Estimated difficulty: 💜🤍🤍🤍🤍
Hello, and welcome to another week of Security Queens! 🎉
This week I’ll try to give you a quick overview (not exhaustive) of a few common types of fraud, a bit of information about money laundering, and a little perspective about how it all ties into the bigger picture.
Fraud is criminal or deceitful activity intended to give someone an unfair advantage – usually financial.
Money laundering is the process of disguising the original source of funds (obtained illegally), and involves three stages: placement, layering, and integration. Placement is the initial deposit of funds; layering refers to the complex web of transactions or transfers made to hide the origin; and integration is the final stage, after which the money is considered “washed” and appears to have been legally obtained. Criminals will launder money for a few reasons – but usually it’s so they can live off the proceeds of their crimes, or so the money can be used more easily to fund organised crime. 💰
Firstly, here are a few kinds of fraud…
Romance Scams ❤️
Romance scams have a bit of a reputation for only affecting older people, but that really isn’t the case – especially with how common dating apps like Tinder are these days. Typically, a victim of a romance scam will meet a beautiful stranger online, develop a bond, and arrange to meet each other – and then tragedy strikes. Something prevents your new love from being able to get to you, and they need your help, and probably your money. Sadly, this isn’t the story of Super Mario and Princess Peach – and it’s a common mechanism for fraud. In some cases, romance scammers will research their victims first (OSINT) to make sure they’re a worthwhile financial target, and to make it easier to play the part of the perfect match (social engineering). Unfortunately, it can take a while to convince victims of romance scams that they’re being taken advantage of.
Rogue Trader Fraud 🔨
Rogue traders are basically con artists who pretend to be roofers, joiners, or similar, and who will approach their victims in their homes. They might say they’ve noticed a problem with your roof (loose tiles, as an example) and offer to fix it for you, perhaps at a discount. Usually, they urgently request either partial or full payment up front – they sometimes might start the job, or cause damage to the property, but usually they’ll disappear without doing the work. Rogue traders tend to target people who are financially vulnerable – perhaps elderly or disabled people, who might spend a greater proportion of their time at home.
Mortgage Fraud
Mortgage fraud is high value, and quite difficult to pull off – as anyone who’s ever applied for a mortgage knows (especially post-2014 after the mortgage market review), you have to provide a lot of evidence during the process. It takes a lot of skill to be able to fake the identity documents and history needed, and even if someone successfully managed to forge documents, other parts of the mortgage process (like valuation and inspection of a property) can easily highlight fraud attempts. This doesn’t stop criminals from trying, because the lure of a payout of potentially a few hundred thousand pounds is strong.
From a cybersecurity perspective, sometimes a criminal might target a house buyer at the final stages of their purchase with a well-crafted spear-phishing attack. As an example, the attacker might spoof a sender domain, impersonate the buyer’s solicitor, and email them at the last minute to say: “There’s been a change of bank details for your deposit – transfer the money to account X instead.” Often, buyers have been waiting months – potentially longer – to complete on the mortgage, so they can be more susceptible to this kind of manipulation. Customers have at times fallen for this, and transferred their life savings into the hands of a scammer.
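The warning signs in that scenario can be checked mechanically on the receiving side. The sketch below is an added example, not part of the original post: the message, the `example` domains, the wording pattern and the `review` function are all constructed for illustration, and it assumes the `Authentication-Results` header was written by your own mail provider rather than by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and header value is a placeholder.
SAMPLE = """\
From: "Smith & Co Solicitors" <conveyancing@smithco.example>
Reply-To: conveyancing@smithco-legal.example
To: buyer@mail.example
Subject: Urgent: completion today
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=smithco.example; dmarc=fail header.from=smithco.example

There's been a change of bank details for your deposit. Transfer the money to the new account instead.
"""

# Assumed wording pattern for "payment details have changed" requests.
PAYMENT_CHANGE = re.compile(r"(change of|new|updated)\s+(bank|account)\s+details", re.I)

def domain(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def review(raw, known_domain):
    """Return the warning signs found in one raw message claiming to be from known_domain."""
    msg = message_from_string(raw)
    signs = []
    if domain(msg["From"]) != known_domain:
        signs.append("from-domain-mismatch")      # lookalike domain
    reply_to = domain(msg["Reply-To"])
    if reply_to and reply_to != domain(msg["From"]):
        signs.append("reply-to-diverges")         # replies go somewhere else
    auth = (msg["Authentication-Results"] or "").lower()
    if "dmarc=pass" not in auth:
        signs.append("dmarc-not-pass")            # From domain was not authenticated
    if PAYMENT_CHANGE.search(msg.get_payload()):
        signs.append("payment-detail-change")     # the request the scam depends on
    return signs

if __name__ == "__main__":
    print(review(SAMPLE, "smithco.example"))
```

Any one of these signs on an email about a deposit is a reason to confirm the bank details by phoning the solicitor on a number obtained independently of the email.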
Okay, but how do they get away with it?
Money Mules 🐴
Money mules are a method of money laundering where criminals try to use legitimate bank accounts to launder funds. Usually, they’ll offer the account holder some sort of reward in return for allowing them to temporarily use the account – this is really common in cities, and criminals might specifically target students or people who appear to be financially vulnerable. A good example would be if someone asked to transfer you £10,000, instructing you to transfer £8,500 back to them, and letting you keep the remaining £1,500. Depending on the monitoring in place by the account provider (i.e. your bank), fraudulent transactions on a legitimate account might not be detected as quickly. Agreeing to allow someone to use your account for this purpose is illegal under the Proceeds of Crime Act (2002).
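The kind of monitoring an account provider might apply to this pattern can be expressed as a simple pass-through rule: a large credit, most of which leaves the account again shortly afterwards. This is an added example, not part of the original post; the ledger rows, account names, thresholds and the `find_pass_through` function are assumptions made for illustration, not any bank's real rule.

```python
from datetime import datetime, timedelta

# Constructed sample ledger: (account, timestamp, amount in GBP; credits > 0, debits < 0)
SAMPLE_TXNS = [
    ("ACC-STUDENT", "2024-03-01T09:15", 10000.00),   # the £10,000 from the example above
    ("ACC-STUDENT", "2024-03-01T14:40", -8500.00),   # £8,500 sent back the same day
    ("ACC-SALARY",  "2024-03-01T08:00", 2400.00),    # ordinary salary, below threshold
    ("ACC-SALARY",  "2024-03-03T10:00", -900.00),
    ("ACC-SAVER",   "2024-03-02T11:00", 12000.00),   # large credit, but spent weeks later
    ("ACC-SAVER",   "2024-03-20T11:00", -11000.00),
]

def find_pass_through(txns, min_credit=5000.0, window=timedelta(hours=48), min_ratio=0.7):
    """Return (account, credit, forwarded, retained) for every credit of at least
    min_credit where min_ratio or more of it was paid out again within window."""
    by_account = {}
    for account, ts, amount in txns:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), amount))
    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        for when, amount in rows:
            if amount < min_credit:
                continue
            # Sum of debits that follow this credit inside the time window.
            forwarded = -sum(a for t, a in rows if a < 0 and when < t <= when + window)
            if forwarded >= min_ratio * amount:
                alerts.append((account, amount, forwarded, amount - forwarded))
    return alerts

if __name__ == "__main__":
    for alert in find_pass_through(SAMPLE_TXNS):
        print(alert)
```

The retained amount in each alert corresponds to the mule's "reward", which is why a small, consistent remainder after a fast onward transfer is a useful signal to review.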
Gift Cards 💳
This might seem like a strange money laundering mechanism, but it’s actually really common. Criminals can easily use cash to bulk-buy pre-loaded gift cards, which they can then sell online or abroad (maybe for a discount – selling a £100 gift card for £90, for example); gift cards aren’t necessarily anonymous, but there’s usually no data tying a physical gift card to an identity or transaction history. For a little more information about gift card fraud check out this article.
Cryptocurrency and Virtual Purchases 🎮
Cryptocurrency, although not anonymous (more on this in a later post) can be useful to criminals looking to launder money, because it’s unregulated, difficult to trace, and is designed to function without tying a transaction history to an account holder. Although cryptocurrency can be incredibly volatile, there are services such as Bitcoin Blender which will “swap” your cryptocurrency to clean it.
Another pretty straightforward method is to spend money on rare gaming items, virtual currency or credit, and so on. There have been instances of people using MMORPGs like World of Warcraft to mine cryptocurrency; these platforms are almost like a separate universe, and as with cryptocurrency, not financially regulated. A criminal could use their ill-gotten funds to pay for a super rare item, and then sell that item on an online marketplace. Money laundering in action.
How does this all fit together?
The Morality
Fraud is never a victimless crime. In some cases, independent criminals might want to live off the proceeds; but often there are strong links back to organised crime – people trafficking, funding terrorist organisations or the drug trade, and so on. By assisting someone with money laundering, a person isn’t just breaking the law, they’re also (usually unwittingly) enabling the activity of these organisations to continue.
Useful Advice and Contacts 🙏
If you (or someone you know) have been a victim of fraud, these organisations might be able to help:
Action Fraud is the main point of contact for information, and to report fraud and seek advice. Action Fraud is run by the City of London Police, and when you report fraud through them, you’ll be given a crime reference number so that you can contact the police about your investigation.
Cifas are a fraud prevention organisation, offering advice, protective services (for vulnerable people and those who have previously been victims of fraud), and maintaining a database to track instances of fraud across the UK.
The NCA investigate a range of criminal activity, from fraud and cybercrime to modern slavery and human trafficking, and they work in conjunction with organisations such as NCSC, the City of London Police, and the Financial Conduct Authority. The NCA website has useful statistics and papers on different kinds of crime – if you like reading about that kind of thing.
This was a super brief introduction to fraud – if you’ve made it this far, thank you for reading, and stay safe! 🥰
Morgan x
Thanks for the awesome article. A really nice whistle stop tour on all the different types
Thanks Dan! Really glad you enjoyed it 🥳
Another fantastic blog by the Security Queens!
Thank you Richard ☺️
Great job on this blog — fraud is a complicated topic and I love that you provide resources at the end for victims. You show a level of compassion and empathy that we’re often missing in cybersecurity.
Thank you very much – I’m glad you liked it. I’m planning to write more on this in the future, hopefully with a wider lens that provides context, but is accessible to general audiences.