Slick Willie Sutton was an American bank robber who, in a career spanning more than 40 years, is believed to have stolen around $2m in his attempts to rob more than 100 banks. When asked why he robbed banks, Sutton’s reply was simple: “Because that’s where the money is”.

There are those who claim that this quote is apocryphal, but it is nonetheless informative. Banks are the storehouses and conduits for the majority of the world’s wealth, so criminals will always want to breach their walls, whether they are made of concrete or code.

“The banking sector is definitely being targeted,” says Andrew Beckett, managing director and EMEA cyber risk practice leader at corporate investigation and risk consulting company Kroll. “What Sutton said is still true. The biggest cybersecurity breach of a bank that I am aware of would have netted, if successful, $1bn.

“The attack involved substituting SWIFT codes, which are used to send money internationally, but the error in the code was spotted, so the criminals only got away with $73m,” he continues.

Beckett often uses the story of Slick Willie to impress upon banks the need to adapt to new threats as they evolve. Sutton used a shotgun to hold up banks, while the cybercriminals of today have a very different arsenal of virtual weapons – but their goal is exactly the same. Sutton may have been prolific, but today’s organised crime gangs would put him to shame. Imagine an army of automated Slick Willie clones sawing off their virtual shotguns and donning their disguises.

“We are regularly contacted by banks that are being targetted,” Beckett remarks. “It is routine to attack the SWIFT transfer system and divert funds. It can be as simple as changing bank account details so that an invoice payment is sent to a new account. Those kinds of details might not be checked before a transfer of funds is made because the transactions occur so frequently.”

A large sum sent to a casino account and cashed out – given that withdrawals of $1m or more are not uncommon in these circumstances – could deliver a big payday to a criminal gang and be complete before it was even noticed.

Know your enemy

There is much talk about the move to a cashless society and, while that reality remains some way off, parts of the world are moving towards it. Sweden is often cited as the country closest to being cashless, but during the ongoing Covid-19 pandemic there has been a significant push towards contactless payment across the world.

As cards or virtual wallets on mobile devices become the preferred methods of payment for many retailers, and as more people choose to do their banking online, theft is less about stealing bundles of notes and more about redirecting digital codes that represent value and assign money to an owner.

In this new reality, it is more important than ever to know who you are dealing in the digital world. Slick Willie was also known as ‘Willie the Actor’ as he was known for successfully using disguises in his robberies. In this sense he bears some similarities to today’s cybercriminals, who often go undetected because they are able to adopt another’s identity – perhaps by compromising their security information and using their login details to get past a firewall, or by sending a phishing email that appears to be from a bank, a utility or another trusted business.

This means that cybersecurity is an issue not only for banks themselves, but also for their customers – both individuals and businesses – whose accounts represent doors in a bank’s firewalls. One open door can result in a major attack on one or a few accounts, or it could lead to multiple small security breaches across many accounts, the latter being less obvious. With the help of consultants such as Kroll, however, that suspicious activity can be detected and preventative measures put in place.

Banks are fully aware that customers’ login details and security information can be compromised. Phishing attacks are so common because they work. Banks, therefore, know that some activity will be fraudulent, so it is necessary to monitor transactions closely and put controls in place.

These security measures, which begin with verifying customers’ identities, must be sufficient to deter fraud, but too many steps in that process can be intrusive and time consuming. With online banking, for instance, customers want the process to be secure but also quick and convenient.

“In the digital banking world, banks are very focused on security,” says Beckett. “I am happy with my bank’s online security procedures, which is not true of many other online services and apps that we are encouraged to download. Most banks have the right balance of anti-fraud measures and convenience for the customer.

A rational view of risk

The banking industry has a good track record in terms of cybersecurity, though that does not mean that breaches do not happen. It means that the threats are minimised and the response to fraud is robust. Nevertheless, risks are constantly evolving, so security controls must stay in step and remain consistent across large organisations.

“We are not seeing the same level of risk assessment across the industry,” Beckett remarks. “Customer confidence is dependent on how safe their money is. Online banking reduces cost, but it requires proper risk assessment.” “The balance is between financial loss, customer confidence and proper risk controls,” he adds. “Generally, the banking industry has that balance about right.”

Kroll is a consultancy that delivers end-to-end cyber risk solutions worldwide, and a significant proportion of its work is in the banking sector. The nature of that work is often different to the work the company does in other industry sectors, as many banks have taken control of their cyber strategy and made a proper assessment of the risks and countermeasures.

Where Kroll does envisage a growing amount of work in the banking sector is in formulating cybersecurity strategy. The response to security breaches and incidents of fraud is often handled internally, as banks usually have the resources and expertise to identify fraudulent activity and limit its impact. Kroll can be of more value in the defensive side of the equation, understanding the long-term evolution of vulnerabilities and threats.

During the lockdown period, Kroll observed that there was a rise in ransomware – malware installed on enterprise systems that demands payment in return for unlocking access to important data – and in business email compromise, where users’ details are obtained, giving criminals access to internal systems.

Kroll can help to identify such trends and advise banks on the implementation of a uniform strategy across multiple jurisdictions and business divisions. This is vital, as banks are often large, complex, multi-faceted and global organisations.

“It is now easier than ever to set controls from the top down across a global organisation, especially when it comes to cybersecurity,” Beckett observes. “So, the complexity of an organisation is not as much of a problem as it might seem. It is far less complicated to put in place cybersecurity controls than it is to set controls for physical security.

“Cybersecurity measures can be implemented seamlessly and rolled out across a large organisation very quickly,” he concludes.

Today’s Slick Willie is the blackhat hacker or the tech-savvy organised crime gang, so armed guards and silent alarms have become the firewalls and the fraud detection algorithms. While banks understand this, they are still the repositories of wealth, so they will continue to be the target of new kinds of attack. Their approach to balancing cost and risk will not only determine their own performance, but also set the standards for other industries.