How to Recognize and Protect Your Business From Cyber-Fraud
Dave Erickson 0:00
One of your account managers says she got a strange email from the tax office requesting to verify some information about the company. Is it real, or is it a cyber fraud scam? On this ScreamingBox podcast, we are going to look at cyber fraud and how to protect your business from it. Please like our podcast and subscribe to our channel to get notified when the next podcast is released.
Dave Erickson 0:44
Every day businesses across the globe fall for cyber fraud scams. Some are scams that take advantage of processes. Others are social engineering attacks. Welcome to the ScreamingBox technology and business rundown podcast. In this podcast I, Dave Erickson and my knowledgeable co host Botond Seres are going to look for cyber fraud and see how to deal with it. With Jason Constain, Director of Javloc Limited. With over 25 years of leadership experience in safeguarding corporate assets, he has worked with some of the UK's largest banks to streamline operational fraud risk and enhance business performance through innovative strategies and advanced technologies, which allows them to navigate complex fraud threats while maintaining efficiency and growth. As founder of Javeloc, a consultancy that delivers cutting edge solutions in fraud risk management and business resilience, Jason has helped individuals and businesses stay ahead of emerging risks by integrating state of the art fraud defense systems, biometric authentication and artificial intelligence into their risk management frameworks. Jason is also recognized as a thought leader whose expert insights have been featured in The Wall Street Journal, Forbes, The Daily Telegraph and The Times. Jason, welcome to the podcast.
Jason Costain 1:58
Thanks, Dave. Great to be here.
Dave Erickson 2:01
So to start with, what was your first experience with cyber fraud?
Jason Costain 2:06
Well, I mean, cyber fraud for business, really was the bank I was working for at the time. This is going back to 2007-2008 was subject to a large fraud card compromise event, which was, lots of customers were seeing fraud on their accounts. It was all online shopping. Their card details had been stolen because they'd all shopped at a particular merchant that had been hacked. So the merchant lost a load of card numbers, customer names and addresses, and none of that was encrypted. Their IT security was weak, and as a result, the bank I worked out and lots of other card issuers in the UK, lost, you know, millions of pounds. So I think it was the first time, really, that, you know, a hacking event had led directly to a large, quantifiable loss event for banks. Prior to that, they've been hacking and they've been loss events for banks, but it was a bit of a dark art as to where the data was going missing. But just because of the profile of the hack and some publicity that surrounded the merchants, it got into the newspapers, and we were able to, for the first time, see cause and effect. So yeah, fascinating. And it was a large amount of data and a lot of money was lost.
Dave Erickson 3:23
So cyber theft and cyber fraud, they all kind of fit under this broad umbrella of, you know, cyber crimes, but cyber fraud is kind of unique, in a sense. Can you kind of talk a little bit about what cyber fraud is, and how it's different from other cyber crimes that that are implemented?
Jason Costain 3:45
Well, I suppose, I mean, definitions wise, you know, I think people use different phrases in different ways. But when I think about fraud, I think it's increasingly performed in the digital world. And, you know, you can kind of get cyber security issues that result in downstream fraud. So I think there's this expression coming along these days, which is referred to as cyber fraud fusion. Sounds cool, but really what it is, it's the cyber security guys in banks, particularly, talking to the fraud guys who work in banks, because usually the two are linked. So for me, you know, digital fraud, online fraud, cyber fraud, it's the same thing. It's kind of fraud that's carried out in the sort of virtual world that we live in, and increasingly, that's how we all do business. So as payments become real time, and as people get more comfortable with online shopping, remote activity, not meeting face to face, the more likely they are to engage, unfortunately, with fraudsters who will attack them. And same for businesses as well, the threats are similar. So yeah, cyber fraud really is just that, digital fraud, which is enabled by technology and is usually perpetrated by people you never meet.
Botond Seres 5:01
I believe we are all familiar with some of the most common types of cyber fraud when it's let's just say it's not businesses being defrauded, but regular people like us, when someone calls us says that loved one is in hospital, needs money for treatment or something crazy like that, but I suppose you have more experience with how businesses get defrauded, and I was wondering if you can give us some overview of the landscape and maybe some of the most common vectors for it?
Jason Costain 5:41
Yeah, sure, sure, Botond. And I can talk about business and personal victims, but I'll talk about business, because that was what Dave led on in his brief, but more than happy to talk about the stuff that's affecting personal people, individuals like us, you know. But I'd say that, you know, from a business perspective, you know, the main sort of threats really are things like, you know, hacking, data loss and, I guess, internal fraud. I used to do some sort of loss scenario events in banks, and what always used to make me laugh was we would talk about how we might be defrauded. And there'd be lots to talk about the weaknesses that could be exploited that would lead to the bank losing money. But by far the biggest fraud threat the bank faced was internal fraud at the hands of its most senior staff. So you only have to look at the Enron scandal to see how billions of pounds were effectively lost by Enron due to deliberate misreporting of financial losses. So before we get into the fraud by third parties, probably the bigger threat is internal fraud in organizations, particularly. But yeah, if you're a business these days, you know you're looking at data loss and hacking, really, as key issues, also brand impersonation. You know, if you're a merchant or another kind of organization, for example, delivery companies. I mean, how many delivery companies these days are being impersonated by criminals in order to commit scams, for example? So, yeah, I'd say for businesses, data breach is the big threat, and hacking, as it might be called, and that can be enabled lots of different ways.
So you know, having up to date antivirus, having the latest patches on your software, training your staff, having backups of data, encrypting your data, password management, you know, building entry security policies, all that stuff's really important, but the real thing is just to kind of understand the latest MO that's being used against you and just have a good thought for your culture. So I'll pause in a second, Botond, but what I would say is, any business owners listening to this, maybe micro enterprises or people that employ, say, up to 50 people, you know, you can do all the cyber kind of stuff I've just mentioned, but you kind of just need to walk around your company and look at the people you've got, and you've got examples of culture right in front of you. So if you've got devices unlocked, people leaving data lying around on the desks overnight, people not challenging visitors to your business who are wandering around your office, a general propensity for your staff to click on stuff, that's an indication that you might have said all the right things in training, but your employees are actually really naive when it comes to the risk. So yeah, businesses can do a lot to improve their defenses, and I'll pause there for any questions, Botond, but yeah, I'll talk about business insurance in a second, because that's worth looking at. Many firms buy insurance for cyber security, but they really need to look at that, because they'll find when they come to claim, it won't pay out.
Botond Seres 8:47
Well, that can be said for all insurance in my personal experience.
Jason Costain 8:51
Well maybe, I mean, that's a good point, but I guess when you look at the exclusion policy for cyber insurance, it'll say things like, you must train your staff, you must have data encryption, you must have patches on software that's up to date. So actually, the good practices that the insurance policy talks about that would exclude a valid claim are actually things you should be doing. So if you buy insurance and don't pay attention to those things you should be doing, you're wasting your money. And if you buy insurance and do pay attention to the things that they say you should be doing, the chances are you won't need to claim. So the insurance is kind of worth doing, as long as you follow that and look very closely at the accesses and the exclusions.
Dave Erickson 9:35
I mean, that's one of the challenges that the businesses have, especially small businesses, but also medium sized businesses and large businesses is building a security infrastructure for their processes and data that actually keeps them pretty secure and so that, that, I think, is one of those big challenges. Yes, you know, and it's kind of like a punch list. So where do you start? Where does a business start to look at? What do they what should they try to do first? Maybe you can talk a little bit about, if you were a smaller or medium sized business and you wanted to kind of secure yourself from possible cyber security or cyber fraud events, what are some of the things that you can do? I mean, obviously you touched on just having antivirus. But I mean, what other kind of infrastructure things can be done to help protect the data?
Jason Costain 10:32
Well, I mean, I'd say hiring a good IT manager is a great start, one who's got IT security experience. Because really, you know, you want somebody who understands the threat. You know, antivirus software, the latest patches on your software, the latest versions on your users' phones, that kind of stuff, data backups, data encryption, and then getting on to, you know, physical security. Is your door locked, you know, when your cleaner comes in at night when you've gone home? Are people leaving documents lying around? I mean, I've seen some companies I've worked for where there's medical records being left out overnight on desks, and you know that is the most sensitive data of one of their clients, and yet it was left on the desk for me to read, and I was stood near to the cleaner who's working for a third party cleaning company who has no data protection obligations, probably, in their contract. So that kind of culture of leaving screens unlocked, leaving data lying around, not challenging visitors, as I mentioned earlier, that's indicative of potential broader issues in your firm. That's the stuff. That's the main tip, Dave, is even without the expert guidance, just have that walk around, look at your staff. You know, one of the biggest issues at the moment I see affecting businesses is fake CEO type scams, where someone impersonates the boss. So if you're a boss, listen to this, who will use WhatsApp to message your folks in your finance team occasionally to make an urgent payment. Well, how likely is your finance team going to be to question that if they get a WhatsApp message from someone who pretends to be you?
So by the boss kind of having those behaviors that allow the paperwork to be lying on the desk, that bring people in without signing them in, that leave screens unlocked, that text people after hours asking for payments to be made or other urgent business things to be done via WhatsApp, you kind of create an environment where criminals can exploit it, because that's the culture that you've created. So for business, you know, CEO impersonation, invoice redirection scams, hacking, they're all things which can kill you. And in terms of invoice redirection, I've seen businesses lose, you know, a million pounds plus, you know, $1.3 million plus, just because somebody wrote in pretending to be one of the suppliers and said, we've changed our bank account number. The next time that supplier was paid, the CEO authorized the payments, because it said the name of the supplier as they were expecting. It's just the underlying bank details had been changed, so that lost that business $1.3 million, and the change of bank details was input into the victim business's online banking system by one of the most junior people in the firm, who'd been given the admin task of updating bank details on the, you know, the bank account login. They weren't given the privilege of sending payments, because that was the CEO's job. But the most junior person in the firm had updated the bank details of one of the biggest payees that the firm paid. So the next time they made a payment of a genuine invoice, the CEO thought they were approving a large payment to their genuine supplier, and the money went to an impersonator, a criminal, and they got away with it. So sometimes the most high risk activities can be delegated to the most junior member of staff. And do they really understand what they've been given and how to protect themselves? And do you understand what you've given them?
Botond Seres 14:17
Fun modus operandi that you mentioned there? Yeah, I think still one of the all time greats is that one person who just kept sending invoices to Google pretending to be some random supplier, and they just kept paying them because they didn't care.
Jason Costain 14:38
It's amazing, isn't it? I mean, I've seen frauds like that happen, and one of the best checks somebody could do honestly is, and I can't believe this person got away with it, if it's like the one you described, Botond, that's just been in the newspapers, hasn't it? Big companies and small companies can be quite lax when it comes to checking receipts of invoices. It's seen as a process rather than a threat. And you kind of need to look at it as a potential threat and therefore manage it as a highly sensitive process, not just paper pushing. And you know, the example I saw was a member of staff submitted invoices to the company themselves, their own company they worked for, so it was a fake supplier, and the bank account they put on the invoice was their own bank account. So they hadn't even gone to the trouble of hiding the bank details, finding a mule. But what they also did, and this is the killer, Botond, this is the absolute killer, is the same bank account they used to pay the fake invoice proceeds to was the bank account they got their salary into each month. So there's one takeaway from this call today for any business that makes payments externally: just check your suppliers' bank account numbers and sort codes against your staff account numbers and sort codes that you pay salary to. I've seen more than one business find internal fraud as a result of that simple check, but it's a head slap moment if it happens to your firm, but you should be looking for that stuff straight away. And in that example I'm talking about, they think they paid away three or four hundred thousand pounds before the company noticed that there was an internal fraudster.
Dave Erickson 16:31
Yeah, somebody had to go through their vendors list and say, who is this vendor? What exactly are they supplying? Yeah, you know, and that's part of some of the processes that businesses, I think, can build to help, right? So obviously, when a new vendor shows up on accounts payable, there should be a process that checks the vendor to make sure they're a valid vendor, et cetera. What are some of the other processes that businesses might want to, you know, implement to check things, or to look at things?
Jason Costain 17:04
Oh, I mean, as I go through the list, Dave, it just reminded me of a great story. So there's something called Benford's law. So Benford's law is a statistical law that human beings cannot make up random numbers. So at one firm I worked at, we applied Benford's law to a series of payments that we knew were fraudulent, because somebody had realized there was a gap in this firm where you can make payments, and they had to make up amounts for fake invoices. But a human being will not randomly create an amount, you know, in terms of, say, $2,000.59. A human being will pick patterns. So Benford's law actually spots patterns in numbers. So even applying Benford's law to some of your payments, if you've got a high volume payment processing firm, you'll pick out unusual patterns, which are probably signatures of human beings making numbers up, rather than totally random numbers that happen. But yeah, things that firms can do to check: you write around, you know, new beneficiary creation, payment sign off, having, you know, you might call it four eyes, or even six eyes, checks on some of your payments, and training your senior payment approvers that it's not the amount you need to check, it's not the payee's name you need to check, it's the underlying bank details you really need to be checking. In the UK now there's something called confirmation of payee, which will tell you where there's a payee name mismatch. But even that's not necessarily foolproof, because criminals have been known to open accounts in very similar names to genuine beneficiaries, and then get round confirmation of payee checks in that way. Other countries don't have confirmation of payee yet. I think that's the case in the US.
So yeah, staff training is another big one, Dave, and just in terms of staff knowing how to look out for, you know, the high risk things like that phone call from a supplier, that text message from the boss, that letter from a supplier, anything that's changing bank details is a big red flag, as are things like emails. You know, CVs are a great one, Botond, I mentioned that example in the press earlier. But North Korean hackers are known to get jobs in software companies, and they will send a CV in. Some of those CVs will be to get the job, to be the inside person. Other ones will just be a CV with malware. So if you've got an HR team that deals with CVs every day, and you're telling your staff don't click on documents you don't know where they're from, well, the chances are the CVs that you're getting there are from people you don't know. And, you know, classic tricks of old, like leaving a USB stick outside on the floor near where your staff go on their smoking and vaping breaks, is likely to lead to that USB stick being carried in and plugged into the port on the side of the device. So again, speak to your IT manager and ask why your USB ports are enabled, and if you are using stick drives and portable hard drives, well, who has them? Why do they have them? And how easy would it be for them to copy your entire client database and take it home, for example? So locking things down is just basics, but it should be done. So yeah, I'll probably stop there. There's loads of advice available on the internet, particularly US and UK government websites. Just Google business fraud prevention, and you'll find a load more information.
Botond Seres 20:50
You know, the fun thing about USB is it's no longer just drives. Now they make malicious USB cables as well. So even if you train your staff to look out for suspicious drives, they might as well just pick up some USB-C or Lightning cable, and it can, or might as well, be malicious.
Jason Costain 21:12
Yeah, I've seen key loggers plugged into the back of USB ports in PCs in one bank. That happens. It was, the cleaners had been in. They plugged in a simple, well, it was actually a little pass through device. It was like a USB pass through device. It was tiny, plugged into the back of the USB port that people wouldn't look at, because it was in the back of a PC where the PC tower was under the desk, so nobody would have noticed. And it was key logging. So it was key logging passwords and customer data, payment data, that kind of stuff, and that was inserted by a cleaning team. So, yeah, you're right, Botond, you know, you can get cables these days that just look like the real cable, but it's got USB capability, and also it might have a SIM card in there as well. So you can transmit the data back. You don't need to go and retrieve the cable. You can just get it to transmit stuff to you.
Dave Erickson 22:05
Yeah, the GSM packages are pretty small nowadays, and it's like the card skimmers, right? This is a big problem, at least here where we are, where people are putting fake keypads and stuff over the real ones, and people are putting in their debit cards or their credit cards, and it's just scanning them and sending that information, whether it's at the gas pump or at a convenience store.
Jason Costain 22:33
And some of those devices are incredible, aren't they, the level of workmanship that's gone into creating, you know, an ATM skimmer. I have seen a few of those. And you know, one of the earliest ones I saw was kind of quite big, but this strip went across the top of the ATM screen, and it looked down at a camera. So looking at the card, they had a card skimmer as well as the camera, but the guy who fitted it switched the camera on before he installed it, so you could see the guy installing it on the camera. So, you know, quite often these devices, when they're in place, will be retrieved. So bank staff have been warned, certainly in the banks I've worked at, that if you see a skimmer in place, do not take it off. Call law enforcement, or, you know, head office for advice, because the chances are it's worth a bit of money to the criminals, and if you take it away, there's somebody watching it who might want to get it back off you. So skimmers will be in place, but the criminals have realized their worth, and they want to put it in place and retrieve it so no one knows, because that way the first compromise will be when the cards are misused, rather than a member of staff realizing they've had a skimmer attached for a few days.
Botond Seres 23:47
So how do you recognize a skimmer? Because I was always told to try to pull them off as the easiest way to tell that they are there. So if you're not supposed to touch them, how do you tell that they are there at all?
Jason Costain 24:01
Well, I didn't say not touching, Botond. I'd say, if you do,
Botond Seres 24:07
leave it there,
Jason Costain 24:08
be careful who is over your shoulder. You know, if you're in a busy street and there's lots of people around and a police officer down the road, then maybe. If it's late at night and you're suspicious, I would just, you know, be careful. But yeah, I think the good thing is, with skimming devices, if your card is compromised off the back of a skimmer, then the bank will know that you won't be the only victim. So reputable banks in the UK, particularly, would refund you because they know that there are other victims. They've seen you as one of them. They'll know roughly when the skimmer was put on and taken off, and you won't be the only case. So even if your card details are compromised, you're going to get a refund. So for me, it would be, why get involved? Yeah, but if you're curious, Botond, and you've got martial arts skills, then perhaps take it off.
Dave Erickson 25:06
I mean, it's, you know, it's just another thing that, say, a retail business or other businesses need to deal with. They need to check their equipment and the stuff that they're using for, you know, taking payment transactions. You know, the danger for the business is if there's a card skimmer on their business or on one of the ways that their customers use them, and then the customers get scammed, even if they get the money back from the bank, they're usually less likely to go buy from that retailer again, right? So the businesses really need to kind of help protect themselves, to make sure that if there is a device, obviously they call the police and get that taken care of. They want to check, because if they don't, and you know, their customers get scammed, it will hurt their business in the long run.
Jason Costain 25:57
Absolutely, and I think you made a great point, because that kind of reputation, brand management, is something that businesses really overlook. They don't understand the damage that a data loss event can have, like a skimmer being in place can have. And you know, for example, I see regularly, you know, SMS messages from supposed parcel delivery firms. You know, you can pay for SMS headers to be protected if you're a bulk SMS user; your brand name can be protected. You know, if you've got a phone number you dial out on, you can pay for your phone number to go on a telco do not originate list. So these firms that are regularly spoofed, if it's parcel delivery or the phone calls are being spoofed, they should be spending money on prevention of their brand being hijacked. And they can do. I think there's probably a lack of understanding within some of these firms, parcel delivery companies, I keep picking on. But the obvious example, why do they not think it's damaging to their brand when so many millions of texts are being sent out in their brand name? No, it's because they're one step removed from the loss. Those texts are usually to you and I, saying, hey, we attempted to deliver a parcel, you weren't in, click here. But if you run that company, which is a parcel delivery company, and the SMS messages look like yours, then why aren't you paying for SMS header protection? Speak to your telco provider and they will put that in place for you. They might even do it for free. But if you're just sitting there thinking, well, there's nothing we can do, and hey, it's not our loss anyway, the money might be lost by some poor scam victim who gets suckered into sending a payment, you're part of the problem. And I think in the UK, research has shown that by value, the biggest amounts of scam losses, where people send their own money to scammers, the biggest origin is telephone.
They start on the phone and by SMS. By volume, they start online. So you're an enabler of these types of scams if you're sending SMS messages out, and hey, don't get me started on SMS one time passcodes. That's something that should have been thrown away years ago. So if your organization's using SMS to communicate, if it's using SMS one time passcodes, then you are part of the problem now, and I don't think it's too long before scam victims start to look at those types of companies for damages.
Dave Erickson 28:30
What are some of the ways that you can protect yourself if you're doing outbound SMS messaging? What is probably the safest way to do that?
Jason Costain 28:39
I would say, build an app and message people from within the app. Don't rely on a telco delivery system that was never intended for anything secure, because it can be spoofed. So that's the kind of strategic solution, Dave. I've gone straight to strategy there. The strategic solution would be message your customers from within an app. Tell them how you're going to do it securely. Don't use SMS. If you have to use SMS because it's convenient and it reaches most people, then be aware your brand can be hijacked. And speak to your telco provider, whoever you buy your bulk SMS messaging capability from. Speak to them about SMS header protection. It's effectively like copyrighting your brand name. So at least the SMS providers will take out of the system anything with your brand name on that's sent by SMS that doesn't come from you. So you need to kind of stand there with your flag and say, this is my brand. I want to pay to protect it, SMS providers. How do I do that? And let them take the spam.
Botond Seres 29:40
So all the brand names are misspelled in these messages.
Jason Costain 29:45
Correct, Botond, yeah. But you know, if you've got that kind of service, it will look for near misses. It will look for similars. So, you know, it's not just about having a very specific exact match. It's about taking out people who are trying to impersonate you. So it's a bit like typo squatting of old. People would buy a website that looked very similar to Citibank, and you might call it Citibank, but with Citibanks maybe, and they just hoped people would do a typo. Well, you know, Citibank have long since dealt with that by paying for typo squatting services and site takedown, and in a similar way with SMS, you can pay to copyright, effectively, your SMS brand header, and that service should also look out for people trying to impersonate your brand through slightly misspelled variations or similar things. So I'd say, don't make it easy, pay for that kind of prevention. But longer term, move to messaging within the app, it's much more secure. You can control the delivery. You can maybe get people to Face ID using the phone. You can also bring people through your phone and maybe capture a facial record yourself. That's quite sophisticated, but that's what banks are now starting to do in the UK, particularly, is, you know, they're not relying on Apple Face ID. They're relying on their own facial records, their own voice biometric records, their own device IDs, their own IP address records to check that it's you, you're still coming on your device from the IP address we know, and you're still interacting with the device in that way. So they've even got device biometrics. So if you're a bank customer in the UK now, with a good bank, you'll find that they've long since dispensed with SMS one time passcodes. They'll now ask you to authenticate a transaction by logging into the app. They're not relying on Apple Face ID or Android, or your phone's face ID.
They'll bring you on, and they will check you against their own ID vaults, which will be face ID, voice ID, device biometrics. So you know, effectively, those organizations who are getting this stuff right now are bringing security in house to stuff that's within their domain and their control, because they've realized that you can't rely on a telco to deliver one time passcodes for secure services. And I think other organizations, not just banks, are going to wake up to this and are going to have to do something about it, because they are enabling scams to take place.
Botond Seres 32:22
I'm just glad that more and more companies use the standard authentication with RSA and codes that are generated every 30 seconds, I guess.
Jason Costain 32:35
Yeah, yeah, and Botond, I think it's great now with this. You know, I keep hearing articles about supercomputers that are going to crack RSA encryption, and that might be the case.
Dave Erickson 32:47
I've been hearing that for 20 years.
Jason Costain 32:49
No, but, I mean, I've had these discussions with IT security guys in banks I've worked for, and risk people, and it's been amazing, because they'd say, Jason, we're implementing this new voice biometrics thing, and you know, it can be spoofed, and sometimes it's only 99% accurate. And you're like, guys, we're implementing this because we're replacing dates of birth and mother's maiden name and post code as ID. You let me implement it so we can eradicate that. But everybody's happy with dates of birth and postcodes and things, but they would start to raise queries these days around AI and, you know, synthetic voices and supercomputers breaking encryption. I'm just thinking, no way. Have you looked at haveibeenpwned.com? You know that website, you can put your email address in and find out how many times you've been compromised, and, yeah, good site, yeah, great. Great site.
Botond Seres 33:53
You would not believe the pass codes my bank uses on very, very sensitive PDFs every time they send them to me. It's, it's absolutely mad.
Jason Costain 34:03
Yeah, there you go. So again, you know, the IT security policy totally undone by just weak deployments and human beings being human beings.
Dave Erickson 34:14
Yeah, they always say, in cybersecurity, human beings are the weakest link. And obviously, to go back to what you were saying about people using SMS headers and misspelling stuff, you know, it's a great service that they can do that, the telcos can do that. I wish there was such a service for internet links, right? Because I can't tell you how many official messages I've gotten with official branding on it, where, when I go and examine the actual link they want me to click on, it's a misspelling of the brand. And you know, I feel sorry for the people who aren't paranoid like me, who just click those links and then go there. Or once, only once, it happened to me, where I got an email from PayPal and I called them, and the minute I called them, the person's like, well, your computer's been compromised. We need to load some software on it. And at that point, I knew it was a scam, and I just hung up, right? But it was so real that it got me to at least call them, right? Yeah.
Jason Costain 35:23
Yeah. You know, I think Dave, you made a good point. But the answer for me is, you know, the email systems that we use weren't designed for secure comms. SMS was not designed for secure one time pass codes. You know, if you look at the password reset, it's via email, isn't it, and that really worries me. So you know, two things, really. One for us, the consumers, is have a really secure email password and do not use that password anywhere else on the internet, because criminals expect you to, and that's one of the first things they'll check: is the password you use to buy your dog food online the same as the password you use for your email address. So I'd say, have a unique password and something that's secure for your email accounts, and switch on two factor authentication within that. So go and look for it in the Security Center, and it will just tell you what to do. The other thing is, if you're a business that sends emails, don't send emails, send a message from within your app. So you kind of need to build an app, if you don't have one, and message your customers from within that app. And therefore you can start to rely on some of this more secure endpoint protection on a phone. And also you can start to ID people to the standards that you choose, not to the standards that Apple or Samsung use, or, well, with email accounts, I mean, you're just relying on the password hygiene and protocols of an individual who doesn't give a monkey's, quite frankly, about account passwords. So, yeah, I'd say email account passwords have got to be secure and don't use it anywhere else. Don't use it anywhere else. It's the key to the safe, isn't it?
Botond Seres 37:05
I mean, yeah, that helps a lot to have a good password for your email, but it doesn't change the fact that emails are fundamentally insecure, like it is just sending plain text over an unsecured protocol. It's absolute madness to me that people use it for secure communication.
Jason Costain 37:26
Botond, you're spot on. And it's like in 2007 or eight, maybe, Gartner, who are a highly, you know, well regarded organization, issued, you know, advice to the banks and other industries around, you know, authentication software and, you know, communication methods. They called SMS, and I put email in the same bracket, they described it as snake oil in terms of a secure messaging protocol. It just isn't. One couldn't agree more, but people think it is. So you're right to be really cautious, Botond, and be like that harbinger of doom that you have been on everything I've said so far.
Botond Seres 38:14
The thing about email and SMS as a security measure, it's more security theater than anything. It's just like the TSA getting you to throw out liquids that are larger than 100 mils, like it's, it's not to actually prevent anything. It's to show you how safe you are and get you to calm down.
Jason Costain 38:36
It is, therefore, but I think I find that marketeers tend to love, you know, SMS and email, and it's the risk people in banks who need to really think, okay, where are your weaknesses right now? And if you did a proper analysis, you'd say it's static data, it's our use of SMS, it's our use of email, you know. And you've got to come up with, what's your strategic solution? Because if you're relying on those things to securely do business, at some point, you will be targeted and you will lose money.
Dave Erickson 39:09
Yeah, I mean, even if you wanted to protect your network and have a secure network internally, the reality is, in today's society and workforce, BYOD, bring your own device, is part of the workforce, and trying to secure all those BYOD devices, I mean, it's damn near impossible. There's so many brands, so many platforms, so many anything, a lot of it, I think you hit on a really important point, and that is, and it's one of the hardest for companies, I think, to do, and that is training, right? Training your workforce. How do you be secure? How do you know you're going to bring your phone to work? Okay? How do you use it at work so you don't create a problem at work? And I think that that training is really kind of the key to a lot of that, correct?
Jason Costain 39:58
100%, and again, if you're a senior person at that firm, the CEO, maybe just walk around your shop floor, if you've got IT systems and computer screens. How many staff have got the mobile phone on the desk and they're looking at their Instagram account or the news or whatever it is, and how easy would it have been for them to photograph, you know, a screen with customer data on? It'd be extremely easy, and I know it happened in the US, but in the UK, during COVID, the bank I work for put a workforce of maybe at least 15,000 people at home within six weeks with their own devices. And that was impressive from an IT perspective that they could do thousands of people. But what it made me realize was you can have all of the security you want in terms of looking at staff activity on your systems, but if somebody just decides to write down one customer who's wealthy, their name, address, account number and contact details, if they write that down on a piece of paper at home from the screen that's in front of them, and sell one of those a day to a criminal, that's probably lucrative for them, and you will not be able to detect that. So it is a nightmare, and it is training that's required. There's also monitoring that you need to do to look for those patterns. But if it's a relatively small business and somebody listened to this program with those kind of concerns, I would just go and walk around and take a critical look at the people who work for you. What they do with the phone, where is it on the desk? What they do with the screen when they go on a toilet break. You know, what they do with passwords in terms of payment authorization and sharing passwords, and if you get the wrong answers, it doesn't matter what IT software, antivirus stuff you've got, it'll all be undone.
Dave Erickson 41:59
There are some things happening that I think might be interesting in that sense. You know, here in California, a lot of the school districts now are banning phones from the classrooms, and the way they're doing that is they're setting up phone lockers, and so the students, when they come into school, have to give their phone over, put it into a secure bag, and it's put in a locker, and then when they leave school, they have to check their phone out. That may be something that businesses may be doing in the future for their office workers or people coming in. That might be a possible solution as well.
Jason Costain 42:36
100%. I mean, I've seen one bank I worked for that had cash centres, where they were able to print their own bank notes approved by the UK Bank of England, and they had millions, well, billions of dollars of cash. And the security was unbelievable. You would get weighed on the way in and weighed on the way out, Dave, and the security guards had the authority to search your bags. So I think when you can see the physical cash, security is taken a lot more seriously. Going back years, this is like going back to, say, I don't know, at least 20 years back in my career, I won't go any more accurate than that, because it will give away the place where it happened. But there was a member of staff who was the daughter of the local chief of police, and she was, unfortunately, an unreliable employee. She went missing during one of her shifts. She worked in a call center environment, and it turned out on Monday morning, this was a Saturday this happened, on Monday morning we found out that she'd been arrested in the local branch of a bank in the town nearby, and what she was doing was trying to impersonate one of the customers who she'd just spoken to on the phone. So she'd stolen the customer's details and gone straight to the local town, to their bank, to try and impersonate them to withdraw some cash. She'd been arrested by the police, found with screen prints in a bag that belonged to the company I worked for, her employer, and the police released her on bail. As it turned out, I then went to speak to the security guys of the office building to say, don't let the person back in. Passes revoked. She was arrested for data theft and for impersonation of one of our customers. The security guard says, oh yeah, will do. Oh, we saw her on Saturday night, Sunday morning. So what time was that? He said, it was 2am. I said, well, so what happened?
Well, she came in at 2am and she went upstairs to the office, and then she left about 15 minutes later with, like, a document storage box, one of the big archive boxes you get. And she left with that. I said, what was in the box? Oh, we're not allowed to search. So hang on. A member of staff came in at 2am, went up to the office, and left 15 minutes later with a document storage box, and you didn't feel comfortable searching? No, we've been told not to. HR won't let us because we get into trouble, particularly if it's a female member of staff. So it's like, wow. So, you can imagine that that raised a whole load of problems, and it turned out that lots of staff used the building, which now had 24 hour access. It was on the way home for a lot of staff from the local town. If they couldn't get a taxi, they'd walk there, get a coffee, sit in the staff room, wait for a taxi firm to take them home. So we had uncovered this whole thing of people accessing the building out of hours, and this whole issue of not challenging people, feeling not comfortable challenging staff. But if it had been a cash center with a lot of money, you can bet your bottom dollar that we'd have been doing a lot of checks. So again, I think you've gotta look at your data as highly valuable, and you've got to, unfortunately, look at the activities of staff, and just look for something unusual happening. And you'll find the issues earlier, potentially.
Dave Erickson 46:11
Well, you know, data is very valuable and becoming more valuable, and I think that's one of the reasons why you're seeing this proliferation of social engineering scams and others. I think now might be a good time to talk about AI and what is AI's potential. It has two potentials. One is it can help protect people from scams, and then the other one is, obviously, it is a tool that scammers are using to implement scams. How do you see AI fitting into the current situation, and how is it going to affect cyber scams in the future?
Jason Costain 46:56
I mean, I think it's a good call out, Dave, and I think something that gets the attention of senior execs in banks is AI. So if you're the fraud guy in a bank and you want to kind of grab some more budget, then mentioning AI threats is not a bad thing. What I would say is, the reality is AI is not costing, you know, firms a lot of money from a fraud perspective at the moment. It's more of a sound bite than an actual live threat. That said, you know, I'm starting to see examples of fake documents being created using AI, whether that's ID documents or, you know, utility bills, whatever it might be, that will definitely already be getting used to defeat, you know, ID processes and create synthetic IDs. There have been some examples of fake video and fake voices, but if you think about that, you know, I would have to go to a lot of trouble to clone Dave Erickson's voice and his face. And Dave Erickson's got to be a pretty good target and worth my while to do that, you know. So you might find, if you are a high net worth individual, or, you know, a business CEO, that you'll be attacked first, because it's worth the investment. But that's a very specialist crime. So I think the kind of mass fraud using AI is not quite having a huge impact on individuals yet. I think it will be used to make scams appear more plausible, and we'll see a gradual increase in that. I think businesses first will get that kind of impact. So I think two big things: one is the synthetic ID issue, and AI being used to create fake documents. I do think I've been seeing AI used a lot in the last couple of years for carders, criminals who try and create synthetic card numbers and attack banks. So there's definitely AI being used in testing of transactions, card transactions, against banks, high volume attacks. So I think it's quite niche at the moment. I think as individuals, you don't need to worry too much.
I guess that, you know, you might find criminals can easily clone, you know, a son or daughter's face and voice, and try and convince Mom and Dad it's them, but I think that's quite a specialist level of attack that is quite labor intensive. So until the tools become cheaper and easier, we need not lose too much sleep over it as individuals at the moment.
Dave Erickson 49:38
How about for businesses? Do you think that AI will be a tool that they can use to stop scamming or recognize scamming?
Jason Costain 49:47
Oh, yeah, undoubtedly. You know, like Benford's Law, Benford's Law that I mentioned earlier, you take your payment file for your suppliers from the last two years. Stick it in Excel, upload it to ChatGPT, and say, apply Benford's Law to these transactions. Tell me which ones look unusual or could be signs of humans having made them up rather than being genuine. ChatGPT will run that query. You don't necessarily need an analyst, just make sure you're not putting personal data in. Upload it into ChatGPT. Anonymize it first. So, you know, I think there's things you can use an AI to do. Pattern detection is not a bad thing to do. And, you know, another one might be, you know, remote login activity, take the file, download it. Chances are you can. It's the analysis of that which, in the past, would have required an exception report or somebody to look at it and think, what do we need to look for? I think with AI now, you start to automate some of those jobs. You just need to start thinking, okay, what's the data I have available to my organization and how can I use AI to pick out the needle in the haystack? And I think AI will help you do that. So, yeah, organizations will know where their big data sets are, and it might be payments to staff, payments to suppliers, bank account numbers, sort codes, logins, remote logins, time of day. You know, all those kind of things can be anonymized. They're just a data set, and you can apply AI to picking out anomalies, whereas in the past, you probably had to have somebody with access to analytics tools like SAS and, you know, have a kind of analytical capability themselves to be able to do it. These days, you can kind of get the data yourself and upload it, but just make sure it's anonymous and not customer data that you're sharing with ChatGPT or Claude, whatever else you're using for your AI.
Botond Seres 51:47
Yeah, but I do believe that it is now possible to use ChatGPT in a sort of private session where the data is not used to train it, and also it's not retained, but I'm not sure about that.
Jason Costain 52:02
For example, you're a corporate user of ChatGPT because you've deployed ChatGPT, well, under its guise as Microsoft Azure. So Microsoft Azure is your package. You can get your own ChatGPT version. You might get ChatGPT-4 even. You can get it ring-fenced, Botond, so it's in your own part of the cloud. You put personal data, customer data, in there, it won't go anywhere else. It'll go beyond the cloud to help you answer your question, whether that's the World Wide Web or wherever, but it's not going to share anything you don't want anywhere you don't want it to go. So that's commercially available to people, but I just think your average worker, your average individual like us, probably doesn't realize that, you know, when you're asking ChatGPT your question, it's a massive data giveaway opportunity if you're not careful, and if you've given your staff access to ChatGPT tools in your office, and you haven't thought about Botond's really good point about data loss, then how many of your staff are asking ChatGPT questions they shouldn't? For example, here's the letter I'm about to send the customer in response to a complaint. Please check spelling and grammar. If that's got the customer's name and address on, then you've got a data breach right there. So I don't think people realize just how vulnerable ChatGPT is, and if you give staff unvetted access to it, then you've lost data potentially, but you can buy commercial solutions that are ring-fenced, like the Microsoft one I mentioned.
Dave Erickson 53:30
Yeah, we do a bunch of AI work for healthcare. They obviously have HIPAA compliant regulations. And a lot of what we're doing, we're just using Llama because Llama can be installed on their servers as an individual instance, and all the data is kept within their environment. But yeah, businesses do need to kind of think about that. You know, if you're using ChatGPT for simple office stuff that doesn't involve customer information, you know, writing some marketing materials and stuff like that, it's perfectly fine, but once you start plugging in customer data, you're in trouble unless you have an instance that's running on a secure server or secure cloud instance.
Jason Costain 54:09
Absolutely. Yeah. And again, with intellectual property, you might have a great business idea. You ask ChatGPT to help you refine it, or whatever it might be, you've given away your business idea. Yeah.
Dave Erickson 54:21
So Jason, maybe you can tell us a little bit about Javloc Limited and what you guys do and what kind of clients you basically work with.
Jason Costain 54:31
Yes, Javloc's a fraud consultancy. So we provide fraud advisory services to primarily the banks, but also to small businesses and individuals sometimes. I do get contacted by scam victims, for example, and I help for free if they're trying to recover their money or understand what's happened. So people can go to my website, javloc.com, look at the various sections that are applicable to them. I also have a blog as well that people can read; I try and write articles that are interesting for peers in the banking industry and fraud prevention industry worldwide. So yeah. Final thing I'll say is the UK has led the kind of charge in terms of innovation to prevent scams against both businesses and individuals. We've had real time payments since 2008 and I worked for one of the UK's biggest banks trying to stop scams. So we're pretty ahead of the curve when it comes to what's been going on in other countries, like Australia, Canada, Singapore, USA, in recent years. So those folks in those countries can look at my website, get some advice and tips, and tap me up if they want any assistance in terms of what's affecting their bank and their customers right now.
Botond Seres 55:41
Well Jason, in your opinion, what is the future of fraud prevention?
Jason Costain 55:49
Botond, great question. I'm just about to write a blog on, what would I call it? What do they call it? It's a fusion between fraud, cyber and AML, and that is fraud prevention, anti money laundering and cyber security teams in banks. In the past, fraud would be in its own silo. Fraud prevention, AML would be in their own silo, looking for unusual transactions and submitting SARs to the relevant authority, the cyber guys would be in their own silo. What needs to happen, though, is those parts of the firm have got to work together. Because, just giving a fraud example, in the old days, it used to simply be, you know, how much is the payment? Where is it going? A little bit of information about the customer sending it, that was enough to risk score the transaction to spot fraud. With the advent of scams and other things, it needs to be now what we call non monetary data. So that might be, you know, how much is the payment? Where are they sending it? You know, who is the customer in terms of their profile, when did they last log in? Where did they last log in? What device did they use, what other activity have we seen on their account in the last six or nine months? Then combine that with, you know, what money they received into their account, that's where AML comes in, and the turnover of their account in recent months. And then the cyber part of it might be, you know, where have we seen their data being traded on the dark web? You know, there's a lot of intel out there that banks can use, but they just haven't been bringing it together as much as they now need to, because the criminals don't look at the banks in those different silos, they just attack. So if you're working for a bank, yet, the fusion between, you know, AML, fraud and cyber threats is, is there an intel payload that can be used?
The challenge then is, once you've got all that intel, how do you actually use it in near real time or real time to score payments to keep customers safe? So, yeah, I think it's a challenge for banks, Botond, but it's about all the intel you get. How do you bring it together? So the smarter banks out there, they've already moved their data to clouds using cloud computing and the power they've got off their own servers. They've got data lakes with tons of information, and quite often the fraud teams have got the biggest data set in the banks these days, and that needs to grow and grow. And what that means is you can then expose those huge data lakes to massive computing power using modern tools like Snowflake, Python, and get the system to tell you where the red flag is, because human beings aren't able to spot it anymore, and get the system to tell you where the red flags are in real time, so that you can spot transaction fraud as it's happening. So that's the future. Botond, it's a technical challenge, but I think you'll see those teams in banks working together a lot more closely. And folks who listen to this can look at my blogs in the coming weeks, on LinkedIn and on javloc.com, you'll see a blog appear about cyber fraud, AML fusion. You heard it here first.
Botond Seres 59:11
Jason, thank you so much for being on our podcast and helping us recognize and deal with cyber frauds. Well, we are at the end of the episode today, but before we go, we want you to think about this important question:
Dave Erickson 59:24
How are you going to protect your business from cyber fraud? For our listeners, please subscribe and click the notifications to join us for the next ScreamingBox technology and business rundown podcast. Until then, don't get fooled by cyber fraud.
Dave Erickson Outro 59:40
Thank you very much for taking this journey with us. Join us for our next exciting exploration of technology and business in the first week of every month. Please help us by subscribing, liking and following us on whichever platform you're listening to or watching us on. We hope you enjoyed this podcast, and please let us know any subjects or topics you would like us to discuss in our next podcast by leaving a message for us in the comment sections or sending us a Twitter DM. Till next month, please stay happy and healthy.