How individual extortion could become the future of business-led cyber crime
Extortion and espionage seem to be two of the biggest areas of Cyber crime in 2021. In the main, this should come as no surprise: ransoms paid as a result of ransomware have climbed three-fold in the pandemic environment, and the risks have become more alarming with a workforce suddenly mobilised to work from home following COVID-19.
Big companies have always been an attractive target. The downside for criminal individuals, gangs, organised crime and even state-sponsored shadowy syndicates is that big companies tend to spend more on security services and often employ teams of people and suites of specialist software tasked with preventing, identifying and remediating the myriad security alerts.
Smaller companies are often easier targets: the 2021 DCMS breach survey indicated that 65% of medium-sized businesses were breached or attacked in the past year, a further percentage rise on the 2020 breach survey.
Robert Brooker, Joint Head of Forensics and Fraud at PKF, is keen to point out the convergence of Cyber and Fraud, with Fraud now 90% Cyber-related. Understanding both disciplines in tandem will be crucial in preventing attacks and protecting businesses and their people.
A traditional (but erroneous) view might be to see fraud as something affecting individuals and Cyber affecting businesses. But what if we combine both approaches?
The Scenario
Within the Covid landscape, remote working has not only become accepted but has likely become the norm. Business leaders who have high level permissions and access to restricted and sensitive data are at particular risk.
A company safeguarding data might have a robust, layered and thorough approach to security, but the individuals at the top are less likely to have adopted safe and thorough personal behaviours. By targeting the individual, first through social engineering and then through their home Wi-Fi and home security, the attacker has a greater chance of success. Then all that is required is something to compromise them with. We all have something to hide. The scenario then plays out like this.
The attacker begins by using the veil of threat, threatening to release the information publicly across social media platforms, to affected individuals or to the person’s parent company. The information could range from private romantic-type conversations with someone other than the person’s spouse, browser history, private or embarrassing content, sexualised private photographs or videos, and anything else any of us would not want exposed.
Then the extortion game begins. The attacker’s true target is the employee’s business, but they don’t want to show their hand just yet. They start by demanding a ransom which is unaffordable; the figure will be eye-watering. Pleading, the victim will state that they don’t have the financial resources to meet the ransom. Then the attacker will offer a counter-possibility. This will have been planned to ensure the victim (most probably a C-suite executive) has access to the company systems and high-level administration rights. The attacker will position themselves as someone trying to help. They will sympathise and show false empathy.
What about the business you work for? Tell me about the data on the system. What systems do you employ? A reconnaissance mission will begin. The attacker will give the victim an alternative to paying the ransom: install a malware client on the system, download a large chunk of data, provide highly confidential files. And the victim will do it because they’re so compromised and see no other way out. To use the Cressey fraud triangle, they’ll have Motivation and Opportunity, and their Rationalisation will be that their high-level position allows them unfettered access. Their position might not be challenged.
You are only as strong as your weakest link. And more often than not, that link is the susceptible human in front of the device.
(The views presented above are my personal opinion)
Chief Operating Officer at Lockdown Cyber Security
Raimund Berens, Wizer - Free Security Awareness Training | Founder (4y): great article! well done.
Business Consultant | Executive Coach | Non-executive Director | Chief People Officer | Leader | Tech HR | Retail | Social Enterprise | Human Services | Pharma | Caravan Park Owner (4y): Great opinion piece William Taaffe, I’m just glad all the evidence is on Super8!
Chief Operating Officer at Lockdown Cyber Security (4y): 🔒 Chris Sant, Charles Duance MBCS, Emma Wakefield, Professor Lisa Short, Chris Windley, Richard Elson, Laura W., Hinesh M CISMP, Shevani R.aichura, Tracy Mellor, Amardeep Gill