Todd Wade CISSP MBA, CISO and author, talks to Johanna Hamilton AMBCS about his latest book Cybercrime: protecting your business, your family and yourself – and how personal and professional cyber safety are one and the same.
If you teach people how to defend themselves personally on their home devices and on their mobile phones, and to protect their families, they carry these habits into the workplace. Protecting yourself at home becomes “how am I going to protect the company assets?”. It’s recognising the same emotional techniques, the same persuasion methods, because they don't change; there’s always a crossover.
What made you write the book?
I wanted to show that the methodologies cybercriminals use are nothing new. It's only how cybercriminals attack that is new. Individuals and businesses are not prepared well enough for these new attacks. However, once someone understands the underlying methods cybercriminals use, they will have a better chance of recognising the attacks when they happen, regardless of how they happen. I also wanted to show some of the new ways cybercriminals attack victims that many people do not know about. These are the reasons why I wrote the book.
Here is one example: many key members of our staff and senior execs were getting targeted on their home phone numbers and their home email addresses. Cybercriminals had researched who all these people were on LinkedIn or other social media. What people don’t realise is that it’s very easy to find someone’s email and phone number online.
So, they know your title. They can assume your seniority. They know your home phone number. They know your email address, and so they can now begin doing targeted attacks. One such attack is business email compromise.
“Just 4% of these attacks are done technically, where the company’s actually breached – but in 96% of cases, it’s done through social engineering.”
You're seeing a convergence now of home and work, because now it really doesn't matter to them where they get your attention. And the attack is beyond any security tools you'll have. This is why we need to get people to start thinking about this. It’s only going to get worse as technology advances. There's an old NSA saying that attacks will always get better, never worse.
The changing face of fraud
I understood cyber crime was bad and I knew it was growing – but I was floored at the scale. I started really going deep into the techniques and how criminals were finding their victims. The vast majority of financial losses online are either cyber frauds or cyber extortions. I go through both types – so within cyber fraud, there's impersonation fraud, advance-fee fraud, investment fraud and identity fraud. For cyber extortion, it is extortion and sextortion.
Social media and large Internet platforms are one of the key attack vectors for these criminals – and they've been found to be complicit over and over again. In my book, I use different cases that show how cybercriminals use these companies to find victims.
The book is about shining the light on how new technology is being used to attack you. We're used to the fraudster, the high-pitched salesman or the criminal we meet in the street. You're not used to it on Facebook, you're not used to it on a Zoom call. How often do you get physically attacked, face-to-face? More likely, you’re getting mugged online.
Some of the extortion is being directed at businesses. Obviously, ransomware is the big one, but people don't realise it’s beyond ransom – there's a whole other range of extortions that cybercriminals are running on businesses and individuals, very successfully.
Why is it so easy to defraud people online?
It's proven that as humans we cannot tell when someone lies to us. As human beings we default to trusting each other. This is why it's so easy for criminals to manipulate you – to manipulate their victims.
And there's a whole range of persuasion techniques I go through in the book, along with ways to recognise these when they're being used on you to defend yourself against them. What can be backed up with proof? What can be verified?
It’s like the rockstar candidate – on paper, they’re the best you've ever seen, but when it comes to verifying their content, nothing matches at all. Look at the evidence, not what is being said to you. What can be backed up? What are you going to believe?
Fraudulent advertising next to genuine companies
Starling Bank, one of the leading banks and digital banks in the US, boycotted Meta/Facebook and Instagram this year, because the ads they were running were being placed next to fraudulent investment ads.
Which.co.uk did a great analysis. They invented a fake water company and made really spurious claims, such as that if you drink the water, it will reverse your age, make you lose weight... they invented a bunch of crazy stuff. No problem, they were able to run Facebook ads. They had a Facebook page that had 500 likes after a week of these claims. They placed Google Ads with no problem, making the same dubious water claims. People were directed to a fake water company.
The government will protect us, right?
The problem in the UK, as in the US, is that it’s not regulated. Ofcom is regulating advertising on the TV and radio, and not doing enough to regulate online advertising in the same manner. Big platforms are improving efficiency, improving automation – but with that comes a trade-off: they can't do the checks and balances. They can't provide the necessary protection for consumers, their customers.
Less than 2% of cyber crimes get reported to the police. Less than 1% are ever investigated and prosecuted. So the criminal lives in a different country where there's no extradition, and no one is coming after them. There are some cases where Interpol makes progress, but it’s a drop in the ocean. There's just no deterrent for criminals.
Are romance scams business scams?
The FTC went after the largest online dating platform, Match.com because they said they could prove that 25 to 30% of the subscribers are fraudulent – and they can prove that Match know this. What kind of company does this?
In romance scams, a victim might lose say £10,000. But then the criminal will get in touch to offer them their money back if they help them to find new victims. “Be like a reference for us” or whatever else it might be, so these people go from being victims to being criminals themselves.
With sextortion attacks, people are persuaded to perform sexual acts on camera for someone they have met online. The entire encounter is recorded by the criminal. The criminal then threatens to send the recording to all their contacts – everyone at work. The employee will go to greater lengths to stop that recording getting released to co-workers, and that’s a huge company risk.
Cyber extortion comes in many forms. The FBI put out a warning recently about virtual kidnappings. Let’s say you get a call that says it’s from a trusted number – say your mother’s phone number – but then there’s a man’s voice with a muffled, frightened-sounding woman in the background. He says he has your mother and he’s going to harm her unless you pay. You will most likely be in an instant emotional state. In that emotionally charged state, they can perform magic on you.
If there’s anything they can make money on, they will. They're getting slicker, they're getting more targeted, and so when they come at you, it's not random. It’s planned. Meticulously researched. And if the payoff is larger, then they’ll go the extra mile to scam you.
As IT professionals, we can all spot a phishing attack, can’t we?
People are used to attacks on emails, but they have a much harder time trying to spot an attack on WhatsApp. They’re not expecting it, so they have a harder time. It could be on a Teams call or a Zoom call.
There’s an example of a head of HR being contacted by the CEO of a company via WhatsApp, and the CEO is saying “look, I'm just heading to a meeting. And I am under a huge amount of stress because of our backers and our investors. A lot is riding on this meeting and I completely forgot my gift certificate voucher I was going to give to our investor. Can you just do me a huge favour, go ahead and get these gift certificates, then send me the codes? I just need three £100.00 gift certificates.”
Sounds plausible and there is some urgency, so the head of HR sends the codes. And then he escalated it and got her to do another nine before she stopped. Everyone gets caught out in the right moment at the right time, and it’s just being in that emotional state.
Start-ups are always looking for money
There was a cybercriminal operation running out of Eastern Europe. They’d contact start-ups posing as an investor and would say “I love your product. I'm going to invest £10 million into it”. So, the start-up is ecstatic and will do anything to get that money. What happens next is there's always a due diligence between the two partners.
The investor will pay for half and the company pays half – but sometimes the company will pay 100%. So the fraudster says, “I have a preferred due diligence company that I would like you to use”, so the start-up pays all the fees. Afterwards, the investor suddenly decides not to invest. It's estimated the scam has cost start-ups in excess of $30 million.
People don’t want to report it, but businesses do, right?
Unless legally required, businesses overwhelmingly do not report cyber crime attacks, because there's no upside for them to report it. If they fall victim to an advance-fee fraud or business email compromise, they're most likely not going to catch the culprit and they don't want to take the reputational hit, so they just don’t do it.
People often don’t realise how data breaches impact them. Here is one example. Odds are, one of your old passwords has been stolen as part of a company data breach. It is now available for cybercriminals to use.
They are taking all the databases with passwords, correlating them with email addresses, and they're sending out threatening extortion emails en masse. And to prove it, in the emails, they list your password. While most of the email is not true, the fact they have your old password in the email gives the email some authenticity. It can cause people to take the email seriously when they shouldn’t.
In over half of business email compromise attacks, criminals are using free mail accounts like Gmail, so there's nothing technical there. They've done their research. They know who to call. They know who to persuade. Often it’s money transfers, where you think you’re doing some sort of business transaction but you are transferring money to a fraudulent account.
Just 4% of these attacks are done technically, where the company’s actually breached – but in 96% of cases, it’s done through social engineering without any technical breach and without any systems being compromised.
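The password-extortion emails described above work because the quoted password really was in a breach dump. The defensive counterpart is to check whether a password you use (or an old one quoted back at you) appears in known breach data without ever sending the password itself. The following is an added example, not code from the book or from BCS: it implements the k-anonymity "range" lookup popularised by the Pwned Passwords service (SHA-1 the password, send only the first five hex characters, compare the remaining 35 locally) against a small constructed breach corpus that stands in for the remote service. The corpus, its counts and the password values are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a leaked credential database. A real breach service
# publishes only SHA-1 hashes with prevalence counts; plaintext appears here
# solely so the example is self-contained and offline.
CONSTRUCTED_BREACH_CORPUS = {
    "password123": 1200,
    "letmein": 450,
    "Summer2019!": 3,
}


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the UTF-8 password, upper-cased as the range API returns it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Simulate the server side: group every breached hash by its 5-char prefix.

    Each bucket holds (35-char suffix, breach count) pairs, which is exactly
    what a range query for that prefix would return.
    """
    index: dict = {}
    for password, count in corpus.items():
        digest = sha1_upper(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_query_prefix(password: str) -> str:
    """The only data that leaves the client: the first five hex chars of the hash."""
    return sha1_upper(password)[:5]


def check_password(password: str, index: dict) -> int:
    """Client-side k-anonymity check.

    Fetch the bucket for the 5-char prefix (here: a dict lookup, in reality an
    HTTPS GET), then compare the full suffix locally. Returns the number of
    times the password was seen in breaches, or 0 if it was not seen.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in index.get(prefix, []):
        if candidate_suffix == suffix:
            return count
    return 0


def password_is_safe_to_use(password: str, index: dict) -> bool:
    """Policy helper: reject any password with a non-zero breach count."""
    return check_password(password, index) == 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r}: sent prefix {range_query_prefix(pw)}, "
              f"seen {check_password(pw, idx)} times, "
              f"safe={password_is_safe_to_use(pw, idx)}")
```

The point worth noticing is what the server learns: only a five-character prefix, which matches many unrelated hashes, so the check can be run against a third party without disclosing the password. A password that comes back with a non-zero count should be treated as public, whether or not an extortion email has quoted it yet.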
Is it the same in the UK as the US?
The methodologies are the same, so it really doesn't matter where you're based. All of the examples I use are US and UK and the resources I’ve listed are for each country, but the theory is 99% the same.
Obviously there will be some variation on the topics and subjects that they'll use, but it's localisation and localisation happens in every single country. Attacks are tailored to that individual and that locality.
What’s the best advice you can give?
Many people who read this book are worried about becoming a victim, or are recent victims. I give advice to prevent and recognise attacks. I also include steps to take to recover if you are unfortunate enough to become a victim.
You keep reading over and over again about long passwords and multifactor authentication. These are good practices to follow but the truth is when you're in the crosshairs of these cybercriminals they are not enough. The cards are stacked against you online, but if you understand the basics, it doesn't matter what new technology is invented to come at you, you'll have a better chance of recognising and avoiding an attack.
If there’s one piece of advice I would give, it’s this: if you feel something isn’t right or find yourself in a sudden emotional state, take a deep breath and do not immediately act or respond. It’s important to get yourself out of any emotional state before making any decisions. Then talk to someone you trust; it could be a trusted co-worker or family member.
The main thing to do straight away is to bring it out into the open. Get help. Don’t let it escalate.
About the author
Todd Wade is a chief information security officer. He has over 20 years of experience working with cybersecurity and technology. He has led the information security departments for multiple financial services and technology organisations. He is passionate about championing cyber risk governance and empowering organisations to protect themselves against cybercriminals.