I joined Coalition Incident Response (CIR)* after working in law enforcement for almost two decades, with six years in a cyber crime unit, followed by five years in private sector Incident Response. In that time I’ve seen significant shifts in the cyber crime landscape. 

When I started working in cybercrime a decade ago, the scale and expertise was relatively low. There was little overlap between traditional organised crime and cyber crime. Now, that’s no longer the case. Organised crime has gone digital in a big way and moved into the cyber crime space. 

Cyber crime is big business, with an estimated value of over $8 trillion in 2023, and predicted to grow to almost $24 trillion in the next three years. With cyber crime carrying lower risks than their traditional criminal operations, organised crime groups may have a lot to gain. With the ability to remain anonymous online via VPNs and the dark web, the risks of detection and enforcement are lower. And if caught, custodial sentences tend to be lower for cyber crimes than other more typical criminal activities. 

Intelligence shows that organised crime groups are running their operations extremely efficiently using the same business models that legitimate businesses do. Reputation and credibility are increasingly important, and the barriers to entry are much lower for cyber crime than traditional physical crime. 

Commonly seen, all a criminal organisation needs is someone with a bit of know-how and a small amount of hardware to get started, making it relatively easy to get up and running compared to other organised operations like drug smuggling. Coming from policing and having worked in areas with high gang activity, organised cyber crime is unique in that there is very little friction between gangs due to the ability to remain anonymous. The significantly lower risk from opposing gangs makes cyber crime attractive to criminals who might typically be used to high levels of gang violence around physical crime operations. 

How do cyber crime organisations choose their targets? We see a mix of targets of opportunity and targets of choice. The majority of attacks are not extensively planned or targeted, but rather simple and carried out at scale. Phishing emails sent to as many accounts as possible, often using email lists that are available on the internet, are most common. However, in the case of funds transfer fraud, we often see more sophisticated target of choice phishing where more complex attacks are carried out. In 2023, Coalition saw a 15% year-on-year uptick** in funds transfer fraud (FTF) and a large number of our cases at CIR currently come from this type of attack.

These may involve significant research on an individual or organisation and utilise social engineering to create more convincing attacks. We’re currently seeing tactics evolving with the increased use of AI to create more believable scams, as well as the increased use of QR codes to bypass spam filters and hijack MFA sessions.

Where Funds Transfer Fraud attacks originate

Most of us are probably more familiar than we’d like to be with the constant barrage of phishing emails and calls. A simple click on one of these can give a threat actor access to a business email account, from where they will often then carry out reconnaissance and identify attack options. 

Depending on the account they’ve managed to compromise, they will look for financial transactions they can hijack or other sensitive information they can use to monetise the attack. If nothing is available, they might try to move laterally through accounts in the organisation using the credibility the compromised account gives them. 

People who are authorised to make transactions, such as C-suite and finance, as well as people with access to customer accounts or personal or sensitive data such as HR, are prime targets. Although most attacks we see are relatively unsophisticated and easy to identify, phishing tactics are evolving to utilise more research and social engineering tactics. These may be supercharged by the use of AI, making attacks appear increasingly far more believable.

Why FTF can be difficult to detect until it’s too late

Once in an account, the Threat Actor (TA) can monitor activity, potentially using search terms to locate key communications that could be used to carry out an attack. The TA then may attempt to insert themselves into an email thread to communicate on behalf of the account holder, whilst using inbox rules to keep their activity hidden from the legitimate user. Requesting payment of an invoice to a fraudulent bank account, sometimes known as payment diversion fraud, is common. 

The use of inbox rules is a filtering system that normally allows housekeeping of an inbox but can be misused by a TA to conceal emails from the account owner by directing them to rarely used or hidden subfolders. This allows the threat actor to use the account to communicate whilst remaining unnoticed. The threat actor can sit and dwell in an account for quite some time, waiting for the perfect time to jump in and be able to take over these communications tricking employees or other parties into sending money to fraudulent accounts.

Once funds are stolen, there are several tactics to hide and wash them. By transferring money through several local accounts owned by money mules, funds can be moved and diverted to money laundering processes in ways that are difficult to trace. Transferring money across legal jurisdictions or via cryptocurrency exchanges also increases barriers for tracing. 

This is why time is of the essence when responding to an incident and clawing back stolen funds. A layered approach to cybersecurity is key, along with a robust cyber incident response plan in case of an attack. Coalition always aims to recover funds whenever possible, and in Incident Response we know how crucial early detection and response is for achieving the best possible outcomes. 

The financial losses and operational disruption of a FTF incident can be devastating for a business. For more detail on the topic and some key prevention tactics, watch our webinar on-demand: Lifting the Lid on Cyber Crime: Funds Transfer Fraud.  > Read this guide for more ways to safeguard against this type of cyber attack

* Coalition Incident Response services provided through Coalition’s affiliate are offered to policyholders as an option via our incident response firm panel.

** Coalition Inc., 2024 Cyber Claims Report

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.