/on-the-issues/2023/09/01/russias-african-coup-strategy/
A federal jury in the Western District of Arkansas convicted four men for their roles in an investment fraud and money laundering conspiracy that cheated victims out of more than $18 million. https://www.justice.gov/opa/pr/four-men-convicted-18m-global-investment-fraud-scheme
The Best Evidence Rule and collecting evidence from social media posts. https://www.x1.com/2023/08/30/best-evidence-rule-requires-post-level-collection-for-social-media-evidence/
Cool Jobs
Director of Information Security - Vivid Seats. https://boards.greenhouse.io/vividseatsllc/jobs/4015529007
Special Agent - National Insurance Crime Bureau (Various Locations) https://www.nicb.org/about-nicb/careers
Cool Tools
Learn how to tie a knot. Or two. https://www.animatedknots.com/
Irrelevant
I’m a son of northern Appalachia and although I now live too far east … my soul still connects to the Laurel Highlands. Returning to the hills brings me an inner peace that’s hard to describe to lowlanders. Like everything else, even the nation’s economic basement is splitting into the haves and have-nots, split between the northern and southern regions of the mountain chain. https://urbanreforminstitute.org/wp-content/uploads/2023/08/The-Future-of-Appalachia.pdf
A life well lived. RIP Jimmy.
https://apnews.com/article/obituary-jimmy-buffett-4295f355b39237f40663d485c4c6d557
If you made it this far - Thank You! Please consider forwarding the email to a friend or colleague that might find the newsletter interesting.
Thanks,
Matt
“IF YOU KNOW HOW QUICKLY PEOPLE FORGET THE DEAD, YOU’D STOP LIVING TO IMPRESS PEOPLE.” - someone with more awareness than me.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.