This guest blog post comes from Scott E. Augenbaum, a retired FBI Supervisory Special Agent and Keynote Speaker.
Author of “The Secret to Cyber Security, A Simple Plan to Protect Your Family & Business from Cyber Crime.”
I joined the New York Field Office of the Federal Bureau of Investigation (“FBI”) in 1988 as a support employee. In 1994, I became a Special Agent where my focus was on domestic terrorism, white-collar and hate crimes, and computer crime investigations. In October 2003, I was promoted to Supervisory Special Agent in the FBI’s Cyber Division, Cyber Crime Fraud Unit.
During my decades with the FBI, I interviewed and interacted with over one thousand victims of cybercrime, each of whom affected me personally. I learned that one of the most common elements about cybercrime was that many good, smart people became unwitting victims.
Since retiring from the FBI in early 2018, I offer Cyber protection strategies to individuals, groups, and businesses. By sharing my life’s journey investigating cybercrime, I want everyone to acknowledge the risks, and I try to make it simple by breaking things down to what I call the “Four Truths About Cyber Security.”
Truth One – Nobody expects to be a victim.
Truth Two – Once cybercriminals steal your money, the chances of a full recovery are slim to none. If the money is out of your bank account or already converted into gift cards, neither the bank nor the credit card company are responsible for helping get the money back.
Truth Three – The chances of law enforcement bringing cybercriminals to justice is challenging at best. Even with digital clues such as emails, social media accounts and 1-800 numbers, tracing the crime back to the actual perpetrator is practically impossible. And if you think that following the money trail is a viable strategy for recovery, more times than not you are led to foreign bank accounts that are subject to rules, regulations and treaties that can result in it taking years to access bank records. By that time, the criminals will be long gone.
Truth Four – Most cybercrime incidents could have been prevented without spending money on products, services or even needing a technical background. All that is needed is empowering the end user with a couple of key pieces of information and no-cost preventive action plans.
Crime has changed quite dramatically since the time I started as a Special Agent some 28 years ago, however a few things have stayed the same. When I was a new Agent, I was assigned to investigate white collar crime (WCC) which consisted mainly of wire/mail fraud investigations. Wire Fraud is easy to explain as it involves a subject using deception to trick the victim out of money. This always involved some form of communication such as the telephone, fax machine, or letter.
Investigating WCC was not always complicated and involved a couple of steps. Interview the victim, work with a federal prosecutor, follow the money, and bring the criminals to justice. By the late 1990s America OnLine (AOL) was becoming mainstream and millions of people were communicating with total strangers in chat rooms and via email. As more and more people purchased home computers, criminals found fertile ground for their fraud schemes. Advance fee schemes, investment fraud, and crimes against children investigations became an everyday occurrence for me. A Federal Grand Jury subpoena served on an Internet Service Provider (ISP) was my investigative technique to identify the person behind the keyboard and bring them to justice for their criminal activity.
In the beginning of 2000, the face of cybercrime changed from the teenager hacker in his basement to a new sinister threat. The threat actors were now located overseas, financially motivated and had ties to transnational criminal enterprises. A Grand Jury subpoena is worthless in commanding a foreign ISP to provide the identity of the cybercriminal and there were no cyber laws in foreign countries at the time. Most of the host governments were not concerned when their local criminals were targeting U.S citizens and in many cases the criminals were recruited to work for these same governments.
In 2002, the FBI formed a Cyber Division in Washington DC and a National Cyber Strategy to address the growing threat of Cybercrime. Today there are dedicated FBI Cyber Task Forces in all 56 Field Offices around the United States and there are Cyber Agents located in 78 embassies around the world. Despite the apparent changes, social engineering is still the weapon of choice in most cybercrime scams. First it was phishing emails and now text messages with a simple message appearing to come from your bank stating your account is overdrawn and all you need to do is click on a link.
Today’s electronic communication is occurring in many different channels outside the world of email, text, and telephones. We are using Teams, Zoom, and Slack to have real time communication with our colleagues, clients, and vendors. The lines are now blurred between our personal life and business life as social media is one of the most used communication channels for employees. How many different social media accounts is the average person using at any time?
As a Cybercrime Prevention Trainer, I continually reinforce my message to think before you click and think before you act, and the importance of becoming a “human firewall.” However, that only goes so far because as a human I’m dealing with adversaries who do not sleep or rest, never take a day off and will try and try until they’re able to trick me. I know I need to be careful on email, texts, and telephone calls and in a perfect world I think I can “handle” these platforms. But it is only getting more difficult as my communication is moving to dozens of other platforms.
The pace of communication is speeding up while the level of distraction also increases. The human mind is not a machine, and it’s not trained to pick up on sophisticated social engineering tactics. On any given day, circumstances at home or at work can create the level of stress and distraction to get past the human firewall and convince someone to click or take an action they otherwise wouldn’t.
Training will always be an important part of inoculating any organization against the risks posed by cybercrime. But technology will also need to play a part. Social engineering’s basic tactics haven’t changed much, but the volume and sophistication have increased. New advances in machine learning can help close the gap between training and the human propensity to click.