Over the past several decades, the U.S. Secret Service has successfully identified, located, and arrested cybercriminals responsible for some of the most significant and widely publicized public and private industry data breaches. The U.S. Secret Service cybercrime mission has expanded the scope of its investigative efforts beyond its traditional limits.

As part of its mandate to combat financially motivated cybercrime, the U.S. Secret Service complements its investigative efforts with educational outreach programs. These programs are aimed at strengthening the ability of private and public sector entities to protect themselves against an array of cybercrime. The U.S. Secret Service conducts in-depth analyses of the activities, tools, and methodologies used by cybercriminals to better assess the evolving threats they pose to the financial infrastructure. The U.S. Secret Service then shares the results of these reviews with its network of public and private partners through its outreach programs.

The U.S. Secret Service is a contributor to the Verizon Data Breach Investigations Report.

The U.S. Secret Service has cultivated mutually beneficial partnerships with law enforcement agencies around the globe, leading to the successful extradition of criminal suspects residing overseas to face prosecution in the United States. The U.S. Secret Service continues to forge new international partnerships in furtherance of its mission to pursue and apprehend cybercriminals globally.

As a result of the convergence of advanced technology and the Internet, both the quantity and sophistication of cybercrimes targeting U.S. financial institutions and critical infrastructure have increased. To protect the nation’s financial infrastructure from cyber criminals, the U.S. Secret Service has adopted a multipronged approach that includes:

The Criminal Investigative Division (CID) - a headquarters division in Washington D.C. dedicated to protecting the nation’s financial infrastructure in the cyber domain and supporting cyber investigations through intelligence collection, liaison, and asset management. The division serves as an integrated mission center, monitoring and supporting strategic investigations with a potential impact on the integrity of the U.S. financial infrastructure. The U.S. Secret Service cyber workforce has contributed to the apprehension of transnational cyber criminals responsible for large-scale data breaches, online criminal hosting services, and the trafficking of stolen financial data.

The Electronic Crimes Task Force (ECTF) Program - an established network of trusted partnerships to combat cybercrime through coordinated investigations, training, and technical expertise and information sharing. The 40 strategically located ECTFs boast a strong alliance of over 4,000 private sector partners, 2,500 international, federal, state and local law enforcement partners, and 350 academic partners. Since its inception, the ECTFs have prevented over $13 billion in potential losses to victims and arrested approximately 10,000 individuals. State and local law enforcement ECTF partners are trained by the U.S. Secret Service National Computer Forensics Institute. To prepare for and confront cyber incidents, as well as participate in sharing real-time information regarding threats and protective measures, become a member of an ECTF. Please use the below listing of ECTFs to find and contact your local ECTF.

The National Computer Forensics Institute (NCFI) - a state-of-the-art facility in Hoover, AL, providing state and local members of the law enforcement community with training in cyber incident response, investigation, and forensic examination. Graduates of NCFI join ECTFs as valued partners making vital contributions to significant cyber investigations, and work hand in hand with U.S. Secret Service agents and analysts. Since 2008, NCFI has trained over 3,800 state and local law enforcement officers, prosecutors, and judicial officials representing all 50 states and three U.S. territories.

The U.S. Secret Service Mobile Device Forensic Facility at the University of Tulsa - a forensic laboratory center specializing in digital forensics of a broad range of mobile electronic devices, to include smart phones, drones, skimmers, and Internet-of-Things (IoT) devices. The center provides training, develops hardware and software solutions for extracting and analyzing digital evidence from mobile devices, and supports criminal investigations conducted by the U.S. Secret Service and its partner agencies.

The Network Intrusion Responders (NITRO) Program - a cyber workforce of special agents dedicated to responding to and investigating network intrusions, business email compromises, ransomware and other cyberattacks, while collecting and preserving digital evidence.

The Electronic Crimes Special Agent Program - Computer Forensics (ECSAP-CF) - a cyber workforce of agents dedicated to conducting advanced computer, mobile device, and vehicle infotainment systems forensic examinations using specialized methods, software and equipment.

The Network Intrusion Forensic Analyst (NIFA) Program - a cyber workforce of forensic experts assigned to ECTFs to respond to cyber-attacks and cyber investigations by tracking, collecting and preserving digital forensic evidence. NIFAs possess prior cyber forensic experience and serve as subject matter experts within ECTFs. Strictly dedicated to our investigative mission, they provide continuity to Secret Service investigations.

Cyber Partnerships

The Cybersecurity and Infrastructure Security Agency (CISA) - established in 2018, as part of the Department of Homeland Security, to defend against threats and build a more secure and resilient infrastructure. CISA works with partners on evaluating physical and cyber risk to Critical Infrastructure and Key Resources (CIKR), and houses US-CERT, ICS-CERT and the CISA Integrated Operations and Coordination Center (CIOCC). The U.S. Secret Service’s liaison team to CISA enhances information sharing, promotes operational synchronization, and is responsible for interagency coordination and deconfliction of ongoing investigative operations and analysis.

The Computer Emergency Response Team (CERT) in coordination with the Carnegie Mellon University (CMU) - a federally funded research and development center (FFRDC), as part of the Software Engineering Institute (SEI), developing software and systems, designing training curricula, and conducting risk assessment and mitigation for critical infrastructure. The CERT liaison program leverages non-public technology and training to meet emerging cybercrime challenges, and provides technical support for complex cybercrime investigations.

The National Cyber Forensics & Training Alliance (NCFTA) - a nonprofit corporation founded in 2002, created for the sole purpose of establishing a neutral, trusted environment to facilitate information sharing with the ultimate goal of neutralizing cyber threats. It is a partnership between law enforcement, private industry, and academic experts, focused on proactively identifying, mitigating, and neutralizing cyber threats globally. A centralized NCFTA database aggregates real-time data on daily fraud occurrences, cyber trends, and criminal targeting, shared by members, which is examined by NCFTA analysts. Analysis reports are issued in real time to both corporate and law enforcement partners, thus facilitating the mitigation of emerging threats and minimizing future losses.

The U.S. Secret Service partners with numerous private and public sector entities locally, nationally, and globally to prepare for and protect from cybercrime. U.S. Secret Service employees are detailed to other Department of Homeland Security agencies, the Departments of Justice and Treasury, Europol and Interpol.

Cybercrime

Crime trends show an increased use of the cyber domain to carry out financially motivated crimes by breaching and exploiting electronic data. The U.S. Secret Service continues to pursue and arrest cyber criminals who take advantage of human error, IT security complacency, and technical deficiencies in networks and electronic devices. These crimes include:

Access Device Fraud - an illicit transfer of funds that involves credit and debit cards, or other types of account access devices.

Network Intrusion - unauthorized access to computers or networks, using a variety of methods, to include malware and bots.

ATM Cashout Attack - involves Access Device manipulation and Network Intrusion.

Illicit Financing Operations and Money Laundering - investing illicit proceeds into the financial system, while attempting to disguise them as legitimate transactions.

Cryptocurrency Illicit Activity, Cryptojacking - illicit hijacking of the processing power of computers or networks by exploiting vulnerabilities in webpages, software, and operating systems, and installing cryptomining software to earn cryptocurrency.

Point-of-Sale System Compromise - unauthorized access to checkout or cashier systems that process the electronic transfer of payments (i.e., credit cards/debit cards, mobile payments) for goods and services.

Business Email Compromise - type of payment fraud that involves the compromise of legitimate business email accounts for the purpose of conducting unauthorized wire transfers.

Ransomware - type of malicious software designed to block access to computers or networks until a sum of money is paid.

Identity Theft and Use - theft of Personally Identifiable Information for illicit financial gain.

Understand and Prepare

A Secret Service guide for Cyber Incident Response Planning outlines what actions organizations should take to cultivate an understanding of the technological and regulatory limitations, responsibilities, and resources available to them, and how to apply the acquired knowledge to their operations. This guide does not constitute legal advice and is only for reference purposes.

Respond