
Cybercrime: 6 trillion dollars in the making


December 5, 2019  


Conventional wisdom tells us that innovation in technology lowers crime. New innovations and advancements in science are adopted by law enforcement, and then developed beyond what was considered successful in the lab or the workshop. For example, the most popular system of fingerprint classification was a joint effort between Sir Francis Galton, a civilian scientist, and Sir Edward R. Henry, the police commissioner in London at the time. Nearly 100 years later, Alec Jeffreys’ invention of DNA fingerprinting in 1984 was an immediate revolution in immigration and paternity issues. But it wouldn’t be until its first forensic usage in 1985, leading to the conviction of Colin Pitchfork, that the technology spread around the world.

The conventional wisdom isn’t wrong, but it’s only half the story. New technologies create just as many new opportunities for criminals as they do for police officers or crime fighters. However, criminals don’t worry about whether or not they’re using the technology lawfully. The digitization of the world in the 21st century has created a new trillion-dollar industry: cybercrime.

What is cybercrime?

As a word, it has a very broad definition. Most experts agree only that it’s any crime that can only be committed on or to a computer via a network. (Smashing a computer with a large rock would be a foul crime, but not a cybercrime.)

These crimes include:

  • Viruses
  • Malware
  • DoS attacks
  • Cyberstalking
  • Phishing emails
  • Identity theft
  • Modern money-laundering

Cybercrime is on the rise worldwide. Partly this is due to growing opportunity: the amount of data that is stored in the cloud will increase a hundredfold by 2021. Just as retailers can’t ignore the digital marketplace, street gangs have begun operating online as well. In 2018, the State of California Department of Justice arrested and indicted dozens of members of the BullyBoys and the CocoBoys, Bay Area street gangs, in a million-dollar case of identity theft and credit card fraud. Their successes are just a fraction of what dedicated cybercriminals have managed to achieve. Established gangs are world renowned, including China’s Rocke, Venezuela’s Machete, and most infamously, the truly international Magecart, which for 10 years has been committing skimming operations, installing malware onto retailers’ websites to collect the credit card information provided at the checkout screen. Some of their most famous crimes include the hacks of Ticketmaster and British Airways. Magecart is shrouded in mystery, an umbrella organization with dozens of different nationalities belonging to no fewer than six different groups.

The costs of cybercrime

Credit skimming is seen in criminal circles as a victimless crime. The credit card holders with compromised accounts can tell their provider that they’ve been hacked, and since they’re compensated for any bills the hackers ran up, it’s not the civilian who pays the price.

No, it’s the world’s financial institutions that are left holding the bill. It’s a big bill, and it’s growing. In 2015, the estimated cost of cybercrime was USD $3 trillion. By 2021, that number will have doubled to $6 trillion. As early as 2007, according to a University of Maryland study, there was a hacking attempt made every 39 seconds. In 2019, Alibaba’s former executive chairman claimed that they were subjected to 300 million cyber attempts per day.

Each variety of cybercrime is on its own growth trajectory, and the crime that’s growing the fastest is ransomware. There were 184 million ransomware attacks last year, and the average cost of a ransomware attack is just over USD $36K.

An organization fell victim to ransomware once every 14 seconds this year, and according to Cyber Security Ventures, that interval will shorten to 11 seconds by 2021.

And before these ill-gotten gains can be spent, they need to be laundered. If they’re laundered successfully, they become part of the USD $2 trillion that the United Nations estimates is cleaned each year. The process of money laundering compromises economies around the world. A good example of this is how money laundering has altered real estate markets in both Europe and North America, leaving locals unable or unwilling to purchase homes at inflated prices.

Like everything else today, money laundering has also gone digital. Earlier in the decade, launderers did their business in plain sight on large retail platforms. Now, a growing amount of money laundering is done through cryptocurrencies like Bitcoin and Ethereum, and fraudsters and hackers “tumble” dirty cryptocurrency between various wallets before reassembling the total in their final destination, or simply sell it on exchanges that don’t ask too many questions. They aren’t hard to find; according to CipherTrace, two-thirds of the world’s leading cryptocurrency exchanges “lack strong Know Your Customer (KYC) policies.”

How to protect your business from cybercrime

Cybercrime is a pervasive, insistent and growing threat around the world. But there are ways to mitigate business risk while operating online.

To begin, cyber-insurance is a wise investment. 68 percent of American businesses have no cyber-insurance or data breach coverage, despite the average cost of an American data breach rising to $8.19 million this year. The cyber-insurance industry is growing worldwide: Singapore debuted the world’s first cyber-risk pool, providing $1 billion in risk capacity.

The majority of data breaches are perpetrated by hackers, but 34 percent of data breaches were performed by internal actors. Prudent data access management can help reduce this risk.

Ransomware tends to be planted by phishers; anti-phishing training for all staff can keep ransomware from (hopefully) ever becoming an issue. Disallowing the use of public, unsecured networks for teleworkers and maintaining updated firewalls and anti-virus are also valid strategies.

These activities will help protect your organization, but they won’t reduce the threat of cybercrime in the world at large. For that, you’ll need proper Know Your Customer (KYC) and AML (Anti-Money Laundering) compliance.

KYC and AML Compliance vs. Cybercrime

KYC compliance standards require that financial institutions verify the identities of applicants before they’re allowed to open an account. AML compliance standards mandate that institutions check the names of applicants against lists of known criminals, launderers and politically exposed people (PEPs), as well as ensuring that any individual organization that goes into business with the institution has an acknowledged and cleared Ultimate Beneficial Owner (UBO). Beyond the onboarding process, these compliance procedures compel financial institutions to monitor accounts and their transactions, and report accordingly.

Proper implementation of KYC best practices can easily reveal a bad actor: whether they’re attempting to open an account despite being a known entity to watchlists or they’re pretending to be someone they aren’t, a solid KYC solution will show who you don’t want to do business with so you can show them the door. The penalties for negligent KYC and AML compliance are quite severe. In 2021 alone, there were over $5 billion in fines.

As of June 2021, cybercrime is one of the 22 acknowledged predicate offenses of money laundering according to the EU’s Sixth Anti-Money Laundering Directive (6AMLD). This designation as a predicate crime ensures that, if the launderers are cybercriminals, they will face prosecution. 6AMLD’s oversight will also include those who “aid and abet” attempts to launder money. A financial institution that fails to report bad actors and suspicious transactions is doing just that.

It doesn’t matter how impressive the heist is: if cybercriminals can’t launder their loot, it’s worthless. Without a viable method of money laundering, criminals are left with fewer incentives and fewer opportunities to commit further crimes. When cybercrime becomes too risky for the criminals, the risk for financial institutions and their customers will finally recede.