Cyber threats and financial crime, driven by continued high-profile attacks and political instability, are sitting at the top of financial services firms’ risk agendas in 2023. Add artificial intelligence (AI) and cyber-enabled financial crime to the mix and the threat posed by cyber criminals is becoming increasingly complex.
In the United States, the Biden administration should unveil a more assertive cyber strategy in coming months, which will roll out mandatory requirements for all critical sectors and seek to “disrupt and dismantle” hostile networks. While the new approach should not mean too much for banks, which are already regulated for cyber, it emphasizes the magnitude of escalating cyber risks.
Some 72% of chief risk officers (CROs) told EY and the Institute of International Finance that cyber security was their primary concern, beating credit risk (59%). Chief risk officers, however, are not confident they can defend against cyber-attacks. Some 58% said their firms’ inability to manage cyber-security risks was their top strategic risk for the next three years.
ChatGPT: A sign of AI threats to come
ChatGPT’s launch in November 2022 showed AI’s potential and therefore its possible applications in cyber-attacks. Security experts have already sounded alarm bells about criminals using ChatGPT to craft more convincing phishing emails. There has been debate about whether the tool could be used to write malicious code. Barriers to becoming a cyber-criminal are already low. ChatGPT’s message to security professionals is that they need to rethink their strategies on how to keep customers safe.
“We have a more sober voice on ChatGPT. This is the writing on the wall that shows us the direction of travel for cyber security, and what AI can mean. This is what open AI did. It’s showing us the tip of the iceberg. Now, imagine what governments have been doing behind closed doors for years. And what they’re not showing us and what we don’t know about,” said Maximilian Heinemeyer, Darktrace’s chief product officer in Amsterdam.
Today’s cyber criminals operate large enterprises that use AI to drive efficiency in their operations, including ransomware. They use AI and machine learning for automated phishing email campaigns, malware distribution, credit card fraud, insurance fraud, generating deepfake identities and money laundering. AI-powered bots can continually scan a firm’s endpoints for vulnerabilities and unprotected servers. If there is a vulnerability, they will find it. Often, they are simply waiting to pull the trigger.
“Some of the big ransomware gangs — they have so much access already. They run this like an enterprise, with hundreds of employees. They already have fingers in the pie in hundreds of companies and could at any second go in there and fire off the ransomware. Then it’s not a question, anymore, of, ‘where can I get in?’ For them it’s a question of data analysis. ‘Where do I get the biggest payoffs from?’ And that is super scary, I think, because they could nuke many companies that could really do damage. They run financial analysis, like how much revenue does this victim have? And how many employees do they have? What sector are they in? And should they get two people on that, to drive further and negotiate,” Heinemeyer said.
Firms should also be aware of AI deepfake phishing attacks, where criminals, impersonating a senior manager’s voice, convince victims to transfer large sums. Criminals also tamper with cyber security AI training data by introducing malicious samples into the data pool — a technique called data poisoning — to corrupt AI models. It is one method criminals use to circumvent firms’ defences.
Cyber-enabled financial crime
Cryptocurrency has been a game-changer for cyber-crime. It made it easier for cyber criminals to move and launder illicit funds as well as giving them an opportunity to make money by mining cryptocurrencies to use for furthering their criminal enterprises. Cyber-crime, like identity and credential theft, is increasingly used to enable money laundering.
“It’s not just Bitcoin, there’s so many different currencies. And there’s also the [non-fungible token], which you can also use for money laundering, which again is a slightly different ball game, and then blended with the traditional money laundering,” Heinemeyer said.
Cyber criminals have got into bitcoin mining by using crypto-jacking techniques to take over energy companies’ operational technology infrastructure and steal the energy required to power mining. The damage caused by a crypto-jacking infection is serious. It slows down systems while leaving them vulnerable to ransomware and data exfiltration. Despite falls in crypto-asset values, they are useful to criminals as an untraceable way to transfer and launder their illegal gains. Crypto-jacking “offers criminals run-rate, steady and untraceable sources of income, and it is a threat that remains largely underestimated by security teams,” Darktrace’s research note said.
E-commerce platforms, too, are a gold mine for criminals looking for customers’ credentials, identity information and transaction data. Hijacked accounts can also be used for money muling. Yet, retail remains one of the sectors most vulnerable to cyber-attacks. Criminals continually harvest customers’ credentials and financial information as they refresh them, a research note from Darktrace said.
Cyber-crime a U.S. national AML priority
Cyber-enabled financial crime was one of the National AML/CFT Priorities that the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published in June 2021. FinCEN “is particularly concerned about cyber-enabled financial crime, ransomware attacks and the misuse of virtual assets that exploits and undermines their innovative potential, including through laundering of illicit proceeds”. Some of the highest-priority threat actors, such as North Korea, have used cryptocurrencies “to advance their illegal activities and nuclear weapons ambitions,” FinCEN said.
Firms can expect some new rules relating to FinCEN’s cyber-enabled financial crime priorities in the coming months.
It was the AML Act of 2020, also part of the 2021 NDAA, that required FinCEN to issue its first-ever priorities, as part of a legislative effort to clarify where financial institutions should focus their efforts to police transactions for illicit activity to bolster effectiveness.
The full list of priorities named by FinCEN were corruption, cyber-crime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations, human trafficking and human smuggling, and proliferation financing.
In the priorities document, FinCEN noted that it “is particularly concerned about cyber-enabled financial crime, ransomware attacks, and the misuse of virtual assets that exploits and undermines their innovative potential, including through laundering of illicit proceeds”.
“Ill-gotten gains from these illicit activities often are laundered through a variety of methods, including rapid transfers through accounts controlled by the cyber actors or money mules. Covered institutions are uniquely positioned to observe the suspicious activity that results from cyber-crime, including cyber-enabled financial crime,” the Treasury bureau said. Naming the priorities did not create an immediate change to AML requirements pursuant to the Bank Secrecy Act, nor did it amend “supervisory expectations” for financial institutions, FinCEN said at the time.
FinCEN added, however, that “covered institutions may wish to start considering how they will incorporate the AML/CFT priorities into their risk-based AML programs”. FinCEN said at the time that it would propose regulations to bring the priorities into force “in the coming months”.
Some 19 months later, financial institutions still await a proposed rule to implement the priorities. It is likely that the proposal will be issued soon.
Some businesses were starting to merge their fraud prevention, cyber risk and anti-money laundering (AML) processes into an optimized financial crime compliance function, industry officials said.
Gene Yoo, chief executive of Resecurity, a software company in Los Angeles, said the year ahead would see the emergence of a new trend: the Cyber-Financial Intelligence (CyFI) unit. This would involve a conceptual shift in how financial services firms manage their financial crime and compliance risks, he said.
“Financial services firms must seek to prevent fraud by leveraging the power of continuous cyber-threat intelligence collection and monitoring. Following this trend in North America and the UK, progressive countries in Middle East have already started to implement CyFi,” Yoo said.
In Saudi Arabia, the central bank has released a Cyber Threat Intelligence Framework and Counter-Fraud Requirements, which must be implemented by June 2023 for all financial institutions, investment firms and insurers.
Digital identity theft will remain one of the key issues for the banks in 2023, as “bad actors” use more sophisticated tools for Account Takeover (ATO) and develop new mobile banking malware. This was one of the common “blind spots” for fraud prevention, Yoo said.
“Banks have started to look at tailored SDK integration into their mobile apps to learn more about the end user to detect suspicious activity and collect digital fingerprints,” Yoo said.
“But not every organization is able to implement it technologically on the scale of the entire customer base.”
There is a triple-threat of superior customized malware, improved adversarial market accessibility, and widespread adoption of mobile banking and payment apps. This has amplified the risk of more persistent attacks targeting smartphone-based financial services platforms in the year ahead, Yoo said.
In Australia, financial services firms have been left reeling from the sophisticated ransomware attacks against health insurers, including Medibank, and the major telco Optus. In 2023, regulators are expected to ramp up their focus on cyber security in response to these high-profile incidents, which have attracted top-level political scrutiny.
“ASIC strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in the light of the heightened cyber threat environment,” said Sarah Court, deputy head of the Australian Securities and Investments Commission.
This article first appeared on Thomson Reuters Regulatory Intelligence and features on Business Insight with permission.