During the closing session of the 32nd Annual ACFE Global Fraud Conference, John Gill, vice president of education at the ACFE, spoke with convicted fraudster* Brett Johnson, who shared stories from his life as a cybercriminal. After being placed on the United States Most Wanted List, captured and convicted of 39 felonies, he escaped prison. Captured again, Johnson served his time and accepted responsibility.
In the excerpt below from the full transcript of episode 109, Johnson shares some advice for companies as cybercrime continues to evolve and grow. Download the full transcript in PDF form or listen to the episode at the bottom of this post.
John: We’ll stay with a larger issue, one thing I do think is interesting is the idea of organization because I think, at least in my generation, a lot of us, when you think of hackers, think of cybercrime, you think of somebody sitting in their mother’s basement on the computer, but it’s grown from that. Now, this is an organized industry. It’s organized crime. When we talked two years ago, we talked about ransomware. Now that’s made a big comeback recently. People are obviously extremely concerned about this, and they should be.
This has had a lot of economic impacts in our country and elsewhere around the world. I know you at least are keeping tabs on things like this. Can you give us some advice on how we can combat this, what we should be alert for or what should we know?
Brett: Sure. So let’s talk about ransomware for a second. We had Colonial Pipeline hit. They pay the ransom. We had JBS hit. They pay the ransom. We had the PGA hit a couple of years ago. They pay the ransom. When you pay ransom, what does that do? That tells the criminal, “Hey, this works.” Not only does it work, but it’s extremely profitable. First of all, how is ransomware deployed? Typically, it’s deployed by some sort of social engineering techniques, some sort phishing scheme, spearphishing scheme, maybe dropping a thumb drive in a parking lot and see who plug it in because they will. It’s looking at cybersecurity issues.
If you’ve got— and here’s a stat for you, 41% of every single router on the planet has a default password. Think about that for a second, 41% of every single router. I don’t care if it’s a bank router, they have the default password. It’s very easy to get access, very easy to get access. I was on a panel a couple of weeks ago that was talking about ransomware, and one of the ideas that was put forth was when it comes right down to it if your business is hit with ransomware, it’s a business decision on whether you pay the ransom.
No, no, I’m going to say if you if it gets to the point where you’re saying it’s a business decision on where you pay ransom, the problem is that you did not prepare properly as far as your security goes.
Here’s the thing, this is a fine line to walk. It is never the victim’s fault that crime happens. It’s always the criminal’s fault, always. It was not Colonial Pipeline’s fault that ransomware was deployed on their system. It’s not JBS’s not. It’s not the PGA’s fault. It’s always the criminal’s fault that crime happens, but if you live in a neighborhood where you know crime is huge, you probably want to lock your doors when you leave the house. That tends to be the problem with cybersecurity. More often than not, we see that companies really don’t worry about cybersecurity until they’ve been hit with an attack. They don’t want to put the money for it.
Typically, you have an IT department, and the IT department will come and say, “Hey, we need these tools.” Management will say, “Not right now.” It’s never a question of if you’re going to be hit. It’s a question of when you’re going to be hit. Usually, it’s a question of, well, it’s not your first time, is it? You just didn’t know about it before.
We have to get to the point where we take a proactive response to security. Everybody, I don’t care if it’s an organization or an individual, you have a place in the cybercrime spectrum. Everybody. If you have a business or an organization that makes money, a criminal can and will make money off that same business or organization. Understand your place on the cybercrime spectrum. The way that I will victimize you differs on who you are and what you do. For example, if you’re an individual, if you are the CEO of a company or you work payroll, the way that I will victimize you differs from if you’ve worked food service for 20 years. I’ll still victimize you. If you’re CEO or payroll, I may try to implement some sort of business email compromise scheme. If you’ve worked food service, I may set up new accounts in your name. I may try to commit HELOC loan or student loan fraud in your name, may do any number of things, I’ll still victimize you.
Same thing for a company. Does your company have data that I can breach the company, steal the data, resell in the black market, or is the data specific to the company? That will determine whether I try to steal the data and resell, or whether I try to deploy ransomware on the system. Understand your place in the cybercrime spectrum.
Also understand that most of these crimes are effective because of social engineering. What social engineering basically means is compromising the human. Tools tend to be very good, but you’re compromising the human. You’re sending those phishing emails, you’re relying on management not to trust their IT department. We see this time and again. That’s one of the things about organized cybercrime is the intel, the data among criminals is real time.
Criminals know if a company has changed fraud teams, if they’ve changed tools, if they’ve started using a new fraud tool, stop using an old one, that they’ve implemented some new security. If security is lacking, then they share that within their entire network, and these networks are millions of members large. The data is real time, the intel is real time, it’s always up to date, and it’s always about compromising the human. As such, we need to constantly be training the humans, but we also need to rely and trust the tools. The tech tends to be very good.
If you’re not implementing the proper tools, if you’re waiting until you’re hit, it’s wasted. I’m a firm believer, the French recently, the French insurers stopped paying ransomware. I think that’s one of the best things that could possibly happen, because at the end of the day, companies are not … unless they’re forced to implement proper cybersecurity, we’re going to continue to see these types of attacks.
We’re going to continue to see that idea, “Well, we’re okay right now, we’ve not been attacked.” Cybersecurity should be mandatory. Insurance companies need to stop paying ransomware. That will help force companies to prepare effectively on their security side, instead of…
To any company out there, I would say, instead of stockpiling Bitcoin, use that money to implement proper cybersecurity. That will be much more effective at the end of the day.
*The ACFE does not compensate convicted fraudsters.
SOURCE: ACFE Insights – A Publication of the Association of Certified Fraud Examiners