How the dark web is making fraud easier
Professional Insights
AICPA logo
AICPA logo
  • Home
hooded figure sitting behind laptop with face not visible
Professional Insights

How the dark web is making fraud easier

3 years ago · 3 min read

This hidden criminal marketplace amplifies fraud risk for finance departments the world over.

The dark web is widely discussed and often poorly understood. However, no matter how widespread the misconceptions and hype surrounding the dark web are, finance professionals need to pay close attention to the significant risk it poses to their work and livelihoods.

Put simply, the dark web is the part of the internet that is not indexed by search engines and reachable only via special browsers. To access the dark web, users need special software that unlocks those hidden sites while also masking their identities, activities, and locations.

While popular imagination and media hype often portray the dark web as a vile den of depravity, the truth is often more banal, yet more dangerous for businesses, governments and others. The dark web is smaller and less coordinated than it would seem by the hype surrounding it; Massachusetts-based cybersecurity research firm Recorded Future found only 8,400 active dark web domains in a recent report and added that most of those were disorganized and unreliable.”

Not every anonymous user on the dark web is a criminal — journalists seeking to protect sources, activists avoiding state censors, or companies wanting to shield data also may use the technology.

However, the dark web’s anonymity and obfuscation make it simultaneously attractive to criminals and dangerous for businesses.

“The dark web is the part of the internet that is home to some pretty pervasive criminal communities,” said Emily Wilson, vice president of research at Terbium Labs, a Baltimore-based cybersecurity firm that monitors and detects data on the dark web. “It’s home to a lot of criminal marketplaces where you can go buy drugs, software, and stolen payment information that look just like you are shopping on eBay.”

These anonymous marketplaces, which Wilson calls the “fraud economy,” empower a global criminal network to act in new and more dangerous ways while amplifying the value and potential use of stolen data.

Wilson recently shared several ways that the dark web is posing an ever-larger fraud risk.

Fraud economy of scale. The dark web has turned fraud into a business model, with criminals offering stolen data as a marketable product, complete with discount pricing, customer service, product lists, and sales events, according to Wilson. Personal and financial data are goods and services in the fraud economy, driving demand for more, and larger, data breaches.

“This part of the internet has allowed for a high volume of data to be hosted and leaked and sold to a variety of different criminal communities,” Wilson said. “That allows fraudsters to create these scalable business models.”

The dark web technology has also expanded and sped up the market for stolen information, according to Wilson.

“You’ve taken fraud and you’ve multiplied it 10 times over, and you’ve added technology that makes it very easy and very fast,” she said.

A la carte crime. Criminals no longer need to steal every piece of data required to perpetrate a fraud; rather, they can create bespoke datasets a la carte. The dark web enables fraudsters to connect with one another and shop for custom stolen datasets, according to Wilson.

Criminals are also creating massive datasets numbering billions of records made of material from numerous previous breaches. In January 2019, an anonymously posted dataset called “collections 1–5” contained nearly 2.2 billion records.

For example, if fraudsters wanted to create a business email compromise scheme targeting finance departments, they could comb LinkedIn for a list of company employees, combine that list with current employees’ personally identifiable data stolen by another source, and company banking data stolen in yet another unrelated breach.

All of this means that companies are vulnerable, even if they themselves have not been breached.

“We live in a world where even if it’s not your breach, it might still be your problem. Which means that you, as an organization, deal with the fallout from breaches that impact all of your employees and all of your customers,” Wilson said.

Changing risks. Fraudsters’ ability to gather such massive datasets has changed the types of crimes they are committing, according to Wilson. Gone are the days of a few hundred dollars charged on a compromised credit card. Criminals can now create much more elaborate fraud schemes like invoice fraud, business email compromise, payroll fraud, and many others with the vast troves of data that they are able to assemble on the dark web.

“We're starting to see people understand that the potential consequences from these data breaches have changed because of the sheer scale of data that's been exposed,” said Wilson.

Visit the Cybersecurity Resource Center, where the AICPA provides resources to help organizations and businesses, including CPA firms, assess risks.

What did you think of this?

Every bit of feedback you provide will help us improve your experience

What did you think of this?

Every bit of feedback you provide will help us improve your experience

Mentioned in this article



Manage preferences

Related content