B4 Secure

Case study: Insider Threat – Organised Crime Groups (OCGs) and Identity Theft Fraud

Recent analysis in which the b4Secure team has been involved shows the global lengths to which an organised crime group (OCG) will go when engaged in identity theft.

An OCG is defined by the CPS (section 45(6)) as a group which has as its purpose, or one of its purposes, the carrying on of criminal activities, and which consists of three or more people who agree to act together to further that purpose.

In this particular case study, the OCG was recruiting couriers and other personnel who had the opportunity to steal banking and personal details, which would then enable a bank insider to gain access to a victim’s bank accounts.

Our analysis showed the ‘holistic’ approach and methods the OCG was using to steal identities, gain access to accounts, and either cash out or use the stolen cards to purchase high-value items for personal use or resale, such as:

  • Targeting of couriers, and of staff in roles that routinely have access to personal data, to provide information. It was apparent that these employees were identified and approached, particularly at a social level, to scout whether they were amenable to working for the OCG. Once recruited, it was believed they would find it difficult to extract themselves from the situation without facing intimidation.

Organised Crime Groups and Identity Theft Activities

As an example, persons working in mobile phone stores were of use, as they had access to all customer personal data plus the bank data needed to set up direct debits and card details for payment.

  1. Bank workers – the OCG relied heavily on corrupt bank workers in the UK and internationally. These staff would be given account details which would then be subjected to fraud: new accounts were opened in the name of the victim, and addresses were amended so that bank paperwork, cards and PINs went to an OCG-controlled address. Once the funds were obtained, the money would be moved via a series of accounts whose owners had full knowledge that the funds were gained illegally.
  2. These insiders were situated all over the world, not just in the UK, and analysis uncovered that job applications were discussed, demonstrating that members of the OCG were applying for positions purely in order to facilitate the fraud.
  3. The analysis also showed stolen bank details or card numbers being passed abroad, together with access to card machines, so that funds could easily be withdrawn.
  4. OCG members utilised open source intelligence (OSINT) research to find out dates of birth and other personal details using various sources, including credit search engines. For instance, they would check credit scores and check how much they could potentially borrow to maximise the amount being applied for without alarm bells being raised.
  5. OCGs completed ‘test purchases’ for smaller amounts before the stolen credit cards were used in high-value boutiques in London. Luxury items such as designer trainers, ladies’ shoes and handbags were targeted. These purchases would be conducted by recruited ‘strikers’ (purchasers), usually matched to the age and demographic of the victim of the fraud so that there would be less chance of being challenged. Often the bank insider is aware of when and where the purchases are being made and will warn the strikers if the transaction is likely to fail.
  6. OCGs will also purchase a person’s bank details, including online banking passwords and memorable information, being sold on the dark web, often following a data breach. This data is purchased using bitcoin, and the details are then usually used for online purchases, with goods being picked up via click-and-collect services from one of the large supermarket chains or associated stores. Even deliveries from online retailers using stolen card details would entail a person connected to the OCG taking delivery of the ordered item and receiving either part of the delivery or cash in return.

Often the victims had no knowledge of any fraud until they could not use their bank accounts and contacted the bank to find out why, or their bank accounts were emptied. 

The structure for this type of OCG is around people – the persons collecting the initial data, bank processors or call centre staff, shop workers, recruiters, strikers, and persons taking delivery of the goods ordered.


Suspects have an apparently misguided perspective regarding the effect on a victim and appear to view it as a ‘victimless crime’. They see it as a crime against a ‘business’ (and therefore, in their view, less harmful): the banks or insurers refund the stolen money, and the actual victim returns to normal. In reality, identity theft and having your personal details and bank accounts hacked leaves a person with a range of mental and physical effects, including stress, anxiety and depression. It also leaves the victim with a sense of vulnerability, because the organisations that they trust have been involved in the fraud, albeit innocently.

Intelligence Gaps:

  • Within these organisations, how much of a priority is the risk of staff corruption/insider threat, and what are they actually doing to continually analyse and monitor the threats (audits will not pick up many types of fraud)?
  • Are there processes in place to identify behaviour and access to data that would indicate a threat, such as a member of staff being vulnerable or involved in this type of criminality, i.e. indicators and warnings being placed into systems and processes?
  • Are certain roles highlighted as more at risk of staff being groomed, or deliberately hired, in order to commit the fraud?
  • Whilst due diligence may be completed at the recruitment level, is it revisited at points within an employee’s career?
  • Is the move to agency staff and remote call centres allowing due diligence and process monitoring to be followed?
  • How many checks are in place when staff are recruited by the mobile phone companies or the large courier firms, particularly those involved in delivering identity documents such as passports?
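As an illustration of the ‘indicators and warnings’ the gaps above ask about, here is an added example (not b4Secure’s code) that runs two detection rules over constructed staff audit events: one employee redirecting several customers’ post to the same address, and a card or PIN reissue following closely after an address change. The event format, thresholds and names are assumptions for the example.

```python
# Added example (not b4Secure's code): detection rules for the insider pattern
# described in the case study, run over a constructed audit log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, employee, customer, action, detail)
EVENTS = [
    ("2023-03-01 09:10", "emp42", "cust001", "address_change", "12 Drop St"),
    ("2023-03-01 09:40", "emp42", "cust001", "card_reissue", "debit"),
    ("2023-03-02 11:05", "emp42", "cust002", "address_change", "12 Drop St"),
    ("2023-03-02 11:30", "emp42", "cust002", "pin_reissue", ""),
    ("2023-03-03 14:00", "emp42", "cust003", "address_change", "12 Drop St"),
    ("2023-03-05 10:00", "emp17", "cust004", "address_change", "8 Real Ave"),
    ("2023-03-20 10:00", "emp17", "cust004", "card_reissue", "debit"),
]

def parse(events):
    """Turn the timestamp strings into datetimes so windows can be compared."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), e, c, a, d) for t, e, c, a, d in events]

def shared_address_alerts(events, min_customers=3, window_days=7):
    """Alert when one employee moves several distinct customers to the same address."""
    seen = defaultdict(list)  # (employee, new address) -> [(time, customer)]
    for ts, emp, cust, action, detail in parse(events):
        if action == "address_change":
            seen[(emp, detail)].append((ts, cust))
    alerts = []
    for (emp, addr), hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window over the changes
            in_window = {c for t, c in hits[i:] if t - start <= timedelta(days=window_days)}
            if len(in_window) >= min_customers:
                alerts.append((emp, addr, sorted(in_window)))
                break
    return alerts

def redirect_then_reissue_alerts(events, max_hours=48):
    """Alert when a card or PIN reissue follows an address change on the same customer."""
    last_change = {}  # customer -> (time of address change, employee who made it)
    alerts = []
    for ts, emp, cust, action, detail in parse(events):
        if action == "address_change":
            last_change[cust] = (ts, emp)
        elif action in ("card_reissue", "pin_reissue") and cust in last_change:
            changed_at, changer = last_change[cust]
            if ts - changed_at <= timedelta(hours=max_hours):
                alerts.append((cust, changer, action, ts))
    return alerts
```

Both rules are deliberately simple; in practice they would be tuned against genuine change-of-address volumes and combined with the employee’s normal workload for the role.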

On the other side of the situation, can we as individuals take steps to limit how vulnerable we are to identity theft? For instance, by paying attention to our social media and online content, being alert to any subtle changes to bank account data, and knowing when to expect replacement bank cards or whether this month’s statements have arrived. All of this adds a layer of security to keeping your identity safe.

However, if the source of the data breach is within the companies we use and trust, it is hard to see how an individual can keep their identity safe when the data for sale includes passwords and memorable information that could only have been gleaned from these organisations. With more and more employees working from home, there are more opportunities for the OCGs involved in this type of criminality to access data via corrupt employees.

With insider threat fraud increasing, perhaps there should be a cultural change around this type of fraud. It needs to be investigated at a more detailed level, rather than society accepting that it happens and that there is little to be done about it; this may also discourage vulnerable employees from getting involved.
