Old Tactics, New Landscape

ACFE President and CEO

Bruce Dorris, J.D., CFE, CPA

We get them every day, multiple times a day. Most contain misspelled words that easily reveal the emails are fake. But that’s not the case with all of them. I’ve seen plenty of sham emails and advertisements that look authentic and made me think twice before deleting them. CFEs have a good eye for these scams and can usually spot them quickly. But sometimes the language and graphics are so convincing that they fool even the most skilled observer.

The Lazarus Group, a North Korean state-sponsored hacking group, recently pulled off one of the biggest cryptocurrency thefts of all time using just such a technique. This issue’s cover article — “Fraud and the North Korean cyberthreat,” by Patrick Westerhaus, CFE — illustrates that fraudsters can trick even the best and brightest using rogue emails or advertisements.

The financial ecosystem may be getting more complex, but fraudsters are still using basic social engineering tactics to give them access to computer systems. It’s simple deception, perhaps. But it’s effective, and con artists have been using similar methodologies since time immemorial.

What’s new, however, is how these skilled manipulators navigate what’s an ever-changing cyberworld and one that brings new challenges for fraud investigators. Cybercriminals may not be completely invisible, but they operate at much faster speeds than “traditional” fraudsters. They can deplete an organization’s digital coffers in seconds. That’s breathtaking when you consider that the median duration of a fraud — the typical time between when a fraud begins and when it’s detected — is 12 months, according to Occupational Fraud 2022: A Report to the Nations.

To make matters worse, cryptocurrency tumblers or mixers — a service that allows fraudsters to make anonymous digital transactions even more anonymous — raise the stakes and increase the challenges for CFEs trying to trace these illicit funds. These advances demonstrate why it’s so important to build up our internal controls, especially IT, and train our staff accordingly. When it comes to internal controls, we must fully equip ourselves because these criminals know where our vulnerabilities are. As Westerhaus writes, “Criminals get away with so much fraud because no one is watching closely enough to correlate what they’re seeing.” 

Our mission of training CFEs to understand the mindset of this new type of fraudster is more critical than ever. “Cyberfraud is all about the human behavior of criminals and victims,” says Westerhaus. The better we understand cybercrime and the people who perpetrate such frauds, the better job we can do to prevent it.

Bruce Dorris, J.D., CFE, CPA, is president and CEO of the ACFE. Reach him at: moc.EFCAnull@tnediserP.

SOURCE: ACFE Insights – A Publication of the Association of Certified Fraud Examiners