In the 90s, smash-and-grab thefts at jewelry stores accompanied by security footage dominated the news more than foreign hackers and cyberattacks.
Seemingly overnight, everything changed. Suddenly criminals figured it out — you don’t have to use a gun to commit a crime anymore. You can rob people from far away — from another country even — without worrying about ending up in a shootout with a cop.
“There’s no new crime, but there are new ways of getting the crime to the consumer, the victim if you will, and that’s technology,” said Corporate Intelligence Expert Chris Mathers during the morning keynote at the 2018 ACFE Fraud Conference Canada. “Instead of people picking your pocket, they do it online. Extortion online? Yeah! These are basic crimes. You put lipstick on a pig, it’s still a pig.”
According to Mathers, instead of check fraud in Canada, there’s now email compromise. Instead of the seizure of physical money, we now have bitcoin: the currency of crime. Mathers said that estimated criminal profits from drug trafficking is $435 billion, while estimated criminal profits from cybercrime is $1.5 trillion.
Who are the new bad guys? They’re the same as the old bad guys, but the line between criminals and the intelligence service is often quite blurry.
To combat this ethical climate, his team does penetration testing for companies looking to shore up their security weaknesses. “A client, a very large health center, asked us if we would be able to break into their IT architecture,” Mathers shared. “My team hacked into the hospital computers and were able to get into the hospital records. Every, single thing.”
He said his team then got into the prescription matrix and realized they could easily change the numbers so patients receive the incorrect dosage of pills. “We didn’t changed anything, but we could have,” he said. The team was also able to turn off any appliances that administered drugs. “The problem is, as good as they are, there are people out in the world who are equally good, or better, at doing terrible things,” said Mathers.
Mathers’ team also does phishing tests for organizations that want to see who in the company is creating a threat to their security. They'll send an email that looks legitimate but that includes a bad link. They record who clicks on it and then do a training with the organization to teach them what not to do. Then, they conduct the phishing test again. Hopefully, less people click the bad link the second time around.
Mathers shared the latest common schemes:
UPS and FedEx phishing scams. You’ll receive an email that looks like it’s from one of these entities but contains a bad link. “You can't even get them on the phone, so they’re never going to email you,” said Mathers.
Greeting cards. Recently, greeting cards have become a popular phishing scam and 25& of all phishing scams are through ecards.
Business email compromise (BEC). The No. 1 scam in the world is BEC. Mathers explained that BEC started as a fraudster pretending to be the CEO. They would contact someone in the payables department. The email would say something like, “Gertrude, you’re the only one I trust. I need you to send $1 million to this address …" It’s become more sophisticated over time. Criminals will hack into your email and spoof your email.
Public Wi-Fi. “Using public WiFi is like picking up a piece of gum off the street and chewing it,” he said. Hackers use an easily purchased item called a Pineapple to spoof the public Wi-Fi. Once you connect to it, they have access to your data.
Passwords. By and large the biggest vulnerability is passwords. Do not use a real word or real name in any language for your passwords. “Brute Force” attacks will get them. Mathers recommends picking your favorite line from your favorite movie, taking the first letter of each word and turning that into your password. “Make some letters uppercase and some lowercase, throw a few ampersands in there and you have your new password,” he said. And with anything involving money, purchase a password keeper and use it. The password for your password keeper should be very complex. “Make it tougher so criminals go after someone else.”
How vulnerable are you or your organization to criminal activity? Remember that bad actors are sitting in the shadows, waiting to find your weak spot.