Clobbering cyberfraudsters

It’s been a busy few years for Rachel Wilson, head of wealth management data security and infrastructure risk at U.S. investment bank Morgan Stanley. And it looks like her job is getting tougher as cybercriminals become more sophisticated and quickly react to her efforts to fight them. The dynamics of cybersecurity have gone through a well-documented transformation following the COVID-19 pandemic. The health crisis has only accelerated the use of personal computers and mobile devices for everything from banking to shopping, and that’s opened a myriad of opportunities for fraudsters.

If that’s not enough, banks now must brace for potential cyberattacks from Russia as that country invades Ukraine and responds to sanctions imposed by the U.S. and other European nations. Wilson’s experience fighting bad actors and terrorists in cyberspace at the National Security Agency (NSA) positions her well to tackle the challenges Morgan Stanley and the financial system face in an increasingly volatile world.

During Wilson’s tenure at the NSA from 2002 to 2017, hackers connected to the Iranian government coordinated cyberattacks on U.S. banks and stock exchanges. That was a frustrating experience for Wilson, who at the time thought that if she left government, she’d want to help protect the critical infrastructure of the financial services sector. (See Morgan Stanley’s profile of Wilson, and “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” U.S. Department of Justice, March 24, 2016.)

Wilson, who’ll be a keynote speaker at the 33rd Annual ACFE Global Fraud Conference in Nashville, Tenn., June 19-24, is doing just that at Morgan Stanley and more. She talks to Fraud Magazine about how best to fight back against cyberfraudsters, what Russian hackers may do, sensible cyber hygiene and why this field needs more fraud examiners.

How did you make your start as a cybersecurity expert?

From the time I was a little girl, I always wanted to be a technologist in national security and work for the American government. So, when I finished graduate school, I went straight to the National Security Agency (NSA). I literally graduated on a Friday and started on a Monday. I had no plans of ever working anywhere else and was a lifer from day one. And I was doing cybersecurity before cybersecurity was a thing, before the phrase existed.

Can you give us some insight into your work at the NSA, your jobs and what you learned from that experience?

I did a whole bunch of different jobs at the NSA. I ran the counterterrorism operation for a couple of years, using technical means to get onto terrorists’ smartphones, tablets and laptops, and read their emails, geolocate them and listen to their phone calls.

Then I spent a couple of years in the U.K. That job was all about getting ready for the 2012 Summer Olympics, which involved all kinds of work, including protecting all the Olympians’ data.

And then I spent the last five years in what was my dream job at the NSA — running the offensive cyber mission, hacking into networks of the Russians, Chinese, North Koreans and the Iranians, stealing their secrets and giving them to our policymakers and war fighters. It was super fun because I got to recruit all these amazing computer scientists and computer engineers from across the United States. I obviously couldn’t pay them like Microsoft, Facebook, Apple or Amazon, but I could give them the opportunity to do something that would be illegal anywhere else all while serving their country.

This is where I started to get exposure to the kinds of things that fraudsters do on a regular basis. As we were working for the government, we were doing everything in the name of good. But frequently that meant concealing our activities and doing the kinds of things a professional fraudster does. Even though I was not covered by the Computer Fraud and Abuse Act in the U.S. — the NSA is not subject to that — I was routinely being caught up in the kinds of dragnets intended to catch fraudsters.

I was always interested in cybersecurity, but that was when my fascination with fraud took off — how you distinguish between what is good and bad, what is legitimate and what is illegitimate. [See “Computer Fraud and Abuse Act (CFAA),” National Association of Criminal Defense Lawyers, and “US Government Hack-Back and the Computer Fraud and Abuse Act,” by Herb Lin, Oct. 21, 2015, Lawfare.]

You’re now head of wealth management data security and infrastructure risk at U.S. investment bank Morgan Stanley. Could you run us through what you do there and how this relates to fraud prevention?

My team is responsible for two things primarily. The first is the security of our clients’ data. And I mean soup-to-nuts security, working to prevent any form of data loss. From my computer falling off the back of a truck to someone breaking into a post office box, that is what my team works to prevent. We have to protect our hardware, our networks and our applications. We worry about malicious insiders but even more so about careless insiders — people who aren’t intending to do anything wrong but are making mistakes. Part of my job is ensuring that doing the right thing is as easy as possible, and doing the wrong thing is really hard. It is about education and applying controls around a person.

And the last piece of it — probably the piece that is most applicable to Fraud Magazine’s readers — I am also responsible for protecting client data even when it is the client who is potentially putting their data at risk. So essentially protecting our clients from themselves. That is one of the hardest parts of my job. I can encrypt a hard drive, carry out a penetration test in an application to make sure it is secure, and train my workforce to know my expectations for how they protect client data. But despite all we do to protect them and educate them, customers can make mistakes that put them at risk, and I am sure your readers can commiserate with me.

So where does the burden of responsibility fall when it comes to guarding against fraud, the banks or their clients?

Without a doubt, our regulators are pushing more accountability to the banks. Everything that Senator Elizabeth Warren is doing now to revise regulations to say, “banks if your clients authorize a payment under duress or under terms they didn’t understand, if they were socially engineered into authorizing that payment, you banks will still make them whole.” (See “Senator Warren Unveils Bill to Expand Criminal Liability to Negligent Executives of Giant Corporations,” press release, April 3, 2019.)

That is in many ways a sea change, not the way it was previously. If a client legitimately authorized a transaction, banks weren’t responsible for understanding their headspace in the moment of that authorization. But now there is increasingly this expectation that banks will make them whole irrespective of the circumstances if they were in fact misled or socially engineered into authorizing that transaction. That has been a huge wake-up call for all of us, that we are expected to provide that level of care and that we have got to be more proactive in detecting things like elder abuse, and friends and family fraud. We have to be able to know if a client is someone who is in a state where they shouldn’t be authorizing transactions at all. “Know your client” has changed completely in terms of the level of expectation for banks. I think there is a lot of good in this, but it is forcing the banks to really take notice and sit up and watch.

How have you prepared for cyberattacks from Russia considering the recent invasion of Ukraine?

Across financial services, we are all taking this very seriously and going to great lengths to protect our industry and our clients. We view this as a point of collaboration, all of us getting together, sharing information, getting intelligence to inform our defenses. All of us are concerned that with the sanctions the U.S., the U.K. and the EU have applied to Russian banks, we could be a natural point of retaliation. This could boomerang right back at American, British and European banks. We could become the targets. We expect that because we have seen it many times before. If you go back — I think about it all the time — when things were really tense with Iran in the 2012-2014 time frame, this is exactly what the Iranians did. They went bank to bank to bank on Wall Street conducting these very impactful denial-of-service (DoS) attacks all in retaliation for economic sanctions. [See “What is a denial of service attack (DoS)?” Palo Alto Networks.] They recognized off the bat that cyber is an asymmetric threat. Sailing an aircraft carrier into New York harbor wasn’t a near-term proposal, building a nuclear weapon is hard, but they put 40 guys into a basement in Tehran and they managed to wreak havoc on Wall Street for 2½ years. We could be right back at a place like that.

What types of attacks do you envision? 

All of us in financial services have to consider and prepare for all kinds of attacks. The Iranians were not very sophisticated. These were denial-of-service attacks, SYN floods that overwhelmed your infrastructure so that legitimate customers and clients couldn’t access their accounts, which is annoying but not devastating. (See “SYN flood attack,” Cloudflare, Learning Center.) There are ways to address that. But with the Russians, we are all worried about ransomware attacks, and those get scary on three different fronts.

The ransomware attacks conducted by cybercriminals now tend to be triple-extortion scams. They get into your environment and irrevocably encrypt your production data so you can’t run basic operations. You can’t trade or do the things you do, so they ask for ransom to get your data restored. But at the same time, the hackers have already stolen your data, and they are going to ask you for a second ransom to not have that data disclosed on the dark web. As you can imagine, I encourage everyone to focus on the resilience of their platforms and to ensure that they can provide the services and functions that their clients expect and their regulators require. But if your data has also been stolen, then I am doubly worried.

The ransomware actor will say “pay me such that I don’t sell your data on the dark web.” But here is the kicker. There is actually a third plank to this. What the hacker will say is that “I am still in your environment. I haven’t left. I am letting you run your production. I am not selling your data on the dark web, but you need to pay me a subscription fee.” This is literally a monthly fee. This is protection money. This is like the Mafia. The hacker will show up once a month. You give them that money in a sack, and they won’t encrypt or sell your data. Sometimes, they will work to protect you from others who are trying to come in. It is crazy.

Prevention of fraud and corruption is one of the key tenets of ACFE founder and Chairman Dr. Joseph T. Wells, CFE, CPA. How can you prevent cyberfraudsters from carrying out these types of attacks?

Once they are in, it is very difficult. That’s why I preach all the time that with cybersecurity an ounce of prevention is worth a pound of cure, and why I am so emphatic about all these phishing tests and making sure that people are not clicking on links and downloading attachments. This type of cyber hygiene is really, really important because it is still the case that the majority of cyber actors get in through these phishing emails, the links and attachments.

Cybercriminals also take advantage of vulnerabilities in your environment to access computer systems. No. 1 on your to-do list for cyber hygiene should be keeping your systems fully patched and up-to-date. Any software manufacturer puts out a patch. It could be Microsoft, Google or Apple, it doesn’t matter. That patch is the solution to a security vulnerability you didn’t even know you had. However, when this patch comes out, we enter this race with the hackers because for them it’s an opportunity. The hackers are going to reverse-engineer the patch, discover the underlying vulnerabilities that it mitigates and weaponize those vulnerabilities against anyone who is not yet patched. And so, what we saw so much of last year was this purely opportunistic targeting, where the cyber actor is not coming after you because you are you. They are coming after you because you are vulnerable and then they figure out how to monetize that access.

It’s interesting that cybercriminals and fraudsters don’t necessarily target people initially who clearly have something to steal but rather those who are vulnerable. It makes sense but it is almost counterintuitive. Do you have any examples of this?

People tell me all the time, Rachel, I don’t have anything valuable. Why would anyone hack me? And what I tell them is that it is not what is valuable to someone else, it is what is valuable to you. You are going to pay to get that back if someone steals that from you. So, we even see this now with grandmothers who think they have nothing valuable. We had a case where a grandmother in Iowa was on the phone with me explaining that a hacker got onto her system. In this case, it was one of these IT phone scams where they call you and say, “We’re calling from Microsoft.” She falls victim to it, and the hacker gets on to her computer and uses a keystroke logger to harvest her credentials and logs into her accounts. This is a huge problem for all of us in the fraud space right now. The hacker discovers that she has a bunch of digitized photos from before her family even emigrated to the United States, and he realizes that these are her prized possessions. He encrypts those photos and then sends her an email saying if you ever want to see your grandmother again you have to send me $50,000 in this cryptocurrency. I get involved because she calls her Morgan Stanley financial advisor and says I need to know how to send $50,000 to South Africa. This is terrible, and of course we bent over backward to help this client. It goes to show that it is very opportunistic. It is a question of who picks up the phone and a question of who didn’t update their device. Who isn’t running the latest version of Chrome. The hackers are going to scan broad swathes of the internet. They are going to figure out who is vulnerable, and they are going to go to town.

How has cyberfraud and security changed since the pandemic and how do you see it developing over the next few years?

I think we are going to continue to be very much in a cat-and-mouse game. When I think about where we were five years ago, I was all about protecting systems from cyber actors, and it was less about fraud and more about disruption of service, about bulk exfiltration of data. Then we went through that whole phase where all of us were dealing with credential validation attacks all the time. The bane of our existence, waking up every morning to just being inundated by a botnet sending millions of credential pairs against our front door. That was painful. (See “Credential stuffing,” by Neal Mueller, OWASP.)

I think where we are now across the financial services industry is that every new control we implement from a fraud space, literally within a matter of weeks, we have actors who have figured out what we have done, what kinds of thresholds and ceilings I have put around it, whether those are volumetric thresholds, whether those are dollar thresholds, whether those are velocity thresholds. (See “Gbps vs. pps vs. rps DDoS: On Volumetric, Protocol and Application Layer Attacks,” by Dima Bekerman, Imperva, blog, Sept. 25, 2017.) They figure them out, and they are coming right underneath whatever thresholds we have set. Across the industry we are in this place where we’re having to be incredibly dynamic in terms of the fraud controls and settings we are putting into place.

Senator Elizabeth Warren said during a Senate Banking Committee hearing last year that crypto “puts the [U.S. financial] system at the whims of some shadowy, faceless group of super coders and miners.” Are more of your clients using cryptocurrencies, and does this make your job more difficult and pose greater fraud risks?

I have two thoughts on this. The first is that you are exactly right. More and more of our clients want opportunities to invest in cryptocurrencies, but they want to do so in a way that doesn’t leave them really, really exposed. They see what has happened to bitcoin in the last year and they want no part in that. They want a long-term plan. So, what we have been working to offer them are investments that are one step removed from cryptocurrency itself. So, think of the companies that help facilitate cryptocurrencies, that help enable the investment and the transactions of cryptocurrencies without actually being part of Bitcoin itself. That has been appealing to investors.

But from a fraud perspective, there has been a huge trend over the last year of fraud schemes that are about trying to lure people in based on cryptocurrency investments. So, I get dozens of calls every month from people who say they have received this email with very enticing proposals about how they can get rich and make a ton of money if they just send $10,000. It is your Nigerian prince fraud scheme being replaced by cryptocurrency and crypto banker, and people are finding themselves right back where they were 10 or 15 years ago.

You’ve mentioned that North Korean hackers who rob central banks to finance that country’s missile program also moonlight as cybercriminals to supplement their poor income. Who are the fraudsters involved in cybercrime today?

If anything, the North Korean bank-hacking efforts have continued to increase. You saw all the missile activity just in the last two months. I fear that all of that is coming off the back of their bank-hacking activities.

There has also been a rise in cybercriminal syndicates to the point now where 70% of the malicious cyberactivity we see on the internet is financially motivated. It has been through the roof. Just look at the ransomware numbers — $60 billion in global losses last year.

What are some of the types of fraud they’re carrying out?

Across financial services, we see many instances of customers experiencing business email compromise — situations where the hacker gets into someone’s email account and starts sending emails pretending to be them. We are seeing this constantly. Hackers are finding that even just access to the mail queue can be hugely lucrative. You think about the ability to conduct identity theft, impersonation fraud, all of that. Beyond this, I think so many people in the pandemic were stressed and picking up the phone when they wouldn’t otherwise. They are falling for all kinds of things.

Are there enough security experts to combat cyberfraud, and what advice would you give to fraud examiners who might want to get involved in this field?

I have been beating this drum for years, trying to convince anyone with college-age kids that this is the route you want to go. You will have job security. Every talk I give is a recruiting opportunity for me because across financial services, we can’t find qualified people fast enough. Across the country, we have a total dearth of expertise in this space. We all need more Certified Fraud Examiners. I need them to be technical. I need them to be passionate. And what I am finding is that a) they are few and far between and b) that the war for talent is more acute than it has ever been in this space. Compensation is competitive. Fraud prevention is a good place to be as an individual, but it is a difficult place to be if you are trying to scale up your team, and everyone right now is trying to scale.

I do think CFEs’ ability to invest in becoming more technical and understanding the cyber aspects of this field is going to be the differentiator over the next two years. The other thing I would say is that it is not like we are out of the woods on all this traditional, internal, first-person fraud. All of that is alive and well too.

Paul Kilby is former editor-in-chief of Fraud Magazine. Contact him at pkilby@acfe.com