APWG Issues Second Quarter 2021 Phishing Activity Trends Report

In the field of cybercrime, one of the oldest and simplest, and still one of the most effective, cyberattack methods is phishing: i.e., engaging in fraudulent solicitations via emails or websites to acquire access to victims’ computers and data.  In 2020, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received 241,342 reports from victims of phishing and phishing variants – by far the largest number of victim reports filed with the IC3 in 2020.

On September 22, the APWG (formerly the Anti-Phishing Working Group) issued its Phishing Activity Trends Report for the second quarter of 2021.  Key findings in the report included the following:

  • General Phishing Trends: After approximately doubling from mid-2020 to mid-2021, the amount of phishing remained “at a steady but high level” in Q2 2021.  APWG saw 222,127 attacks in June 2021, which was the third-worst month in APWG’s reporting history.
  • Most Affected Sectors: Phishing cyberattackers most frequently victimized the financial institution and social media sectors in Q2 2021.  The financial sector accounted for 29.2 percent of all attacks – a 30 percent increase from 22.5 percent of all attacks in 4Q 2020 – while the social media sector accounted for 14.8 percent and the payment sector for 12.2 percent of all 2Q 2021 attacks.  Phishing against cryptocurrency targets, such as cryptocurrency exchanges and wallet providers, increased substantially in 2021, from just 2 percent of all attacks in Q1 2021 to 7.5 percent in Q2 2021.
  • Business Email Compromise Schemes (BEC): A BEC can be defined as a response-based “spear phishing” attack that involves the impersonation of a trusted party (such as a company executive or vendor) to deceive a victim into conducting a financial transaction or sending sensitive materials.  According to the APWG report, the average amount requested in wire transfer BEC attacks in Q2 2021 was $106,000 – a 140 percent increase from the average $75,000 in Q4 2020 BEC attacks.  The APWG attributed this increase to “both a rise in high-dollar transfer requests (20 percent of attacks requested more than $100,000 in Q2 compared to just 10 percent in Q1), as well as a decrease in lower-dollar requests.”
  • BEC Finance Attacks:  In addition, there was a substantial resurgence in BEC attacks directed at payroll diversion in Q2 2021. 24 percent of all BEC attacks reportedly tried to divert employee payroll deposits. That percentage “surpassed wire transfer BEC attacks for the first time since September 2019.”
  • Use of Encryption to Deceive Victims: In Q2 2021, 82 percent of phishing websites were protected by Secure Sockets Layer (SSL/TLS) encryption – only a slight decline from Q1 2021.  Cyberattackers’ use of encryption technology is directed solely at making their sites appear more legitimate to prospective victims: the browser padlock indicates only that the connection is encrypted, not that the site behind it is genuine.

Information security and compliance officers in companies and government agencies should disseminate this APWG Report to appropriate members of their teams, and convey selected data from the Report to other senior officials in their respective enterprises.  At a time when many executives have asserted that the COVID-19 pandemic forced their organizations to bypass cybersecurity processes, it is important that Chief Information Security Officers keep them informed about key cybercrime trends and the need to bolster cyberdefenses.

Saudi Arabian Prosecution Service: Failure to Give Required Vaccines to Children Under 18 Is Abuse

One of the more hotly debated issues, in the global welter of reporting (and misinformation) about COVID-19 vaccines, is whether children below the age of majority should be given the COVID-19 vaccine.  Even as infection from the Delta variant is surging among children in multiple countries, a Kaiser Family Foundation poll recently calculated that approximately half of parents are holding off on COVID vaccinations for their children and found “significant opposition to schools mandating the vaccines for children ages 12-17.”

In the midst of this global debate, the Saudi Arabian Public Prosecution Service (PPS) has taken an exceptionally bold step to ensure that children receive all required vaccinations, including COVID.  According to Arab News, the PPS has declared that every child under age 18 “has the right to be vaccinated against diseases and failure to do so amounts to abuse.”   This statement is firmly based in Saudi law.

Under Article 1 of Saudi Arabia’s Child Protection System, any failure to provide a child’s “basic needs or failure to do so, including: physical, health, emotional, psychological, educational, intellectual, social, cultural and security needs” is considered neglect.  The Child Protection System also provides that a child must be provided with vaccines “as specified by the relevant health authorities and in accordance with the scheduled dates and periods prescribed in this regard.”  Under Article 3/3 of the Child Protection System, not completing a child’s required health vaccinations is considered abuse or neglect.

Moreover, Article 18 of the Child Protection System directs the relevant authorities to take “all appropriate measures” for “[p]revention of infectious and dangerous diseases of the child” and “[s]upporting the school health system to play its full role in the field of prevention and health guidance.”  In that regard, the Saudi government has previously directed that only fully vaccinated students could return to the classroom when the new school year begins at the end of August.

Under Saudi law, providing vaccinations to a child is the duty of the child’s father or guardian, and authorities “are obliged to create a medical file for every child to register the required vaccinations and the development of his or her health conditions.”  In addition, school health or substitute health authorities are required, at least annually, to conduct periodic medical checkups for school students throughout pre-university education levels.

This announcement by the PPS is not surprising, in light of the global surge of the Delta variant and the fact that only 30 percent of Saudi Arabia’s population has received full COVID vaccination.  Nonetheless, few countries are likely to take as strong a position on child COVID vaccination as Saudi Arabia has – at least until after clinical trials, perhaps this fall, further establish that children can safely be vaccinated and health authorities can establish how great a risk COVID continues to pose to children.

UK Financial Reporting Council Reports Increases in Investigations and Enforcement Division

Over the past year, the United Kingdom Financial Reporting Council (FRC) has been showing substantial vigor in its efforts to oversee auditors, accountants, and actuaries.  In addition to the widely publicized £15 million fine against Deloitte and sanctioning of two former Deloitte partners in relation to Deloitte’s audit of Autonomy Corporation’s financial reporting, the FRC has been seeking a joint-record £15 million fine against another leading audit firm, KPMG, relating to KPMG’s role in the sale of mattress company Silentnight and recently declared, in its annual audit quality inspection results, that nearly one-third of audits that it inspected “still require improvement.”

The FRC’s Annual Enforcement Review 2021, published July 29, provides a detailed review of the FRC’s commitment to increased enforcement.  The Review noted that the FRC had opened more investigations in the past year than in the previous two years combined, had more open investigations/enforcement actions at year end than a year earlier, and had grown its Enforcement Division by 44 percent.  In particular, it stated that the FRC had opened 95 cases in the preceding year (compared to 88 in 2019/20 and 46 in 2018/19), and closed 103 cases in the preceding year (compared to 83 in 2019/20 and 53 in 2018/19).

The Review also reported on a number of misconduct-related “themes” that it identified from concluded investigations of accountants over the past six years:

  • Accountants’ fraudulent use of company funds;
  • Misleading financial reporting (e.g., fabrication of revenue streams, wrongly recognizing revenue, premature recognition of revenue, inappropriate capitalization of costs, failure to account appropriately for bad debts, and inappropriate categorization of liabilities as operational rather than financial);
  • “[I]ncorrect and sometimes reckless work” by management on goodwill; and
  • Management misleading auditors, for example by withholding key information and even providing false documents.

Chief Compliance Officers in United Kingdom accounting, auditing, and actuarial firms should peruse the Review, and use specific examples of firm and individual misconduct cited in the Review in their internal briefings and training materials.  While the future leadership of the FRC has yet to be determined, firms should expect that the FRC will remain vigorous in its enforcement work as it moves toward transformation into a still more robust and independent regulator, the Audit, Reporting and Governance Authority (ARGA).

UK Competition and Markets Authority Fines Two Drug Companies More Than £260 Million for Drug Overcharging and Market-Sharing Practices

Since 2017, the United Kingdom (UK) Competition and Markets Authority (CMA) has been investigating the UK pharmaceutical sector for possible anticompetitive agreements and concerted practices in relation to pharmaceutical products.  A recent action by the CMA provides some clarity regarding the CMA’s core concerns under the Competition Act 1998 (CA98).

On July 16, the CMA announced that it had imposed fines totaling more than £260 million on two UK pharma firms, Auden Mckenzie and Actavis UK (now Accord-UK) for two sets of CA98 violations.  First, the CMA reported that both firms had charged the National Health Service (NHS) “excessively high prices for hydrocortisone tablets for almost a decade.”  Accord-UK (and, for their respective ownership periods, its parent companies Intas and Accord and its former parent firm Allergan) were fined £155 million for charging the NHS excessive and unfair prices for hydrocortisone tablets for nearly 10 years, from 2008 to 2018.  Although Auden Mckenzie sold hydrocortisone tablets from 2008 to 2015, the CMA stated that Actavis UK (now Accord-UK) took over the business in 2015 “and is held liable for Auden Mckenzie’s conduct before that date.”

The CMA found that Auden Mckenzie and Actavis UK increased the price of 10mg and 20mg hydrocortisone tablets by more than 10,000 percent, compared to the original branded version of hydrocortisone, which the drug’s previous owner sold prior to April 2008.  As a result, the amount that the NHS had to pay for a single pack of 10mg hydrocortisone tablets rose from 70p in April 2008 to £88.00 by March 2016, and for a single pack of 20mg hydrocortisone tablets rose from £1.07 to £102.74 per pack over the same period.  Even after competitors entered the market and prices fell gradually, “Actavis UK continued to charge high prices and higher prices than its rivals.”

The financial impact on the NHS (and, by extension, UK taxpayers) “was significant. Before April 2008, the NHS was spending approximately £500,000 a year on hydrocortisone tablets. This had risen to over £80 million by 2016.”

These actions, in the CMA’s view, violated Chapter I of the CA98, which prohibits anti-competitive agreements and concerted practices between businesses that have as their object or effect the prevention, restriction, or distortion of competition within the United Kingdom.

Second, the CMA fined Accord-UK and Allergan (as former parent) an additional £66 million for paying two would-be competitors to stay out of the market.  According to the CMA,

“Auden Mckenzie paid pharmaceutical companies Waymade and AMCo (now known as Advanz Pharma) not to enter the market with their own generic versions of hydrocortisone tablets. Waymade was set to enter with 10mg and 20mg versions and AMCo with a 10mg version. In exchange for staying out of the market, Auden Mckenzie paid the companies on a monthly basis – paying AMCo £21 million and Waymade £1.8 million in total over the duration of the relevant agreement. After taking over sales of hydrocortisone tablets in 2015, Actavis UK continued to pay off AMCo.”

The CMA also fined Advanz and its former parent Cinven a total of £43 million, and Waymade £2.5 million.

These actions, in the CMA’s view, violated Chapter II of the CA98, which prohibits the abuse of a dominant position by one or more companies which may affect trade within the United Kingdom or a part of it.

In its announcement, the CMA did not specify how it had calculated the fines.  Under the CA98, the CMA may impose a financial penalty on any business found to have infringed either the Chapter I or Chapter II provisions of up to 10 percent of its annual worldwide group turnover.  In these cases, the CMA explained only that “[i]n calculating financial penalties, the CMA takes into account a number of factors including seriousness of the infringement(s), turnover in the relevant market and any mitigating and/or aggravating factors.”

Antitrust and competition law compliance teams at pharmaceutical firms – not only in the United Kingdom – should include the details of these CMA actions in briefings to senior executives and in internal training sessions.  While pharma firms have often sought to blame the high costs of drugs on “middlemen”, future actions such as those highlighted in the CMA’s decision are certain to attract the attention of competition enforcement agencies.

London Metropolitan Police Seize Nearly £180 Million In Cryptocurrency

For many cybercriminals, it has been an article of faith that Bitcoin is preferable to conventional currency in obtaining fraudulent or extortionate payments because Bitcoin is untraceable.  In recent weeks, however, law enforcement authorities in the United States and the United Kingdom have demonstrated that Bitcoin transactions, though pseudonymous while making their way through the blockchain, are indeed traceable.

On June 8, the U.S. Department of Justice announced that it had seized 63.7 bitcoins, valued at more than $2.3 million, that were part of the ransom that Colonial Pipeline paid to its ransomware attackers.  Shortly thereafter, on June 24, the London Metropolitan Police (Met) announced that it had seized £114 million – then the largest cryptocurrency seizure in the United Kingdom – in connection with an international money laundering investigation.

On July 13, the Met announced that it had set a new record for UK cryptocurrency seizures, with the seizure of nearly £180 million.  The Met indicated that this seizure was connected with the same investigation in which the £114 million seizure took place.  The focus and direction of that investigation are still unclear.  The Met reported, however, that a woman who had been arrested in connection with the £114 million seizure was “interviewed under caution” in relation to the discovery of the £180 million of cryptocurrency that was seized.

These incidents are significant accomplishments for law enforcement.  They may also be, for more astute cybercriminal organizations, a signal that they need to change their money laundering strategies.  Law enforcement, as well as anti-money laundering teams at financial institutions, will need to watch for such changes, which may include switching to other widely recognized cryptocurrencies, more rapid extraction of funds from the blockchain, greater use of financial institutions in higher-risk jurisdictions to do so, and tighter controls over the criminals’ private keys.  In the meantime, law enforcement should take full advantage of the techniques it has developed to pursue crypto-related money laundering on a broader front.