Fraud & Cybersecurity
May 9, 2025: Fraud & Cybersecurity Articles
- Huge Ecosystem of Unregulated Payment Providers Helps Scammers Collect Victims’ Money
- Hacking Group That Wreaked Havoc on Las Vegas Appears to Be Back
- Related Reading: UK Shares Security Tips After Major Retail Cyberattacks
- White House Proposal Slashes Half-Billion from CISA Budget
- Google Identifies New Malware Linked to Russia-Based Hacking Group
Huge Ecosystem of Unregulated Payment Providers Helps Scammers Collect Victims’ Money
Tom Stocks, Holger Roonemaa, Lawrence Marzouk, Margaux Farran, Begoña Ramirez & Richard Smith; Organized Crime and Corruption Reporting Project
Key Findings
- Scammers seeking to move money from their victims can access the global banking system quickly, while distancing themselves from the transactions, through a large number of services they referred to internally as “payment service providers,” though they were not licensed and did not appear to correspond to real legal entities in most cases.
- Some of these payment services, like one operating under the name Bankio, provided scammers with instant access to bank accounts they could instruct their victims to send money to.
- Bankio and other providers would also create invoices for non-existent goods or services that the scammers could use to justify the transfer of funds.
- Another payment system helped funnel millions of euros out of Spain through over a dozen companies and 18 bank accounts, including some at major banks.
- In the U.K., a system known to scammers as “Britain Local” connected call centers to U.K. bank accounts held by companies owned by apparent proxies. Experts said the movement of funds through these bank accounts raised several red flags for money laundering.
- Scammers coach their victims in how to bypass anti-fraud controls at major commercial banks, and often instruct them to open new accounts at online-first “neobanks” to make it easier for them to send money without facing questions.
“Liliana Molina” was a scammer based in a call center in Tbilisi. Over the course of a few weeks in March and April 2024, she had spent hours on the phone with “Mark,” a cheerful British tradesman, convincing him to invest in what she insisted were can’t-lose cryptocurrency and stock opportunities. “If … you do what I say, believe me, we’re going to be very profitable,” she told him. Finally, he agreed.
Payment needed to be arranged quickly. Liliana loaded up the messaging service Telegram and fired off a request to her call center’s finance department: “I need UK details for 7k please,” she wrote. Read more
Hacking Group That Wreaked Havoc on Las Vegas Appears to Be Back
Robert McMillan, Wall Street Journal
Attacks on U.K. retailers appear to mark comeback of ‘Scattered Spider,’ a network that has disrupted operations at dozens of corporations.
Key Points
- Hacking group Scattered Spider, known for disrupting the Las Vegas Strip, is suspected in recent cyber intrusions at U.K. retailers.
- Harrods, Marks & Spencer, and Co-op have reported cyber intrusions, with attacks bearing hallmarks of Scattered Spider’s methods.
- Scattered Spider, which went silent after several arrests last year, uses social engineering and other methods to steal data and demand extortion payments.
The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers. The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers that have wreaked havoc across industries in recent years.
U.K. retailers Harrods, Marks & Spencer and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.
The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open. Read more
- Related Reading: UK Shares Security Tips After Major Retail Cyberattacks
White House Proposal Slashes Half-Billion from CISA Budget
Ryan Naraine, Security Week
The proposed $491 million cut is being positioned as a “refocusing” of CISA on its core mission “while eliminating weaponization and waste.”
The White House has signaled plans to cut the Cybersecurity and Infrastructure Security Agency’s (CISA) budget by $491 million on the grounds that the agency became a “censorship industrial complex” at the expense of cyber defense.
In budget documents sent to Congress, the proposed $491 million cut is being positioned as a “refocusing” CISA on its core mission “while eliminating weaponization and waste.” “The Budget also removes offices that are duplicative of existing and effective programs at the State and Federal level,” according to documentation published by the White House.
“The Budget eliminates programs focused on so-called misinformation and propaganda as well as external engagement offices such as international affairs. These programs and offices were used as a hub in the Censorship Industrial Complex to violate the First Amendment, target Americans for protected speech, and target the President,” OMB Director Russell Vought wrote in his justification for the cuts.
“CISA was more focused on censorship than on protecting the Nation’s critical systems, and put them at risk due to poor management and inefficiency, as well as a focus on self-promotion,” the White House added. The White House justification was echoed by Department of Homeland Security Secretary Kristi Noem in an RSA Conference keynote that accused CISA of straying from its founding purpose. Read more
Google Identifies New Malware Linked to Russia-Based Hacking Group
Deborah Sophia, Reuters
Alphabet’s Google said on Wednesday it has identified new malware called “LOSTKEYS” tied to the Russia-based hacking group Cold River, which is capable of stealing files and sending system information to attackers.
The malware “marks a new development in the toolset” of Cold River, Wesley Shields, a researcher with Google Threat Intelligence Group, said in a blog.
Cold River, a name used to track hacking campaigns previously linked to Russia’s Federal Security Service, is primarily known for stealing login credentials from high-profile targets, including those within NATO governments, non-governmental organizations and former intelligence and diplomatic officers, Shields said in the blog. The central goal was intelligence collection in support of Russian strategic interests.
Recent targets, observed in January, March and April 2025, include current and former advisers to Western governments and militaries, as well as journalists, think tanks and NGOs, and unnamed individuals connected to Ukraine, according to the blog. The Russian embassy in Washington did not immediately respond to a request for comment.
Past high-profile campaigns have included targeting three nuclear research laboratories in the U.S. in the summer of 2022, and the publishing of the private emails of former British spymaster Richard Dearlove, alongside pro-Brexit individuals, in an operation revealed in May 2022.
May 2, 2025: Fraud & Cybersecurity Articles
- Debunking Security ‘Myths’ to Address Common Gaps
- DOJ Releases Its Data Security Program Compliance Guide
- AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover
- Where Can Financial Institutions Turn for Guidelines in Cyber Resiliency?
Debunking Security ‘Myths’ to Address Common Gaps
Arielle Waldman, Dark Reading
Dan Gorecki and Scott Brammer’s interactive session during RSAC Conference 2025 encourages security professionals to rethink their security postures and address evolving and emerging risks.
Organizations struggling to implement and maintain a basic security foundation need to start rethinking compliance checklists. Following industry best practices generally includes managing authentication, compliance, and risk management issues. However, it can be difficult to know what items to prioritize and even more challenging to know which ones are necessary.
One prime example is implementing multifactor authentication (MFA) to bolster security and make it harder for attackers to gain initial access. While MFA is a highly important control to put in place, it is not strong enough on its own, Dan Gorecki, principal and CISO at NGC Risk, warned in his session “Cybersecurity Myth-Busting: Fact vs. Fiction in Cyber Programs” during RSAC Conference 2025 this week in San Francisco. Asked whether MFA is the strongest security control, Gorecki said “it depends.”
“It’s defense in depth, super strong control, but it needs to work with a lot of other controls to be very effective,” Gorecki said. “We’ve seen with SIM swapping and other things that MFA, while a very strong control, it is not enough.”
Focus on Third Parties That Matter Most
With supply chain risks on the rise, made especially evident by last year’s ransomware attack against UnitedHealth’s Change Healthcare, organizations are increasingly tasked with third-party risk management. While it is important to stay updated on what’s happening with third-party vendors, especially as risks rapidly evolve, the methods organizations currently use can improve and expand beyond questionnaires that may be intentionally or unintentionally misleading. Read more
DOJ Releases Its Data Security Program Compliance Guide
Jeewon K. Serrato, Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco, Leighton Watson, Sheetal Misra; Pillsbury Law
The guide outlines the requirements of a newly implemented Data Security Program designed to prevent China, Russia and other foreign adversaries designated by the U.S. Department of Justice from accessing Americans’ sensitive personal data and U.S. government-related data.
Takeaways
- The Data Security Program (DSP), which effectively establishes export controls on data subject to the Program, applies to a wide range of transactions by U.S. persons, including data brokerage and vendor, employment and investment agreements, involving U.S. government-related data or the bulk sensitive personal data of Americans.
- U.S. persons must comply with core DSP prohibitions, restrictions and other requirements beginning April 8, 2025, with additional affirmative obligations—including due diligence, reporting and audit requirements—taking effect on October 6, 2025.
- U.S. persons must implement risk-based DSPs, conduct annual audits and maintain detailed records for at least 10 years, with noncompliance potentially resulting in civil or criminal penalties.
On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule (28 C.F.R. Part 202) implementing former President Biden’s Executive Order 14117 (Order), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Order and final rule create the Data Security Program (DSP), which provides for restrictions or prohibitions on access to U.S. government-related data and Americans’ bulk sensitive data by specified countries of concern or covered persons. The regulations largely took effect on April 8, 2025, but additional affirmative compliance requirements for U.S. persons will take effect on October 6, 2025.
On April 11, 2025, the DOJ, through its National Security Division (NSD), issued a Data Security Program Compliance Guide, along with a list of more than 100 Frequently Asked Questions (FAQs) and an Implementation and Enforcement Policy, to assist entities in understanding rule compliance and enforcement.
Below we discuss the key components of the DSP and offer thoughts about compliance.
The DSP provides for:
prohibitions on covered data transactions by U.S. persons that involve data brokerage with countries of concern, covered persons or other foreign persons (unless certain requirements intended to prevent onward transfer of data are met) or involve access to bulk human ‘omic data (i.e., large-scale, molecular-level biological datasets) by countries of concern or covered persons designated by the DOJ; Read more
AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover
Ionut Arghire, Security Week
Vulnerabilities in Apple’s AirPlay protocol could have allowed attackers to execute code remotely without user interaction.
Vulnerabilities in Apple’s AirPlay protocol and the accompanying SDK could allow attackers to take over devices, in some instances without user interaction, runtime protection firm Oligo Security says. The identified security defects, 23 in total, could be exploited over wireless networks and peer-to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK.
Two of the discovered vulnerabilities, tracked as CVE-2025-24252 and CVE-2025-24132, enable attackers to build wormable zero-click remote code execution exploits. The compromised devices could be used as a launchpad for additional compromise. “This means that an attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects to. This could lead to the delivery of other sophisticated attacks related to espionage, ransomware, supply-chain attacks, and more,” Oligo says.
A total of 17 CVE identifiers were issued for the disclosed issues, and Apple worked together with Oligo to address them in the recent iOS, iPadOS, and macOS releases. These vulnerabilities, which Oligo calls AirBorne, could be exploited independently or chained together for remote code execution (RCE), protection bypasses, file read, information disclosure, man-in-the-middle (MiTM) attacks, and denial of service (DoS).
CVE-2025-24252, a use-after-free bug, could lead to RCE on macOS. If chained with CVE-2025-24206, a user interaction bypass, it leads to zero-click RCE on “macOS devices that are connected to the same network as an attacker with the AirPlay receiver on and set to the ‘Anyone on the same network’ or ‘Everyone’ configuration”. Read more
Where Can Financial Institutions Turn for Guidelines in Cyber Resiliency?
Tom Nawrocki, Payments Journal
Regulation continues to recede from the realm of cybersecurity, leaving organizations to fill these gaps on their own, using their own knowledge bases. The onus now falls on the financial services industry to self-govern and for cybersecurity leaders to come up with their own standards to ensure best practices.
In 2024, the nonprofit organization MITRE released ATT&CK for mobile, which maps out where a financial institution might be vulnerable to an attack. According to Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research, this could be an important step toward enforcing cyber resiliency in an age of lax compliance regulations. Her new report, Leverage MITRE Frameworks for Effective Cyber Investment, examines how financial institutions can use this and other new tools to preserve their cyber resiliency.
Looking for New Guidelines
As we see less regulatory oversight of financial institutions, particularly in the United States, cybersecurity teams must look to their own resources to make decisions on budgeting. Typically, financial institutions set their budgets for cybersecurity based on their need to comply with regulations or to meet certain standards. Without compliance regulations in place, they are forced to seek guidelines elsewhere.
For many years, organizations looked to the Federal Financial Institutions Examination Council, or FFIEC, for standards to follow. But the recent downsizing of the Consumer Financial Protection Bureau underscores the fact that the FFIEC has lost some of its efficacy in providing guidance for financial institutions. This has put institutions in the position of not having much oversight or regulatory scrutiny, which is not necessarily a positive thing. Read more
Apr. 25, 2025: Fraud & Cybersecurity Articles
- AI-Powered Polymorphic Phishing Is Changing the Threat Landscape
- IDV in Anti-Money Laundering: Navigating Modern Threats and Countermeasures
- FBI Says Online Scams Raked in Record $16.6 Billion Last Year, Up 33% from 2023
- Complaints About Ransomware Attacks on US Infrastructure Rise 9%
AI-Powered Polymorphic Phishing Is Changing the Threat Landscape
Stu Sjouwerman, Security Week
Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.
Our threat research team has observed a rise in polymorphic phishing campaigns being launched on a much larger scale than before. We found a 17% increase in phishing emails in February 2025 compared to the previous six months. Last year, at least one polymorphic feature was present in 76% of all phishing attacks.
Understanding Polymorphic Phishing
Polymorphic phishing is an advanced form of phishing campaign that randomizes the components of emails, such as their content, subject lines, and senders’ display names, to create several almost identical emails that only differ by a minor detail. In combination with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.
Traditional detection systems group phishing emails together to enhance their detection efficacy based on commonalities in phishing emails, such as payloads or senders’ domain names. The use of AI by cybercriminals has allowed them to conduct polymorphic phishing campaigns with subtle but deceptive variations that can evade security measures like blocklists, static signatures, secure email gateways (SEGs), and native security tools. For example, cybercriminals modify the subject line by adding extra characters and symbols, or they can alter the length and pattern of the text.
Most polymorphic phishing attacks use compromised accounts (52%), followed by phishing domains (25%) and webmail (20%) to send phishing emails that can bypass domain authentication checks. Read more
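The grouping problem the article describes can be shown with a few lines of code. As an added illustration (not code from the article or from the author’s company), the Python below clusters constructed sample messages two ways: on the literal sender and subject, the way a static signature does, and on a normalized fingerprint (sender domain, display name and subject with case, punctuation, Unicode look-alikes and numeric tokens collapsed, and link URLs stripped of their per-recipient query strings). The addresses, domain names and URLs are made up for the example.

```python
import re
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample messages for illustration (not real campaign data):
# four variants of one lure that differ only in casing, punctuation, an
# appended tracking number and the sending mailbox, plus one unrelated mail.
# All senders share one domain, as they would when a tenant's accounts are compromised.
SAMPLE_EMAILS = [
    {"display": "IT Helpdesk", "from": "accounts@acme-corp.example",
     "subject": "Action required: password expires today",
     "body": "Reset now at https://login-acme.example/reset?u=1"},
    {"display": "IT HelpDesk", "from": "payroll@acme-corp.example",
     "subject": "Action Required - Password expires today!!",
     "body": "Reset now at https://login-acme.example/reset?u=2"},
    {"display": "I.T. Helpdesk", "from": "hr@acme-corp.example",
     "subject": "[Action required] password  expires today #48213",
     "body": "Reset now at  https://login-acme.example/reset?u=3"},
    {"display": "IT Helpdesk  ", "from": "sales@acme-corp.example",
     "subject": "ACTION REQUIRED:: Password expires today...",
     "body": "Reset now at https://login-acme.example/reset?u=4"},
    {"display": "Finance", "from": "cfo@acme-corp.example",
     "subject": "Q2 budget review",
     "body": "See attached."},
]

URL_RE = re.compile(r"https?://\S+")


def normalize_text(text: str) -> str:
    """Collapse the cheap mutations: Unicode look-alikes (NFKC), case,
    punctuation, repeated whitespace and purely numeric tokens such as
    appended ticket or tracking numbers."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[^\w\s]+", "", text)  # drop punctuation, keep letters/digits/space
    tokens = [t for t in text.split() if not t.isdigit()]
    return " ".join(tokens)


def normalize_urls(body: str) -> frozenset:
    """Keep scheme, host and path of each link; the query string (tracking
    ids, encoded recipient) is the part that changes per message."""
    out = set()
    for raw in URL_RE.findall(body):
        parts = urlsplit(raw.rstrip(".,;)"))
        out.add((parts.scheme, parts.netloc.lower(), parts.path))
    return frozenset(out)


def exact_key(mail: dict) -> tuple:
    """What a naive signature does: group on the literal sender and subject."""
    return (mail["from"], mail["subject"])


def fingerprint(mail: dict) -> tuple:
    """Campaign fingerprint that survives the polymorphic variation."""
    sender_domain = mail["from"].rsplit("@", 1)[-1].lower()
    return (
        sender_domain,
        normalize_text(mail["display"]),
        normalize_text(mail["subject"]),
        normalize_urls(mail["body"]),
    )


def cluster(mails, key):
    """Group messages by the given key function; returns {key: [mails]}."""
    groups = defaultdict(list)
    for mail in mails:
        groups[key(mail)].append(mail)
    return dict(groups)


def largest_cluster_size(mails, key) -> int:
    return max(len(group) for group in cluster(mails, key).values())


if __name__ == "__main__":
    print("exact grouping:", len(cluster(SAMPLE_EMAILS, exact_key)), "clusters")
    print("normalized grouping:", len(cluster(SAMPLE_EMAILS, fingerprint)), "clusters")
    for fp, group in cluster(SAMPLE_EMAILS, fingerprint).items():
        print(len(group), "x", fp[1], "|", fp[2])
```

Exact grouping sees five unrelated messages; the normalized fingerprint collapses the four variants into one campaign cluster and leaves the unrelated mail alone. Note what the fingerprint deliberately does not rely on: sender reputation or SPF/DKIM alignment, since the article’s figures show most of these campaigns go out from compromised accounts that pass those checks.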
IDV in Anti-Money Laundering: Navigating Modern Threats and Countermeasures
Over the past few decades, the international community has built an extensive anti-money laundering (AML) framework—and it keeps evolving year by year.
For example, the Financial Action Task Force (FATF) introduced new changes in their 40 recommendations in February 2025. They now encourage simplified measures in lower-risk scenarios while still promoting a certain level of caution when performing risk assessment in the first place.
This update is a good representation of how the world is treating AML right now: trying to achieve the delicate balance of user-friendliness and security in all operations. And how does it happen?
In this article, we’ll provide an overview of current AML threats, describe the role of FATF in countering them, and see how biometric verification is playing its part in this process.
Modern money laundering threats
Money laundering methods continue to adapt in response to law enforcement and regulatory measures. Today’s launderers exploit emerging technologies, global trade, and regulatory gaps, and also commit identity fraud. Read more
FBI Says Online Scams Raked in Record $16.6 Billion Last Year, Up 33% from 2023
Kerry Breen, CBS News
Scammers stole a record $16.6 billion in 2024, the FBI said on Wednesday.
That marked a 33% increase from 2023, according to the FBI’s Internet Crime Complaint Center’s annual report. More than a quarter million complaints reported money lost to a scam, with an average loss of more than $19,000.
“As nearly all aspects of our lives have become digitally connected, the attack surface for cyber actors has grown exponentially,” the FBI’s Operations Director for Criminal and Cyber B. Chad Yarbrough said in a note attached to the report. While most losses were caused by fraud, ransomware prevailed as the largest threat to critical infrastructure in 2024, the FBI said. Complaints related to ransomware rose 9%.
The reported losses are likely an undercount of the actual amount of money lost to scammers, experts say, because not all targets report the incident to law enforcement or the FBI. Rich Brune told CBS News he never saw the faces of the criminals who scammed him for $1.7 million in three months.
Instead, one day while he was working on his computer, a message popped up claiming that his information had been compromised and that he was under investigation for “unlawful computer uploads.” “Contact this number, lock up your computer, don’t shut your computer off,” Brune recalled to CBS News the message read.
The criminals convinced the Vietnam War veteran to wire money and open up access to his bank account to clear things up. Read more
Complaints About Ransomware Attacks on US Infrastructure Rise 9%
A.J. Vicens, Reuters
Summary
- Record $16.6 billion in cyber losses reported, 33% increase over 2023
- Cryptocurrency fraud losses reached $9.3 billion, up 66% from 2023
- Older adults most affected by cyber-enabled fraud, $4.8 billion in losses
Ransomware was the most pervasive cyber threat to critical infrastructure in 2024 as complaints regarding such attacks jumped 9% over 2023, the FBI said on Wednesday.
Ransomware attacks on critical infrastructure accounted for almost half of all ransomware complaints received in 2024 by the agency’s Internet Crime Complaint Center (IC3), a top FBI cyber official said ahead of the release of the agency’s annual Internet Crime Report, which details scam and cyber-enabled fraud impacts across sectors and to various demographic groups.
Critical manufacturing, healthcare, government facilities, financial services and information technology were the top critical infrastructure sectors targeted, Cynthia Kaiser, deputy assistant director of the FBI’s Cyber Division, told reporters on a call.
Ransomware attacks – which lock a target’s files until an extortion payment is made – are just one of the types of cyberattacks targeting critical infrastructure, a term encompassing 16 sectors, including chemical plants, communications, energy, food production, transportation, and water systems. Their “incapacitation or destruction would have a debilitating effect” on public health and security, according to the Cybersecurity and Infrastructure Security Agency (CISA). Read more
Apr. 18, 2025: Fraud & Cybersecurity Articles
- Deepfake Detection Partnerships Span AI, Academia, C-Suite, and Celebrity Content
- Why ‘One Community’ Resonates in Cybersecurity
- The Cost of Inaction: Why FIs Are Investing in Scam Prevention Now
- Google Blocked Over 5 Billion Ads In 2024 Amid Rise In AI-Powered Scams
Deepfake Detection Partnerships Span AI, Academia, C-Suite, and Celebrity Content
Joel R. McConvey, Biometric Update
Advances in cheap, easy tech mean the threat presents at every level.
The deepfake threat continues to spur partnerships, as providers aim to refine their technology in the face of increasingly sophisticated synthetic media, AI-generated audio and likeness theft.
Reality Defender has announced a strategic data partnership with the AI voice generator platform PlayAI, which will see it leverage data generated from PlayAI’s voice models to improve the accuracy and resilience of its deepfake detection tools.
A release says the collaboration demonstrates PlayAI’s “commitment to the ethical and responsible use of AI, and the importance of maintaining trust and accountability within the digital landscape.”
The firm presumably feels the need to specify that they are not among those causing the deepfake problem Reality Defender aims to solve. However, their stated offering – “generate AI voices as real as humans. Deploy everywhere – to web, to phone, to apps, and beyond” – certainly sounds like the kind of cheap, easy speech engine technology deepfake warriors warn about. Read more
Why ‘One Community’ Resonates in Cybersecurity
Marc Solomon, Security Week
Our collective voices and one community will provide the intelligence we need to safeguard our businesses in today’s modern digital environment.
The annual 2025 RSA Conference is fast approaching and as we prepare for the biggest event impacting cybersecurity professionals, I couldn’t fail to notice how the key themes over the past few years, including this year, really resonate with what we are seeing across the cybersecurity industry.
A fitting anchor theme
The key theme for this year’s event is “Many Voices. One Community”. And there really are many voices at RSA with 531 sessions, 600 exhibitors and more than 40,000 delegates. But this is a great anchor theme and one that is very close to my heart because it emphasizes the importance of sharing, collaboration, and unity within the cybersecurity sector.
Of course, like any major event, there’ll be lots of hype, noise and a flurry of announcements to sift through, but the reality is that big conferences, like RSA, really help to move the needle and drive the industry forward. Naturally, there will be all the major vendors who already have an established presence, but it is worth exploring the smaller booths – the startups – who will undoubtedly be showcasing new innovative ideas that could become tomorrow’s big idea.
Falling into the ‘Innovator’s Dilemma’ trap
That isn’t to say that the larger vendors don’t have the wherewithal to innovate, but they often fall into the ‘Innovator’s Dilemma.’ This happens when successful vendors focus too heavily on sustaining core products that serve their existing customer base, while neglecting disruptive innovations and technologies that initially target niche markets but eventually redefine whole industries. Read more
The Cost of Inaction: Why FIs Are Investing in Scam Prevention Now
Wesley Grant, Payments Journal
A consumer receives a text about an unpaid toll bill demanding immediate payment—only they haven’t driven on a toll road recently.
A homeowner locked out of their house calls a locksmith, only to discover the business listing on Google Maps was fake, and they have been redirected to a criminal trying to manipulate them into sending funds. These scams are alarmingly common, with new tactics emerging every day. Yet despite the persistence and damage caused by these threats, many financial services companies still fail to allocate sufficient budget to protecting themselves and their customers.
In the Battle of the Budget: Prioritizing Scam Classification for Future Cost Savings report, Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research, examined the scam identification and prevention tools available to financial institutions—and the growing urgency of dedicating more resources to the fight against fraud.
Altering the Priority List
Though most financial institutions notify their customers about emerging scam types, they have not been as quick to invest in the technology needed to mitigate them.
“A huge issue as far as budgets go—whether the funds are there or not—there’s always something flashier to spend the budget on,” Sando said. “This goes for any organization. So many are going to spend their money on enhancements that will improve the user experience and keep them competitive in the market, or things that might handle regulatory issues that come up. As these things crop up, the priority list changes.” Read more
Google Blocked Over 5 Billion Ads In 2024 Amid Rise In AI-Powered Scams
Lawrence Abrams, Bleeping Computer
Google blocked 5.1 billion ads and suspended more than 39.2 million advertiser accounts in 2024, according to its 2024 Ads Safety Report released this week.
The company says the increasing enforcement activity is driven by the growing threat of AI-generated content, impersonation scams, and abuse of its ad platform. In particular, Google highlighted the use of generative AI tools to create deepfake video impersonations of celebrities and public figures to promote scams, which in BleepingComputer’s experience are commonly investment and cryptocurrency scams.
As a result, Google says it permanently suspended over 700,000 advertiser accounts for policy violations related to AI-driven impersonation scams.
“To fight back, we quickly assembled a dedicated team of over 100 experts to analyze these scams and develop effective countermeasures, such as updating our Misrepresentation policy to suspend advertisers that promote these scams,” explains Google’s 2024 Ads Safety Report.
“As a result, we were able to permanently suspend over 700,000 offending advertiser accounts. This led to a 90% drop in reports of this kind of scam ad last year. While we are encouraged by this progress, we continue to work to prevent these scams.” Read more
Apr. 11, 2025: Fraud & Cybersecurity Articles
- Phishing Kits Now Vet Victims in Real-Time Before Stealing Credentials
- In Salt Typhoon’s Wake, Congress Mulls Potential Options
- Treasury’s OCC Says Hackers Had Access to 150,000 Emails
- Who’s Calling? The Threat of AI-Powered Vishing Attacks
Phishing Kits Now Vet Victims in Real-Time Before Stealing Credentials
Bill Toulas, Bleeping Computer
Phishing actors are employing a new evasion tactic called ‘Precision-Validated Phishing’ that only shows fake login forms when a user enters an email address that the threat actors specifically targeted.
Unlike traditional mass-targeting phishing, this new method uses real-time email validation to ensure phishing content is shown only to pre-verified, high-value targets. Although not overly advanced or particularly sophisticated, the new tactic excludes all non-valid targets from the phishing process, thus blocking their visibility into the operation.
Email security firm Cofense, which documented the rise in adoption of this new tactic, noted that it has created a significant practical problem for them. When researching phishing sites, it is common for researchers to enter fake email addresses or ones under their control to map the credential theft campaign.
However, with this new technique, invalid or test email addresses entered by researchers now display an error or redirect them to benign sites. This impacts the automated security crawlers and sandboxes used in research, reducing detection rates and prolonging the lifespan of phishing operations. “Cybersecurity teams traditionally rely on controlled phishing analysis by submitting fake credentials to observe attacker behavior and infrastructure,” explains Cofense. Read more
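As an added illustration (not code from Cofense or from the article), the Python below models the gate such a kit applies and the probe an analyst can run against it: instead of a throwaway address, submit the address that actually received the reported lure, alongside a few random decoys, and compare what comes back. If only the targeted address reaches a form, the site is validating identity and a canary-credential sandbox run will never see the harvest page. The target list, addresses and redirect destination are constructed for the example; in practice `fetch` would be an HTTP request to the kit.

```python
import uuid

# Hypothetical preloaded target list, as an operator of such a kit would hold
# (constructed addresses, not from the article).
TARGETS = {"cfo@victim-corp.example", "treasury@victim-corp.example"}

LOGIN_FORM = "LOGIN_FORM"
BENIGN_REDIRECT = "REDIRECT https://www.example.org/"  # placeholder benign destination


def kit_gate(email: str, targets=TARGETS) -> str:
    """Models the server-side gate the article describes: the credential form is
    returned only for an address the operator pre-verified; any other address,
    including a researcher's throwaway, gets a redirect to a harmless page."""
    if email.strip().lower() in targets:
        return LOGIN_FORM
    return BENIGN_REDIRECT


def differential_probe(fetch, lure_recipient: str, decoy_count: int = 3) -> dict:
    """Analyst-side check. `fetch(email)` returns the page served after the
    email step (here kit_gate stands in for the HTTP request). The address
    that actually received the lure is submitted alongside random decoys; a
    kit that serves a form to the target but not to the decoys is gating on
    identity, and automated crawlers using fake addresses will miss it."""
    decoys = [f"probe-{uuid.uuid4().hex[:8]}@decoy-{i}.example" for i in range(decoy_count)]
    target_page = fetch(lure_recipient)
    decoy_pages = {fetch(decoy) for decoy in decoys}
    gated = target_page == LOGIN_FORM and LOGIN_FORM not in decoy_pages
    return {
        "gated": gated,
        "target_page": target_page,
        "decoy_pages": sorted(decoy_pages),
    }


if __name__ == "__main__":
    print("researcher decoy :", kit_gate("analyst@example.com"))
    print("targeted address :", kit_gate("cfo@victim-corp.example"))
    print("gated kit        :", differential_probe(kit_gate, "cfo@victim-corp.example"))
    # An old-style kit that shows the form to everyone is not flagged as gated.
    print("ungated kit      :", differential_probe(lambda e: LOGIN_FORM, "cfo@victim-corp.example"))
```

Only the email step is replayed here; the password field should always receive a canary value, never the recipient’s real credential. Whether the kit checks a static list as modelled or validates the address live against the target’s identity provider, the decoy addresses will fail that check, so the same comparison applies.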
In Salt Typhoon’s Wake, Congress Mulls Potential Options
Alexander Culafi, Dark Reading
While the House Committee on Government Reform was looking for retaliatory options, cybersecurity experts pointed them toward building better defenses.
The threat of state-sponsored groups targeting US critical infrastructure remains top of mind, and there’s no better example of this than Salt Typhoon.
Congress waded into the issue on April 2. The House Committee on Government Reform dedicated a hearing to Salt Typhoon, the infamous state-sponsored Chinese threat group that was found last fall to have targeted a swath of major telecommunications providers, including T-Mobile, Verizon, and AT&T. In one of the worst US critical infrastructure attacks in recent memory (if not ever), the group breached the systems that law enforcement agencies use for wiretapping.
This gave the Chinese government access to sensitive data belonging to politicians as well as the Republican and Democratic 2024 Presidential campaigns. Despite this, and despite continued fallout (such as the April 2 hearing), Salt Typhoon has continued its siege on telco infrastructure around the world and well into the new year.
Before the Department of Homeland Security more or less shuttered the Cyber Safety Review Board in January, it was in the middle of a Salt Typhoon investigation. House committee chairman William Timmons (R-SC) hosted the meeting, hearing testimony from Josh Steinman, CEO of operational technology security vendor Galvanick; Edward Amoroso, research professor at New York University; and Matt Blaze, McDevitt chair in Computer Science and Law at Georgetown University. Read more
Treasury’s OCC Says Hackers Had Access to 150,000 Emails
Eduard Kovacs, Security Week
The Office of the Comptroller of the Currency (OCC) has disclosed an email security incident in which 100 accounts were compromised for over a year.
The US Treasury Department’s Office of the Comptroller of the Currency (OCC) on Tuesday shared information on a recently discovered email system breach that has been described as a “major incident”. The OCC, whose role is to regulate and supervise national and foreign banks, revealed in late February that it had become aware of a security incident involving an administrative account in its email system.
The initial investigation revealed that a “limited number” of email accounts were affected and there was no evidence of impact on the financial sector. An update shared by the regulator on Tuesday provided more information on the incident, which it discovered on February 12, 2025, after learning of unusual interactions between OCC user inboxes and system admin accounts.
An analysis showed that threat actors had gained access to emails of executives and employees, including messages containing “information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes”.
Based on a draft letter from the OCC to Congress and information from sources, Bloomberg reported that 103 email accounts were compromised and the attackers gained access to highly sensitive financial information. Read more
Who’s Calling? The Threat of AI-Powered Vishing Attacks
Bleeping Computer
Imagine receiving a call from a high-ranking official, urgently requesting a wire transfer to resolve a national crisis. This was the case for several wealthy entrepreneurs in Italy recently, leaving them in an awkward position.
However, it was in fact fraudsters impersonating the Italian Defense Minister Guido Crosetto, trying to trick individuals into transferring large sums of money. This is an example of vishing—a growing cybersecurity threat that’s at risk of going nuclear thanks to AI.
Vishing, or “voice phishing,” is a form of social engineering where scammers use phone calls to deceive victims into revealing sensitive information or making fraudulent payments. While traditional vishing relied on human impersonation, AI now enables attackers to generate highly convincing synthetic voices, even cloning the voices of real individuals.
How can your voice be cloned?
AI can create realistic human voices using text-to-speech (TTS) synthesis and deep learning techniques. Advanced models like Google DeepMind’s WaveNet and AI-powered vocoders are able to replicate human speech patterns with remarkable accuracy. Microsoft claims that a voice can be cloned in just three seconds, meaning a scammer could phone someone for a very brief conversation and then create a realistic AI voice using only that recording. Read more
Apr. 4, 2025: Fraud & Cybersecurity Articles
- Congress Urged to Reform AML Rules, Repeal Corporate Transparency Act Amid Rising Fraud Costs
- Explosion in Identity and Payments Fraud Forces Governments, Private Companies to Act
- How Visa Fights Financial Crime with its Anti-Scam Unit
- Further Clarity Regarding Coverage for Funds Transfer Fraud
Congress Urged to Reform AML Rules, Repeal Corporate Transparency Act Amid Rising Fraud Costs
Pymnts.com
Witnesses from the ranks of business and banking told lawmakers that efforts to fight payment and investment scams must be aided by a “whole government” approach, along with fine-tuning of suspicious activity reporting — in addition to a repeal of the Corporate Transparency Act.
On Tuesday (April 1), the House Financial Services Subcommittee on National Security, Illicit Finance, and International Financial Institutions held a hearing titled “Following the Money: Tools and Techniques to Combat Fraud” that delved into the rising costs of fraud, and the ways in which advanced technologies can be, and are being, leveraged by criminals and banks as they do battle with one another.
But most witnesses charged that existing regulations have not kept pace with new attack vectors, and impose burdens on smaller businesses as they seek to comply with those regulations. Subcommittee Chair Warren Davidson, R-Ohio, said in his opening remarks that the Federal Trade Commission has estimated that U.S. consumers lost $5.7 billion to investment scams last year.
“Criminals are increasingly finding ways to bypass U.S. financial regulations to scam Americans into draining their life savings for the sake of their own illicit gain,” he said.
Eyeing the Bank Secrecy Act
Separately, in demonstrating the scope of illicit activity, Kathy Stokes, director of fraud prevention at the AARP, said in her testimony that even the FTC has underreported the amount of money stolen annually; in 2023, there were reports that the money stolen from fraud topped $158 billion.
“These criminal enterprises leverage a vast array of tools to commit their crimes, including all methods of communication and forms of payment, complex impersonation schemes, anonymous shell companies, and human trafficking,” Stokes said. Read more
Explosion in Identity and Payments Fraud Forces Governments, Private Companies to Act
Joel R. McConvey, BioMetric Update
UK sees formation of data sharing fraud squad as easy access to tech democratizes fraud
A common enemy can bring together unlikely allies, and right now the common enemy of banks, tech and telecoms firms is fraud. According to the UK Office for National Statistics, fraud accounts for around 41 per cent of all crimes in England and Wales, costing an estimated £6.8 billion (US$7.3 billion) each year. In the U.S., data breaches are having more severe consequences, and payment fraud is growing like a bad mold across the digital financial landscape. Injection attacks, deepfakes and other products of generative AI are getting easier to execute and distribute. The problem has become severe enough to force responses from both governments and the private sector.
Supergroup of UK banks, tech and telecom firms bands together to fight fraud
The Financial Times reports on a plan by some of the UK’s biggest companies to begin sharing live fraud data, in a united front against a fierce and fast-advancing foe.
A joint statement from the coalition says that after a period of testing, it is transitioning to real-time exchange of fraud indicator data, such as suspicious URLs or unusual transaction activity. Signatories include Barclays, Lloyds, Santander, Nationwide, HSBC, NatWest and Monzo on the financial side, as well as tech giants Amazon, Google, Match Group and Meta, and telecoms groups BT and Three.
Ruth Evans, chair of Stop Scams UK, a cross-sector umbrella group leading the initiative, says that “by making this pledge, our members are redoubling their efforts to create a safer environment for all businesses and consumers online.” Read more
How Visa Fights Financial Crime with its Anti-Scam Unit
Louis Thompsett, FinTech Magazine
Visa combines AI-driven detection with human expertise to combat increasingly complex fraud techniques in the digital economy.
Visa has established a dedicated scam disruption practice that aims to identify and interrupt sophisticated financial crimes as they emerge. The unit, which sits within Visa Payment Ecosystem Risk and Control (PERC), provides an additional layer of security beyond traditional fraud prevention systems.
In its first year of operation, the department prevented £335m (US$433m) in attempted fraud across various scam operations, complementing the £39bn (US$50bn) in attempted fraud PERC blocked across Visa’s broader network during the same period.
Paul Fabara, Chief Risk and Client Services Officer at Visa, explains the strategy behind the unit: “Visa has invested over £11bn (US$14.2bn) in technology over the last five years, including to reduce fraud and enhance network security.
The hybrid approach to fraud prevention
The Visa Scam Disruption (VSD) unit represents an evolution in financial crime prevention by combining technological capabilities with human expertise from diverse professional backgrounds. What distinguishes this approach from conventional fraud management is the recruitment of specialists beyond the traditional technology sector. Read more
Further Clarity Regarding Coverage for Funds Transfer Fraud
Alexander Cogbill and Jane Warring; Zelle LLP/JD Supra
At this point, your IT department has almost certainly warned you to approach your e-mail inbox with skepticism–for good reason. Cybercriminals regularly and effectively impersonate our legitimate contacts for illegitimate gain.
They may be targeting your servers and systems—through attacks like malware, ransomware, viruses, and hacking—or they may just be targeting you to authorize transmission of your company’s data and money without ever infiltrating your computer. This distinction between manipulating computer systems and manipulating people is an important one. Your IT department has comparatively fewer tools to prevent you from being manipulated (sometimes called social engineering). Education is the best—and, perhaps, only—protection against social engineering attacks. As cyber insurers attempt to align coverages and policy limits to the risks inherent to each industry and each insured, the risk of social engineering remains difficult to measure. For this reason, coverages for this risk are sometimes limited.
Given this limited coverage for social engineering schemes, insureds often claim that social engineering risks come within coverages written to insure risks of computer system manipulation. Courts responding to these arguments in the context of disputed claims have taken divergent approaches with respect to this legal question.
For example, a circuit split in the federal courts has developed in deciding whether social engineering triggers coverage for “[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property.”[1] Some circuits interpret this language to apply only where bad actors gain control over an insured’s computers, while others have employed a chain-of-causation analysis with differing results. This split introduces uncertainty for insureds and insurers alike when social engineering claims arise under policies containing this “Computer Fraud” provision. Read more
Mar. 28, 2025: Fraud & Cybersecurity Articles
- Future of Bank Security Is Being Written by Ethical Hackers
- How Staffing Inadequacies Are Driving AML Troubles
- Inspector General Report Points to Banks’ Cybersecurity Risks and Dwindling FDIC ‘IT Expertise’
- State Of Ransomware: Evolving Threats and Strategies to Stay Safe
Future of Bank Security Is Being Written by Ethical Hackers
PYMNTS.com
Historically, banks built security the same way they built vaults: thick walls, high fences and minimal exposure.
But digital transformation has upended that perimeter. Open banking APIs, third-party FinTech integrations, cloud-native architectures and rapid app deployments have created an attack surface far too broad for static defenses. Banks’ security postures have to evolve in parallel with the products they launch.
“Banks work with money, so they’re always targeted,” Santiago Rosenblatt, founder and CEO of Strike, told PYMNTS. “Attackers are using AI too,” he said. “If you’re not automating and continuously testing, you’re going to be outpaced. Cybercriminals are optimizing their ROI. They’ll target the weakest link, which is the bank testing least often.”
Since launching Strike, Rosenblatt’s team has worked to flip the paradigm from annual penetration tests, or “pen testing,” a sluggish, bloated ritual, to adaptive resilience. After all, the stakes in financial services are uniquely high. Regarding traditional pen testing, “you’d wait a month to launch a test, then three more to get the report. And in between, zero visibility,” Rosenblatt said, noting that the down time might as well be a welcome mat for cybercriminals.
Breaking the Traditional Pen Test Model
As the pace of payments innovation accelerates toward embedded finance, programmable money and artificial intelligence (AI)-generated fraud, the gap between defense and offense will continue to narrow. Banks that thrive will not be those with the thickest walls, but those with the most adaptive immune systems.
Rosenblatt, who started hacking when he was six and a half, considers himself a reformed ethical hacker: someone who uses his hacking knowledge and know-how for good. That’s what inspired him to start Strike. “Luckily for me, and my parents, I realized I was better off helping companies get protected,” he said. Read more
How Staffing Inadequacies Are Driving AML Troubles
Allissa Kline, American Banker
When TD Bank pleaded guilty last fall to criminal money-laundering conspiracy charges and agreed to pay $3.09 billion in fines, its board of directors also promised to improve AML staffing.
Not only was the board to ensure that the bank always had an officer in charge of Bank Secrecy Act compliance, but it also needed to make sure TD had enough managers and staff to support the officer and the bank’s overall Bank Secrecy Act/anti-money-laundering compliance program.
In the wake of TD’s troubles and other consent orders last year related to money laundering, banks moved quickly to assess potential vulnerabilities within their own programs, including whether their staffing is adequate and whether the teams have enough authority to do the job right.
At Texas Capital Bancshares in Dallas, the Bank Secrecy Act officer and head of financial crimes compliance spoke directly to the board, offering “lessons learned” from TD’s situation, according to David Oman, who became Texas Capital’s chief risk officer in June.
Texas Capital employs about 300 people across risk and compliance, including a few dozen contractors. Staffing in the anti-money-laundering segment is “very, very stable,” in part because the company prioritizes expansive training and career progression opportunities, Oman said.
“My job is so much easier when the CEO says that we need to do it the right way and staff it appropriately and be totally supportive of risk and compliance,” Oman told American Banker. Read more
Inspector General Report Points to Banks’ Cybersecurity Risks and Dwindling FDIC ‘IT Expertise’
PYMNTS.com
A deep dive into Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General’s latest audit and report on the agency reveals key risks to banks:
They face threats from cyberattacks and from vulnerabilities in third-party relationships. As the number of problem banks remains elevated, the FDIC is also facing the prospect of skilled examiners with IT expertise — the very experts who uncover those risks — walking out the door.
The 191-page report, released Thursday (March 20), took note of the fact that in the latest fiscal year, which ended in September, the number of “problem institutions” for “safety and soundness” concerns stood at 66, with total assets on hand of $87.3 billion. Those figures are up sharply from the 44 similarly defined institutions with $54.5 billion in assets seen in the previous year.
Banks are placed on this list when a range of issues are identified, including operational risks. As can be seen in the examination guidelines, which exist as a separate document, information technology, anti-money laundering (AML) compliance and other technological processes are sources of information in measuring an examined bank’s safety and soundness.
Elsewhere in the audit, the FDIC examiners made supervisory recommendations — including matters requiring banks’ board attention — in 104 cases tied to risk management and 90 cases tied to information technology. “IT examinations identify areas in which a financial institution is exposed to IT and cyber-related risks and evaluate bank management’s ability to identify these risks and maintain appropriate compensating controls,” the report stated.
Looming Staffing Shortage?
But there are pressures looming: “Currently the FDIC faces risks in ensuring that it has examiners with the requisite skillsets to perform IT examinations using existing examination procedures.” Call it a staffing shortage on the horizon. The audit detailed that a total of 53% of examiners classified as “advanced IT subject matter experts were eligible to retire in 2024 with retirement eligibility rising to 63% for this population in 2028.” Those examiners qualified as having “intermediate IT expertise” have commensurate retirement eligibility rates of 16% last year and 27% in 2028. Read more
State Of Ransomware: Evolving Threats and Strategies to Stay Safe
Dale Zabriskie, Security Magazine
Ransomware in 2025 is no longer just a cybersecurity challenge — it has escalated into a global crisis affecting economies, governments, and essential services.
From multinational corporations to hospitals and schools, no organization is immune to these increasingly sophisticated attacks. According to Cohesity’s Global Cyber Resilience Report, 69% of organizations paid a ransom in the past year, emphasizing the urgent need for stronger defenses against cybercriminals.
Recent and notable attacks
Over the past year, ransomware gangs have grown bolder and more advanced in their tactics. The ALPHV (BlackCat) ransomware group targeted several hospitals across Europe, crippling emergency services and demanding multimillion-dollar ransoms. Meanwhile, LockBit attacked a major United States energy provider, disrupting fuel distribution and causing regional shortages.
Attackers have also refined their extortion techniques. While double extortion (encrypting and leaking stolen data) has become standard, triple extortion has emerged, incorporating distributed denial-of-service (DDoS) attacks to further pressure victims into paying. In another unprecedented move, ALPHV (BlackCat) attempted to exploit SEC regulations to pressure MeridianLink, a publicly traded digital lending solutions provider, to comply with their ransom demands. To escalate pressure, ALPHV filed a complaint with the SEC against MeridianLink for this alleged non-compliance, marking a novel tactic in ransomware extortion strategies.
Additionally, supply chain attacks are on the rise, with ransomware infiltrating cloud platforms and software providers, allowing malware to spread across multiple organizations. From security weaknesses in black-box commercial software to cryptocurrency applications and infrastructure, supply chain attacks are an increasingly popular tool for bad actors. Read more
Mar. 21, 2025: Fraud & Cybersecurity Articles
- How Banks Can Fight ‘Under the Radar’ Citizen Fraud
- RELATED READING: Fraud Losses Reached $12.5 Billion in 2024
- 21% of Financial Scams Start on Social Media
- Top Security Challenges Facing Data Centers in 2025 and Beyond
- How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model
How Banks Can Fight ‘Under the Radar’ Citizen Fraud
Suman Bhattacharyya, The Financial Brand
Citizen fraud — or fraud committed by customers who exploit glitches or inefficiencies in the banking system — is becoming a significant driver of first-party losses.
A layered approach that combines technological capabilities with industry sharing efforts is the most effective way to fight it, analysts say. Last summer, a series of fraudulent transactions at JPMorgan Chase were linked to a scheme where customers deposited bad checks and immediately withdrew the provisional credit before the checks inevitably bounced.
Called the “infinite money glitch,” the scam was amplified on TikTok as users exploited a vulnerability where provisional funds credited to customers were much higher than the typical $225 available upon deposit — sometimes tens of thousands of dollars or more. Thousands of customers reportedly participated. The bank quickly closed the loophole and sued some customers to recover improperly withdrawn funds.
Chase may have minimized the immediate damage from the so-called glitch, but the incident is symptomatic of a bigger problem where a growing number of fraudsters are customers instead of organized crime syndicates. “Citizen fraudsters” generally avoid criminal activity in their lives, but they might be motivated to engage in fraud by exploiting a glitch or inefficiency or taking advantage of loopholes — with minimal chance of getting caught.
The extent of this activity is difficult to quantify. Given the increased fraud activity they are reporting, banks can help combat the problem by addressing the key vectors of attack, which include payment dispute fraud, check fraud and other deceptive behaviors. Authentication controls, application controls and data sharing mechanisms are a critical part of this effort. Read more
RELATED READING: Fraud Losses Reached $12.5 Billion in 2024
21% of Financial Scams Start on Social Media
PYMNTS.com
They’re smart, they’re sophisticated and they’re on social media.
A recently released report sheds light on the increasingly sophisticated tactics employed by financial scammers, revealing a disturbing trend of these criminals adopting strategies akin to legitimate businesses to target and defraud individuals.
The study, titled “How Scammers Tailor Financial Scams to Individual Consumer Vulnerabilities,” a collaboration between PYMNTS and Featurespace, uncovers how scammers are no longer relying on a one-size-fits-all approach but are instead leveraging personal data and circumstances to craft highly convincing and tailored scams. This personalization extends from the initial point of contact to the manipulative tactics used to gain victims’ trust and ultimately their money.
The findings underscore the pervasive nature of financial scams, with a staggering 3 in 10 U.S. consumers, representing roughly 77 million individuals, reporting financial losses to scams in the last five years. The financial damage is often significant, with most victims losing over $500 and many suffering losses in the thousands.
Perhaps more alarmingly, the report debunks the notion that these scams primarily target older generations, revealing that victims span all demographics, including age, education and income. Read more
Top Security Challenges Facing Data Centers in 2025 and Beyond
Jeff McLaughlin, Guidepost Solutions/JD Supra
It is without question that data centers will continue to play a central role in powering the digital economy, housing critical data, and enabling cloud services, AI, IoT, and other emerging technologies.
However, as the demand for data storage, processing, and transmission grows, so too do the security challenges that data centers face. These challenges are becoming more complex and dynamic due to the increasing sophistication of cyber threats, the shift toward hybrid and multi-cloud environments, and the broader implications of regulatory changes. Solutions like the Stargate AI initiative, whose primary objective is to construct advanced AI data centers and bolster electricity generation capabilities essential for AI development, will also increase these challenges. The project commenced with an initial investment of $100 billion, with plans to scale up to $500 billion over the next four years. Below, we explore the top security challenges data centers will encounter in the coming years.
1. Evolving Cyber Threats and Advanced Persistent Threats (APTs)
Cybersecurity threats are becoming more sophisticated and persistent, especially with the rise of Advanced Persistent Threats (APTs). APTs often involve highly organized, long-term campaigns where attackers aim to infiltrate data centers, remain undetected for extended periods, and steal sensitive data or disrupt operations. The rapid pace of technological evolution is likely to make these threats even more difficult to combat. Attackers will continue to exploit vulnerabilities in both hardware and software components, and as data centers become more interconnected and complex, the attack surface expands. Attackers may target vulnerabilities in cloud architectures, hybrid cloud environments, and software-defined networks, making perimeter defenses alone insufficient. Organizations should implement a zero-trust architecture, continuous network monitoring and event management, and endpoint detection. Regular patching, vulnerability management, and penetration testing ensure that security gaps are addressed before attackers exploit them.
2. Increased Complexity of Hybrid and Multi-Cloud Environments
Many organizations are adopting hybrid and multi-cloud architectures, which combine on-premises data centers with public and private cloud services. While this approach offers greater flexibility and scalability, it also introduces a multitude of security concerns. Read more
How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model
The Hacker News
Cybersecurity isn’t just another checkbox on your business agenda. It’s a fundamental pillar of survival. As organizations increasingly migrate their operations to the cloud, understanding how to protect your digital assets becomes crucial.
The shared responsibility model, exemplified through Microsoft 365’s approach, offers a framework for comprehending and implementing effective cybersecurity measures.
The Essence of Shared Responsibility
Think of cloud security like a well-maintained building: the property manager handles structural integrity and common areas, while tenants secure their individual units. Similarly, the shared responsibility model creates a clear division of security duties between cloud providers and their users. This partnership approach ensures comprehensive protection through clearly defined roles and responsibilities.
What Your Cloud Provider Handles
Microsoft maintains comprehensive responsibility for securing the foundational elements of your cloud environment. Their security team manages physical infrastructure security, including state-of-the-art data centers and robust network architecture. They implement platform-level security features and regularly deploy security updates to protect against emerging threats. Your data receives protection through sophisticated encryption protocols, both during transmission and while stored. Microsoft also ensures compliance with global security standards and regulations, conducts regular security audits, and employs advanced threat detection capabilities with rapid response protocols.
Your Business’s Security Responsibilities
As a Microsoft 365 user, your organization must take ownership of several critical security aspects. Read more
Mar. 14, 2025: Fraud & Cybersecurity Articles
- A Guide to Security Investments: The Anatomy of a Cyberattack
- CISA: Medusa Ransomware Hit Over 300 Critical Infrastructure Orgs
- As Cyberscams Grow, So Do Protections Against Them
- The Future of AML: Why Compliance-First AI Is the Key to Financial Crime Prevention
A Guide to Security Investments: The Anatomy of a Cyberattack
Torsten George, Security Week
Organizations must recognize that security is not about the number of tools deployed, it is about ensuring those tools effectively disrupt the attack chain at every stage.
NAC, SDN, SASE, CASB, IDaaS, PAM, IGA, SIEM, TI, EDR, MDR, XDR, CTEM—the list goes on. If this “alphabet soup” sounds familiar, it is because organizations worldwide are deploying an array of security tools, all promising protection against data breaches. Global spending on information security is projected to reach $212 billion in 2025, a 15.1% increase from 2024, according to a recent Gartner forecast.
With such significant investments, one might assume we are several steps ahead of cybercriminals. Yet, hardly a week goes by without a new high-profile cyberattack—whether it’s the mass exploitation of a PHP vulnerability, data breaches across multiple healthcare organizations, or ransomware attacks on enterprises like Tata Technologies.
This raises a crucial question: Are we focusing on the right security measures? The sheer number of tools deployed does not determine an organization’s cyber resilience. What truly matters is the efficacy of these security controls and the ability to disrupt the attack chain in its early stages. To achieve this, organizations must understand the anatomy of a cyberattack. Read more
Join us and America’s Credit Unions on May 13 – 15, 2025, in Charleston, SC, for the 2025 Cybersecurity Conference.
Cyber threats are evolving—are you prepared? Gain expert insights, strategic solutions, and the latest in cyber defense to protect your credit union and members.
CISA: Medusa Ransomware Hit Over 300 Critical Infrastructure Orgs
Sergiu Gatlan, Bleeping Computer
CISA says the Medusa ransomware operation had impacted over 300 organizations in critical infrastructure sectors in the United States as of last month.
This was revealed in a joint advisory issued today in coordination with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” CISA, the FBI, and MS-ISAC warned on Wednesday.
“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.” As the advisory explains, to defend against Medusa ransomware attacks, defenders are advised to take the following measures:
- Mitigate known security vulnerabilities to ensure operating systems, software, and firmware are patched within a reasonable timeframe,
- Segment networks to limit lateral movement between infected devices and other devices within the organization, and
- Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems. Read more
As Cyberscams Grow, So Do Protections Against Them
Tom Nawrocki, PaymentsJournal
More than two-thirds of U.S. adults have experienced a financial scam or fraud in their lifetime, with nearly a third falling victim in the past year, according to research from Bankrate.
However, there’s some good news—more consumers are taking steps to protect themselves from scams.
The financial fraud survey from Bankrate found that 34% of respondents have been targeted by a scam since January 2024. But thanks in part to better education about cyberattacks, only 37% of those targeted actually lost money. This includes cases where criminals accessed personal information, victims sent funds directly to a criminal, or paid for a fraudulent service.
Protecting Against Fraud
The most common form of fraud in the past year involved attempts to access personal financial information, such as credit card details or Social Security numbers. Encouragingly, more than half of those targeted reported that these attempts were unsuccessful.
Consumers are taking action after experiencing fraud. More than three-quarters of U.S. adults who have taken precautionary steps to protect their finances in the past year say they have been scammed at some point.
Overall, Bankrate found that 89% of respondents have taken steps to protect themselves from scams in the past year. These measures range from updating passwords and enabling two-factor authentication to checking credit reports and shredding sensitive documents. Read more
The Future of AML: Why Compliance-First AI Is the Key to Financial Crime Prevention
FinTech Global
As artificial intelligence (AI) continues to transform financial crime compliance, a new industry benchmark is emerging: compliance-first AI.
In a landscape where balancing cutting-edge technology with compliance has never been more vital, adopting AI the right way can enhance efficiency, mitigate risks, and prevent financial crime. Napier AI, a next generation intelligent compliance platform, recently delved into compliance-first AI and what firms need to know.
Financial institutions face immense pressure to implement AI-driven anti-money laundering (AML) systems to combat financial crime effectively. However, the challenges of regulatory compliance, risk assessment, and model testing can push compliance officers toward opaque, ‘black-box’ AI solutions. While such systems may seem effective at first, they often lack explainability, exposing firms to regulatory penalties, reputational damage, and inefficiencies. Compliance-first AI, on the other hand, addresses these challenges by ensuring AI solutions remain transparent, adaptable, and aligned with financial institutions’ risk frameworks.
The risks of implementing AI without transparency
Many financial institutions (FIs) face a dilemma: regulators and stakeholders demand advanced AI tools to combat increasing transaction volumes and emerging threats, but ‘black-box’ AI models pose significant compliance risks. If compliance teams cannot explain AI-driven decisions to auditors and regulators, they risk severe scrutiny. Read more
Mar. 7, 2025: Fraud & Cybersecurity Articles
- The Dirty Dozen: 12 Worst Ransomware Groups Active Today
- Financial Organizations Urge CISA to Revise Proposed CIRCIA Implementation
- EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing
- Breaches and Legacy Authentication Methods Inviting Tax, Business Fraud Risk
The Dirty Dozen: 12 Worst Ransomware Groups Active Today
John Leyden, CSO Online
Ransomware is on the rise across all industries. Here are the criminal operations cybersecurity professionals must be aware of.
Ransomware-as-a-service (RaaS) models, double extortion tactics, and increasing adoption of AI characterize the evolving ransomware threat landscape.
Law enforcement takedowns of groups such as LockBit have contributed to making the ransomware marketplace more fragmented, with emergent players attempting to muscle in on the action.
Attackers range from nation-state actors to RaaS operations, lone operators, and data theft extortion groups. The following non-exhaustive list contains a rundown of the main currently active threat groups, selected for inclusion based on their impact or innovative features.
- Akira: Akira is a sophisticated RaaS operation that emerged in early 2023 and remains active.
How it works: Groups deploying Akira often exploit a lack of authentication in corporate VPN appliances, open RDP (remote desktop protocol) clients, and compromised credentials to attack corporate systems.
Targeted victims: The key targets are small to midsize businesses across North America, Europe, and Australia. Affected industries include manufacturing, professional and legal services, education, telecommunications, technology, and pharmaceuticals, according to Palo Alto Networks’ Unit 42 intelligence unit. Read more
Financial Organizations Urge CISA to Revise Proposed CIRCIA Implementation
Ionut Arghire, Security Week
A group of financial organizations is asking CISA to rescind and reissue its proposed implementation of CIRCIA.
A group of financial organizations sent an open letter to the US cybersecurity agency CISA, urging it to rescind and reissue the proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA, which was signed into law in March 2022, requires covered entities to report any major cybersecurity incident within 72 hours, and to report ransomware payments within 24 hours of making the payment.
Last year, CISA asked for public comment on a proposed rulemaking, saying that CIRCIA would lead to better understanding of cyber threats and that the cyber incident reporting rule would likely impact roughly 316,000 entities.
CISA’s proposed rules to implement CIRCIA are set to enter effect in October 2025, but the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association believe that it would have detrimental repercussions in its current form.
According to the advocacy group, while CIRCIA is expected “to establish a uniform incident reporting standard across all critical infrastructure sectors,” CISA’s notice of proposed rulemaking (NPRM) departs from the initial intent and requires organizations to divert resources from response and recovery. Read more
EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing
Ravie Lakshmanan, the Hacker News
The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT.
“EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions,” Outpost24 KrakenLabs said in a new report shared with The Hacker News. “Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI) distribution services.”
The cybersecurity company described the threat actor as a hacking group that makes operational security errors and as someone who incorporates exploits for popular security flaws into their attack campaigns.
EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an attempt to trick prospective targets into installing remote monitoring and management (RMM) software.
The company told The Hacker News that the spear-phishing group is affiliated with RansomHub and Blacksuit ransomware groups and has been using advanced social engineering tactics to compromise high-value targets across multiple industries. Read more
Breaches and Legacy Authentication Methods Inviting Tax, Business Fraud Risk
Chris Burt, BioMetric Update
TransUnion survey shows troubling reliance on hackable data
U.S. tax filers face an increased risk of fraud this year, in part because 640 million consumer records were breached last year, most of them including Social Security numbers (SSNs). According to the second half update to the “State of Omnichannel Fraud” report from TransUnion, 71 percent of breaches in the first half of 2024 included SSNs, up from 57 percent in full-year 2023.
Government agencies should deploy identity verification and document authentication technologies to stop the photo-realistic credentials malicious actors can create with breached personally identifiable data (PII) and AI.
Identity verification is an effective technology available for preventing fraud, according to 56 percent of business leaders surveyed by TransUnion. Behavioral biometrics was selected by 38 percent, just behind synthetic identity detection, and amidst a set of measures based on the reputation of the user’s IP, device, phone number or email address. Those reputational methods were chosen by between 35 and 47 percent of those surveyed.
Phishable credentials prominent
The most common primary method of customer authentication used remains a username and password (39 percent), well ahead of biometric authentication (29 percent), which perhaps even more worryingly is followed by PINs (21 percent). If the legitimate account-holder’s device is compromised, they are in trouble, as the most popular secondary authentication method is a one-time passcode (OTP), at 35 percent. Read more
Feb. 28, 2025: Fraud & Cybersecurity Articles
- Forget Phishing, Now “Mishing” Is the New Security Threat to Worry About
- Senators Urge Courts to Rule Congress Can Crack Down on Money Laundering
- Fake Accounts and Refund Abuse Biggest Fraud Challenges Gig Economy Faces
- FinCEN Reminds Financial Institutions to Remain Vigilant Regarding Potential Relationship Investment Scams
Forget Phishing, Now “Mishing” Is the New Security Threat to Worry About
Sead Fadilpašić, Tech Radar Pro
- Businesses are increasingly relying on mobile phones for key operations, and cybercriminals have spotted the shift
- Hackers have adapted their methods, Zimperium report claims
- Most phishing attacks are tailored for mobile phones
Phishing is “so 2020” – the threat to be worried about most right now is “mishing,” a new report from Zimperium has claimed.
Mishing, a term coined by Zimperium, covers all sorts of mobile-first phishing techniques: Smishing (SMS/text-based phishing), Quishing (QR code phishing), voice phishing, Wi-Fi-based phishing (the so-called “Evil Twin” attack), and many others.
Zimperium says organizations are increasingly relying on mobile devices for business operations, including multi-factor authentication, mobile-first applications, and more, and cybercriminals are taking notice, tailoring their phishing attacks for mobile devices, successfully evading traditional anti-phishing measures designed for desktops.
Smishing, Quishing, and more
As a result, businesses urgently need to adopt mobile-specific security, Zimperium stresses. Smishing, for example, is now the most common mobile phishing vector, accounting for 37% of attacks in India, 16% in the US, and 9% in Brazil. Quishing, on the other hand, is described as an emerging threat, with notable activity in Japan (17%), the US (15%), and India (11%). Furthermore, 3% of phishing sites use device-specific redirection, showing benign content on desktops while targeting mobile devices with phishing payloads. Mishing activity peaked in August 2024, Zimperium added, with over 1,000 daily attack records. Read more
Senators Urge Courts to Rule Congress Can Crack Down on Money Laundering
Liz Carey, Financial Regulation News
U.S. Sen. Ron Wyden (D-OR) and other colleagues urged two federal courts to affirm that Congress has the power to crack down on money laundering.
As part of an amicus brief in Texas Top Cop Shop v. Bondi, a case at the U.S. Court of Appeals for the 5th Circuit, and Community Associations Institute v. Treasury, a case for the 4th Circuit, Wyden and his fellow Senators argued that under Article I, Congress has the authority to legislate on national security, tax, foreign affairs, and interstate and foreign commerce matters. Congress passed the bipartisan Corporate Transparency Act in 2021, which ensured law enforcement and national security officials were able to learn the identities of people who own or control U.S. corporations and other legal entities used as shell companies to conceal illegal activities.
The brief, also signed by U.S. Sens. Sheldon Whitehouse (D-RI), Elizabeth Warren (D-MA), and Jack Reed (D-RI), and U.S. Rep. Maxine Waters (D-CA), helps the federal government to better combat terrorist financing, money laundering, sanction evasion and other illicit financing carried out through the shell companies. The lawmakers said the legislation has helped Congress engage in oversight.
In January 2025, the members filed a similar amicus brief in Firestone v. Yellen, a case for the 9th Circuit, and in April 2024, the lawmakers filed their first amicus brief in National Small Business United v. Yellen, a case for the 11th Circuit. VBI
Fake Accounts and Refund Abuse Biggest Fraud Challenges Gig Economy Faces
Lu-Hai Liang, Biometric Update
Incognia has released the Gig Economy Edition of its annual Frontline Report, which ranks the biggest fraud challenges faced by global food delivery and ride-hailing companies in 2024.
Incognia’s findings show that fake accounts were employed in 57 percent of driver-side fraud cases, while refund and promotion abuse were tied as the top consumer-side fraud with 48 percent.
In a particularly notable case, Incognia analyzed a fraudster who created 800 fake accounts to make use of new user coupons, making off with 1.5 percent of the total redeemed coupon value that month. Another case showed how a bad actor accessed 400 different accounts on a single device to take advantage of thousands of dollars worth of promotions in 30 days.
“Fraudsters are becoming more sophisticated, relentlessly targeting gig economy platforms with advanced fraud techniques that erode user trust and degrade the overall experience,” said André Ferraz, co-founder and CEO of Incognia.
Incognia also found that refund abuse accounted for nearly half (48 percent) of consumer-side fraud, while it affects nearly 50 percent of merchants worldwide, according to the MRC 2024 Global eCommerce Report. A noteworthy case Incognia identified was a single Samsung device that accessed more than 200 accounts to fraudulently return over $5,000 worth of stolen merchandise. The fraudster could then resell the items to further their profits. Read more
FinCEN Reminds Financial Institutions to Remain Vigilant Regarding Potential Relationship Investment Scams
In support of the multiagency #DatingOrDefrauding Campaign, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is reminding financial institutions to remain vigilant regarding suspicious activity that may be indicative of relationship investment scams.
The Commodity Futures Trading Commission launched the #DatingOrDefrauding national awareness effort to alert the public to relationship investment scams targeting Americans through wrong-numbered texts, dating apps, and social media. Losses from romance and confidence scams reported to the Federal Bureau of Investigation exceeded $650 million in 2023.
FinCEN has previously published several resources to help stakeholders identify and report illicit financial activity that may be indicative of relationship investment scams and other types of romance and confidence scams:
- Alert on Prevalent Virtual Currency Investment Scam Commonly Referred to as “Pig Butchering” by Perpetrators (September 2023) – This alert describes a prominent relationship investment scam in which scammers leverage fictitious identities, the guise of potential relationships, and elaborate storylines to trick victims into believing they stand to profit from trusted partnerships before defrauding them in virtual currency investment and over-the-counter foreign exchange schemes. These scams are largely perpetrated by criminal enterprises overseas who use victims of labor trafficking to conduct outreach to millions of unsuspecting individuals around the world.
- Advisory on Elder Financial Exploitation (June 2022) – This advisory highlights how romance scams are commonly used to perpetrate elder fraud, or the illegal or improper use of an older adult’s funds, property, or assets. Perpetrators of these scams may attempt to establish a close or romantic relationship with older adults to exploit their confidence and trust for financial gain.
- Financial Trend Analysis: Elder Financial Exploitation: Threat Pattern & Trend Information, June 2022 to June 2023 (April 2024) – FinCEN’s analysis found that romance scams, often perpetrated through online dating platforms, were cited frequently among Bank Secrecy Act (BSA) linked to elder financial exploitation. This report describes how romance scams can follow several distinct patterns and can evolve into investment scams once a connection is established.
- Financial Trend Analysis: Mail Theft-Related Check Fraud: Threat Pattern & Trend Information, February to August 2023 (September 2024) – This analysis describes, among other findings, how fraudsters in mail theft-related check fraud schemes convince romance scam victims to negotiate a check and then send the funds elsewhere, using the victims as money mules to move stolen funds.
FinCEN reminds financial institutions to use the specific Suspicious Activity Report (SAR) filing instructions and key terms noted in its alerts and advisory products. SAR filings, along with effective BSA compliance, are crucial to helping law enforcement detect, investigate, and prosecute cases involving relationship investment scams.
Feb. 21, 2025: Fraud & Cybersecurity Articles
- How Phished Data Turns into Apple & Google Wallets
- The Browser Blind Spot: Why Your Browser is the Next Cybersecurity Battleground
- How Russian Hackers Are Exploiting Signal ‘Linked Devices’ Feature for Real-Time Spying
- CISA and Partners Release Advisory on Ghost (Cring) Ransomware
How Phished Data Turns into Apple & Google Wallets
Krebs on Security
Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers.
Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.
If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the U.S. Postal Service to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.
These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “smishing” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones.
People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.
If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control. Read more
The Browser Blind Spot: Why Your Browser is the Next Cybersecurity Battleground
Bleeping Computer/Keep Aware
For years, defensive security strategies have focused on three core areas: network, endpoint, and email. Meanwhile, the browser, where most modern work happens, sits across all of them. Cybercriminals have adapted to this, shifting attacks away from perimeter defenses and into the browser itself.
Browser-based threats manipulate web applications in real-time, evading detection by firewalls, Secure Web Gateways (SWGs), and Endpoint Detection & Response (EDR) solutions. From multi-step phishing to malware reassembly, new attack methods make it critical for security teams to rethink detection and response at the browser layer.
This article examines three key areas where attackers focus their efforts and how browser-based attacks are evolving.
A New Class of Threats – Malware Reassembly: The New Breed of Fileless Attacks
Traditional security models are designed to detect and block file-based malware. However, attackers have moved away from conventional payloads in favor of malware that dynamically reassembles itself within the browser. These attacks are virtually invisible to endpoint and network security tools. Read more
How Russian Hackers Are Exploiting Signal ‘Linked Devices’ Feature for Real-Time Spying
Ryan Naraine, Security Week
Incident response specialists at Mandiant are sounding alarm bells after catching multiple Russian professional hacking gangs abusing a nifty Signal Messenger feature to surreptitiously spy on encrypted phone conversations.
In a fresh report published Wednesday, Mandiant threat hunter Dan Black warns that several APT groups have perfected the abuse of Signal’s “linked devices” feature that enables the privacy-themed chat and voice messenger to be used on multiple devices concurrently.
By tricking users into scanning malicious QR codes embedded in phishing pages or disguised as group invite links, Mandiant says APT groups linked to the Kremlin are secretly adding their own device as a linked endpoint.
Once this connection is established, every message sent by the user is duplicated to the attacker’s device in real time, effectively bypassing Signal’s heralded end-to-end encryption without having to break the underlying cryptography.
The company said Signal’s popularity among common targets of surveillance and espionage activity — military personnel, politicians, journalists, and activists — has made the messaging application “a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements.” Read more
CISA and Partners Release Advisory on Ghost (Cring) Ransomware
CISA—in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC)—released a joint Cybersecurity Advisory, #StopRansomware: Ghost (Cring) Ransomware.
This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with Ghost ransomware activity identified through FBI investigations.
Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services. These malicious ransomware actors are known to use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) where available patches have not been applied to gain access to internet facing servers. The known CVEs are CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.
CISA encourages network defenders to review this advisory and apply the recommended mitigations. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including added recommended baseline protections.
Feb. 14, 2025: Fraud & Cybersecurity Articles
- White House Shelves FCPA Enforcement
- Anti-Money Laundering (AML) Software Market Is Booming So Rapidly with Thomson Reuters, AML Partners, Experian
- Cybercrime Threatens National Security, Google Threat Intel Team Says
- Massive Brute Force Attack Uses 2.8 M IPs to Target VPN Devices
White House Shelves FCPA Enforcement
ACAMS/MoneyLaundering.com
President Donald Trump has formally directed federal prosecutors to halt enforcement of the Foreign Corrupt Practices Act on the basis that the 1977 statute harms U.S. economic interests and thereby threatens U.S. national security.
An executive order published late Wednesday evening instructs Attorney General Pam Bondi to review all current investigations and enforcement actions that pertain to alleged violations of the FCPA, and issue updated guidance or policies on the measure that align with Trump’s “Article II authority to conduct foreign affairs and prioritize American interests.”
“Overexpansive and unpredictable” enforcement of the FCPA against U.S. parties who engage in what other nations view as “routine business practices” threatens those objectives, and “wastes limited resources that could be dedicated to preserving American freedoms,” the order reads.
The order comes less than a week after Bondi closed the Kleptocracy Asset Recovery Initiative, a Justice Department-led effort to find, seize and repatriate the proceeds of foreign corruption.
It also fulfills another key objective of Project 2025, a right-wing political roadmap that Trump disavowed in the runup to his election. Read more
Anti-Money Laundering (AML) Software Market Is Booming So Rapidly with Thomson Reuters, AML Partners, Experian
Nidhi Bhavsar, HTF Market Intelligence Consulting/Open PR
The latest published market study on the Global Anti-Money Laundering (AML) Software Market provides an overview of the current market dynamics in the Anti-Money Laundering (AML) Software space, as well as what our survey respondents, all outsourcing decision-makers, predict the market will look like in 2032.
The study breaks the market by revenue and volume (wherever applicable) and price history to estimate the size and trend analysis and identify gaps and opportunities. Some of the players that are in coverage of the study are BAE Systems, Verafin Inc., Regulatory DataCorp, Inc., NICE Actimize, ACI Worldwide, Inc., Aquilan, Truth Technologies, Inc., AML Partners, Experian, Thomson Reuters Corporation, FICO TONBELLER, EastNets, Safe Banking Systems LLC, Oracle, FIS & SAS Institute Inc.
The global AML software market was valued at $4 billion in 2024 and is projected to reach $19 billion by 2033, exhibiting a CAGR of 16.7% during the forecast period from 2024 to 2032.
The Anti-Money Laundering (AML) Software Market refers to the global industry dedicated to the development, deployment, and maintenance of software solutions designed to detect, prevent, and report illicit financial activities, including money laundering and terrorist financing. These solutions are utilized by financial institutions, government agencies, and other organizations to ensure compliance with regulatory standards and to safeguard the financial system’s integrity. Read more
Cybercrime Threatens National Security, Google Threat Intel Team Says
Kevin Townsend, Security Week
On the eve of the Munich Security Conference, Google argues that the cybercriminal threat should be treated as a national security threat like state-backed hacking groups.
It is no longer realistic to treat cybercriminals and state-backed cyber adversaries as separate threats – the personnel, tools, and effects are often indistinguishable.
On the eve of the 61st international Munich Security Conference, the Google Threat Intelligence Group (GTIG) argues that financially motivated cybercriminal activity should be treated as a threat to national security requiring coordinated international cooperation.
Cybercrime is traditionally classified as either financially motivated cyber criminality or state-backed politically biased intrusions. While state-backed cyberattacks often receive more media attention, and perhaps more intelligence scrutiny, financially motivated crime is more common (in 2024, Mandiant responded to almost four times more financial than state-backed attacks).
Both sets of attackers are criminals, but there is no clearcut distinction since adversarial nations can and do co-opt criminals for state activity and can and do purchase criminal capabilities to further their political aims. Similarly, Iran and North Korea have used state-backed operatives to conduct financially motivated crimes to finance their regimes. Read more
Massive Brute Force Attack Uses 2.8 M IPs to Target VPN Devices
Bill Toulas, Bleeping Computer
A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
A brute force attack is when threat actors attempt to repeatedly log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to a network.
According to the threat monitoring platform The Shadowserver Foundation, a brute force attack has been ongoing since last month, employing almost 2.8 million source IP addresses daily to perform these attacks.
Most of these (1.1 million) are from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico, but there’s generally a very large number of countries of origin participating in the activity. Read more
Feb. 7, 2025: Fraud & Cybersecurity Articles
- Revealed – Top Emerging Threats for Banks and Insurers
- Five Agencies Release Guidance on Securing Edge Devices
- Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023
- DeepSeek Exposes Database with Over 1 Million Chat Records
Revealed – Top Emerging Threats for Banks and Insurers
Josh Recamara, Insurance Business Magazine
Geopolitical uncertainty is the primary driver of emerging threats for banks and insurers, according to the 2025 ORX Horizon and Cyber Horizon reports.
The reports, based on input from 47 global financial services firms, ranked cybercrime as the top risk for the fourth consecutive year, placing it ahead of other risk categories by a significant margin. Published by ORX, an operational risk association, it identified technology & digital strategy and business service disruption as the second and third most significant risks.
Geopolitical risk
Firms surveyed in the reports highlighted geopolitical tensions and political instability as major contributors to cybercrime, particularly threats linked to nation-state activities, including cloud service provider compromises and state-sponsored cyberattacks. The development of artificial intelligence is further increasing the complexity, frequency, and severity of these threats.
Top cyber threats
Third-party compromise was identified as the top emerging cyber threat in both the short- and long-term, with 92% of firms ranking it among their top five concerns for the next six to 12 months.
Ransomware attacks were the second-highest concern for 76% of firms in the short-term and 60% in the long-term. While the likelihood of a successful ransomware attack was considered low, the potential impact on business operations, customers, reputation, and finances was a key concern. Regulatory requirements are also influencing the focus on ransomware risks. Read more
Five Agencies Release Guidance on Securing Edge Devices
Ionut Arghire, Security Week
Five Eyes cybersecurity agencies have released guidance on securing edge devices against increasing threats.
Government agencies from the Five Eyes countries have released joint guidance for device manufacturers to secure their edge products against increasingly frequent malicious attacks.
Sitting at the edge of a network, always connected to the internet, and acting as entry points for data between the network and the web, edge devices may include firewalls, routers, IoT devices, VPN gateways, sensors, servers, smart appliances, and operational technology (OT) systems.
These devices are of particular interest because they handle important data, and threat actors are increasingly targeting them in malicious attacks, cybersecurity agencies from Australia, Canada, New Zealand, the US, and the UK warn.
The joint guidance sets a minimum standard for forensic visibility, encouraging device makers to integrate secure-by-default logging and forensic features to help detect malicious activity and investigate incidents.
The guidance is limited to VPNs, firewalls, and routers, which the authoring agencies deem as the most used edge devices, providing secure connections, enabling monitoring and control of data traffic, and directing traffic between internal networks and the web. Read more
Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023
Ravie Lakshmanan, the Hacker News
Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023.
The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding payment activity slumped after July 2024 by about 3.94%.
“The number of ransomware events increased into H2, but on-chain payments declined, suggesting that more victims were targeted, but fewer paid,” the company said.
Adding to the challenges is an increasingly fragmented ransomware ecosystem which, in the wake of the collapse of LockBit and BlackCat, has seen many newcomers eschew big-game hunting in favor of small- to mid-size entities, which in turn translates to more modest ransom demands.
According to data compiled by Coveware, the average ransomware payment in Q4 2024 was at $553,959, up from $479,237 in Q3. The median ransomware payment, in contrast, dropped from $200,000 to $110,890 quarter-over-quarter, a 45% drop. Read more
Related Reading: A Brief History of Mass Hacks
DeepSeek Exposes Database with Over 1 Million Chat Records
Bill Toulas, Bleeping Computer
DeepSeek, the Chinese AI startup known for its DeepSeek-R1 large language model, has publicly exposed two databases containing sensitive user and operational information.
The unsecured ClickHouse instances reportedly held over a million log entries containing user chat history in plaintext form, API keys, backend details, and operational metadata.
Wiz Research discovered this exposure during a security assessment of DeepSeek’s external infrastructure.
The security firm found two publicly accessible database instances at oauth2callback.deepseek.com:9000 and dev.deepseek.com:9000 that allowed arbitrary SQL queries via a web interface without requiring authentication.
The databases contained a ‘log_stream’ table that stored sensitive internal logs dating from January 6, 2025, containing:
- user queries to DeepSeek’s chatbot,
- keys used by backend systems to authenticate API calls,
- internal infrastructure and services information,
- and various operational metadata. Read more
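The exposure above was made worse by what the logs contained: backend API keys stored in plaintext alongside user chat history. A control a practitioner would want regardless of where the log store lives is to scrub secrets before a record is written. The following is an added example, not DeepSeek's or Wiz's code: a Python logging filter that rewrites matched secrets in each record. The secret formats (bearer tokens, `sk-` style keys, AWS access key IDs, `key=value` pairs) and the sample log lines are constructed for the demonstration and are assumptions about what a real stack would need to cover.

```python
"""Scrub API keys and tokens from log records before they reach a log store.

Added example; the patterns are an assumed starting set, the log lines are
constructed for the demonstration.
"""
import logging
import re

# Secret shapes commonly found in application logs (assumed set; extend it
# for the key formats your own services use). Order matters: specific
# token formats run before the generic key=value rule.
SECRET_PATTERNS = [
    # Authorization: Bearer <token>
    (re.compile(r"(?i)(authorization\s*:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
     r"\1[REDACTED]"),
    # 'sk-' style API keys, 20+ characters after the prefix
    (re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"), "[REDACTED_API_KEY]"),
    # AWS access key IDs (long-term AKIA..., temporary ASIA...)
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED_AWS_KEY]"),
    # api_key=..., "token": "...", password=... in query strings or JSON
    (re.compile(r"(?i)([\"']?(?:api[_-]?key|token|secret|password)[\"']?\s*[:=]\s*[\"']?)"
                r"([^\s\"'&,}]+)"),
     r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    """Return text with every matched secret replaced by a placeholder."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Rewrite the record's message and format args in place; never drop it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: redact(str(v)) for k, v in record.args.items()}
            else:
                record.args = tuple(redact(str(a)) for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Handler that keeps formatted records in a list (stands in for a log store)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


# Constructed log lines of the kind a backend might write (not real data).
SAMPLE_LINES = [
    "2025-01-06T10:12:01Z backend call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2025-01-06T10:12:02Z upstream request api_key=sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ123456 status=200",
    '2025-01-06T10:12:03Z config {"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"}',
    "2025-01-06T10:12:04Z user asked: how do I rotate a leaked token?",
]


def emit_through_filter(lines):
    """Log each line through a logger carrying the filter; return what was stored."""
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    return handler.records


if __name__ == "__main__":
    for stored in emit_through_filter(SAMPLE_LINES):
        print(stored)
```

The filter is attached to the handler that feeds the log store, so a record is sanitized on the way out rather than relying on every call site to remember. Pattern-based redaction is a backstop, not a substitute for keeping credentials out of log statements in the first place, and any new key format your services adopt needs a matching rule.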
Jan. 31, 2025: Fraud & Cybersecurity Articles
- Cyber Insights 2025: Cyberinsurance – The Debate Continues
- U.S. Supreme Court Removes Hurdle to Anti-Money Laundering Law
- A Tumultuous Week for Federal Cybersecurity Efforts
- Microsoft Teams Phishing Attack Alerts Coming to Everyone Next Month
Cyber Insights 2025: Cyberinsurance – The Debate Continues
Kevin Townsend, Security Week
Better risk management could lead to reduced premiums on top of value for money, making cyberinsurance a silent driver for improved cybersecurity.
SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyberinsurance.
Cyberinsurance offers a risk transfer option for the management of cybersecurity risk. This risk is complicated by the ever-changing nature of the threats and the attack surface. The cybersecurity industry has so far failed to get ahead of the attackers. Can the cyberinsurance industry do any better?
Is it even possible for insurers to match cover with cost in a mutually beneficial manner on an ongoing basis?
General adoption
While the adoption of cyberinsurance as a means of cyber risk transfer is growing, less than half of SMEs are currently thought to carry cyberinsurance. Most US businesses, probably around 33 million, are categorized as SMEs, so the untapped market remains huge.
The difficulty is that SMEs traditionally believe they are too small to be attacked until they are, and frequently hope they are covered by their general business insurance. When a compromise happens, they may survive the breach itself but are poorly prepared for the immediate legal and forensic expenses that follow a compromise. Read more
U.S. Supreme Court Removes Hurdle to Anti-Money Laundering Law
Nate Raymond, Reuters
Summary
- Despite action by the justices, the law remains on hold
- Challengers say Trump administration may decide the matter
The U.S. Supreme Court on Thursday declined to block enforcement of an anti-money laundering law that forces millions of business entities to disclose the identities of their real beneficial owners to the Treasury Department, though it still will remain on hold and its fate could be decided by President Donald Trump.
The justices put on hold a nationwide injunction issued on Dec. 3 by Texas-based U.S. District Judge Amos Mazzant who, at the behest of small businesses, had concluded that Congress overstepped its powers under the U.S. Constitution in passing the Corporate Transparency Act in 2021.
The law’s enforcement remains blocked and companies still are not required to report information as a result of a separate order issued on Jan. 7 in another case by Texas-based U.S. District Judge Jeremy Kernodle.
Lawyers at the conservative Center for Individual Rights, representing the small businesses in the Supreme Court case, cited the other ruling in saying it was now up to the new Republican president’s administration to decide what to do. Trump returned to the presidency on Monday. Read more
A Tumultuous Week for Federal Cybersecurity Efforts
Krebs on Security
President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nation’s cybersecurity posture.
The president fired all advisors from the Department of Homeland Security’s Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided a Biden administration action that sought to reduce the risks that artificial intelligence poses to consumers, workers and national security.
On his first full day back in the White House, Trump dismissed all 15 advisory committee members of the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the causes of major cybersecurity events. The CSRB has so far produced three detailed reports, including an analysis of the Log4Shell vulnerability crisis, attacks from the cybercrime group LAPSUS$, and the 2023 Microsoft Exchange Online breach.
The CSRB was in the midst of an inquiry into cyber intrusions uncovered recently across a broad spectrum of U.S. telecommunications providers at the hands of Chinese state-sponsored hackers. One of the CSRB’s most recognizable names is Chris Krebs (no relation), the former director of the Cybersecurity and Infrastructure Security Agency (CISA). Krebs was fired by President Trump in November 2020 for declaring the presidential contest was the most secure in American history, and for refuting Trump’s false claims of election fraud.
South Dakota Governor Kristi Noem, confirmed by the U.S. Senate last week as the new director of the DHS, criticized CISA at her confirmation hearing, TheRecord reports. Read more
Microsoft Teams Phishing Attack Alerts Coming to Everyone Next Month
Sergiu Gatlan, Bleeping Computer
Microsoft reminded Microsoft 365 admins that its new brand impersonation protection feature for Teams Chat will be available for all customers by mid-February 2025.
Once enabled, it will display alerts when detecting phishing attacks targeting organizations that have enabled external Teams access (which allows threat actors to message any user from external domains).
The company first announced that it was working on defenses against Teams brand impersonation in late October 2024 (when it added this initiative to the Microsoft 365 roadmap), and it began rolling it out to users almost one month later, in mid-November.
While the initial rollout timeline estimated it would reach general availability in mid-January, the company said in a Microsoft 365 message center advisory updated on Friday that it would be completed in mid-February and enabled by default with no admin configuration needed.
“This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to update any relevant documentation,” Microsoft said. “We recommend that you educate your users on what the new high-risk Accept/Block screen means and remind users to proceed with caution.” Read more
Jan. 24, 2025: Fraud & Cybersecurity Articles
- Scrutiny on Financial Institutions Compliance Expected to Increase During Trump Administration
- Ransomware Gangs Pose as IT Support in Microsoft Teams Phishing Attacks
- Citigroup Must Face New York Lawsuit Over Handling of Fraud Scams
- Why CISOs Must Think Clearly Amid Regulatory Chaos
Scrutiny on Financial Institutions Compliance Expected to Increase During Trump Administration
Travis Nelson and Andrew Soven; Polsinelli/JD Supra
Key Takeaways:
- Federal bank regulators plan for vigorous review of safety and soundness and consumer compliance functions.
- BSA/AML, fair lending and mapping compliance to controls are expected to be the focus of examiners’ review.
- State regulators are expected to fill the void if the Trump Administration restrains federal supervision.
In the final months of 2024, federal regulators were outlining their respective supervisory priorities for 2025, in terms of personnel allocation, budget needs and examination priorities. As in the past several years, these regulatory previews served as potent prognosticators of supervisory surveillance to come. The agencies' own predictions of their supervisory priorities serve as helpful aids for financial institutions in deciding how to allocate their own legal and compliance resources. Then, Donald J. Trump was re-elected as the 47th President of the United States.
With sweeping power to appoint agency heads of pivotal federal financial regulators such as the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Consumer Financial Protection Bureau (“CFPB”), President Trump has broad authority to shape the future of federal regulatory examinations and enforcement. However, if the regulatory environment of the previous Trump Administration is any indication, this is no time for financial institutions to give their compliance functions a sabbatical.
What are the Agencies Predicting?
In the past few months, the federal bank regulatory agencies have offered their expectations for supervisory priorities. For the OCC, the regulator for most large banks, the agency has indicated that it will focus its 2025 resources on, among other things, compliance. The OCC has indicated that it will focus on BSA/AML/OFAC compliance, assessing whether “operations and systems are reasonably designed and implemented to mitigate and manage money laundering, terrorist financing and other illicit financial activity risks from business activities, including products and services offered and customers and geographies served.” Read more
Ransomware Gangs Pose as IT Support in Microsoft Teams Phishing Attacks
Bill Toulas, Bleeping Computer
Ransomware gangs are increasingly combining email bombing with posing as tech support in Microsoft Teams calls to trick employees into granting remote control and installing malware that provides access to the company network.
The threat actors send thousands of spam messages over a short period and then call the target from an adversary-controlled Office 365 instance, pretending to provide IT support.
This tactic has been observed since late last year in attacks attributed to Black Basta ransomware but researchers at cybersecurity company Sophos have seen the same method being used by other threat actors that may be connected to the FIN7 group.
To reach company employees, the hackers take advantage of the default Microsoft Teams configuration at the targeted organization, which permits calls and chats from external domains.
Observed activity
The first campaign that Sophos investigated has been linked to a group the researchers track internally as STAC5143. The hackers started by emailing targets a massive number of messages, at a rate of up to 3,000 in 45 minutes.
Shortly after, the targeted employee received an external Teams call from an account named “Help Desk Manager.” The threat actor convinced the victim to set up a remote screen control session through Microsoft Teams. Read more
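The email-bombing phase is the loudest part of this playbook, and a sliding-window count of inbound mail per recipient catches it before the "help desk" call lands. The following is an added example, not Sophos's or Microsoft's detection logic: it runs over a constructed, simplified inbound-mail log (timestamp, recipient, sender) and raises one alert per recipient whose message count inside a 45-minute window crosses a threshold. The window and threshold are assumptions to tune against your own baseline; the log is generated inline and is not real data.

```python
"""Flag mail-bombing bursts of the kind that precede a fake Teams support call.

Added example. The log format, window and threshold are assumptions; the
sample log is constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=45)   # assumed: the burst length described by Sophos
THRESHOLD = 500                  # assumed: far above a normal inbox's 45-minute rate


def parse_line(line):
    """Parse 'ISO8601 recipient sender' into (datetime, recipient, sender)."""
    ts, rcpt, sender = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), rcpt, sender


def detect_mail_bombs(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of inbound mail per recipient.

    Returns {recipient: (first_alert_time_iso, count_in_window, distinct_senders)}
    for every recipient whose count reaches the threshold inside any window.
    Lines are sorted first so out-of-order log delivery does not skew the count.
    """
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, sender) in window
    alerts = {}
    for ts, rcpt, sender in sorted(map(parse_line, lines)):
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and rcpt not in alerts:
            distinct = len({s for _, s in q})  # many senders = subscription bombing, not one spammer
            alerts[rcpt] = (ts.isoformat(), len(q), distinct)
    return alerts


def build_sample_log():
    """Constructed log: the victim receives 3,000 messages in 45 minutes from
    400 newsletter senders; a colleague receives 20 messages spread over 10 hours."""
    start = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3000):
        ts = start + timedelta(milliseconds=900 * i)   # one message every 0.9 s
        lines.append(f"{ts.isoformat()} victim@example.com list{i % 400}@newsletters.example")
    for i in range(20):
        ts = start + timedelta(minutes=30 * i)
        lines.append(f"{ts.isoformat()} colleague@example.com partner@example.net")
    return lines


if __name__ == "__main__":
    for rcpt, (when, count, distinct) in detect_mail_bombs(build_sample_log()).items():
        print(f"ALERT {rcpt}: {count} messages from {distinct} senders by {when}")
```

An alert like this is worth correlating with the next hour of Teams activity: an inbound call or chat from an external domain to the same user shortly after the burst is the pattern described above, and the distinct-sender count separates subscription bombing from an ordinary mass mailing gone wrong.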
Citigroup Must Face New York Lawsuit Over Handling of Fraud Scams
Jonathan Stempel, Reuters
Summary
- Bank accused of failing to protect, reimburse victims
- Judge says bank misread law governing fund transfers
- Citigroup evaluating next steps, says it followed the law
A federal judge on Tuesday rejected Citigroup's (C.N) bid to dismiss a lawsuit by New York Attorney General Letitia James claiming it failed to protect customers from online scammers and refused to reimburse customers who were victimized.
U.S. District Judge Paul Oetken in Manhattan said the bank’s Citibank unit must face James’ claim it violated a 1978 federal law concerning electronic wire transfers, and parts of three other claims.
Oetken said Congress intended the 1978 law, the Electronic Fund Transfer Act, to protect consumers from sophisticated frauds involving technologies they may not understand, leaving banks in a better position to shoulder the risks of fraud.
In seeking a dismissal of the lawsuit last April, Citigroup argued that the law expressly excluded wire transfers.
But in his 62-page decision, Oetken said “Citibank’s reading would operate in derogation of the statutory purpose.”
The judge dismissed some claims against New York-based Citigroup, the third-largest U.S. bank. Citigroup said in a statement it was disappointed and was evaluating its next steps. “The industry-standard practices we employ have long been recognized as satisfying applicable law,” it said.
James said the decision would help her office ensure that Citigroup follows the law to protect customers.
“When New Yorkers deposit their money in a bank, they expect it to be kept safe from scammers and thieves,” the attorney general said in a statement. Read more
Why CISOs Must Think Clearly Amid Regulatory Chaos
Marene Allison, Dark Reading
Even as the rule book changes, the profession of the CISO remains unchanged: protecting the organization in a world of constant, continually evolving threats.
In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance.
Yet amid this whirlwind of change that has descended on the industry, it’s critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift.
Therefore, my message, drawn from decades in the security field, resonates with the stiff-upper-lip slogan of Britain in the run-up to World War II: Keep calm and carry on.
A Regulatory Tsunami
The SEC’s rules went into effect last December. Under the new rules, public companies must report any cyber incidents within four business days of determining that it was a material event. The SEC also requires that public companies disclose their strategies for handling cybersecurity risks.
Those in the security world apprehensive about these anticipated changes became downright frightened when the SEC, even before its new rules went into effect, sued a company, SolarWinds, going so far as to single out its CISO in the filings. Just weeks before its new cybersecurity rules were set to go into effect, the agency was sending a clear message to the country's CISOs: Complacency is no longer an option. Read more
Jan. 17, 2025: Fraud & Cybersecurity Articles
- State of Passkeys 2025: Passkeys Move to Mainstream
- Governments Call for Spyware Regulations in UN Security Council Meeting
- Cyber Insights 2025: Cyber Threat Intelligence
- Microsoft: Happy 2025. Here’s 161 Security Updates
- Related reading: CISA Shares Guidance for Microsoft Expanded Logging Capabilities
State of Passkeys 2025: Passkeys Move to Mainstream
Vincent Delitz, BioMetric Update
More than 1 billion people have activated at least one passkey according to the FIDO Alliance – an astonishing number that highlights the quick evolution of passkeys from a buzzword to a trusted login method.
In just two years, consumer awareness of the technology jumped from 39% to 57%. Let’s see how passkeys have moved to mainstream.
Why did big tech bet on a new login technology?
Back in May 2022, the FIDO Alliance, with the collective support of Apple, Google and Microsoft, announced a major initiative to promote passkeys as a passwordless authentication standard, ensuring compatibility across devices, operating systems and browsers.
At first glance, this seemed bold, even for these tech giants. Passwords have dominated authentication for decades – why risk time, money and reputation on a new technology?
The answer lies in addressing a growing problem: password management had become the biggest source of user frustration and security vulnerability. Users were juggling countless accounts and password resets, while businesses struggled with data breaches caused by stolen or weak passwords. Social engineering attacks, especially phishing, exploited these weaknesses.
Passkeys moved out of early-adopter stage
While Apple, Google and Microsoft enabled passkey support on devices, the technology needed to be adopted by websites and apps. Early adopters emerged in environments with high security requirements:
Banking, payment & crypto
Payment providers (e.g. PayPal, Mastercard, Visa) and cryptocurrency exchanges (e.g. Binance, Coinbase) handle enormous volumes of financial transactions, making them high-value targets for cybercriminals. Strict regulations protect consumers and their accounts, so many payment providers already offer passkeys. Digital-first banks like Revolut, Ubank or Finom followed suit and offer passkeys to reduce fraud, build trust and comply with regulations. Read more
Governments Call for Spyware Regulations in UN Security Council Meeting
Lorenzo Franceschi-Bicchierai, TechCrunch
On Tuesday, the United Nations Security Council held a meeting to discuss the dangers of commercial spyware, which marks the first time this type of software — also known as government or mercenary spyware — has been discussed at the Security Council.
The goal of the meeting, according to the U.S. Mission to the UN, was to “address the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security.” The United States and 15 other countries called for the meeting.
While the meeting was mostly informal and didn’t end with any concrete proposals, most of the countries involved, including France, South Korea, and the United Kingdom, agreed that governments should take action to control the proliferation and abuse of commercial spyware. Russia and China, on the other hand, dismissed the concerns.
John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses since 2012, gave testimony in which he sounded the alarm on the proliferation of spyware made by “a secretive global ecosystem of developers, brokers, middlemen, and boutique firms,” which “is threatening international peace and security as well as human rights.”
Scott-Railton called Europe “an epicenter of spyware abuses” and a fertile ground for spyware companies, referencing a recent TechCrunch investigation that showed Barcelona has become a hub for spyware companies in the last few years. Read more
Cyber Insights 2025: Cyber Threat Intelligence
Kevin Townsend, Security Week
SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months.
We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyber Threat Intelligence (CTI). CTI is valuable and beneficial to cybersecurity, but only if it is complete, accurate, and actionable.
The importance of Cyber Threat Intelligence
Cyber threat intelligence is cybersecurity’s early warning. It seeks to understand the source and nature of attacks, the adversaries and their targets, the presence of existing attacks, and the likelihood of imminent attacks. Being forewarned allows defenders to be forearmed.
“You cannot overstate the importance of cyber threat intelligence (CTI) as part of a comprehensive security program,” says Pascal Geenens, director of threat intelligence at Radware. “Threat intelligence is crucial in helping organizations gather insights on the threats they are facing and assess the risks so they can prioritize resources and budget to ensure adequate protections.”
Callie Guenther, senior manager of cyber threat research at Critical Start: “CTI will become more critical as organizations pivot from reactive to proactive cybersecurity strategies,” she says.
“Current cybersecurity strategies are unsustainable for reasons other than the sheer futility of investing endlessly to raise higher ramparts. Simply building higher walls isn’t working,” says Morten Mjels, CEO at Green Raven Limited. “Better threat intelligence, so our practitioners don’t feel like they’re working blindfolded, will be a clear improvement that is already achievable.”
Guenther adds, “Since threats evolve faster than traditional defenses can adapt, CTI will play a vital role in enabling near-real-time situational awareness and informed decision-making.” Read more
Microsoft: Happy 2025. Here’s 161 Security Updates
Krebs on Security
Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
Rapid7‘s Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also saw the publication of nine critical remote code execution (RCE) vulnerabilities.
The Microsoft flaws already seeing active attacks include CVE-2025-21333, CVE-2025-21334 and, you guessed it, CVE-2025-21335. These are sequential because all reside in Windows Hyper-V, a component that is heavily embedded in modern Windows 11 operating systems and used for security features including Device Guard and Credential Guard.
Related: CISA Shares Guidance for Microsoft Expanded Logging Capabilities
Tenable’s Satnam Narang says little is known about the in-the-wild exploitation of these flaws, apart from the fact that they are all “privilege escalation” vulnerabilities. Narang said we tend to see a lot of elevation of privilege bugs exploited in the wild as zero-days in Patch Tuesday because it’s not always initial access to a system that’s a challenge for attackers as they have various avenues in their pursuit.
“As elevation of privilege bugs, they’re being used as part of post-compromise activity, where an attacker has already accessed a target system,” he said. “It’s kind of like if an attacker is able to enter a secure building, they’re unable to access more secure parts of the facility because they have to prove that they have clearance. In this case, they’re able to trick the system into believing they should have clearance.”
Several bugs addressed today earned CVSS (threat rating) scores of 9.8 out of a possible 10, including CVE-2025-21298, a weakness in Windows that could allow attackers to run arbitrary code by getting a target to open a malicious .rtf file, documents typically opened on Office applications like Microsoft Word. Microsoft has rated this flaw “exploitation more likely.” Read more
Jan. 10, 2025: Fraud & Cybersecurity Articles
- A Day in the Life of a Prolific Voice Phishing Crew
- Fraudsters on the Line: The Rise of Call Spoofing in the Financial Industry
- Sen. Scott, Rep. Hill Seek Information from Treasury on Cybersecurity Breach
- How Initial Access Brokers (IABs) Sell Your Users’ Credentials
A Day in the Life of a Prolific Voice Phishing Crew
Krebs on Security
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices.
KrebsOnSecurity recently told the saga of a cryptocurrency investor named Tony who was robbed of more than $4.7 million in an elaborate voice phishing attack. In Tony’s ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations. The phishers also abused legitimate Google services to send Tony an email from google.com, and to send a Google account recovery prompt to all of his signed-in devices.
Today’s story pivots off of Tony’s heist and new details shared by a scammer to explain how these voice phishing groups are abusing a legitimate Apple telephone support line to generate “account confirmation” message prompts from Apple to their customers.
Before we get to the Apple scam in detail, we need to revisit Tony’s case. The phishing domain used to steal roughly $4.7 million in cryptocurrencies from Tony was verify-trezor[.]io. This domain was featured in a writeup from February 2024 by the security firm Lookout, which found it was one of dozens being used by a prolific and audacious voice phishing group it dubbed “Crypto Chameleon.” Read more
Fraudsters on the Line: The Rise of Call Spoofing in the Financial Industry
Jonjie Sena, PaymentsJournal
Today, we carry devices with us wherever we go, making us highly vulnerable to imposter scams, call spoofing, and data breaches. With the rise of artificial intelligence, threat actors can now commit fraud by mimicking a person’s voice over the phone. This troubling trend is affecting both consumers and businesses, with financial institutions being especially at risk.
In an increasingly common imposter scam known as the "grandparent scam," the threat actor calls someone, posing as a family member. They claim to be in some kind of trouble, such as a car accident or an arrest, and request money to help get them out of the predicament. The criminal is able to mimic the voice of the person they're impersonating by cloning it with AI. Today's technology is so advanced that only a short audio clip is needed.
According to 2024 Federal Trade Commission data, consumers reported that imposter scams were the leading method of fraud in 2023, with the highest losses per person coming from phone scams. Scammers stole over $10 billion from U.S. consumers in 2023, an all-time high, according to the FTC.
A separate report on cyberattack trends found that financial services is the most impersonated industry by criminals. Case in point, a Hong Kong finance worker was duped out of more than $25 million after falling prey to a deepfake video call scam earlier this year, in which the attendees looked and sounded just like his coworkers. Read more
Sen. Scott, Rep. Hill Seek Information from Treasury on Cybersecurity Breach
Dave Kovaleski, Financial Regulation News
U.S. Sen. Tim Scott (R-SC) and U.S. Rep. French Hill (R-AR) are seeking answers about the China state-sponsored cybersecurity breach at the U.S. Department of Treasury.
In a letter to Treasury Secretary Janet Yellen, Scott and Hill wanted more information about the protocols for safeguarding sensitive federal government information.
“We write regarding the major cybersecurity incident that the Department of the Treasury disclosed to the Senate Banking and House Financial Services Committees yesterday involving a China state-sponsored Advanced Persistent Threat actor breaking into Treasury’s computer systems and remotely accessing information maintained by Treasury users. This breach of federal government information is extremely concerning. As you know, Treasury maintains some of the most highly sensitive information on U.S. persons throughout government, including tax information, business beneficial ownership, and suspicious activity reports.
This information must be vigilantly protected from theft or surveillance by our foreign adversaries, including the Chinese Communist Party, who seek to harm the United States. As such, the fact that a CCP-sponsored APT actor was able to access Treasury’s information systems is unacceptable and raises serious questions about the protocols for safeguarding sensitive federal government information from future cybersecurity incidents,” Scott and Hill wrote in a letter to Yellen.
The lawmakers also demanded a detailed briefing on the incident. Specifically, they are seeking details on the cybersecurity incident, including when and how it occurred and which China-sponsored APT actor is responsible. They also want to know the type and extent of information accessed by the CCP-aligned actor.
How Initial Access Brokers (IABs) Sell Your Users’ Credentials
Bleeping Computer/Specops Software
Even if you haven’t looked into the methods of initial access brokers (IABs), you’ve almost certainly read about their handiwork in recent cyber-attacks.
These specialized cybercriminals break into corporate networks and sell stolen access to other attackers. Think of them as high-tech locksmiths for hire — they crack security systems and sell the “keys” to ransomware groups and cyber criminals who launch their own attacks.
To understand how IABs operate, consider a recent incident targeting Amazon Web Services (AWS) customers. The attackers systematically scanned AWS systems for vulnerabilities, stealing over two terabytes of sensitive data, including thousands of credentials — from AWS access keys to database logins.
True to the IAB business model, they sold this stolen access through private Telegram channels, allowing other criminals to target the compromised organizations. So how can your business protect itself against IABs? Here’s what you need to know about how IABs operate, why they prize user credentials above other digital assets, and the steps you can take to fortify your organization’s defenses.
How IABs run their criminal enterprises
IABs run their operations like legitimate businesses, complete with customer service teams, tiered pricing models, and money-back guarantees if their stolen access doesn’t work. And they have something for everyone on the dark web. For small-scale criminals who have funds but lack technical expertise, IABs provide an entry point to high-value corporate targets they could never breach independently. Read more