APWG Issues 4Q 2018 Report on Phishing Trends

On March 4, APWG (formerly the Anti-Phishing Working Group) released its report on phishing trends for the fourth quarter of 2018.  The report included the following key trends and developments:

  • Phishing Sites: In Q4, APWG detected 138,328 phishing sites. This continued the steady decline in phishing sites over Q1 (263,538), Q2 (233,040), and Q3 (151,014), and amounts to only 52 percent of the Q1 total.  As was the case in Q3, APWG members still detected an increased number of redirectors before the phishing landing page, and after the victim submitted his or her data, “in an effort to obfuscate phishing URLs from detection.”
  • Phishing Reports: In Q4, 239,910 phishing reports were submitted to APWG, slightly lower overall than Q2 (262,704) and Q3 (264,483).
  • Most-Targeted Industry Sectors: According to MarkMonitor data, phishing that targeted software as a service (SaaS) and Webmail services’ brands increased dramatically, from 20.1 percent of all attacks in Q3 to nearly 30 percent in Q4. In contrast, attacks against cloud storage and file hosting sites continued to decrease, from 11.3 percent of all attacks in Q1 to 4 percent in Q4.
  • Use of Domain Names for Phishing: 6,718 confirmed phishing URLs reported to APWG in Q4 were hosted on 4,485 unique second-level domains.  The highest-ranked Top Level Domain (TLD) used for phishing was the legacy global TLD .com, which accounted for 2,098 unique domains used for phishing.
  • Use of HTTPS Encryption Protocol: APWG contributor PhishLabs found that in 4Q, for the first time since it began measuring use of the HTTPS encryption protocol by phishing sites, the number of phishing sites protected by HTTPS fell slightly to 47 percent of all phishing sites. That 47 percent, however, is still the second-highest percentage (other than 3Q 2018) since Q1 2015.
  • Phishing Kits with “Black Friday” Theme: In November 2018, Brazil-based firm Axur saw phishing kits being sold with a Black Friday [November 23, 2018] theme. Phishing kits are software packages that allow a phisher to set up phishing sites, send out spam messages to lure in victims, collect the data from the victims, and perform other tasks. This kind of phishing is very popular in Brazil during the week preceding Black Friday and it affects the country’s main e-commerce companies.

Note: Chief Information Security Officers (CISOs) and Chief Compliance Officers (CCOs) should share this information with their respective teams.  Because cybercrime techniques change so quickly, information that identifies critical trends affecting particular business sectors needs to be disseminated quickly as well.
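The domain and HTTPS figures above are the kind of tallies a security team can reproduce over its own phishing feed. The following Python is an added example, not code from APWG or any of its contributors: it reduces each reported URL to its second-level domain, counts unique domains and the most-used TLD, and computes the share of URLs served over HTTPS. The URL list is constructed sample data (placeholder hostnames, not real indicators), and the domain reduction is a naive "last two labels" rule; a production version would consult the Public Suffix List so that names under suffixes such as co.uk are counted correctly.

```python
"""Tally a phishing-URL feed by second-level domain, TLD and HTTPS use.

Added example (not part of the APWG report). Input is a constructed list
of placeholder URLs; in practice this would be a confirmed-phishing feed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample feed -- placeholder hostnames, not real IoCs.
SAMPLE_URLS = [
    "https://login-example-one.com/secure/verify",
    "https://login-example-one.com/secure/verify?session=2",  # same domain, second URL
    "http://mail-example-two.com/index.php",
    "https://docs-example-three.net/share",
    "http://files-example-four.org/dl",
    "https://sub.login-example-five.com/auth",  # subdomain collapses to its SLD
]


def second_level_domain(url: str) -> str:
    """Return the host reduced to its last two labels.

    Naive on purpose: it does not know multi-label public suffixes
    (e.g. co.uk). Swap in a Public Suffix List lookup for real feeds.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def summarize(urls):
    """Compute the report-style figures for a list of phishing URLs."""
    domains = {second_level_domain(u) for u in urls}
    tld_counts = Counter(d.rsplit(".", 1)[-1] for d in domains)
    https_count = sum(1 for u in urls if urlsplit(u).scheme == "https")
    return {
        "urls": len(urls),
        "unique_domains": len(domains),
        # (tld, number of unique domains under it), mirroring the .com figure
        "top_tld": tld_counts.most_common(1)[0],
        # share of URLs served over HTTPS, rounded to two places
        "https_share": round(https_count / len(urls), 2),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

On the constructed feed this yields 6 URLs on 5 unique second-level domains, .com as the top TLD with 3 domains, and an HTTPS share of 0.67. Counting TLDs over unique domains rather than over URLs matters: a single heavily reported domain would otherwise dominate the TLD ranking.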

Revolut Faces Financial Conduct Authority Inquiry Into Sanctions Compliance Controls and Belatedly Acknowledges CFO Resignation

Within the past week, The Telegraph published several articles reporting on two issues involving compliance and governance at digital bank startup Revolut Ltd.  First, on February 28, it reported that the London-based firm, which offers a variety of retail financial-services products through its app, had failed “to block thousands of potentially suspicious transactions on its platform, due to Revolut’s switching off an automated system designed to stop dubious money transfers” between July and September 2018.  The report speculated that “thousands of illegal transactions may have passed through [Revolut’s] system” during that period.

On March 1, The Telegraph stated that Revolut launched an internal investigation in late 2018 after a whistleblower contacted its board about “serious issues with its sanctions screening system.”  It reported that Revolut’s head of legal drafted a letter to the FCA that detailed the change, but that “a decision was made internally not to send the document.”

On March 1, the Financial Conduct Authority acknowledged that it had been in contact with Revolut “to understand and assess the issues” that the Telegraph reporting raised. It further stated that it “expects all firms to have appropriate systems and controls in place at all times to monitor and counter the risk their services are abused for financial crime.”  A Revolut spokesman stated that “the company investigated after a whistleblower went to Revolut’s board with concerns that the sanctions compliance system had been turned off.”

Second, on March 1, The Telegraph reported that Peter O’Higgins, Revolut’s Chief Financial Officer, had resigned from the company in January 2019.  It said that Revolut confirmed that O’Higgins, an experienced financial-services executive who had been at Revolut since 2016, “quit the company at the start of the year.”  A Revolut spokesman separately responded that O’Higgins had left the company, but asserted that “there is no relation whatsoever to the compliance issue suggested by The Telegraph.”

The founder and Chief Executive Officer, Nik Storonsky, responded with a blog post, entitled “Let me set the record straight,” on both the compliance-controls issue and O’Higgins’s resignation.  On the compliance issue, Storonsky characterized The Telegraph’s reporting as “some misleading information in the media relating to our compliance function.”  He explained that in July 2018

we rolled out a more advanced sanctions screening system in parallel with our existing controls. Like any other technology company, we’re always looking to improve our systems.

During the initial testing stage of these new systems, we decided that they were not calibrated to a standard that we would expect, so we therefore decided to temporarily revert to our existing controls, while we continued to enhance the new systems. In our view, the new systems were imprecise and were resulting in too many false positive cases, which in turn resulted in an increase in customer dissatisfaction.

He also stated that

[a]t no point during this time did we fail to meet our legal or regulatory requirements. We conducted a thorough review of all transactions that were processed during this time, which confirmed that there were no breaches. Unfortunately, this fact was not included in the original news story. This roll-out did not result in a breach of any sanctions or money laundering laws and requirements – so we did not send a formal notification to the regulator.

With regard to O’Higgins’s resignation, Storonsky explained that O’Higgins’s decision to resign was unfortunately “caught up” in the media coverage on the compliance issue:

Any suggestion that Peter’s resignation is in any way, shape or form connected to this roll-out is utterly false and damaging. Peter has since expressed to me that he has been hurt by this suggestion and sad that his departure has been tainted in this way.

In reality, Peter has decided to step down on the basis that he feels that the business will require someone with global retail banking experience as we prepare to apply to become a licensed bank in multiple jurisdictions.

Storonsky added that the Revolut team “will be sad to see Peter go,” but respect his decision to step down, and expressed his gratitude to O’Higgins “for his commitment, enthusiasm and accomplishments” over his three-year tenure.

Note: These reports are the latest in a spate of unwelcome publicity for Revolut in the past month.  On February 8, Revolut admitted that in its series of London Underground ads, precise data in the text about the spending habits of users of its app were “just made up.”  On February 28, Wired reported, based in part on interviews with former company staff, that Revolut’s dramatic growth “has come at a high human cost – with unpaid work, unachievable targets, and high-staff turnover.”

As of this writing, the FCA has not made any determination about whether Revolut’s changeover of its sanctions compliance system last year involved a compliance breakdown.  At a minimum, other companies should treat this situation as a reminder that whenever they need to revise or test any compliance system that requires constant screening of specific financial transactions, such as anti-money laundering or sanctions screening, they must be certain that they do not lose transaction data or fail to review those data in a timely manner, so that prohibited transactions are not processed.

In his post, Storonsky wrote that although they reverted to their existing controls for a time, they “conducted a thorough review of all transactions that were processed during this time” and found no breaches.  Storonsky, however, did not specify how promptly that review occurred.  Even if the facts bear out Storonsky’s statement that they found no breaches, the FCA will undoubtedly want to determine whether there were significant delays in that review that could have allowed prohibited transactions to clear through Revolut’s app.

Storonsky’s statements about O’Higgins’s resignation also warrant a closer look.  At several points in his post, he used conditional, perfect, and future tenses to refer to that action (emphasis supplied):

  • “Yesterday, it was reported that my friend, Peter O’Higgins, would be stepping down as our Chief Financial Officer . . . .”
  • “ . . . Peter has decided to step down on the basis . . . .”
  • “ . . . myself and the wider team will be sad to see Peter go . . . .”

If, as The Telegraph reported, O’Higgins quit Revolut at the start of 2019, these statements by Storonsky are needlessly misleading.  Regardless of the reasons for a senior executive’s departure, if an executive has in fact left, the company needs to inform the public (and potentially regulators) promptly that he or she has departed, and not to imply that the departure is a future event.  For Revolut to fail to report a C-level executive’s departure for a month or more, then to issue statements by its CEO that suggest the executive has not yet done so, can only invite additional scrutiny from regulators.

European Banking Authority Opens Investigation into Estonian and Danish Financial Services Authorities Relating to Danske Bank

On February 19, the European Banking Authority (EBA) announced that on February 18, it had opened a formal investigation into a possible breach of European Union (EU) law “by the Estonian Financial Services Authority (Finantsinspektsioon) and the Danish Financial Services Authority (Finanstilsynet) in connection with money laundering activities linked to Danske Bank and its Estonian branch in particular.”

This announcement is the second step in a process that began with a September 21, 2018 letter from Tiina Astola, Director-General of the European Commission (EC) Directorate-General Justice and Consumers, to Andrea Enria, then EBA Chairman.  In her letter, Director-General Astola took note of Danske Bank’s September 19, 2018 release of the report of its internal investigation into money-laundering activities through its Estonian branch.  In that regard, she referred to provisions of the EU’s Fourth Anti-Money Laundering Directive, including Article 48.  Article 48 directs EU Member States, in pertinent part, to “require the competent authorities to monitor effectively, and to take the measures necessary to ensure, compliance with this Directive,” and “ensure that the competent authorities have adequate powers, including the power to compel the production of any information that is relevant to monitoring compliance and perform checks, and have adequate financial, human and technical resources to perform their functions.”

Director-General Astola then addressed three principal concerns:

  1. Finantsinspektsioon: Astola raised questions regarding the extent and depth of Finantsinspektsioon’s inspections of the Estonian branch’s anti-money laundering (AML) compliance, and whether “sanctions were applied in an appropriate way”;
  2. Finanstilsynet: Astola stated that “[t]he actions of the Danish [AML] supervisor, as the one responsible for the compliance with group-wide AML/CFT policies and procedures remain unclear and raise questions as to whether the Danish supervisor carried out effective supervision of the Danske Bank group.”
  3. Finantsinspektsioon-Finanstilsynet Information Exchange: Astola remarked that Finantsinspektsioon “notified their Danish counterparts of the exposure of Danske Bank’s branch to non-resident deposits,” and questioned “whether the exchange of information between the two supervisors was adequate and relevant, given that the AML problems at the Danske Bank Estonian branch did not relate only to non-resident deposits.”

Accordingly, Astola requested that the EBA “investigate this possible breach or non-application of Union law both by the Estonian as well as the Danish supervisors.”

Under Article 17 of the EBA’s founding regulation, Regulation (EU) No 1093/2010 (as amended), upon request of one or more “competent authorities” (e.g., national financial supervisory agencies), “the European Parliament, the Council, the Commission or the Banking Stakeholder Group, or on its own initiative, and after having informed the competent authority concerned, the [EBA] may investigate the alleged breach or non-application of Union law.”  Each competent authority in question must provide the EBA, “without delay, . . . with all information which the [EBA] considers necessary for its investigation.”  The EBA “may, not later than 2 months from initiating its investigation, address a recommendation to the competent authority concerned setting out the action necessary to comply with Union law.”  Thereafter, the competent authority has only 10 working days from receipt of the EBA’s recommendation to inform the EBA “of the steps it has taken or intends to take to ensure compliance with Union law.”

On the basis of its preliminary inquiries into both competent authorities, the EBA notified the EC on February 18 that it had opened a formal Breach of Union Law Investigation under Article 17.

Note: The EBA’s investigation represents a new escalation of the scrutiny to which authorities are subjecting the actions relating to the Estonian branch’s massive channeling of apparently laundered funds.  While criminal authorities in Europe and the United States are already conducting criminal investigations of Danske Bank, the EBA’s action indicates that the EU, with EC support, is preparing to hold national AML regulators accountable for their failure to conduct adequate supervision of Danske Bank.

Given the two-month timeframe for the EBA’s recommendations to Finantsinspektsioon and Finanstilsynet and the 10-day timeframe for their responses, Danske Bank watchers can expect significant next steps to be announced by the latter part of April and early May.  Depending on the degree of severity of its findings, the EBA’s recommendations could implicate not only the two financial services authorities, but by extension their respective national governments if the EBA concludes that the competent authorities lacked adequate powers and resources to do their jobs effectively.

Decline in United Kingdom Prosecutions Bodes Poorly for Fraud Enforcement

On February 21, the United Kingdom Ministry of Justice published its Criminal Justice Statistics quarterly report for England and Wales for the year ending September 2018.  The report stated that while the conviction ratio for court prosecutions increased to 87 percent – the highest such ratio in a decade – the total number of defendants prosecuted fell 4 percent to 1.37 million.

The report also observed that the 4 percent decline in overall prosecutions (compared to the preceding year ending September 2017)

is primarily driven by a 12% decrease in defendants prosecuted for indictable offences, continuing the downward trend seen since 2011. Compared to the previous year, there have been decreases in prosecutions for all indictable offence groups except possession of weapons, where there was a 2% increase.

It also reported that 1.19 million offenders were convicted during the 2017-2018 reporting period, reflecting a 3 percent fall from the previous year.  It noted that “[a]s with prosecutions, this decrease is driven by a fall in convictions for indictable and summary motoring offences (down 12% and 2% respectively) and there have been decreases in convictions for all indictable offences apart from possession of weapons, which continue to show an increasing trend.”

What this report does not clearly state is that, as The Times reported, “the number of suspects dealt with [via prosecution] fell to its lowest since records began almost 50 years ago,” while “recorded crime in England and Wales rose by more than 8 per cent to 5 million offences in the same period.”  It also does not make clear the practical consequences of rigid and sustained dedication to austerity.

Last October, the then-outgoing head of the Crown Prosecution Service (CPS), Alison Saunders, said that “the CPS and police were failing to investigate thousands of cases efficiently – from rape to fraud to modern slavery – and were critically short of the skills and resources required to combat crime.”  In particular, she noted that she “had to lose a third of her workforce as a result of funding cuts of more than 25%.”

Such drastic and sustained reductions in force cannot help but diminish the quantity and complexity of fraud cases that prosecutors can bring.  According to data that the auditing and consulting firm BDO gathered, in 2018 only 525 reported cases for fraud exceeding £50,000 were brought in the United Kingdom – a decrease from 577 in 2017.  A BDO executive characterized that 2018 total as “the tip of the iceberg . . . Cases are rarely being brought against individuals for fraud.  Given the amount of frauds we see out there, the amount of prosecutions at a corporate and individual level is tiny.”

In 2018, the United Kingdom Parliament’s Home Affairs Committee issued a report declaring the proportion of fraud cases investigated “shockingly low,” in comparison to the calculated total of 1.7 million offenses a year, adding: “It appears highly unlikely that more than one in 200 victims ever sees their perpetrator convicted.”  The likely effects of this continuing drain of prosecutive capacity include not only a general decline in public confidence about the criminal justice system, but a risk of high-value complex fraud, as the BDO executive opined, “increasingly being dealt with ‘outside the judicial system’ as companies attempted to avoid reputational damage.”

At a time when large-scale external or internal fraud schemes can involve a billion pounds or more, regulators, as important as their work is, should not be expected to be the sole public authority to protect the public as well as the public fisc.  Criminal prosecutors and regulatory enforcers can work effectively and in close coordination to meet those critical needs – but only if they are adequately resourced to do so.

U.S. Department of Justice Repatriates Millions in Kleptocrat-Stolen Assets to Kyrgyz Republic

On February 26, the U.S. Department of Justice announced that it would be repatriating a total of $6 million to the Kyrgyz Republic related to the corruption and theft of government funds by the family of former Kyrgyz President Kurmanbek Bakiyev, including Bakiyev’s son Maxim Bakiyev.  To mark the successful cooperation of both countries in the repatriation, senior Kyrgyz Finance Ministry and U.S. Department of State officials participated in a joint public event.

The repatriation stemmed from a $6 million forfeiture order entered in a successful money-laundering prosecution in the U.S. District Court for the Eastern District of New York.  In October 2018, the Department of Justice granted a Petition for Remission that the Kyrgyz government had filed with the Department’s Money Laundering and Asset Recovery Section (MLARS).  The Kyrgyz government asserted that the funds subject to the forfeiture order “traced back to monies stolen by Maxim Bakiyev from Kyrgyz state authorities and other banking institutions.”  Prosecutors in MLARS’s Kleptocracy Asset Recovery Initiative assisted in the investigation that connected these funds to the corruption offenses in Kyrgyzstan.

As of February 26, the Department of Justice stated, approximately $4.5 million of the funds had been collected and would be available for repatriation to the account of the Kyrgyz government.  It also said that both the U.S. and Kyrgyz governments would make additional efforts “to try to locate and return the remainder of the stolen assets in the forfeiture order.”

The Department of Justice also reported that the repatriated assets would “be used for the benefit of the Kyrgyz people, with a focus on social projects and anti-corruption and transparency.”  Those projects reportedly include:

  • Healthcare: “Improving public access of the rural population to the healthcare system by buying and installing medical equipment (X-ray, diagnostics equipment, etc.) for regional hospitals to deliver better medical services to the rural area population”;
  • Water: “Construction of water supply facilities in order to expand access to clean drinking water for the rural population through upgrades of drinking water systems and expansion of the scope of ongoing construction of large-scale water supply facilities (water pipes, water pumps, water purification facilities) currently under way with financial support of the World Bank and other International Financial Institutions;” and
  • Anti-Corruption: “Strengthening Kyrgyz institutions responsible for anti-corruption programs and promoting the transparency of court proceedings and financial integrity of state organs, including the purchase and installation of audio and video equipment for projects in district courthouses to increase transparency and public control in the justice sector.”

Note: This case marks another significant (if comparatively small) success in international cooperation to locate and repatriate assets stolen by kleptocratic regimes.  In contrast to some other countries with high bribery and corruption risks, such as Equatorial Guinea, where the prospects of repatriated funds being used for the benefit of the general population are vanishingly small, the Kyrgyz Republic, despite its low ranking in the current Corruption Perceptions Index (132nd out of 180 countries), appears to represent a genuine opportunity for repatriated funds to meet everyday needs of Kyrgyz residents.

The Justice Department announcement does not specify how the use of the repatriated funds to support the announced projects will be monitored and audited.  Organizations and experts focused on anti-corruption and kleptocracy issues should therefore make a sustained effort to track and report publicly on what happens with these funds, and how successfully these funds have been used to support the identified projects.  More countries are likely to join in efforts to find and repatriate kleptocrats’ assets if they have confidence that recipient countries’ mechanisms for using repatriated funds for public benefit are both transparent and effective.