Finance and the dark web

One cybersecurity expert explains how to guard against the threats posed by the 'fraud economy' lurking in the internet's deep underbelly.

The threat of the dark web can leave organisations feeling powerless against the onslaught of cyberthreats.

Even the term "dark web" is foreboding, as it may evoke images of a sinister, inaccessible digital back alley where hackers openly sell stolen data; drugs and terrorism proliferate; and anonymity reigns.

However, the truth of the dark web is more complicated and requires finance departments to take a more sophisticated risk management approach than with other cyberthreats. Corporate executives need to start planning now to insulate their companies, employees, and customers from cyberbreaches and the harms of the dark web, said Emily Wilson, vice-president of research with Terbium Labs, a digital risk protection company.

Wilson sat down recently with FM magazine to offer a primer on this dark underbelly of the internet. She offers ways management accountants can steer their organisations to policies and practices that mitigate the financial and reputational risks posed by the dark web.

The content for this Q&A came from a podcast interview conducted with Wilson. It has been edited lightly for clarity and brevity. The entire interview is available in two parts here and here.

What is the dark web?

Wilson: It is home to some pretty pervasive criminal communities. We're talking about places where you can go buy drugs and software and stolen payment information as if you're shopping on eBay. That's a part of the dark web that I tend to focus on — what I've come to call the fraud economy on the dark web. We think of the internet as sort of existing in three tranches.

  • The clear web part of the internet is what we all use every day. You can use any browser to access it, you can get to it on your phone or on your laptop, and you can find it on Google.
  • The deep web is all of the pages that you can only see when you're logged in to a certain account. People have bank accounts, social media accounts, email accounts, financial services accounts, insurance accounts — all of these accounts that we have online and that might be behind logins. "Deep web" also can refer to a corporate network where I have to be on a certain VPN to access or on a certain network to access.
  • The dark web is just another part of the internet, but the technology that supports and underpins it allows for increased anonymity, user obfuscation, and all of the things that are very good for privacy and security — which also means that they're very good for criminals.

Should we be terrified about what's lurking on the dark web?

Wilson: Not necessarily. There's a lot of myth and misconception around the dark web, and there's a lot of fear there. And there are a lot of companies who rely on that fear for marketing.

Understanding how the dark web actually works strips away one of the biggest things that criminals have going for them, which is confusion, which is aversion to looking something new and different in the face. We don't like it; it makes us uncomfortable. They love that. They want us to be unsure. They don't want us to understand all of the cards they're playing with. They want businesses to be more focused on who's forging checks than who has access to hundreds of thousands of payment cards.

Can anyone access the dark web?

Wilson: You do tend to need special technology to access the dark web. It's technology that effectively says, "Yes, this person is allowed to access this network."

One example is Tor. The browser and network are two of the more popular and well-known dark web networks. You can download the Tor browser online.

The browser is software that effectively tells that dark web network this person is allowed to access these websites that you wouldn't be able to access on a regular network. On those websites, the technology provides anonymity and obfuscation. It masks user traffic by going through a variety of different locations, and there's a lot of encryption involved. You have users who can use this technology to browse without anyone knowing who they are or where they come from. They can hide. Very good for privacy and security, very good for criminals.

How does the fraud economy prosper on the dark web?

Wilson: The technology and the infrastructure that people have built up on this part of the internet has allowed for a high volume of data to be hosted and leaked and sold to a variety of different criminal communities. That allows fraudsters to create scalable business models. We're not talking about one person with five stolen credit cards; we're talking about entire networks with tens of thousands of stolen credit cards.

This is an economy because we see vendors who are competing for market share, people who are offering customer service, and people who are trying to differentiate themselves amongst their competitors.

There's enough supply that it's driven prices down except for highly differentiated goods, the same as we would see in a traditional economy, and there's plenty of demand because fraudsters have found that this is incredibly lucrative. You've taken fraud and you've multiplied it ten times over, and you've added technology that makes it very easy and very fast and, in some cases, very automated.

So, it is an economy, and we need to change the way we think about the scale of fraud to adjust to that concept.

You've talked about the need to shift mindsets. Can you explain what that means?

Wilson: The first shift is to move away from "Have we had an incident? Have we had information exposed?" to "How much of our information is out there, and what of our information is out there?"

Start to think about where regulation is going, where legislation is going, because there are certain things I think organisations should begin to do now. That includes taking stock of the information that they hold, getting a sense of their exposure and the sort of risk they face from their exposure.

Other questions to ask are: What sort of expectations do you see on the horizon? Do you want to wait to be incentivised by one of your biggest competitors getting some sort of massive fine? Or do you have an ethical responsibility to start to take your data seriously?

What should those in finance roles be paying attention to when it comes to dark web activity?

Wilson: Ask those who do dark web searches on behalf of your company about financial data. This could come in the form of stolen payment cards, credit cards, debit cards, which include both personal and corporate cards — those are incredibly popular. There are dedicated markets that are built around nothing but the sale of those cards and sell in bulk. We have seen indicators that business cards command a slightly higher price than personal credit cards, as fraudsters can assume corporate cards have a higher credit limit (and perhaps a more unusual "typical" spending pattern) than your standard personal card. These carding markets offer wholesale discounts. They have holiday sales. In addition to payment cards there are, of course, bank accounts — very good for laundering money.

But personal information is really important and account credentials in particular. I say, "OK, you need to be worried about having your credentials exposed. How do you think they're going to get access to that information?" Most often it's things like business email compromise. It's things like phishing. It's things like account takeover.

There's a very limited market for something like intellectual property or financial projections or M&A activity or payroll records, but there's a big market for credentials.

Are the effects of data breaches on the dark web felt right away?

Wilson: No. It can take months or even years for these sorts of things to develop because information gets leaked and releaked, sold and resold, remarketed under a new brand, and businesses have to deal with that on all fronts. Think about that for every employee you have. Think about that for some of your high-profile customers. It starts to build up really quickly.

How do we start to insulate against the risks posed?

Wilson: Once we understand the fraud economy, we understand the resources they're playing with, we understand the playbooks they're working off of, we understand how they're learning from each other, how they're reacting to what's happening in the traditional economy, the legitimate economy — once we understand what this looks like in practice and that it's actually something more like eBay but for fraud as opposed to scary chat rooms full of nation-state actors who are whispering in code, then businesses can start to do something about it.

They can start to say, "Oh, I see. I can build a model with this. I can understand these risks. This is the box it fits into. This is how they could be harming us. This is how they might approach the problem."

Once you have all those pieces in place, businesses have a real leg up, especially if they understand what data specifically fraudsters are dealing with and what specific avenues they could have into a business. It changes the calculus entirely.

Does approaching risk on the dark web differ from other types of operational risks?

Wilson: Think about this the same way that you think about other risk factors for your organisation. You're not going to go get one data point and then say, "OK, great. Now we understand it entirely." It takes time to track. It takes time to figure out, "How am I doing compared to the rest of my industry? Is this a problem, or is this what I should expect? Is it normal for an organisation like mine to have a hundred credentials exposed in a month? A thousand? Is it a spike from last month? What kind of activity can I expect over a given year?"

That's what I see for mature organisations who are really looking at data as a commodity, data as a point of risk in their organisation. They're tracking what information shows up. They're tracking what it means, and they're tracking how it changes.

Are the fraudulent abilities of the dark web here to stay?

Wilson: There's a blurred line now, if there ever was a line, between traditional fraud and cyber-enabled fraud. The same way that every business is now unavoidably a tech company — everyone relies on technology in order to do what they need to do — we see fraud moving the same way.




Sarah Ovaska is a freelance journalist based in the US. Drew Adamek is an FM magazine senior editor. To comment on this article or to suggest an idea for another article, contact Chris Baysden, an FM magazine associate director, at