In this Q&A, David Murphy, People’s United Advisors Regional Wealth Leader for Massachusetts and former military and U.S. Special Operations Command leader in counter-fraud and counter-terrorism initiatives, speaks with two cybersecurity professionals. Donald Codling, the owner of a cybersecurity and data-privacy firm, is retired from the FBI, where he was a Cyber Team leader for more than two decades. Scott Pierce is a Connecticut State Police Detective assigned to the FBI Task Force in New Haven.
David Murphy: We all know that cybercrime has become a sad fact of modern life. Of the various scams and plots out there, Scott, which do you think is the most invidious?
Scott Pierce: I’d start by saying that losses from cyber fraud are increasing at a startling rate. I guess that’s not surprising in a world filled with “Smart” devices—not only phones but cars, TVs, and even refrigerators. Tons of personal and business information are available to criminals contemplating e-mail scams, credit-card scams, romance scams, and a whole lot more. But my vote for the most nefarious is ransomware, a plot in which criminals hijack and encrypt data, usually of businesses, and demand money to unlock the computer files. For example, a mid-size construction-services in Connecticut recently lost all the data it had stored on its customers, vendors, and employees, not to mention its good reputation, which is probably its most important asset. The thieves demanded a million dollars to release the files.
David Murphy: Wow. Did they pay? And could they have prevented becoming a victim?
Scott Pierce: In that case, the company wound up handing over $250,000. Our general advice is to alert the authorities and not pay, but of course, victims have to make that decision for themselves. The problem with paying is that you open yourself up to escalating demands and re-victimization. But you can almost certainly keep ransomware off your system. We believe that maintaining off-line back-up of all your data could foil more than 90% of ransomware attacks—basically, put the criminals out of business. Multi-factor authentication would add further protection. In fact, requiring two or more layers of authentication to log in to a device is one of the most powerful tools we have for fighting cybercrime.
David Murphy: When I think about all the data we’re trying to protect, I’m reminded of a term I learned in my military days—"digital exhaust.” That’s the data footprint that we all establish. Don, how serious is that issue, and who’s taking malignant advantage of it?
Donald Codling: It’s a huge issue. Many people have an image of a cybercriminal as a teenager in the basement of his parents’ house. There are a few of those around, but these days, most cyber fraud is committed by professional criminals, who may work with other criminals in gangs. And often, they’re not satisfied with just victimizing you, but trade or sell your data on the dark web; lists of private data have become a currency among cybercriminals. Appropriately enough, those lists are called suckers’ lists.
As to digital exhaust, I recently picked an upscale ZIP Code in the area—06878, which is in Riverside, Connecticut. The average annual income in the town is about $665,000. I also found out that one of the residents had recently bought a very valuable painting from a local gallery for more than $100,000—and I got the name and telephone number of the resident’s personal assistant who handled the transaction. If I were so inclined, I could now pretend that I was from the gallery and call or e-mail the buyer with what would seem like great news. “We just got an incredible painting,” I’d say, “and since you’re such a valued customer, we’ll give you a special price of—whatever—before it goes on the market. Just wire us the money, and it’s yours.” That’s exploiting digital exhaust.
David Murphy: Remarkable. How long did it take you to get all that information on the buyer?
Donald Codling: I actually timed it: about seven minutes. I think 47 key strokes on my computer. And most exploitations of digital exhaust can be foiled by following an elementary rule: Never send money to anyone without checking on whether he or she is who they say they are. It’s obvious, but the scammers are excellent at what they do, and they succeed every day. By the way, the same thing goes with anyone who says to a victim, “Give us $5,000, and we’ll help you get your money back.” They’re all scammers.
If you are victimized, go immediately to law enforcement—probably starting with your local police, who may elevate the case. If you have cyber insurance, the company may reimburse you; you may even get some of your money back from your homeowner’s policy. And go to www.ic3.gov, which is a central website for people reporting cybercrime. You’ll be able to fill out the right forms immediately.
David Murphy: I’d just add that although the stereotyped victims of cybercrimes are elderly, there are no age boundaries on those who fall prey. In fact, Millennials are proving quite vulnerable—no doubt because they’re on-line so much. Let me also ask some questions that I think are top-of-mind for our clients. Like, are payment apps such as Apple Pay and Google Pay secure?
Scott Pierce: Yes, and even more so than physical cards. These apps require dual authentication, and of course, they’re run by strong, reputable companies.
Donald Codling: If you’re interested in payment apps, Venmo and Zelle, and others are also highly secure. But stick with well-known names. Best of all may be payment platforms offered by high-quality financial institutions.
David Murphy: Speaking of which, People’s United Bank offers all of its personal checking account clients free access to a platform we call AlwaysChecking. It’s a digital identity protection service that covers the bases. It will monitor your full digital footprint, and your family’s, including non-Bank information too, such as your e-mail addresses, Social Security numbers, drivers’ licenses, and social-media accounts. We’re proud of the protection that it provides. Talking about protection, is signing up with a Virtual Private Network, known as a VPN, a good idea?
Scott Pierce: I definitely recommend VPNs, which give you the added comfort of working on a private network tied to your devices but free from the prying eyes of cyber criminals. Google and Apple, for example, have excellent VPN capabilities, including extra password security, data encryption, and two-factor authentication. Firefox browser also has a strong VPN option built into its site. The key, as in everything related to cybersecurity, is to do your research. Make sure you have confidence in the program and the company that developed it; look before you leap.
David Murphy: One final question: Particularly with the holiday season beginning and with on-line sales proliferating in the pandemic, can we feel safe buying on-line from Amazon, Walmart, and other major retailers?
Donald Codling: Yes, these companies have made on-line selling into a science. But I’d mention two caveats: One, make sure that you’re on the right site. If you mistype the URL, you might just wind up in a scammer’s lap. Second—and this applies to not only retailers but any other websites you rely on—if you get an e-mail telling you that something’s wrong with your account and you need to verify information with them, delete that e-mail immediately. It’s almost surely a scam, and one that will surface in force during the holiday shopping season. If you have questions about one of your accounts, go to the appropriate website, not via an unsolicited e-mail that purports to be from the company.
Sometimes, all you need to avoid becoming a victim of cybercrime is to slow down and check what you’re doing against your own good sense.