BLUF – Challenges to the blending of Cyber/Fraud/AML spaces in financial services gives cybercrime more room to maneuver. Criminals find monetisation advantages in victims’ organisational separations, with innovative solutions based on careful observation and rapid growth in operational maturity. This post uncovers difficulties financial services encounter in preventing cybercrime-monetisation.
For a change there was a quiet week’s end, which was a bit surprising, given the cyber community was anticipating a cyber event taking advantage of 9/11 themes, similar to CISA/ FBI’s vague notice for the holiday week’s end prior. Cybercrime enjoys taking advantage of events – be it COVID, humanitarian efforts, events, even other cyber incidents – possibilities create an endless Crisis as BAU tide.
The trick is monetisation.
Money laundering is a global challenge – so much so there are whole divisions devoted to tracking down and curbing the potential activities. We relay (and likely cover our collective rears) Suspicious Activities Reports (SARs) to crime agencies. It is not necessarily true evidence of wrongdoing, but enough flags are raised to find it suspicious. It may be nothing whatsoever, but we have people looking, training AI and Machine Learning to detect, regulators standing watch. For every heist, criminals cashing out is where money is lost – and the sector spends a great deal to make it so.
Cyber criminals exploit cross-field possibilities between organisational silos. Functional separations between Anti-Money Laundering (AML), Fraud, and cybersecurity often preclude seeing cross-field possibilities that criminals exploit. Our FINCEN definitions and SAR reporting requirements for cyber show the relative complexity and challenge between the divisions handling AML and their relationship to cyber. On the one hand, no one wants others playing in their sandbox (or taking their sand), and on the other hand no one wants someone else sending regulators to their doorstep to pay for indirect faults.
Cyber criminals do not care for organisational problem definitions. Another challenge faced in this space is the definitions we create. Yes, I understand we must define the problem. However when we create rigid boxes or buckets for ill-defined spaces then everything will be limited in interpretation to force-fit into those boxes and buckets. The whole hammer-perception issue at work. You know who doesn’t operate with those definitional restrictions? The criminals that the reporting supposedly helps counter! Depending on the organisation’s maturity with cyber/ fraud/ AML, in both development and relationships, flexibility in definition is (eventually) necessary. If we are able to talk cohesively about where to bucket events and activities, we can progress to talking about when something doesn’t exactly fit normal definitions.
Cyber criminals are endlessly innovative, organisational cyber threat tracking changes very slowly. Which brings me concern – we pay attention to cyber and cyber-enabled compromises in order to adjust our security posture based on another organisation’s becoming a victim. We look to transactions in digital spaces to find mule networks, countering fraud and money laundering. We know market segments such as luxury goods are rife for AML checks.
Are we missing even more surreptitious means of legitimising illicit funds?
Thinking about victims of cyber incidents and their recovery efforts, who tracks the transactions? If they decide to pay the ransomware, who makes certain the payment is legitimately given? How does one know if incident response transactions are suspicious? If they are all suspicious, how do we sort the liars from those who are not?
Perhaps the operations haven’t happened yet. Perhaps it was present all along.
By not digging into the money-laundering possibilities hidden in cyber crime we are missing a trick.