Have you heard of Andre Poisson? Probably not and that’s just the way he would have wanted it. You see Andre was not a shy man, but late in 1925 he would have quite happily slipped into obscurity. Would you want everyone to know you had just been sold the Eiffel Tower?
Today it might seem inconceivable that someone would fall for such a whopper, but beware: it’s the human elements of confidence trickery that make us all susceptible. Even if online methods appear more sophisticated, they still seek to gain trust, exploit vulnerability, and then hide behind the victim’s embarrassment, in exactly the same way as Victor Lustig (our villain in this story) did with his Eiffel Tower scam in 1925.
Have you heard that last year up to 100 banks and financial institutions worldwide lost $1bn to a single cyber gang? I bet not... Enter our modern day villains, the Carbanak cyber gang, with their bank spear phishing con.
Today’s threat to the bank is potentially a similar con
In 1925 one of the issues of the day was the exorbitant cost of maintaining the Eiffel Tower. Victor Lustig used fake government stationery to claim to be the deputy director-general of the Ministry of Posts and Telegraphs and invited six scrap metal dealers, including Andre, to a secret meeting to discuss the disposal of the Tower. Like Lustig, the Carbanak cybergang began the process of establishing trust with their victims through fake credentials. They attempted to gain entry into employees’ computers through spear phishing: an email that purports to be from someone that you know, but isn't. In the same way that Lustig was able to put Andre at ease by appearing to be legitimate, these e-mails attempt to gain your trust through familiarity.
Lustig claimed he had been given sole responsibility to select the dealer for the job, and then took time with each to determine who was most gullible. Sometime later in a private meeting with Andre, Lustig let him know that he was willing to take a bribe for the contract. Andre, confident he was dealing with just another corrupt government official, was reassured enough to hand over the cash. Andre was not a stupid man, but he was eager to join the inner circle of the Parisian business community and this ambition made him vulnerable and ready to accept the veneer of authenticity offered by Lustig. Sadly, before you could say ‘Zut Alors!’ Lustig was over the border, not only with a suitcase stuffed full of cash from the deal, but also a handsome bribe in his pocket.
Of course today’s cyber criminals have the resources to target specific individuals like Andre, but where Lustig had six possible ‘marks’ to choose from, the Carbanak gang had as many as there were on the payroll. They assumed (correctly) that one of them would be more than keen to open up a personal e-mail from the boss or the CEO, even if it did seem a little fishy at first. And that’s exactly what happened: once the e-mail was opened and the file within downloaded, the malware was on the bank’s system. They were able to track down administrators’ computers, video them remotely, record those who serviced the cash transfer systems and then mimic them. With the correct credentials they could move freely and operate with impunity. Effectively they were over the border with the proverbial suitcase full of cash...
Humiliated and with a reputation to protect, Andre chose to remain quiet, and so it has been with information around Carbanak. The full details of those affected remain unclear, a situation that can only benefit the perpetrators and leave other banks vulnerable. Back in 1925 this coyness allowed Lustig to return to Paris, only a month later, and repeat the same scam with another six scrap dealers (you’ve got to admire his cheek).
Is a modern day Lustig after your bank?
If anything, the Eiffel Tower scam teaches us that the modern confidence trickster is much the same as the old. Forged government stationery has been replaced by fraudulent e-mail and malware, but both rely on establishing trust and exploiting human vulnerability. What also remains true is that keeping quiet might spare blushes in the short term, but the criminals remain the real beneficiaries.
Who in the bank will protect you?
So, what to do? Well, clearly cyber security is not just a matter for the CIO, but the business as a whole. The scale of the threat suggests that the whole Board should be keenly interested in and equipped to tackle the threat. But are they?
Today’s Andres can be taken in without nearly as much persuasion: the right e-mail (a promotion opportunity or important work to review), under the right cover (the boss or a client), could easily persuade the inattentive. And before you know it the fraudsters are in. Training, sharing information and proper management of the risk are required to protect the bank, its employees and, most importantly, its customers.
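As an added illustration (not code from the original post or from any Capgemini tooling), here is a small defender-side check over inbound mail headers for the ‘e-mail from the boss’ pattern described above. The internal domain, the executive list and the sample message are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the bank's real domain and the
# executives whose names are most likely to be borrowed by a spear phisher.
INTERNAL_DOMAIN = "examplebank.test"
EXECUTIVES = {"jane doe": "jane.doe@examplebank.test"}

def _norm(name):
    # Lower-case and strip punctuation so "Jane Doe" and "jane.doe" compare alike.
    return re.sub(r"[^a-z ]", "", name.lower().replace(".", " ")).strip()

def _edit_distance(a, b):
    # Classic Levenshtein distance, used to spot lookalike sender domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_findings(raw_email):
    """Return the reasons an inbound message looks like executive impersonation."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # 1. A known executive's name in the display name, but not their real address.
    expected = EXECUTIVES.get(_norm(display))
    if expected and addr != expected:
        findings.append(f"display name '{display}' used with address {addr}")
    # 2. Replies are quietly redirected somewhere other than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    # 3. The sender domain is one character away from the bank's own domain.
    if domain and domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain {domain}")
    return findings

# Constructed sample message (not a real lure) exercising all three checks.
SPOOFED = """From: Jane Doe <jane.doe@examp1ebank.test>
Reply-To: ceo.jane@mail.example
Subject: Urgent: contract to review

Please open the attached contract today.
"""

if __name__ == "__main__":
    for reason in impersonation_findings(SPOOFED):
        print("FLAG:", reason)
```

A mail gateway rule built on these three signals catches the cheap version of the con; it does not replace checking with the supposed sender by another channel.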
And if you really don’t believe me, I’ve got a French flagpole to sell you!
The sponsor for Cyber Security at Capgemini Consulting UK is Anuj Kumar, Head of Risk and Regulatory Compliance Consulting. Connect with Anuj via his LinkedIn profile here.