Cyber criminals funnel: Understanding the process to corporate fraud
by Pushpendra Mehta, Executive Writer, CTMfile
Chinese military general, strategist, philosopher, and writer, Sun Tzu, best known as the author of one of the world’s most famous military treatises, The Art of War, said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
As Sun Tzu advised, it is imperative for corporate treasury and finance professionals to have a comprehensive understanding of the mindset of one of their biggest adversaries: cyber criminals, given that cyber crime poses one of the gravest threats to their organizations.
With a deluge and variety of cyber attacks launched against companies worldwide every day, knowing your enemy is crucial because bad actors deploy a playbook of their most successful strategies and processes to infiltrate organizations.
“In order to most effectively protect against criminal activity, treasury and finance professionals need to understand the playbook that will be used to attack them”, stated the recently released white paper Analyzing the Criminal Mind, underwritten by Trustmi and powered by Strategic Treasurer.*
This white paper provides clear explanations of criminal tactics and methods, followed by a defender’s playbook featuring leading practices for robust security.
The white paper brings to light the reality that criminals employ an orderly or structured process for committing theft and fraud, knowing their success is largely driven by the consistency of their approach. They follow a logical sequence for identifying and prioritising victims, then observe them carefully, and devise the best way to carry out their attacks.
According to the white paper, “Salespeople within legitimate business have a sales funnel and move their prospects down through the funnel in order to convert them to customers and get paid for goods or services. In a parallel manner, criminals move their targets through their own funnel, converting them to victims for fraudulent financial gain.”
Here are some of the foundational aspects of how the criminals’ funnel operates. Grasping these is critical because an increasing number of companies are being targeted by this funnel.
Finding new corporate victims
Advances in automation and technology have made it easier for threat actors to efficiently add new corporate targets into their “sales” funnel.
Criminals use three targeting methods to find new corporate victims: broad-based targeting, specific targeting, and buying credentials.
In broad-based targeting, the white paper reveals that “Email distribution and social media postings are made prolifically. The goal is to leverage these low-probability but low-cost phishing messages in an attempt to find those who click or respond and then narrow in and advance in attempting to manipulate those individuals.”
As for specific targeting, various companies are targeted for distinct purposes. Cyber thieves scour social media posts to gather insights that help them “better target your company, your colleagues, or you personally”, the white paper asserts. Information such as your upcoming overseas business trip can be manipulated or exploited to further their objectives.
Regarding buying credentials, the white paper emphasises that if a previous data breach exposes your company’s credentials or those of a partner, criminals can purchase them on the dark web, making your organization a more enticing target.
Surveilling targets
The white paper points out that threat actors conduct surveillance on a target’s actions, communications, and responses to refine and improve their attack techniques. “The better the surveillance, the more likely that the fraud will be effective”, the white paper further adds, as it reveals more about how the organization functions and identifies the individuals involved in key processes.
The primary aim of criminals, while scrutinising targets, is to learn from potential victims. To operate prudently, malicious actors must observe, listen to, or read about how your organization is managed. They start by gathering or extracting information from public sources and then infiltrate email communications to learn more. Remember, “criminals seek to learn”, cautions the white paper, and with each piece of information they collect, they leverage it to uncover even more useful details or data.
Determining the optimal attack vector
Probing the defences to identify weaknesses, removing security layers, and moving horizontally help criminals determine the optimal attack vector.
Testing the defences to assess vulnerabilities provides valuable feedback. Testing an account to confirm if bank security features are enabled helps criminals gather important insights, the white paper notes. For instance, if a low-value transfer shows an absence of filters or debit blocks, they might advance immediately to a serious attack. Conversely, if criminals find security measures are in place, they become aware that these need to be bypassed or neutralised before attempting a larger attack, the white paper elaborates.
On the subject of moving horizontally, the white paper warns, “Give them an inch and they’ll take a mile.” This is because cyberthreat actors “Follow the practice of parlaying any information or access into more information or access.” This may commence with a less secure system or a less-trained staff member. Some information about your processes or banking relationships is used to obtain additional details, which is further magnified with each cycle.
Executing the fraud
The fraud process involves surveilling, probing, setting up infrastructure, testing, and executing the fraud at the right time. Following surveillance and probing, the criminal builds or prepares the infrastructure needed to carry out the fraud.
As per the white paper, this includes either creating a new account or gaining control of someone else’s bank account, which can be used to facilitate the attack; purchasing convincing and similar-looking domain names and establishing corresponding email accounts; crafting email content designed for spoofing and phishing; carefully replicating the writing style and word choice of the individual being impersonated; and producing deepfake content.
Next, the cyber criminal tests “The system and defenses in smaller ways that might be blocked but won’t typically create a major concern. For example, if a criminal tests an account by issuing a debit for $1.00 and a credit for $1.00, and both go through, they know the account doesn’t have certain security features. The company may see that both transactions net to zero, mark them off, and move on without realizing that this was a test and that the criminal now knows this account is not controlled.” With this, the white paper alerts treasury and finance professionals to the risks that accompany bad actors testing the system and defences with minuscule transactions.
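A reconciliation check that treats the net-to-zero pair described above as a signal, not as noise to be marked off, can be sketched as follows. This is an added example, not code from the white paper or CTMfile; the statement rows are constructed, and the amount threshold, time window and approved-counterparty list are assumptions a treasury team would tune.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample statement lines: (posted, account, counterparty, signed amount).
# Negative amounts are debits, positive amounts are credits.
STATEMENT = [
    ("2024-03-04 09:12", "OPS-001", "ACME SUPPLIES", "-18250.00"),
    ("2024-03-05 02:41", "OPS-001", "XQ PAYMENTS 7731", "-1.00"),
    ("2024-03-05 02:44", "OPS-001", "XQ PAYMENTS 7731", "1.00"),
    ("2024-03-05 11:30", "OPS-001", "PAYROLL PROVIDER", "-92000.00"),
    ("2024-03-06 10:05", "PAY-002", "CARD PROCESSOR", "0.50"),
    ("2024-03-20 10:05", "PAY-002", "CARD PROCESSOR", "-0.50"),
]

def parse(rows):
    """Convert text rows into (datetime, account, counterparty, Decimal) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, cp, Decimal(amt))
            for ts, acct, cp, amt in rows]

def find_probe_pairs(rows, max_amount=Decimal("5.00"),
                     window=timedelta(days=3), approved=frozenset()):
    """Flag low-value debit/credit pairs that cancel out on one account.

    A pair is two entries with the same account and counterparty, equal and
    opposite amounts no larger than max_amount, posted within `window`.
    Counterparties in `approved` (for example a provider that verifies
    accounts with micro-deposits) are skipped.
    """
    entries = sorted(parse(rows))          # chronological order
    used, alerts = set(), []
    for i, (t1, acct1, cp1, amt1) in enumerate(entries):
        if i in used or amt1 == 0 or abs(amt1) > max_amount or cp1 in approved:
            continue
        for j in range(i + 1, len(entries)):
            t2, acct2, cp2, amt2 = entries[j]
            if t2 - t1 > window:           # later entries are even further away
                break
            if j not in used and (acct2, cp2) == (acct1, cp1) and amt2 == -amt1:
                used.update((i, j))
                alerts.append({"account": acct1, "counterparty": cp1,
                               "amount": abs(amt1), "first": t1, "second": t2})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_probe_pairs(STATEMENT):
        print("Review possible test transactions:", alert)
```

An alert here is a prompt to confirm with the bank that debit blocks or filters are enabled on the account, since a pair that clears means the controls the white paper mentions did not stop it.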
In reference to executing the fraud, timing is a critical factor in the success of fraud. Given that it can take time to move money out of the banking system, some criminal enterprises understand the added value they can gain by timing their fraud with precision. Well-planned timing and patience often result in larger payouts for them and greater losses for the victim’s company, observes the white paper.
“Waiting for more funds to be available or sending money externally right before a long weekend, for example, can help the criminal group to optimize their yield”, the white paper advises.
In conclusion, the Association of Certified Fraud Examiners (ACFE) reports that fraud drains 5% of a typical organization’s annual revenue. ACFE asserts, “As criminals continue to perpetrate fraud, it is no longer a question of if fraud will occur, but rather when it will occur at an organization.”
For now, it is essential for finance leaders, treasurers and their teams to comprehend the playbook criminals use to target their companies in order to effectively protect their organizations from cyber threats and attacks. To do so, we recommend treasury and finance executives unpack the criminal mindset by downloading, reviewing and benefiting from the white paper Analyzing the Criminal Mind.
* Disclosure: Strategic Treasurer owns CTMfile.