A Call for Better Cybercrime Investigation

The financial sector is both a target and a tool for cybercriminals. Year after year, criminals syphon billions of dollars from financial institutions (FIs) and victimize customers through fraud and identity theft. Yet despite these staggering losses, cybercrime remains an unchecked scourge as criminals continuously use trial and error to find new and better ways to steal and hide ill-gotten gains.

This state of affairs begs the question of what can be done to stem the tide. A major part of the solution is better investigation. Cybercrime is a special area of criminal activity and stopping it requires the coordinated investigative efforts of the private sector, law enforcement and regulators.1

Among the many participants and skillsets needed to stop cybercrime, anti-money laundering (AML) professionals are essential. The work of AML and financial fraud investigators already involves a combination of criminal, civil and regulatory rules; these investigators also already operate at the front lines for identifying criminal activity. With this existing experience and knowledge, AML and financial investigators have the potential to serve as highly effective anti-cybercrime actors. However, there is a need for more investigators who are trained in how to identify, trace and stop cybercrime and cyber money laundering, and who fully understand how their work can support (and be supported by) the efforts of other investigative participants.

Cybercrime Profits, Payments and the Need for Improved Financial and AML Investigation

Most cybercrime is undertaken to make money and takes place within a nefarious online economy focused on financial theft and fraud, data theft, malicious software, document forgery and identity theft. There are thousands of criminals generating earnings online—each in their own way—through scams or the provision of criminal goods or services. Cybercrime is typically committed from a distance, often internationally and can be immensely profitable. All of this activity relies upon payments, transfer of funds and storage of funds, which in turn demonstrates why the AML profession is essential to investigate cybercrime properly.2

Cybercriminals take advantage of all forms of value, including government-issued currency (fiat) and virtual currency.3 If there is a way to steal it, they will try. If there is a payment method that is convenient and can be used anonymously, they will use it. Successful cybercriminals earn a lot of money and want to spend it, so they will also use any convenient anonymous method available to launder their earnings.

Cybercrime techniques can be technologically sophisticated and difficult to trace. However, the flow of these illicit profits is directly within the expertise of AML professionals. Tracking and reducing this flow is a crucial element of fighting cybercrime.4 AML professionals are essential to this fight for three reasons:

  • Cybercrime attacks FIs and money services businesses (MSBs) for the data and funds they control.
  • Cybercrime targets the customers and clients of these businesses.
  • Cybercriminals use FIs and MSBs to transmit their funds.

With this important role in investigating and stopping cybercrime, AML professionals are key contributors to limiting these crimes.

As AML and other financial experts address the value-related aspects of cybercrime, other investigators examine cybercrime from different angles, including digital forensics and review of the criminal tactics and techniques. Cybercrime investigations are greatly improved when individuals and entities appreciate the perspectives, resources and expertise of different investigators and organizations. A successful cybercrime investigation requires both broad knowledge about all the potential investigative paths and contributions from investigators with specific capabilities. Investigators from any of the multiple perspectives involved in fighting cybercrime benefit from a full understanding of methods, laws and regulations, as well as a general overview of the process.

Three main groups investigate cybercrime: law enforcement, the private sector (including FIs) and regulators. Law and regulation weigh heavily into many aspects of cybercrime investigation for two reasons. First, for regulated industries like the financial sector, a certain level of diligence in the investigation may be required under regulatory standards. Second, organizations investigating cybercrime must consider a host of applicable criminal and civil laws. The following is an example of how a cybercrime investigation may play out.

A Hypothetical Cybercrime Investigation

Consider a hypothetical FI, a bank in New York that is regulated by the state and federal governments. The bank holds customer funds, provides a range of services and employs many people. A new state law of general applicability enhances data breach reporting and requires “reasonable cybersecurity.”5 Existing state and federal regulations also require the bank to maintain a stable and secure information system with appropriate security protections for its confidentiality, integrity and availability.6 Regulators inspect the information security program annually to ensure it complies with these rules. The bank must guard against identity theft7 and must be on the watch for criminal activity, including cybercrime and reporting suspicious or criminal activity to the Financial Crimes Enforcement Network (FinCEN).8

The FI and its customers experience constant cybercrime attacks. Each attack—even if unsuccessful—is itself a crime (an attempt) that also allows criminals to refine their tactics and techniques. These attacks include the following:

  • Attempts to install malware, break into computers and networks, and steal customer and financial data
  • Attempts to take over customer accounts
  • Attempts to steal funds through illicit transfers or charges

This hypothetical bank suffers an anomaly in its information systems. The bank needs to make a series of decisions, including whether to activate its incident response team (comprised of members across many departments, e.g., AML, information technology, information security, legal, communications) and whether reporting is required to the government and affected parties.

In order to make these decisions, the bank must preliminarily investigate and determine certain facts. Here, the initial investigation indicates the anomaly occurred because of a successful cybercrime (such as a data breach or theft of funds), reporting and notifications are required and additional investigation is needed. The bank must notify state and federal regulators, law enforcement and those whose information was stolen. This does not mark the end of the bank’s investigation, but merely a significant decision point and milestone.

The bank reports to law enforcement who start their investigation. They are the only sector with the ability to apprehend, deter and punish cybercriminals, so the hope is that someday they may bring perpetrators to justice. Today’s data breach reporting laws recognize that in the past, many corporate victims kept silent in the face of these serious cybercrimes, choosing to protect their reputations rather than report crimes. Law enforcement’s investigation requires diverse skillsets within their sector, but also extensive cooperation from the victims and witnesses in the private sector (including within the financial sector). To understand the facts surrounding the technical nature of the attack, law enforcement relies upon information gleaned by the bank’s own investigation and review of its systems. To discern the flow of illicit funds, law enforcement relies upon AML and financial investigators at the victim bank and others in the financial sector.

The bank reports the incident to its state and federal regulators and files a suspicious activity report (SAR) with FinCEN. Regulators receive and review the reports and then their investigation begins. One consideration is whether the reporting was timely, sufficient and compliant with the requirements. Another consideration is whether the security measures in place before the crime were sufficient.

As these investigations unfold, law enforcement and regulators have a number of questions for the bank about when and how the attack occurred as well as what data was accessed or stolen. Customers may find they are the direct victims of fraud and may turn to the bank for answers about how the crime occurred and where the money went. If the attack involved a data breach (or direct financial loss to customers), required notifications to affected customers might lead some to sue the bank, alleging insufficient security as well as violation of regulations and laws. In addition, the media may report on the incident and business could suffer. For all these reasons, the bank must continue its own investigation to uncover necessary facts and help resolve matters properly.

The Many Parts of a Cybercrime Investigation Become a Whole

This example shows the varying perspectives and goals that different groups bring to a cybercrime investigation and the many areas of knowledge required. A cybercrime investigator should have a general understanding of criminal, civil and regulatory law, including how to preserve evidence in a manner that will be helpful and legally admissible. It also helps to understand some basic technical and information security principles in order to have productive conversations with experts in those fields.

Importantly, financial fraud and AML professionals should know something about attribution, the part-science/part-art of connecting online conduct to an individual. In significant ways, attribution interconnects with know your customer, customer due diligence and other AML processes. Cybercrime investigators rely upon FIs’ records, which can prove both the crime and the criminal’s identity. When these records are created, preserved and accessible, they can be key to identifying a cybercriminal. Sometimes, a SAR could point law enforcement to the relevant financial records that connect these dots.

In one massive cybercrime and money laundering case, it was financial analysis that helped make the case by proving both criminal conduct and identity. FIs’ records and reports showed the true extent of the crimes—the illicit profits earned, the transactions engaged in and the path of the funds to the defendants. Bank wires, money remittances, credit card transactions and virtual currency payments all played a role throughout the investigation and their records were essential evidence at trial. They also helped prove who did it.

Consider that one clue left in the records of an FI was critical evidence for attribution. A single instance of attempted online credit card fraud resulted in the recording of an email address, nickname, name and a physical address in the records of the company. There was no way to predict at the time the record was created that it would later become a vital clue to help develop a suspect for prolific cybercrime activity and that these records would finally help convict him at trial. An awareness of how record keeping and AML procedures might later serve as evidence against cybercriminals can lead to better investigative and preventive results for all parties.

By learning about the attribution process, financial and AML investigators will see how their analyses, summaries, reports and preserved records might be used to create a chain of logical links from the crime to the suspect.9 Financial investigation has a critical role in slowing cybercrime, coupled with other key areas including electronic communications, digital forensics, information security and applicable areas of the law.

Better Investigation Can Reduce Cybercrime

It is not hard to see the effect cybercrime is having upon society and individuals. For all organizations, regulatory requirements are increasing, with more rules designed to prevent attacks and improve reporting. In turn, these rules create increased compliance costs. If a cybercrime occurs, an organization will suffer direct financial damage and costs, plus reputational damage and other indirect costs. For individuals and small businesses, the harm caused by cybercrime frauds and identity theft can be life changing, sometimes even resulting in the loss of life savings. AML and financial fraud investigators can lead the way toward the investigation of cybercrime and the fight against it.

To fight cybercrime, an investigative response must always follow these crimes. It is time to take greater action, recognizing that combating these crimes requires a different approach and mindset compared to traditional criminal activity. Cybercrime investigation is most effective when done by knowledgeable investigators working across different sectors, organizations and backgrounds. All investigators can tackle cybercrime more successfully by learning about the cybercrime economy, appropriate investigation and evidence-gathering steps, and the ways different investigative pieces might fit with the broader investigation. The opportunities for better investigation increase as knowledge and collaboration grow. The AML profession is on the front lines and diligence and teamwork can create the effective synergy to reduce cybercrime.

John Bandler, Esq., CAMS, Bandler Law Firm PLLC and Bandler Group LLC, New York, NY, USA, johnbandler@bandlergroup.com

Antonia Merzon, Esq., Boulder, CO, USA, antonia@cybercrimeinvestigationsbook.com

John and Antonia are co-authors of Cybercrime Investigations: A Comprehensive Resource for Everyone.

  1. John Bandler and Antonia Merzon, Cybercrime Investigations: A Comprehensive Resource for Everyone, (Taylor & Francis, 2020). This article draws from the main premise of the book, especially as it applies to financial investigations.
  2. “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005. FinCEN recognized the AML profession’s importance toward the investigation of cybercrime with this advisory. This advisory also recognizes that a good cybercrime investigation draws upon multiple areas of expertise, including AML, information security and anti-fraud measures.
  3. Bandler and Merzon, Cybercrime Investigations, Chapter 15 (Financial Investigation). Investigators should focus on the concept of value and be mindful of evolving and differing terminology in this space, including digital currency, virtual currency, virtual assets, cryptocurrency, crypto assets and “value that substitutes for currency.”
  4. John Bandler, “Stemming the Flow of Cybercrime Payments and Money Laundering,” ACAMS Today, June 9, 2017, https://www.acamstoday.org/stemming-the-flow-of-cybercrime-payments/
  5. New York’s new SHIELD Act is found within the General Business Law sections 899-aa and 899-bb, and the full text of the law is available at https://www.nysenate.gov/legislation/bills/2019/s5575
  6. “Cybersecurity Requirements for Financial Services Companies,” New York State Department of Financial Services, https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf; Federal requirements are even more detailed and include the Cybersecurity Assessment Tool from the Federal Financial Institutions Examination Council. “Cybersecurity Assessment Tool,” Federal Financial Institutions Examination Council, https://www.ffiec.gov/cyberassessmenttool.htm
  7. “Title 16: Commercial Practices,” Electronic Code of Federal Regulations, https://ecfr.gov/cgi-bin/text-idx?SID=d1a1f7573243239ae256f61822657b6b&mc=true&node=pt16.1.681&rgn=div5
  8. “FinCEN Issues Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/news/news-releases/fincen-issues-advisory-financial-institutions-cyber-events-and-cyber-enabled
  9. Bandler and Merzon, Cybercrime Investigations, Chapter 16 (Identification/Attribution).

Leave a Reply