Phishing: A New Age of Bank Robbery
Want to know why phishing attacks increased in 2014 to their highest level in five years? Compare phishing to the messy business of offline bank robbery.
In its most recent release of bank crime statistics (2011), the FBI reported 5,000 annual bank robberies in the United States. In 90 percent of those cases, robbers made off with some form of loot (e.g., cash, checks, safe deposit box contents) totaling some $38.3 million. These robberies involved the physical presence of the criminals, which not only exposed them to the possibility of getting caught, but also greatly increased their chances of being killed (10 of 13 robbery-related deaths that year were the perpetrators). Bank robbery is risky business. And with an average take of less than $8,000, it's a testament to the adage that crime doesn't pay.
Or does it?
Enter phishing, the easiest way for anyone with a laptop to become the next John Dillinger without the occupational hazards associated with traditional bank robbery. And with organizations facing average losses of $10,000 per attack, the cost benefit of phishing is just too good to pass up.
Tools of the Trade
What does it take to rob a bank? It starts with conducting surveillance, then gaining entry (preferably without being recognized), getting the cash out and, most important, making a clean getaway. It shouldn't be surprising that cybercriminals must follow similar steps when conducting a phishing campaign, but the availability and inconspicuousness of tools favor the phishers. The table below compares tactics, techniques and procedures between physical bank heists and phishing.
Small Timers, Big Takes
In January 2014, Florida couple Steve and Robin Barone were arrested for allegedly orchestrating a phishing scheme that compromised nearly 400 identities and resulted in the theft of $550,000. The pair was involved with a known cybercriminal element operating out of Nigeria, and had been in business for as many as four years before they were caught. What alleged criminals like these lack in the excitement and lustrous veneer of a modern-day Bonnie and Clyde, they more than make up for in volume of assets stolen. Phishing is an all-steak, no-sizzle enterprise. Oftentimes, this characteristic confounds investigations because there's little public outcry over even the most egregious phishing offenses.