Cybercrime – another of Fraud’s many faces

Will the “hack” at BDO turn out to be an inside job as now seems more and more likely?

If so, will we still call it by the classy, new name of ‘cybercrime’ or will we give it the more old-fashioned name, ‘fraud’.

For fraud it is, as is all cybercrime. And the defenses against it are not all that different from the defenses we have in place (or should have in place) against fraud in general.

The Event

From late November 2021 the accounts of a large number of Banco de Oro Unibank (BDO) were affected by unauthorised transactions. BDO and the authorities are investigating the unauthorised transactions and the affected customers will be reimbursed. Investigations so far suggest that none of the affected customers contributed to the breach, for example by exposing their passwords or clicking on suspicious links.

While investigations are ongoing, there are already lessons we can learn.

Differing Perceptions

When we write an article about cybercrime, the editors look to illustrate it with images – mainly in electric blues – featuring ones and zeros and sharp-imaged computer screens and laboratory-clean sets.

Like the image we have used at the top of this article.

Fraud, on the other hand, is depicted in shadowy figures, masked individuals, secreted bags of money.

Cybercrime, we tend to think, is carried out in hi-tech call centers in developing countries; fraud by skulking local gangs, or disenchanted or entitled company executives.

False dichotomy

The BDO case gives the lie to this false dichotomy.

Does it matter that we should start to think more clearly about this issue?

Yes, it does. It matters a lot.

Consider the training we give staff on cyber-security.

We teach them about the modalities: the man-in-the-middle schemes; the dangers of social engineering; the vulnerabilities of password types.

And we focus again and again on the theme – ‘Don’t click on the link!’ (Because somebody always does click on the link, and that makes us focus – indeed fixate – on individual responsibility.)

When we teach staff about fraud, we certainty do talk about the modalities, but we teach them a great deal more about the perpetrator. We show them the fraud triangle, we expose them to scenarios about the company secretaries authorizing fake invoices, we teach them to be vigilant.

Stronger defenses

In hardening our defenses against fraud, we teach collective responsibility, we allocate community ownership, we acknowledge that staff vigilance offers one of our strongest protections against fraud and we foster a spirit of shared responsibility.

If we focused less on the technology of cybercrime – let’s cut the jargon, let’s call it cyber-fraud – and more on fostering an attitude of shared vigilance, we’d be much better at preventing it.

How to engender this shared responsibility?

Every business is different; every industry faces a different profile of fraud vulnerabilities. Every workforce exhibits a different ethos.

An off-the-shelf cyberfraud training solution will fit many businesses, but many others will need something more tailored.

Do you have workforces in multiple jurisdictions, facing different regulatory regimes, managing different products?

Are your staff members allocated to tightly-bound teams, or do they belong to a less-siloed whole?

How many of your staff are technicians? How many are masters of people skills? Different staff mixes may require different approaches as you work to engender the shared responsibility for vigilance that is your key defense against cyberfraud.

You cannot fail to consider these questions when you allocate resources to your training program.

Key message

If the criminals that did the BDO hack had been embedded in a milieu where other staff were watching them, do you think they’d have gotten away with it so easily?

GRC Solutions

Talk to us about custom eLearning content development to fit your business. We already provide this service to some of the largest financial services companies in the region.