The risks of digitalisation in the context of cyber security – phishing

July 2021  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

July 2021 Issue


Digitalisation is permeating society like never before, not least due to the COVID-19 pandemic, which has moved most economic and social interactions online. Even before the pandemic, digitalisation was shaping the lives of many within the scope of the so-called Fourth Industrial Revolution. Not only does most of our communication take place online via social media and other applications, but online trade and e-banking have also flourished. However, with the manifold opportunities of digitalisation comes an abundance of risks and openings for fraudulent behaviour.

Generally, cyber crime can be divided into two categories: crimes against infrastructure, which include hacking and the distribution of malware and viruses, and crimes committed via the internet, such as phishing. The term phishing describes computer techniques used by fraudsters to obtain data through the unwitting cooperation of their victims. The word is a play on 'fishing', with the 'ph' spelling borrowed from the older hacker term 'phreaking'; the expansion 'password harvesting fishing' that is sometimes offered is a later backronym rather than the origin of the word. The techniques it covers are used to obtain personal information, most often related to banking, for the purpose of committing property offences or identity theft. Because the ingenuity of these techniques endangers the assets of the victims, the issue requires an adequate response under criminal law.

The first peak phase of phishing occurred in 2003, when criminals used techniques such as social engineering to manipulate victims into collaborating with them. The victim would receive an email or text message from the perpetrator, who would frequently use a forged or imitated sender address (so-called email spoofing). The message would typically contain a request to renew personal data for security reasons and a link to an imitation web page where the data was to be entered. Another possibility is that a genuine website has been hacked to host the phishing pages, so that the link points to a real and otherwise trustworthy site. This should not be confused with cybersquatting, which refers to registering domain names that resemble a legitimate brand, for instance through a misspelling, so that a link or a mistyped address leads to the attacker's own site.

Phishing techniques that require the active collaboration of the victim are mainly divided into two types: vishing, or voice phishing, in which the victim is telephoned (often over voice over IP technology, where the displayed caller number is easily forged) and tricked into disclosing personal, financial or password information; and spear phishing, which targets a particular user with a highly personalised message. Typical targets are the employees of a company in so-called CEO fraud, where the attacker impersonates a senior executive and instructs an employee to make an urgent payment or hand over confidential data.

Over time, phishing techniques have evolved, and today criminals also use malware that gives them direct access to the victim's computer. This type of attack is often labelled 'man in the middle', although strictly speaking a man in the middle sits between the victim and the bank and relays the traffic, whereas banking malware that reads or alters the session from inside the victim's own browser is more precisely called a 'man in the browser'. In either case the installed malware allows the perpetrator to take control of the victim's computer or monitor their activity and intercept the data they transmit to their bank. The victims are usually not aware of the issue and do not consciously collaborate with the attacker.

Two attacks of this kind are pharming and in-session phishing. In pharming, the victim's name resolution is manipulated, for example through the local hosts file or the DNS settings of the computer or home router, so that typing the bank's genuine address silently leads to a falsified website where any information entered goes to the attacker. In-session phishing exploits an online banking session that is already open: while the victim is logged in, a pop-up purporting to come from the bank appears and asks the user to re-enter their login information. The pop-up is usually seeded through an email that links to a website carrying it; opening such a website can also cause victims to download malware, which installs itself automatically and provides the criminal with access to the victim's computer system.
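Pharming through the hosts file is the variant of the attack described above that is easiest to check for on a single machine. The following is an added example written for this article and not code from the authors; it parses a constructed hosts file and reports any entry that pins a watched banking domain (the domain list is a hypothetical one) to an address other than loopback, which is the signature of a local redirection rather than a legitimate block-list entry.

```python
import ipaddress

# Hypothetical domains the user or organisation wants to watch (an assumption for this example).
WATCHED_DOMAINS = {"bank.example", "example-bank.com"}

# Constructed hosts file content, not taken from any real system. The last line is the kind of
# entry local pharming malware adds so that the bank's genuine name resolves to an attacker host.
SAMPLE_HOSTS = """\
# Hypothetical hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      bank.example    www.bank.example   # injected by malware
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs where a watched domain or one of its subdomains is
    pinned to an address that is neither loopback nor unspecified.

    Entries pointing at 127.0.0.1, ::1 or 0.0.0.0 only make the name unreachable (a block),
    so they are not reported; anything else redirects the victim and is.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))  # an unparsable address on a watched name is itself suspicious
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"watched name {name} is pinned to {ip}")
```

On a real system the text would be read from /etc/hosts or, on Windows, from C:\Windows\System32\drivers\etc\hosts; the same check does not cover pharming that is carried out on the router or upstream DNS resolver, which has to be detected by comparing resolver answers rather than local files.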

Recently, perpetrators of phishing have favoured online digital wallets storing cryptocurrency. Control of such a wallet rests entirely on its private key, so it is of the utmost importance for users to protect that key from disclosure to unauthorised parties: whoever holds it can move the funds, and a confirmed blockchain transaction cannot be reversed. Addresses on a public blockchain are pseudonymous rather than anonymous; every transaction is visible to all, but the ledger does not record who controls an address. Depending on the jurisdiction, there can be a legal vacuum in terms of supervision and computer security standards in relation to cryptocurrencies, which are usually not regulated or overseen by a central entity as in the case of fiat money. In the absence of mandated security measures, the IT security of cryptocurrency services is left to the private responsibility of wallet providers and their users. In cases of abuse, law enforcement may be able to follow the stolen funds across the public ledger, but identifying the person behind an address and actually recovering the funds is very difficult, ultimately leading to lengthy international mutual assistance procedures.

Given the international nature of cyber crimes such as phishing, requests for mutual assistance will be necessary, as phishing websites are frequently hosted abroad on hacked servers belonging to third parties. In addition, the stolen data is often resold on the black market, which brings several jurisdictions into play. Hence, cyber crime must be combatted on a global level. The first international convention to deal with cyber crime was the Council of Europe's Convention on Cybercrime, concluded on 23 November 2001 in Budapest. Of the 65 states party to it in 2021, several lie outside the Council of Europe, including Australia, Canada, Japan and the US. The main purpose of the convention is to commit the adhering states to a common criminal policy aimed at protecting society from cyber crime, through the adoption of legislative measures and the strengthening of international cooperation. Offences that the acceding states are required to criminalise include illegal access (hacking), interference with data integrity, computer-related fraud, intellectual property infringements and more.

Users should pay close attention to the email addresses and phone numbers from which they receive messages, bearing in mind that both the sender address of an email and the number displayed for an incoming call can be forged, so a familiar-looking sender is not in itself proof of authenticity. Before following a link, users should check where it actually points rather than what its text shows, and should reach their bank by typing its address themselves instead of following links in messages. In addition, users should configure their browsers, or install extensions, to block pop-ups and automatic downloads, and should enable two-factor authentication wherever their bank offers it, so that a captured password alone is not enough for the attacker.
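The checks recommended above, together with the spoofed-sender and imitation-page lure described earlier in this article, can be applied mechanically to a message before anyone clicks. The following is an added example written for this article and not code from the authors; it takes a constructed sample lure (not a real message) and a hypothetical list of domains the bank genuinely sends from, and flags a sender on a look-alike domain, a Reply-To that diverts answers elsewhere, and a link whose visible text names the real bank while its target does not.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domain the bank genuinely sends mail from (an assumption made for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample lure, not a real message: the display name claims to be the bank, the
# actual address sits on a look-alike domain (digit 1 for letter l), Reply-To goes elsewhere,
# and the link text shows the bank's real URL while the href points at the look-alike host.
SAMPLE_LURE = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: support@mail-verify.example.net
To: customer@example.org
Subject: Please renew your personal data for security reasons
Content-Type: text/html; charset="utf-8"

<html><body><p>Please renew your personal data within 24 hours.</p>
<p><a href="http://examp1e-bank-login.com/renew">https://www.example-bank.com/renew</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, lower-cased. Deliberately naive: no public-suffix list is consulted."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def shown_domain(text):
    """Domain named by a link's visible text, or '' when the text is not URL-like."""
    if " " in text or "." not in text:
        return ""
    return registrable_domain(urlparse(text if "://" in text else "//" + text).hostname)


def is_lookalike(domain, trusted_domains):
    """True if the domain imitates a trusted one once common digit-for-letter swaps are undone."""
    normalised = domain.translate(str.maketrans("01", "ol"))
    return any(domain != t and t.split(".")[0] in normalised for t in trusted_domains)


def analyse_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return human-readable findings for one raw message; an empty list means nothing was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = address_domain(msg["From"])
    if from_dom and from_dom not in trusted_domains:
        why = "imitates a trusted domain" if is_lookalike(from_dom, trusted_domains) else "is not a trusted sender domain"
        findings.append(f"From: sender domain {from_dom!r} {why}")

    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            href_dom, text_dom = registrable_domain(urlparse(href).hostname), shown_domain(text)
            if text_dom and text_dom != href_dom:
                findings.append(f"link text shows {text_dom!r} but points to {href_dom!r}")
            elif href_dom not in trusted_domains:
                findings.append(f"link points to untrusted domain {href_dom!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_LURE):
        print(finding)
```

The look-alike test only undoes two digit-for-letter substitutions and the domain parser ignores the public-suffix list, so this is a demonstration of the checks rather than a production filter; a mail gateway would additionally consult the Authentication-Results header (SPF, DKIM and DMARC) to establish whether the From domain was actually authorised to send the message.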

Fabian Teichmann is an attorney at law and public notary and Marie-Christin Falker is a research associate at Teichmann International (Schweiz) AG. Dr Teichmann can be contacted on +41 (71) 260 2440 or by email: teichmann@post.harvard.edu. Ms Falker can be contacted by email: falker@teichmann-law.ch.

© Financier Worldwide

