Top cyber criminal earnings outpace those of business leaders

An expert cyber fraudster can make as much as £6m in a year, more than three times the 2020 average salary of a FTSE 100 chief executive, and even rookies are raking it in, taking home approximately £15,000 a month, according to statistics on the state of fraud and internet account security, compiled by Arkose Labs.

The firm said that if it was a country, the global fraud industry would be the third-biggest economy in the world, lagging only the US and China.

Arkose’s chief criminal officer Brett Johnson – the former “Internet Godfather” who was a key player in the operation of the ShadowCrew cyber crime collective – said it was no surprise to see how or why the underground cyber crime economy has become so large.

“The temptation for committing online fraud is higher than ever, simply because the results yield thousands, if not millions of pounds, for even the newest and most junior cyber criminals in the chain,” said Johnson.

“Online criminals have a shopping list of opportunities available to them – everything from refund fraud to account takeover,” he said. “They can almost pick and choose which type of fraud they want to commit.

“In particular, marketplace and messaging platforms have become vastly popularised in the fraud community, where cyber criminals can promote their own personal fraud business, recommend attack tools and techniques, and offer free step-by-step guides for the rookie fraudster.”

Arkose’s report reveals there has been a tenfold increase in people choosing the life of a career fraudster since 2019, with the introduction of furlough policies and growing unemployment during the Covid-19 pandemic the likely cause.

This echoes a report produced by Check Point, which found that desperate jobseekers were turning to underground hacking forums on the dark web to look for work, tempted by the promise of swift, cash-in-hand payments.

“Unfortunately, many people have fallen on hard times, with many unable to find employment,” Sean Wright, application security lead at software firm Immersive Labs, told Computer Weekly at the time. “While not an excuse, it’s understandable that some may turn to cyber crime to make some money to survive.

“Given some of the lenient sentences given for cyber crime, it does make it one of the lower-risk crimes to commit, and sometimes has a suitable pay-out as well,” he says. “There’s also the disconnect from the victim, making it easier on a personal level to commit the crime for some. Some may even view it as victimless, when in reality it’s not.”

Arkose’s report found that up to 35% of total website traffic at the most-attacked businesses was fraudulent, and estimated that in the UK alone, 28% of all online transactions are now either fraudulent or cyber attacks.

The most frequently victimised sectors were found to be gaming, social and digital media, streaming services, technology, travel, retail, and financial services, with three of those sectors – gaming, financial services and technology – seeing 88% of all attacks.

Arkose also highlighted other concerning trends – notably a significant spike in bot-driven attacks during the first three months of 2022, which was consistently higher than the average across all of 2021, driven by scraping and credential stuffing on an unprecedented scale – up to 4% of all online logins are now credential stuffing attempts.

It also warned that many businesses were wading into the metaverse without paying adequate attention to cyber security – with master fraudsters quick to take advantage of companies running new and untested strategies. Attacks on companies operating in this space are up 40% over the past three months of 2021, and cyber criminals are heavily investing in ramping up metaverse attacks.