Cybercrime: Winners and losers
IT boggles the mind to consider just how organised and sophisticated cybercrime has become from its humble beginnings in the days of telephone frauds to a flourishing global industry that is now said to be worth trillions of US dollars.
As Eli Hirschauge, ANZ head of information security at ANZ New Zealand told Fijian media this week, “I’ve been in this industry for 30 years. Last 10 in very senior roles and other roles in technology and I’ve never seen the level of cyber threats that we are seeing today.”
Mr Hirschauge is part of ANZ Bank’s information security team currently in the country as the bank prepares for the enforcement this month of Fiji’s Prudential Supervision Policy Statement 2 or PSPS2, which will make it mandatory for banks and insurance companies in Fiji to comply to minimum cybersecurity standards set by the Reserve Bank of Fiji.
His discourse with the media, alongside ANZ Fiji’s country head Rabih Yazbek, was part of the bank’s effort to raise awareness on cybercrime or crimes committed in cyberspace such as scams, phishing, identity theft, ransomware attacks and hacking among others.
“In January, the World Economic Forum (WEF) released a really good report about global cyber risk. In this report, 39per cent of the people they interviewed indicated that cyber risk will have a likely global impact in the next three years. So it’s not just in this region, it’s a global issue,” Mr Hirschauge said.
“Now if we look at that same report over 10 years, that risk continues. There are other risks that will come up but cyber-risk is sustained in that list that the WEF is warning us about.”
What’s breathtaking about this is this empire building by cyber criminals has been going on as consumers remain largely unaware, cyber-ignorant and in most cases, plainly careless about their personal identification numbers, passwords and generally their login information that opens the door to a digital world that not only stores their financial assets but is also riddled with communities of “threat actors” or cyber criminals who have made a career out of scamming people.
The value of cybercrime globally, according to Mr Hirschauge, is estimated to reach $US10.5trillion ($F23.8t) by next year.
“That trend unfortunately is going to continue because when the attackers are able to get money out of businesses and consumers, they invest some of it in building their own capabilities to get even better at it.”
The sophistication improves as technology evolves, for example the latest Artificial Intelligence (AI) revolution is also a revolution in the cybercrime business.
“They will use whatever technology, whatever trends are available in technology to improve their business model,” Mr Hirschauge said.
“Last year, a piece of software called WormGPT was launched which allows threat actors to generate malicious attacks.
“So one of the simple use cases is they can create phishing emails a lot more efficiently, a lot more effectively than they could before because they use these models to generate phishing emails that look a lot closer to what we would engage or business email compromises that looks very genuine.
“One thing that’s very important to note is, if you think about the cost of an attack, you’ll try to write something in English and then you try to use it in all the English speaking countries and just go region by region – ‘I have an email that seems to work and I’ll just improve that and attack English speaking countries’… but shifting from that to another language could be hard.
“But with a large language model and with automated translation, we are now starting to see an increase in those very tailored to local dialect or something that people respond to better without the cost of those attackers learning the local languages.
“So AI is a tool for them (threat actors) to drive more efficiency into their attacks and that’s what we will continue to see increase.”
And if, for a moment, we dare to think of these obscure criminals as tech geeks sitting in stuffy garages squinting at laptop screens and plugging away at overused keyboards, we do so at our own undoing.
“This is a big business,” Mr Hirschauge said. “These crimes are very well organised. They work in office buildings, they get paid and they take annual leave.
“They are not hobbyists and that’s what makes it so prevalent.”
Mr Hirschauge shared tips on how individuals and businesses can protect themselves and stay safe online:
Tips for consumers:
1. Don’t move your money. If somebody is calling you asking you to transfer your money, and it doesn’t feel right, it probably isn’t.
2. Make a difficult password. The longer the password, the harder it is for criminals to guess it.
3. If you can, don’t use the same password everywhere.
4. Don’t give your personal details, like date of birth, etc.
5. And if something goes wrong, let us (ANZ) know.
Tips for businesses
1. Patching. “Most attacks we see around the world occur in vulnerabilities that we know about. Not only that we know about the vulnerabilities, we also know how to fix them. But many organisations don’t prioritise the patching and keeping the system up to date, exposing themselves and their customers to those attacks that are prevalent.
2. Manage your users well. We strongly recommend for organisations to have a process to review on a regular basis who have access to their systems. If staffs leave the business or they move to another company and the credentials of that employee are still in the system, and because nobody is using that, it provides an opportunity for attackers. So every now and again review and remove unused accounts.
3. Backing up your systems. We know that in a lot of the attacks, the threat actors are trying to generate revenue for the criminal organisations and they do it by disruption. One of the best ways to tackle that is if you have the ability to recover from that disruption, if you are able to recover from the erosion of your data by having a back up, you are in a much better place.
4. It’s important to remember we are better as a collective and we get the best of us as a system. We are going to look into ways in which we can support and encourage greater collaboration across the industry. So working together as a team is really important.
5. Last is to make sure that your staff is aware. So part of the reasons that I’m here is because we’re trying to encourage businesses to make their staff aware. For the last few years, everybody knows about phishing attacks or when you get an email and somebody is asking something of you. But it’s still the most dominant part of an attack because the attackers will always try to do the easiest possible thing to get your money or to disrupt your business and quite often, it starts with phishing. So training your staff, even for the simplest thing such of detecting phishing or providing some alerts, really kick off something that is really, really useful and help us in defending ourselves collectively.