High Tech, Low Lives: For Criminals, Only Results Matter

One of our coworkers got defrauded. 

We work at an anti-fraud company. We live and breathe scams and fraud. So you would think we’re well-guarded. 

In this case, the victim did in fact due their basic due diligence, but still got duped. They used an ATM at a store, and while they did make sure there is no skimmer device or mechanism installed, the machine threw an error saying it erroneously swallowed the card. 

In the two minutes it took the victim to approach the store manager with this – right next to the machine too – the thief who set up the trap had made a quick getaway with the card, proceeding to abuse touchless payments and withdrawals.

Using different machines and a gambling outfit, they made sure the victim’s bank account was soon empty of cash.

All of this, by the way, was broadcast via their banking app’s notification system, resulting in a stressful chase straight out of a Guy Ritchie movie.

Is Shiny New Tech Really After You?

When it comes to fraud and technology, there is a tendency to bat for the cool. We too have warned about the rise of deepfake technologies and their use by cybercriminals. Deepfakes grab attention in headlines, so journalists are also interested in covering how Shiny New Tech Is Actually Bad and Dangerous. It doesn’t really stretch one’s imagination to see how tech innovation can be abused by bad actors.

And yet criminals still tend to surprise us in less attention-grabbing ways. Techies have a tendency to follow innovation and place emphasis on the importance of new technology – especially as every brand now knows very well how to push the hype machine around their solutions. 

But criminals don’t look at things the way we do. 

To them, technology is only a means to an end, one of many tools they can deploy in a war that’s waged in a rapidly changing environment.

Why bother coming up with a convincing deepfake if you can just pay, force or trick people into sharing with you their identity, password or other information?

This was what John Shier from Sophos said to a rather surprised El Reg reporter in October.

But it’s a common secret nobody speaks about: Social engineering, and especially phishing, works so well that there’s not much of an incentive for criminals to try more complicated, high-tech and resource-heavy methods. 

Who can blame them when the money is so good?

Criminals made $6.9 billion in 2021 just using social engineering attacks. Just in the US, 466,501 reports were filed by victims in the same year. And the USA is not even one of the highest-risk countries for cybercrime. It is actually ranked third safest.

Flesh and Bone and Sci-Fi

As our world is increasingly interwoven with digital technologies, analogies of cyberpunk come about as daily facts of life. Sci-fi pioneer William Gibson’s phrase “high-tech lowlifes” comes to mind. Only here, these lowlifes lead “low lives” – despite the high tech out there.

Petty criminals are using technology to relieve people and businesses of their money. But standing opposed to the caricature of HackerMan, hooded at their computer committing crime, is the real-life criminal who only looks to understand the weak points in different defenses.

These frequently come in playbooks but, often, scam or fraud itself is as much flesh and bone, taking place in the real world as it is digital.

Good Enough Is Enough 

Fraud and crime evolve around the path of least resistance due to a number of reasons.

One, there are only so many loopholes available at any given time that your return on investment is maximized if you have one or two attacks that work and you can scale them quickly.

Two, technically sophisticated people are relatively rare in the booming economy known as cybercrime. They will more or less meet market demand with sufficient enough technology to help the guys running the scams, or they’ll code custom stuff for big-ticket clients. 

The C2C (criminal to criminal) market has a lot of “retail” demand and just a few enterprise clients.

This means that the attitude to technical innovation is not so much “move fast and break things” as “if it ain’t broke, don’t fix it”. The two rules of being a successful fraudster are:

1. Don’t get greedy.
2. Don’t get caught.

So there’s not much reward in being a daredevil. This is why you don’t hear about all the crime that goes down. Only the most audacious of thieves make headlines, precisely because they’re insane enough that nobody else thought of pulling it off this way. 

The subheading to these stories that you don’t see is usually:

There’s a safer and easier way to do this.

Absolutely Their Stepping Stone

While sooner or later there’s no doubt that shiny new technology will make its way into the cybercrime toolkit, there is another path that fraudsters can take – and that’s learning the criminal methods of offline crime, and using their tools of tricks and coercion to make money. 

All these apps and services and tech that we have are just stepping stones for more elaborate plots that revolve around moving money around fast – money that they shouldn’t be getting their hands on in the first place.

The big question then is how a completely digital-first economy can be secured against this form of asymmetric warfare: Criminal plots that play out in the real world might barely be blips on the radar when it comes to monitoring internal systems.

Worse still, crime leaves its traces in databases that are siloed at different companies – putting both cybersecurity firms and law enforcement on the back foot when it comes to proactive detection.

And maybe that’s a less interesting story than your nan getting scammed by someone hacking your biometrics to deepfake your face.

It’s just missing a catchy phrase that captures the phenomenon accurately. But “high tech, low lives” certainly has a ring to it. Doesn’t it?

Sources

• The Register: Phishing works so well crims won’t bother with deepfakes, says Sophos chap
• Forbes: Cybercriminals Stole $6.9 Billion In 2021, Using Social Engineering To Break Into Remote Workplaces