Details on how this global gang of cybercriminals used spoofing and impersonation methods to social engineer banks time and time again show how effective these tactics are.
An indictment recently filed in U.S. District Court in connection with the extradition of U.K. citizen Habeeb Audu provides some valuable insight into how stolen personal data is used by a second group of cybercriminals. I talk a lot about how the bad guys like to steal your customer and employee personal data, but rarely does the story go beyond “and they could potentially sell the data on the Dark Web”, etc. But in this case, the story picks up where many of my articles have left off.
According to the indictment, Audu was part of a gang of cybercriminals targeting the personal and small business accounts serviced by banks in the US, Canada, the UK, Italy, and the UAE. In each attack, they used personal details of bank customers, which means they used a stolen database of personal information containing details like date of birth, address, full name, the bank they use, and probably account numbers. This information was used along with fake email accounts, a caller ID spoofing service, and even voice-altering software to communicate with bank employees in an attempt to gain access to the real bank customer’s accounts.
Over a period of 6 years (from 2013 to 2019), over $2 million was stolen by this cybercriminal group. One of the members is already locked up on another charge, Audu is currently being extradited to face charges, and one member is still at large.
This kind of story paints the picture of how one cybercriminal gang will focus purely on the business of breaking in and stealing personal data, while another is really good at taking that data and monetizing it via a scam like the one outlined above.
A data breach can materially impact the individual whose details are stolen. So, it’s up to organizations to put security measures in place – including Security Awareness Training – to protect their customers, their reputation, and in many cases, their compliance with government regulations.