Cyberfraud and cybertheft tend to be under-detected and underpunished in most countries, including Australia, but it is estimated the amount being stolen from corporations worldwide at present totals about $4.9 trillion a year – or close to 5 per cent of global GDP (Australia's GDP in 2015 was $1.62 trillion).
Most fraud and financial crime today is conducted over the internet, which has made it much easier to conduct, cost-free for phishers, less risky for perpetrators, and far more lucrative.
While we are familiar with the daily fraud threat in the form of "419" emails from scammers saying "Your Account Payout $2,815.48 is Pending" or asking us to click on a link so they can download malware, the big money is in targeting corporations. Financial institutions are a prime target but often do not publicly acknowledge losses unless they are too large to hide.
Larger-scale corporate cyberfraud is a group activity – the average successful fraud by an individual is $106,000; for fraud by a group it is $664,000. At present the most sophisticated criminal hacker groups are in eastern Europe. The best Asian hackers are working for Asian governments – but it seems only a matter of time before they start to freelance against the Australian corporations they hacked as government employees.
One of the biggest cyber-heists in the past year was the attempt in February 2016 to steal $1.26 billion from Bangladesh Bank by subverting the inter-bank transfer system. The thieves managed to steal $107 million before a sharp-eyed employee at Deutsche Bank noticed a typo in one of the fraudulent messages, and raised the alarm. Thanks to human intervention, most of the money was saved. Even so, two-thirds of businesses have no analytical capability to detect potentially suspicious transactions.
Cyberfraud by insiders within the banking industry can generate enormous losses for the banks, but usually attracts relatively light penalties for the offenders.
In 1995 derivatives broker Nick Leeson caused the collapse of Barings Bank with the loss of $1.4 billion. Leeson was sentenced in Singapore to six and a half years' jail, but served less than four. In November 2012, Kweku Adoboli, a UBS Bank trader, was convicted of causing the biggest unauthorised trading loss in British history, costing the bank $2.2 billion. He was sentenced to seven years' jail but released in June 2015.
The US is less lenient with corporate fraudsters. The aptly named Bernie Madoff, who made off with $24 billion of his clients' money, received 150 years in 2009, and is unlikely ever to be released.
In Britain, the Annual Fraud Indicator Report 2016 estimates that the annual loss there through fraud could be as high as $332 billion – nearly quadrupling the government's estimate. There is no comparable data for Australia, but identified trends would probably be similar, with the greatest corporate losses being suffered through procurement fraud. This includes false invoicing and gaining contracts through bribes. Payroll fraud was another significant growth area, along with charity-related fraud. In the mortgage lending area, 84 out of every 10,000 applications were suspected of being fraudulent. Insurance sector fraud was another concern. Most of the fraud was conducted electronically.
While the main target was corporations, rather than individuals, increased corporate costs were soon passed on to consumers in the form of higher costs for goods and services.
Meanwhile, fraud against British individuals was estimated at $16.7 billion a year, with identity fraud being the largest single contributor. Most of those who had their identity stolen were members of Generation Y who put too much information about themselves on Facebook, Twitter, Google+, LinkedIn, Instagram and Pinterest or were careless in their communications using Gmail, Outlook, Yahoo, Skype, WhatsApp and Snapchat.
There is no reliable data for global taxation fraud but we know that some $1.46 trillion leaves developing countries illicitly for tax havens each year. In addition, many multinationals are still juggling their books to evade (they say avoid) paying tax in higher taxing jurisdictions.
Taxation fraud by wealthy individuals from developed countries is now under greater scrutiny as a result of tax haven leaks. Another valuable source of intelligence has been information sold to tax offices by those on the inside of the tax evasion industry.
However, a problem faced by tax offices is the sheer volume of electronic data that now has to be investigated. For example, the Panama Papers leak in 2016 of 11.5 million records comprised 2.6TB (2600GB) of data. This compares with WikiLeaks in 2010 at 1.7GB, Offshore secrets in 2013 at 260GB, the Luxembourg tax files in 2014 at 4.4GB, and the HSBC files in 2015 at 3.3GB.
Electronic data can of course be searched more quickly than hardcopy, but you still need to know what you are looking for, and analysis is manpower-intensive. To make matters worse, the data may be in a foreign language or encrypted. Just to give you an idea of the scale of the task for taxation offices, 1GB of data equates to 900,000 A4 printed pages. (An average book is 350 pages.) This is no doubt why the ATO has an amnesty for so far unidentified tax evaders to come forward and pay up without suffering a penalty – other than being red-flagged for future tax submissions.
Four cyber trends will inevitably make cybercrime easier, and losses greater: the exponential growth in digital channels and data sources such as web analytics and social media; the growth in mobile banking and electronic transactions with capable smartphones; the commercial fusion of personal and corporate data; and exploitable grey areas related to personal data-sharing and protection of customer information.
Potential cyber-defence measures for corporations include: layered defences; increased staff awareness; advanced counter-fraud strategies; intelligence-sharing on emerging cyberthreats; improved customer and invoice verification; paying bounties to ethical hackers (who report system vulnerabilities); fast computer-led reaction to transaction anomalies; and becoming familiar with cybercriminal groups and their capabilities.
For those who like it simple, the cyber trends can be summed up from a risk-management perspective as: increased consumer convenience = higher corporate profits = increased cybercrime opportunities!
It will be many years before the white hats are likely to have the upper hand. According to Cisco and ISC Squared (a security certification body), there is a global shortfall today of 1 million cybersecurity professionals – and this will rise to 1.5 million by 2019 because very few universities worldwide are providing courses for the new profession of cybersecurity.
To help its industry, Britain's sigint organisation, GCHQ, now runs cybersecurity summer camps, sponsors academic bursaries, and holds cybersecurity training days and competitions. GCHQ has also created a "cyber excellence" accreditation for British universities and master's programs addressing the education shortfall.
Clive Williams is an adjunct professor at the Australian Defence Force Academy and an honorary professor at the Australian National University's Centre for Military and Security Law. He is currently working in England.