Webinar Recording: The State of the Scam
On April 21st, 2022, Jenny Kinney, Senior Security Advisor at Living Security, was joined by Aurobindo (Robin) Sundaram, the CISO for RELX, to discuss the state of social engineering scams in 2022 and how to keep your teams vigilant and aware. The number of cyber attacks conducted per week on businesses was up by 50% at the end of 2021, with predictions that this number will only continue to grow in 2022.
Why the rise in cybercrime? For one, the pandemic has had us all spending more time on our devices, and the more people online, the more scams we see. The objective remains the same—money, personal information, etc.—but the craftiest scams wear a new outfit every so often to hide the red flags we've come to expect. 🚩
In this webinar, Aurobindo and Jenny discussed the evolution of social engineering scams, including:
- Phishing, still the most common—and arguably the most successful—criminal tactic, and how it's changed through the years
- Recognizing and avoiding newer, growing scams such as smishing, SIM swapping, MFA stealing, cryptocurrency theft, and more
- What to expect as scams continue to evolve, using deepfakes and other more sophisticated technology
- How to combine technology and human vigilance to better protect ourselves, our families, and our organizations
Here is the full transcript of the webinar:
Jennifer Kinney: Thank you again for joining us. I'm so glad you're here. My name is Jenny Kinney, and I am a client advisor at Living Security, and I am really excited about today's topic on the state of the scam. The number of cyber attacks was up 50% at the end of 2021, with predictions that this number will continue to grow this year.
Jennifer Kinney: As we all know, the pandemic has had us all spending more time on our mobile devices, and the more people there are online, the more scams we see. Today, we're going to be digging into cyber-based social engineering scams, including phishing, and how it's changed throughout the years; newer scams, such as smishing, MFA stealing, cryptocurrency theft, and SIM swapping; and what to expect as scams continue to evolve. We're going to be talking about deep fakes and other more sophisticated technology. In the end, we're going to wrap up with some solutions on how to combine technology and human vigilance in order to better protect ourselves, our families and our organizations. A few housekeeping items before we get started. We want to hear from you. So to keep things interactive, we will have polls throughout the presentation. We're also aiming to save time at the end for some questions and answers. So feel free to add your questions to the chat, and we'll get to as many as we can. And we may take some throughout the presentation as well.
Jennifer Kinney: And we have a raffle for those of you who interact with us. So please engage. I mean, this is a good prize, AirPods Pro and AirTags to two attendees. That's pretty big stuff there. This presentation is being recorded and will be transcribed. The recording will be sent to everyone who registered tomorrow, and please feel free to share it with your colleagues and other industry professionals that you think may be interested in this topic. We are all about knowledge sharing here as we try to secure the world. Speaking of which, all of Living Security's previous webinar recordings can be found in the resources section of our website. Brandyn, will you drop the link to that in the chat so you can check them out to see if there are any other topics that we've already covered that you might be interested in? There's a lot of good information there. Some of it is industry-specific, like higher education, for example. And I know we do have some folks from higher ed joining us today, and there's really helpful information for everyone on their security journey.
Jennifer Kinney: So take a look, bookmark them and listen to them or read through the transcripts when you can. Now I'd like to introduce today's guest speaker, Aurobindo (Robin) Sundaram. Robin is the CISO of RELX, the parent company of LexisNexis and Elsevier, and several other companies. He's also a member of the Living Security Advisory Board. Robin's been working in the InfoSec world for over 20 years. I don't know if that's the exact number, maybe Robin, you can clarify that for us, but he is a trusted global cybersecurity expert. You can follow him on LinkedIn. Another link that Brandon's going to add to the chat is a link to his LinkedIn profile. You can follow him for cybersecurity advice, his general musings, as well as photos that he's taken during his vast worldwide travels. You're also welcome to follow me on LinkedIn, but I'm not as prolific a poster as Robin. I would recommend checking Robin out. Robin, thank you for joining us today.
Aurobindo Sundaram: Hi Jenny. It's nice to be here. Thanks for the warm welcome. I'm looking forward to the conversation that we have with 150 different people working in cybersecurity awareness.
Jennifer Kinney: Absolutely.
Aurobindo Sundaram: Super stoked.
Jennifer Kinney: Yep, absolutely. So yeah, I thought that we would start out, I'm so happy you're here, Robin. Thanks for joining us today. For those of you on the line who don't know, I actually used to kind of report up to Robin. So I'm glad that we remain friends now that I'm no longer working under the RELX umbrella. But I thought we would just start by defining what we mean by scams in this context. As we know, scams and con artists have probably been around since the beginning of time, but now they have the worldwide web to leverage. Internet scams are fraudulent forms of content designed to trick and deceive. They involve the human element side of crime, or social engineering, and we're all seeing them literally every day. So first we're going to talk about past and current tactics that criminals are using. So we put these together for you, and Robin, would you like to talk through these common tactics from the past and the current perspective and how you have seen things evolve?
Aurobindo Sundaram: Sure. Thanks, Jenny. Clearly phishing by mail, email, is still the most common tactic, just because it's easy to find people's email addresses. It's easy to send out a blast of emails to 10,000 people. And even if one 10th of 1% of those people click on a link or reply to you or engage with you in a phishing scam, you're still doing really well, right? The cost of entry is really low, and the rewards are great. So phishing by email is still the most common tactic. We have seen though over the last couple of years, smishing and vishing. And so smishing is essentially the same thing as phishing, but you're doing it over SMS or text message. And vishing is when you're doing it over voice. We've seen much more of that, especially smishing. And that's because so many of us have mobile devices. We are working from home, we're on our mobile devices and tablets all the time. And so sending a text message is just about as easy as sending a phishing email.
Jennifer Kinney: Robin, I hate to interrupt you, but we do have an urgent request in the chat for somebody here, Ralph is a CEO and he has an urgent matter and he wants you to scan some gift cards and take some photos of gift cards as soon as possible. So if anybody can go ahead and work with Ralph on that, that would be great.
Aurobindo Sundaram: Yeah. That looks completely legitimate and someone needs to get on it right away. Drive to Walmart right now, pick up the cards, scratch them off, take a picture and send it to the person asking for it. It is such a wonderful example of the types of smishing and phishing emails that we see. And the funny thing is I see a couple of people laughing over on the chat, but a lot of people fall for this, right? If you're seven layers down in an organization and you get an email from the CEO saying, "Hey, Sam, or Alice or Bob, this is the CEO. I'm in a sales meeting. I need your help right away." Your first reaction is to respond and say, "Okay, what do you need?" And that's when the scam continues where they're like, "I'm in a sales meeting. I would like to get some bonuses. I want to keep it confidential. I trust only you, do it now, do it soon." And we've seen across the world, people falling for that sort of message whether it's on email or on text.
Aurobindo Sundaram: A couple of other tactics, really: pretexting. We've seen this, I believe Jack Dorsey, the founder and former CEO of Twitter, his phone was essentially hacked in an attack named pretexting, where someone called his phone company and got them to redirect Jack's phone over to their phone. And then they sent vulgar tweets for 15 minutes before they figured it out. And so that was more of a prank, but pretexting, which we'll talk about a few minutes later, is another way people run scams against consumers. And then finally business email compromise, which is much more business-focused, not consumer-focused, is where people use names such as the one that we just saw, use a CEO's name or a CFO's name, or a senior executive's name, in order to pressure company employees into doing the wrong thing. Typically it is sending money to the wrong people, but it could be other stuff such as exposing sensitive information or getting more information for future attacks.
Jennifer Kinney: Thank you. Yeah. And in the chat, I'm seeing that there has been a lot of educational efforts from our audience about this because we are seeing such an uptick in smishing. I know that at Living Security, we have seen those as well. I believe Robin, you even got one from one of our co-founders, Drew Rose, didn't you? A lot of us got that smishing attack. I think you messed with them a bit, but we have a question about is there a way to block smishing attacks that you're aware of?
Aurobindo Sundaram: No. Honestly, I think I've been lucky. I shouldn't say this. I've been lucky that I don't get a lot of junk text messages or smishing attacks. And so when a message drops into my messages, there's not a hundred of them that I have to worry about or deal with. So my legitimate texts and illegitimate texts are about the same. I mean, I don't know specifically about AT&T, but several others, for example, T-Mobile already has a list of scam phone numbers, known spam phone numbers, which they will filter out. AT&T is most likely already doing this for you. And the ones that are getting through are probably a small amount of the ones they're blocking. I would suggest just dropping a note to AT&T customer service and saying, "Can you do any more?"
Jennifer Kinney: That's a good idea. So yes, we wanted to show the audience this infographic that just came out fairly recently from the Internet Crime Complaint Center, which is affiliated with the FBI here in the United States, talking about the different types of scams and what the most common ones are. One thing that I wanted to point out is that these are scams that have actually been reported. Of course, we know that not all scams are reported because of fear of being in the press negatively. And especially when we talk about romance scams, a lot of people who have been scammed in this way are just so embarrassed that they aren't reporting. We're going to talk a little bit more about reporting here when we get to the end of the presentation, but why is business email compromise so popular with criminals, do you think Robin?
Aurobindo Sundaram: Yeah, I think it's really because you can only rip me off for a couple thousand dollars, but you can rip my company off for tens of thousands of dollars, maybe millions of dollars if I'm going out and paying large invoices. And so we've seen attacks on Apple and Google and Facebook in the past where they lost tens of millions of dollars in business email compromise type attacks. And so there's just a lot more money floating around in corporate accounts than there are in personal accounts. And typically, if I'm an individual, as soon as the first thousand, two thousand, three thousand, five thousand dollar charge hits my bank account or my credit card, I'm going to cancel it. Typically with a corporation, they won't even notice it until it's at a couple million. And there's actually a really funny story about this. We don't have it on here and I wish we could find the link and pop it in for people.
Aurobindo Sundaram: But there was a person I believe at Yale University who defrauded the university out of millions of dollars over a couple of years. And essentially she did it just by being under the limit for automatic alerting. So the limit was $10,000, and like every day she'd be ordering 50 laptops, or a hundred tablets, all of them under like $9,000 and then she'd resell them or whatever else and take the money. And so they only noticed it several months later after several million dollars had been lost. I can guarantee that won't happen with you or me or anyone else on the call with their personal bank accounts and credit cards.
Jennifer Kinney: Yeah. I wouldn't have that dollar amount, for sure. But Wendy Battles from Yale is actually on the call today and she did confirm that, and Brandon just dropped the link to that news story. So thanks for finding that so quickly, Brandon. Brandon's going to be putting a lot of links in the chat today for you to quickly bookmark if you can. But one of the things that I wanted you to take a look at was the ic3.gov site, because it's very up-to-date on the most recent scams. And as I was looking through it in preparation for this presentation, I was pinging Robin almost every day. Do you think we should cover this? Do you think we should cover this? The scams out there, there's so many of them, it's impossible for us to even address all of them in an hour. So please do take a look at this so that you can stay up on the latest scams and educate your employees, friends, family, appropriately. So we wanted to talk about protecting against BEC.
Aurobindo Sundaram: Yeah. Very quickly, right? So some of these are just generally to protect against any sort of email-based scams, and that's around assume that your credentials will be stolen at some point or someone's credentials will be stolen. So use multifactor authentication wherever possible. Your email service should be filtering out 90 to 95% of the attacks against you, whether it's anti-spam, anti-phish, anti-impersonation, letting you know, hey, this person says they are John Q. Public, but really they're not, because this is a brand new email address, that sort of thing, to prevent those messages from coming in to start with. But imagine that eventually something's going to come through.
Aurobindo Sundaram: The best thing you can do is to have either dual controls or independent controls for financial transactions. Meaning I shouldn't be able to send a million dollars off on behalf of my company on my own. There has to be another layer of verification or alerting. And then of course, you're going to be helping your users by having them report phishing emails so that you can see if like what happened a few weeks ago, if the same person is targeting 20 employees, you want to be able to use two reports and go across your enterprise and find all the other 18 and delete them. There's a whole lot you can do about BEC, but these are sort of the most important ones I think.
Jennifer Kinney: Yeah. And hope that you don't have two insider threats working in tandem.
Aurobindo Sundaram: Well there you go, yeah.
Jennifer Kinney: So it looks like, and we're going to be talking about this a bit later. It's just important to have education for your employees on what to look out for. So in the reporting of the phish, et cetera, but then also strong technical controls on the back end. Okay sounds good. And then, yeah, I really like this infographic. If you guys want to find it on the IC3 website, we're going to talk more about romance scams here in a moment. So these are the phishing triggers that have pretty much been the same since the beginning of the phishing email. And a lot of this, again, just goes back to good old fashioned con artistry. Do you want to talk through these phishing triggers?
Aurobindo Sundaram: Yeah, very quickly. We won't read each one of these out to be honest, but I've always thought it's only three or four different triggers. Fear is one, and it's obvious over there. So the cyber extortions, I'm the CEO, I've hacked your computer, that sort of thing. Curiosity is another one, greed and charity, where they're like, oh, you can make a bunch of money so quickly. Or the other way is, oh, help the dogs out, help Ukraine out, help Iraq out, that sort of thing. And then finally all those romance-related scams or heart related scams. Where your child has been kidnapped, or if you really love me, you will help me out, those sorts of things. So there aren't many triggers that scammers use, but each of these is so potent that once you get sort of hooked on it, you will completely ignore reality going forward.
Jennifer Kinney: It's like they put you in a heightened state. And so you're not thinking as logically as you normally would.
Aurobindo Sundaram: Yeah.
Jennifer Kinney: Now I went to the National Cybersecurity Alliance conference last week in Scottsdale, and they talked a lot about the human aspect of scams and hacks and such. And there was a lot of emphasis on the human emotion. One guy was like, "Humans just act weird." And it's true. We have to understand that, we have to understand that about ourselves, our employees and those that we love when we're trying to educate them. And when we talk about this heart, the Secret Service was there and they spent a long time talking about how prolific romance scams are in, well, throughout the world right now. And I don't know if you guys have seen the Tinder Swindler, but they can be very sophisticated. But a lot of them are actually targeting the elderly and those who are just lonely, especially with the pandemic hopefully in our rear view mirror; people were just lonely at home and they were more likely to be attacked. And we did put together some content in what we call a mini box of content that you guys are welcome to leverage. Please take a look.
Jennifer Kinney: And again, this is all about educating those that we know and love. So yeah. Thanks, Brandon. She just dropped a link to this free content for you to leverage; it's called a romance mini box. So if you're interested in learning more about how you can mitigate against those particular types of scams, please do check that out. Okay. And then I wanted to say, it looked like on our poll about 20% of the folks on the line admit to having been successfully phished, and whether that was a simulation or an actual real phish, I mean, don't feel like you're alone, because what we know is, it's all about the emotion, sometimes moving too fast. It's very rarely about you just being uneducated or not knowing what's going on technologically. We often see our technology teams fall for just as many phishing simulations as we do, let's say, HR or sales. So it's not about your technical acumen, it's literally about moving too fast and being susceptible to these triggers.
Aurobindo Sundaram: Hey Jenny, can we go back one slide real quick?
Jennifer Kinney: Yeah, sure.
Aurobindo Sundaram: Because someone made a comment and I want to kind of talk, oh, one slide forward.
Jennifer Kinney: Whoops.
Aurobindo Sundaram: Whoops.
Jennifer Kinney: There we go.
Aurobindo Sundaram: There you go. Yeah. So someone made a comment about lookalike domains essentially. And that's what I was trying to talk about with anti-impersonation. He's absolutely right, because people will replace RELX with R-E-1-X, for example, or RELX with RELX Group or RELX Inc, or something of the sort. And that's another thing to look carefully for. And the problem is when you're looking at it on a phone early in the morning, they all look exactly the same. And so you really have to have other controls such as lookalike domain detection or a tag of warning on your email that says whatever this may look like, it's actually coming from outside of your network. And so that's a really good point, lookalike domains are heavily used in these scams, especially on corporations.
Jennifer Kinney: Absolutely. So yes, just educate everyone to really scrutinize those domains. And then when you are checking your inbox, be vigilant, put on your glasses, wipe the cobwebs out of your eyes. Don't just do it first thing in the morning. Let's see. Okay. Thank you for that guys. Okay. We're going to go ahead and talk about current and then looking toward the future. So the near future here. So let's talk about crypto theft, and this is a really good example that you brought up Robin.
Aurobindo Sundaram: Yeah. So this is interesting. So crypto is just yet another IT system, and it's new and it has a lot of value stored in it in some form, whether it's Bitcoin or other stored value and attackers are targeting it. And just recently, a couple of weeks ago, more than 600 million was stolen from one of these blockchain technology crypto companies. And although they're still investigating what happened, all evidence, this is from their own blog, all evidence points to this attack being socially engineered, meaning they probably sent someone an email, someone clicked on an email, gave them a username and a password and then the bad guys got in and then went onwards to eventually steal this information. So really, there are different avenues to attack crypto, but the point is that crypto is new. Crypto is fresh. Crypto has a lot of money in it, it's like sort of like opening a bank with virtual money in it. And everyone's going to attack these immature often not well-secured platforms.
Jennifer Kinney: And I was surprised to learn last week, the Secret Service said that crypto theft is so much on the rise and there are an estimated one billion dollars in losses with crypto theft alone in 2021. And I found that to be staggering, we have a poll about to crypto or not to crypto, have you invested in any cryptocurrencies? I personally have not. It looks like so far the majority have not. How about you Robin? Have you invested in any crypto?
Aurobindo Sundaram: I have not.
Jennifer Kinney: Okay.
Aurobindo Sundaram: I have not. So I'm always curious when I see some of these ransomware notes that people write, they come in and they're like, oh, pay me three Bitcoin and I'll decrypt your computer. And I'm like, I have no idea how to buy a Bitcoin or how to get a Tor Browser. You might as well just have my data. So it is curious to me, but like you said, 50% of American males have dabbled in some way in crypto, so it's happening.
Jennifer Kinney: Yeah, it is happening. And what I've heard is that if you don't know how to pay in any kind of cryptocurrency, they have help desks, these [inaudible] actors have help desks. So they're like, "No problem. We'll just connect you to our customer service department." So it's actually big business.
Aurobindo Sundaram: Yeah.
Jennifer Kinney: Yeah. Sometimes their help desk may be more efficient than some of the others that we need from time to time. And we're going to talk more again in the solutions portion at the end. We're going to talk more about, for those of you who have invested in cryptocurrencies, we're going to talk more about how to secure your wallets, et cetera, in a bit. Looks like 40% are investing in cryptocurrencies. It's very interesting. Thanks for answering the poll guys. And we do have some chatter going on about phishing simulations. It is so embarrassing when those of us in InfoSec or in cybersecurity awareness get caught with a phishing simulation. Oh my goodness. I don't know if that's ever happened to Robin.
Aurobindo Sundaram: No, not me. I would never flunk a phishing simulation.
Jennifer Kinney: Okay. Okay. Sure. Okay. So you put together or found this at all things off, this graphical illustration of a man in the middle attack. Would you mind talking us through this and then why? Why is this happening? What's the purpose?
Aurobindo Sundaram: Yeah, this is, I mean, we are going to talk about pretexting in a moment, and this is a marginally more sophisticated attack, but this man in the middle attack is really quite simple. So whether you have multifactor authentication turned on or not, if someone can send you a note and say, for example, we'll take an example here where they say, "Hey, your Facebook account's going to be deactivated, click here to keep it open." And if you're in a hurry, you'll click on that link. It comes to a Facebook page. It looks exactly like Facebook, the login page. So you type your username and your password. And then it pops up and says, "Oh, you've turned on one-time passwords, tell me a one-time password." And you're like, "All right, it's going to be blah, blah, blah." So what's happening in the backend is the attacker has set up the website to look exactly like, say, Facebook. You type in your username and password. They forward that along to the real Facebook, the real Facebook says, "Wait a minute, you're coming from somewhere else. We're going to send you a one-time password."
Aurobindo Sundaram: So they send that information to you. You type that into the browser, into the fake website. And then the bad guy takes that one-time password, types it into the real Facebook, and voila, they're logged in as you, and you have no idea. All you've done is passed on your information to the middle part, right? So this phishing site over here in the middle, or right of the screen, you've been passing all your info there, that's been forwarding along to the real website, and boom, they have access, and now they can do all of the things you'd be able to do.
Jennifer Kinney: And how would you suggest educating our folks to prevent this kind of attack?
Aurobindo Sundaram: Well, typically what I tell people is don't click on links if you can help it, especially when these messages come in from your bank or from Google or Facebook or wherever else. Type the URL. You can go to facebook.com on your browser and then log in directly. And that's really the best way to handle it. The other way, of course, is when you click on this link and you go to a page that looks like Facebook, you generally should be able to tell either on the URL screen or elsewhere, that it's either not a trusted site or doesn't have encryption enabled, although typically more and more of these attackers set up encryption as well. But you should see in the URL screen that it looks like Faceb00k, or Facebook1 or whatever else, but the best advice really is type it into a browser.
Jennifer Kinney: Yeah. And I think it's really important to give this example to some of the older adults that we know that are still using Facebook quite frequently, that are not getting this education. I was talking about this a couple of weeks ago with a group of older adults at my church, because all of them are on Facebook and they're savvy in some ways, but may not know about these little tricks. So again, for those of you on the line who are friends with some more vulnerable parties like that, make sure they have this information.
Jennifer Kinney: Okay. I want to talk about deep fakes. Now, deep fakes have been around since the late 90s, believe it or not, but of course they're just growing in sophistication. They're starting to look better and better. And for some reason, Tom Cruise has been one of the biggest targets for deep fakes ever since the beginning. But just to have a little fun before we start talking about the more serious aspects and threats of deep fakes, I wanted to show you guys this quick little clip. It's just a little over a minute long, but this is Bill Hader talking to Dave Letterman a while back. He's talking about the filming of the movie Tropic Thunder. Anyway, pay close attention to Bill's face as the video progresses. You'll see this chameleon effect when he's impersonating these celebrities. It's Tom Cruise and Seth Rogen; you'll see his face just kind of morph into these celebrities. Again, it's a brief one, but I thought it would be fun to see this.
Bill Hader: Oh, it was amazing. We had like, when you do a movie, you do table reads, where like all the actors get together-
David Letterman: At the beginning of the production.
Bill Hader: At the beginning before anything you get together and you read through the script. And so it's like all these heavyweights, like Ben Stiller, Jack Black, Robert Downey Jr. Everybody. And at the end is like me. Like, hey, happy to be here, guys. And some other supporting guys. And then Tom Cruise walks in.
David Letterman: Oh my God.
Bill Hader: And even those guys are like, whoa. And he's super stoked to be there. He's like, yeah, oh boom. He's just immediately excited when he walks into a room. And so he comes over and he sits next to me. And I think he had been briefed on some of the supporting guys, but he was like trying to place me. So he sat down next to me and he is like, "I love your work." And I went, "Oh, thanks. I love your work too, Tom Cruise." Thanks. And I go, "Yeah, I'm friends with Judd Apatow and Seth Rogen. And they went to your house." He went, "Yes, yes, yes. They did come to my house." And I said, "Seth Rogen was like, it was amazing. He has like a bike track in his backyard. It's phenomenal." And I did a Seth Rogen impression and it was like I did a magic trick. Tom Cruise was like... And he points to me.
Jennifer Kinney: Yeah. So I think you guys are more talking about password managers in the chat right now, but let me know what you thought about that deep fake, because I just thought it was super creepy and such an example of how, if you have somebody that can do voices and do a good impersonation, how simple it can be to actually morph their face. Yeah Shannon, I thought it was so creepy too, where I just thought that it looked really convincing. Yes. And thanks, Brandon. She just linked to, oh, she just linked to an article on business email compromise. But yeah. So what we want to talk about now though, a lot of these deep fakes are done just for humorous effect, entertainment effect, but people are using them for much more nefarious reasons too. So Robin, talk about this example that you showed me last week.
Aurobindo Sundaram: Yeah, sure. We're not going to actually play the video here, but a few weeks after the Russia Ukraine war started, there was actually a deep fake or a video purportedly from Vladimir Zelensky, the president of Ukraine surrendering, basically saying, "Hey, this is too much, we've lost a lot. I'm advising all my soldiers to lay down arms." And so the picture on the left is just a screenshot of the fake. And then the picture on the right is the real president. And they look remarkably similar, right? Fortunately in this case, two things happened. One was that the deep fake was clumsily enough made. I mean, on the left, you can see he's got a gigantically tall neck, and he's generally very animated in conversations and briefings. And in this deep fake, he was just standing very robotically. And of course he's on social media so much, they noticed it immediately. It was flagged by the Facebooks and the Twitters and YouTubes of the world.
Aurobindo Sundaram: And he put out his own release saying that was a deep fake, don't worry about it. But you can imagine that in the future, these things will be much better, right? They'll take a little bit of time, craft the message appropriately. If you can get 10% of the people to think that, let's say, the President of the United States is dead, what does that do to the stock market? What does that do to law and order, those kinds of things? Someone mentioned on the chat actually about audio deep fakes. And we have seen already last year, there was someone, a company that lost several hundred thousand dollars because of a deep fake where a CEO called a CFO and said, "Hey, pay this money." And they paid it. And it sounded exactly like the CEO.
Aurobindo Sundaram: So audio deep fakes are scary because you don't even have a visual reference. And when you listen enough, you can be like, yeah, that probably sounds like so and so. Video deep fakes are harder to do, but they're getting there. And I cannot imagine that in five years, you'll be able to tell a deep fake from real news, if you will. And that's what should concern us, just overall from political discourse, from public announcements, that sort of thing. And then of course that'll bleed on over to people directly scamming you or your grandmother or your bank.
Jennifer Kinney: Absolutely. And there's an article I found. Kerry Tomlinson is a friend of ours, and she did an article on LinkedIn recently about how to spot a deep fake. Of course, the more education that we push of how to spot a deep fake, the more the criminals are going to take a look at that as well, and figure out how to make them more convincing and realistic. But yeah, please give everybody that article. And then we also posted the full article. If you want to see this video, we posted the article, I think it was King5.com, where you can take a look at that. And we're going to be talking a little bit more about deep fakes and what the future may hold in a moment or two. In the meantime, you were mentioning pretexting just a moment ago, Robin. So how is pretexting used with SIM swapping now as well?
Aurobindo Sundaram: Yeah, sure. So essentially this is a little more complicated and complex to do, but it's not super difficult. If you go Google SIM swapping, pretexting, you'll see either examples of it or how one might do it. This is actually a really good explanation of it, but essentially a fraudster gets some information about, say, Jenny, right? And they have her phone number. They have her bank credentials, but they can't log in as her because they don't have the phone itself. And so pretexting is part two of this chart, where essentially the fraudster would call in to the mobile operator. Let's say that it's AT&T. They will either call in or go into an AT&T office with a fake ID, for example, and essentially social engineer the mobile operator to perform what's called a SIM swap. They'd say, "Hey, I dropped my phone and I lost my SIM. I've got a new SIM, please program my phone number (404) 555-1212 to this new SIM." The AT&T or whoever else will say, "Yep, got it. Done. You can now use your new phone."
Aurobindo Sundaram: And now suddenly, if you're the real Jenny, you're going to be seeing that your cell phone access is gone. You may not notice it because you're off on a hike or on holiday, but the bad guy now has full access to every message, everything your phone could do, they can do. And so now they can initiate a login to a bank, and they've stolen your password from some other breach, for example. They put in your username, password, bank sends the one-time code to SMS. It pops into their phone, they then pop the one-time password in. They're you, they can do whatever they want. While you're completely locked out until you notice. And then you call in and then hopefully over the next hour, two hours, six hours, you get access back to your life. In that time, the attacker can do whatever they want.
Aurobindo Sundaram: So this is the example I was mentioning earlier that happened to Jack Dorsey, and has happened to several other celebrities where essentially they just pretext them, impersonate them, and then do all sorts of things like send prank emails, send requests for donations, requests for, I think there was one with Bitcoin actually, but someone sent messages maybe as Elon Musk saying, "Hey, I'll give you two Bitcoin to do X." And a bunch of people did that. So it's got a social engineering aspect, but they're not really social engineering you, they're social engineering one of your providers, and getting the SIM swap done. Not an awful lot you can do about it.
Aurobindo Sundaram: Of course there's one thing you can do, which is several phone providers now, or service providers now, allow you to set a PIN on your account so that if certain sensitive operations such as SIM swapping or porting are attempted, they'll ask you for that PIN before they do it. If you have that capability, I would check with your phone company or phone service provider. If you can set that PIN, do it. Because even though none of us is probably being targeted, it's one of those things where it's zero harm done to you, zero overhead, and it prevents you from being an accidental victim.
Jennifer Kinney: Absolutely. It just kind of goes back to MFA as well. Like of course it takes a couple extra seconds. It can seem inconvenient, but it's worth it in the end. So that's great advice. Thanks for that. Okay. Yeah, so some people are wanting to know about deep fakes and how to spot them. So Vince, thank you, I saw that you dropped an article in there, and then we also added the one from Kerry Tomlinson on LinkedIn about how to spot deep fakes. Yeah. So don't put 01234 as your PIN. Thank you for that. Okay. So moving right along, let's talk about the future of scams and cyber crime and what we expect to see.
Aurobindo Sundaram: Yeah. We spoke more of this like a moment ago, better deep fakes, right? So it is hard to do, but the technology gets exponentially better every year. And so just imagine if you could actually see your child's real face and voice, or your mom's real face and voice, on a phone screen with a phone video call coming from them saying, "I'm in trouble, I'm going to be arrested. Please send a thousand dollars right away." We had a similar issue in our own neighborhood here in Atlanta, where someone was called, and the attacker essentially said, "Hey, I've got your daughter here, your daughter, Pam." And then someone screamed in the background, "Please help me," or something of the sort. And then they told this person, "Stay on the line, go to the ATM, withdraw money and give it to us, or we'll ship Pam back to you in pieces."
Aurobindo Sundaram: And so they used one of those phishing triggers, a social engineering trigger, this one was fear. And they used that to get people to do things. So in the future, we might be like, ah, screw this. This is not real. But, if you saw your real child's real face and voice, you might think differently.
Jennifer Kinney: Oh, I'd be terrified.
Aurobindo Sundaram: Yeah, exactly, exactly. People were chitchatting on the chat about... Shoot, I completely lost my train of thought. Okay, never mind what people were doing on the chat. Yeah. So it's something you need to worry about. The second piece is about longer-lasting stealth attacks, which we've seen a couple here and there in the industry, which is where someone will gain access to your email, for example. And then they just sit quietly and they monitor your email until it's time for maximum impact. And what they'll do-
Jennifer Kinney: It's the long game, so to speak.
Aurobindo Sundaram: It's exactly the long game. And then they'll set up filters in your Outlook where email from certain people will wander off for them to look at, and then they'll reply to it and filter the replies back. And so you never even know what's happening until suddenly you realize you've approved payments for five million dollars, and all the interactions with your staff that were verifying it with you are all legitimate because the attacker is doing it in the background. You never see a thing until you see the bill. So essentially it's persistence, right? It's a long game and it's persistence. And we've seen it a couple of times. And especially in national security defense situations, I suspect that's what's going to happen. And then finally, Jenny, you're the one who brought this up, biometrics attacks. And many of us use CLEAR and other biometrics to log in, or to get on planes. What's in those databases, how are they secured, if they're lost what can an attacker do with them? It's all kind of unclear.
Jennifer Kinney: And we were wondering if there's anybody that has any insight into biometrics and the security of that. Because I was telling Robin when we were prepping for this webinar, I was like, I use CLEAR at the airport because it's so convenient. But every time I do, I'm like, okay, so they've got my retina and they have my thumbprint. Maybe it's hashed on the backend and that's great. But if you can do a reverse hash for a password, who's to say that you can't eventually do a reverse hash for however they're storing that information. And I just don't know much about it. I don't know if anybody that's joining us today does. If so, please educate us, please educate us on that. And another thing I think when it comes to biometrics, I don't really trust CLEAR, even though I'm doing it anyways. But if there's a low tech, I'll give an example. Marisa, who you work with at LexisNexis, Robin, her daycare started using a fingerprint in order to get through the door instead of a PIN number. And so she was like, oh, this seems sketchy to me.
Jennifer Kinney: And so she asked the folks that work there, what kind of security do you have? How do I know that you're protecting this information? And they said, "Oh, I'm sure it's fine. I'm sure it's fine." And so she's like, "No, I'm not going to give you my fingerprint." Looks like somebody just put in, is it Tom that just put in an article, a major third-party breach of biometric data in the UK. Okay. I am going to copy this and look at it later, because I don't know if you can summarize it for us, Tom, real quick, but I'm just wondering what data they got and if they were ever able to exploit that in any way. Anyway, something that I think we should all kind of have in the forefront of our minds for the future. Don't use biometrics unless you have to. Right. And so here I am using CLEAR. I'll let you guys know if I'm scammed later on. Crossing fingers.
Aurobindo Sundaram: Well, I mean, in some cases you don't have a choice. You have to use biometrics of some sort. But yeah, I just briefly looked at that article, and I mean, at the end of the day, biometric data is stuff that's a representation of a fingerprint or a retina and a hash, which you then compare. So if they have the hashes, now they can, in most cases, replay the hash wherever you could use it. I mean, that's the whole story of every Mission Impossible movie is essentially biometric hash replaying or gouging out your eye. One is easier than the other. Hacking a system is a lot easier than gouging out an eye.
Jennifer Kinney: Yeah. And folks are trying to move away from passwords and I totally get it, but at the same time, it's like, I can change a password. I cannot change my thumbprint or my retina.
Aurobindo Sundaram: Yep.
Jennifer Kinney: So, okay.
Aurobindo Sundaram: Use with care. Yeah.
Jennifer Kinney: Yes, exactly. Exactly. Okay. Thanks for all the comments in the chat you guys. Okay. So let's just talk about some solutions as far as people process and technology is concerned, thank you for pulling this information together for us. Do you want to talk this through?
Aurobindo Sundaram: Very quickly, because I think we are starting to run a little bit low on time, but this is a report I-
Jennifer Kinney: We've got until the end of the hour, we've been taking questions as we go, so it's good.
Aurobindo Sundaram: Okay. Fine. So this is really just a chart I pulled up from our own systems about a quarter's worth of email coming into our systems, and once that gets filtered by all the things we spoke about: malware, phishing, spam, impersonation, blah, blah, blah, blah, blah. And so when you look at it, the blue pieces, all those blocks, that blueish green, greenish blue, is technology related. And so technology can do a lot of work. And so 95%, 99%, whatever else, it can block the bad stuff, but then there's still a chunk that's delivered, in yellow or orange. And most of that email is legitimate. There's probably several thousand that are not, and that's where the people and process pieces come in, that you have to train your people and have them engaged and whatnot. And then regardless of the errors that people may make, you have to have your processes that are resilient to the mistakes that both technology and people inevitably will make. And that's sort of the synopsis of this whole thing. And it's really a pretty cute slide, to be honest.
Jennifer Kinney: Yeah. You did great with it.
Aurobindo Sundaram: Thank you. So yeah, if we move on, I think maybe the next slide really has more specifics, doesn't it, Jenny?
Jennifer Kinney: This one is about protecting wallets. Let's see... yeah, we're going to talk about detect and respond in a minute, but we did promise to give folks some information on protecting their wallets. But before we move on to this, with the poll, I think this is interesting about what keeps you up at night. I'm so glad for you 10% who sleep like a baby and you have all confidence in your technical controls and your people. That's wonderful. So it looks like 21% of the others, they worry about gaps in technical controls. And it looks like the majority though are concerned about gaps in employee security practices. And that's exactly why we do these webinars. And it's exactly why at Living Security, we try to build really great educational content to fill those gaps in the employee security practices.
Jennifer Kinney: And again, the more we talk about educating families and taking things into your home lives too, I think that will really help people think about security from a holistic point. And so as they start to think about protecting their homes, their families, et cetera, they'll also be more adept at protecting your organization. What do you think about that, Robin? Do you agree with that?
Aurobindo Sundaram: No, absolutely. I mean the line between work and life and play has blurred completely. We're working from home, we're on our mobile devices, et cetera. So the more we can tell our families, ourselves on our personal phones, ourselves on our business phones, tablets, et cetera, to be secure, the more that flows into daily life. So I'm a big proponent of getting people educated on anything security related, and not just at work.
Jennifer Kinney: Yeah, absolutely. And then we have a question about NFTs. Have we seen much in the way of NFT scams and fraud? The latest that I've seen on NFTs just of last week is that they are really dropping in popularity. And there's a big disappointment recently when it comes to trying to resell an NFT. I don't personally, I haven't seen any scams yet, but I'm sure they're out there. I just haven't been following that closely. How about you?
Aurobindo Sundaram: I haven't either, but you're right. The guy who bought Jack Dorsey's first tweet for several million dollars tried to resell it, but is only getting like 250 bucks for it, which is a problem for him. But I do think the scams are going to be mostly on the crypto side, really, because you are going to be paying for an NFT with crypto in general, and a bunch of the process around NFTs, whether it's creating or selling or buying, there's a whole bunch of overhead. You lose a lot of money to the different people that you work with. And so you're already behind. And then as soon as you try to buy an NFT or sell an NFT, you're using a crypto wallet. So I don't think people are going to go after the NFTs. They're just going to go straight after the wallet. And that's why this slide is actually really important, because it's the crux of it.
Jennifer Kinney: Right. And our content team is currently putting together some modules about NFTs and crypto theft that is going to be released in time for cybersecurity awareness month. So for those of you who are planning that now, you can reach out to us to get more information about that. But I agree with you guys. I saw Shannon Jones say that NFTs seem like a scam to begin with in and of themselves. And yeah, I'm not going to be investing any money in that myself. So let's talk about your wallets and how to protect them.
Aurobindo Sundaram: Yeah. Very quickly. So these are crypto wallets. They have real value, or at least virtual value. Because they're online, it's not like someone can mug you and grab them, but they can get onto your computer and steal them. And so there's a few tips that I picked up while doing research on this, because I'm not a crypto user today. One is about using MFA. That's really not optional. If you have a username and a password, expect it to be compromised at some point. And so you really should have multi-factor authentication, but at the same time, if you have multi-factor authentication, remember there's pretexting and SIM swaps and all that that can affect you. So one of the things that people are doing, especially the high-value crypto wallets, is to keep an offline copy of their wallet, which is essentially sort of like a USB that you can keep your wallet on with most of the value on it.
Aurobindo Sundaram: And then you plug it in only when you want to use it, so that if your phone gets compromised, your computer gets compromised, you're still kind of, sort of, okay. Don't allow your phone to be ported. We spoke about this earlier, spread out your assets by using multiple wallets. There's no restriction on. So a lot of people that I've heard of have one big wallet, which is sort of mostly offline with most of their assets. And then they have half a dozen essentially burner or throwaway wallets where they have just a few bucks in it. And so if they lose it, so be it. So it's sort of a trade off between convenience and security. And then whatever recovery phrases there are for your crypto wallet, save it on paper. We've all heard the story about a guy who bought Bitcoin way back, didn't think about it, moved on with his life. 10 years later, he suddenly realizes he's worth millions of dollars, but he doesn't have his computer and his Bitcoin any longer.
Jennifer Kinney: That happened to a friend of mine actually.
Aurobindo Sundaram: Oh, did it? There you go. And that's literally, it's gone. There's no way to get it back. So save your recovery phrases on paper, keep it at home. It's no big deal. And then finally, be really careful about being phished. I mean, in the end, this is money sitting in a wallet on your computer or your phone and people are trying to get to it, whether it's through romance scams or any of the other triggers of which we spoke. So there are a few different things you should be doing with crypto wallets, like we said over here, but most of our other advice in terms of phishing and scam protection holds for anything crypto related.
Jennifer Kinney: Okay. That makes sense. And so, yeah, we do just have a few more minutes. I want to make sure we do talk about further solutions about protect, detect and respond. We wanted to talk about these three functions out of this framework specifically. So when it comes to, of course we are all on the line because we're educators and we want our employees, et cetera, to know about these scams so that they can mitigate them. So educate with your phishing simulations, use engaging training modules and gamification, which is what Living Security is all about. If you have not seen our content, please reach out to us either on our website or you could ping me on LinkedIn, whatever I can do to show you our content. It's extremely engaging and it will really help educate your employees. Use cross-channel communications. Not everyone is going to read an email.
Jennifer Kinney: Some people are going to want to check out your intranet. Some people are more into Slack than email, et cetera. So use cross-channel communication so that you're really targeting all different kinds of learners and folks within your org. And then again, like we were talking about, Living Security, we have family-first content, which is just all about protecting, you know, the children in your life and the more vulnerable parties like older adults, for instance. Use MFA throughout your enterprise, whenever it's available, and then effective anti-phish controls. Again, it's all about the education when it comes to protecting, it's all about education for the human element. And then also making sure your technical controls on the back end are as up to date and sophisticated as possible. And then phish-resistant processes, the dual controls, independent verification, et cetera, like Robin's already touched on. Is there anything else you'd like to add to the protect function?
Aurobindo Sundaram: We could speak for an hour on protect, Jenny, but I think this is great for a flavor. And we can answer questions if people have specific questions on protect and the next slide over.
Jennifer Kinney: Okay, great. So when it comes to detecting, you want user reporting capability. So that's when your users see a potentially malicious phishing email and other incident reporting. You want your tech processes to respond to user reports and other phishing campaigns. So if people are actually reporting, then you want there to be folks that are designated to respond. Financial outflow anomaly alerting, will you speak to that, Robin?
Aurobindo Sundaram: Yeah. So this is simple, right? So on your credit card, for instance, I have something set up for myself where any charge greater than $250, I get a text message and an email, and that's the same sort of thing people should be doing within enterprises as well, or even for themselves personally, is look to set up alerts so that when something goes awfully wrong, $10,000 or more for a corporation for example, someone's alerted. So you can at least know and potentially be able to stop it. This doesn't stop like the Yale administrator who went on just under the limit every time, but it's fine. It's a trade-off between convenience. You don't want to be alerted on every charge on your credit card, but you want to be alerted when you are potentially going to lose a lot of money. And the same thing, everyone's got to figure out what that number is and what the workflow is when you find an anomaly.
Jennifer Kinney: That's great advice. And then when it comes to reporting, for your enterprises, again, make sure you have internal teams that are at the ready, and then in the United States, if you want to report any of these scams to the FBI, there's a link to do that. IC3.gov. Again, I want you to go ahead and bookmark that site. I think it's really helpful. In the UK, there's the Action Fraud police website, and then in the rest of the world, just contact your local jurisdictions. I know we all have government entities that are looking out for this these days. So check those out, and then respond. What do you want to say about respond?
Aurobindo Sundaram: This is a really important one. And I know you heard about it with the Secret Service last week as well. Please make sure, if you're an enterprise, you have contacts with fraud management at the big banks that you use. And the reason is because if you get scammed, and if you can contact the bank within 24 to 48 hours, they and the FBI and the Secret Service can work to claw back all or most of the money that's been illegitimately transferred, but time is absolutely of the essence.
Jennifer Kinney: That's why you're echoing Tom. Yeah.
Aurobindo Sundaram: Oh yes. Brilliant, Tom.
Jennifer Kinney: Yeah.
Aurobindo Sundaram: Okay. Yeah. Yeah. So Tom is exactly right, for people that are watching on chat. If you can get to them quickly enough in the 24 hours, 48 hours timeframe, they can get back a chunk of your money for you. And that's a big deal. So knowing who to contact is going to save you the three, four hours that you spend Googling and trying to figure it out. So have that at the ready, so that as soon as your financial outflow anomaly alerting triggers, you do a quick triage and say, "Nope, we didn't mean to send $200,000 to Vietnam." Talk to your enterprise bank or the Secret Service contact that you have and boom, you're getting on average 81% back.
Jennifer Kinney: Yeah. And Hader, your point is right. The last step would be recover when we're talking about this framework; we were just talking about these three main functions today. Okay. So I think we literally have time for one question. I love Schitt's Creek, which is why I use Moira and David Rose here as our GIF. But if we have one question that we want to cover, maybe Nick, you may have seen a good one that we missed, or Robin, if you saw one that we may have missed.
Speaker 5: Jenny, there is one great question here from Matthew Farr, kind of talking about organizations that are bypassing the typical social engineering, and actually just trying to tempt employees and basically create insider threat. What can organizations do to help look out for insider threats in the form of social engineering?
Aurobindo Sundaram: Wow, that's such a great question. Because I don't think any company has solved that problem yet in terms of trusted employees on the inside. What I will recommend though, is the same kinds of things that we had here, which is financial outflow reporting, or alerting, so that if an employee goes rogue, they can only go rogue to a certain point. This is a problem, right? Because you're imagining that a trusted employee who knows all of your controls is now working to disrupt your system. The only thing I can think of is anomaly reporting and segregation of duties.
Jennifer Kinney: We actually have some Living Security content as well about detecting insider threats. So again, if you're interested in taking a look at some of our content and aren't already a customer, let us know, and we're happy to share that because yeah, insider threats are definitely something that all of us in the industry need to be cognizant of. Well, thank you so much everybody that joined. Robin, as always, it's such a pleasure to speak with you. Thank you for sharing all of your knowledge, dropping all these knowledge bombs on us. We certainly appreciate it. And yeah, so y'all join the community if you're not in it already. And we will see you all at the next Breaking Security Awareness seminar. Thank you.