First Financial Bank Magazine

The Hidden Cost of Check Fraud

Hidden costs of check fraud include duplicate checks, back-office expenses, reimbursement difficulties, and the loss of customer trust, especially for smaller banks. Investing in fraud technology can help reduce these costs and preserve the financial institution's reputation.

Should I Really Be Scanning QR Codes?

Back In The Day With Check Fraud

Understanding Mail Theft's Role In Check Fraud

The Dark Side of Artificial Intelligence

Is The Government Finally Recognizing The Check Fraud Crisis?

The U.S. government is finally taking notice due to a rise in mail theft, with efforts to address the issue slowly gaining momentum, including proposed legislation and USPS initiatives.

Behind The Screens

Other People's Money Investment Scam

"Catching" Up With Frank Abagnale

A rare interview with the "father of social engineering" and his particular brand of fraud.

In an era where digital transactions and technological advancements continue to reshape the financial landscape, the battle against fraud has reached its peak.

The financial industry must establish a new standard of security methods to combat this evolving threat. With increasingly sophisticated fraud schemes, advanced solutions are paramount.

A survey of financial institutions unveiled the main challenges they face in the fight against fraud, emphasizing the need for collaboration and shared data among institutions to create a more resilient defense.

That's why we introduced FraudXchange, a groundbreaking consortium empowering financial institutions to combat fraudulent transactions. Featuring real-time fraud reporting, the ability to tackle multiple scams, shared intelligence, and networking, FraudXchange provides financial institutions with the upper hand against fraudsters.

We are excited to announce our partner, ThreatAdvice, is releasing TAFraudSentry—an advanced solution to combat evolving check fraud threats. Utilizing sophisticated AI and image analysis technologies, TAFraudSentry effectively detects and prevents check fraud. By combining digital image forensics with transactional analysis, it offers a robust multitiered defense against all forms of check fraud.

Both these solutions are essential tools in any financial institution's fraud-fighting arsenal.


THE HIDDEN COSTS OF CHECK FRAUD

Check fraud has grown 2-3X since the start of the pandemic – with an estimated $45 billion in attempts with $7B in losses.

According to a news release from the Financial Crimes Enforcement Network (FinCEN): “In 2021, financial institutions filed more than 350,000 Suspicious Activity Reports (SARs) to FinCEN to report potential check fraud, a 23% increase from the previous year. That upswing continued into 2022, when the number of SARs related to check fraud topped 680,000.”

Additionally, through Q3 of 2023, there has been a total of 508,865 check-related SARs – showing little slowdown in check fraud this fiscal year.

While many financial institutions can calculate their losses in terms of funds, they are less aware of the other hidden costs associated with check fraud.

WHAT ARE THE HIDDEN COSTS?

In any business, there will always be associated costs that are not immediately apparent – but can very easily add up. When banks think of fraud costs, they typically bring up the funds lost that affect their bottom line (e.g., a $5,000 fraudulent check is not detected, the financial institution reimburses the customer and takes $5,000 off the bottom line). However, banking is no different than any other business and, in the case of check fraud, there are several hidden costs that need to be top of mind for financial institutions:

Duplicate Checks: Duplicate checks are one of the major issues facing financial institutions. A common scenario is an individual depositing a check via mobile deposit and then going to a check casher to cash the same check. Not only does the bank face double losses if the duplicate is not detected, there are also double posting fees and other processing expenses.

Chargebacks, Returns, and Back-Office: Financial institutions commonly rely on separate solutions to process Day 1 and Day 2 items, increasing costs and decreasing efficiencies within the back-office. In addition, many of these efforts involve manual research and corrections, costing time and money.

Fraud Claims Reimbursement: In a recent ABA Banking Journal Podcast, James Hitchcock, the ABA’s vice president of fraud mitigation, notes that one of the primary issues banks deal with is finding someone to contact from another bank when they are seeking reimbursements.

Paul Benda goes on to explain that “knowing where to send that claim” is one of the biggest challenges banks face -- especially small banks. How important is this step? Crucial enough that both the ABA and NACHA are responding by putting together their own Check Fraud Directories, which provide contact information for banks needing to file a check warranty breach claim with another financial institution. Financial institutions will spend valuable internal resources, including employee labor, to find and contact another financial institution. Communication back and forth – sometimes incorporating legal counsel – is necessary to submit and receive reimbursements. Let’s not forget that many of these claims can fail and end up as write-offs by the bank.

Loss of customer: This is the hidden cost that is most impactful. Financial institutions value their reputation, and if their customers become victims of check fraud it’s likely that the bank will face negative feedback – warranted or not.

There are many stories where customers have reached out to news stations and publications for their assistance in getting their money back. This is not only bad press for the financial institution, but will lead to that customer – and possibly other customers – taking their business to another financial institution. This will also mean losses of deposits AND new business. While larger financial institutions are able to absorb these losses more easily, regional banks and credit unions are more affected when losing current and potential new customers.

FRAUD TECHNOLOGY: KEY FOR REDUCING HIDDEN COSTS

There will always be hidden costs associated with any process for financial institutions. However, technology is the most effective way to mitigate these costs.

As noted in a recent PYMNTS.com article:

“Fraud and financial crime solution providers must work with prospective customers to show how their investments in new technologies to combat fraud or financial crime can benefit bottom lines. They will also benefit from showcasing how their solutions address complex regulatory problems and reduce the costs that prospective business customers may incur due to reimbursing fraud-related losses. Businesses looking to mitigate those same issues will benefit from learning about such solutions and considering additional investments or upgrades to strengthen fraud detection and management. The latest solutions are not just about fighting fraud, however. They help vendors deliver intelligence to financial institutions, benefit fraud management and provide insights into consumer habits, economic stability, targeted solutions and services and more.”

By investing in fraud technology, particularly check fraud detection solutions like behavioral/transactional analytics and image forensic AI, financial institutions are able to detect more fraudulent checks before they are posted. These solutions have proven to be effective, with a 95% detection rate.

This will enable financial institutions to mitigate and reduce hidden costs by detecting duplicate checks before posting and by reducing the number of chargebacks and returns, reimbursement claims, and lost customers – both business and personal – while protecting the financial institution’s reputation.

SHOULD I REALLY BE SCANNING QR CODES?

Quick Response (QR) codes have become increasingly popular in recent years, offering a convenient way to access information or perform actions with a simple scan. However, as with any technology, there are potential risks involved. In this blog post, we will share a little history, give a simple explanation of how QR codes work, explore the dangers of scanning them, and provide tips on how to protect yourself in the digital age.

Shall we begin with a little history lesson?

The birth of the Quick Response or QR code lies in the automotive industry. A Japanese engineer, Masahiko Hara, began developing the QR code while working at Denso Corporation’s barcode and development department. The purpose of the research and development was to streamline Toyota’s production method. Due to character limitations of bar codes, Toyota needed a more efficient way to represent additional information that could be easily scanned. Hence, the birth of the first QR code in 1994. (1)

How does a QR code work?

In the simplest terms, a QR code allows for high-capacity encoding of data. Up to 7,089 characters can be encoded in one symbol, and multiple symbols can be concatenated together to encode even more data. For a more technical explanation scan this QR code…just kidding… Visit the resources at https://www.qrcode.com for additional information. (2)

How can this be bad?

Many people are unaware of the potential risks associated with scanning QR codes. This lack of security awareness combined with the QR code’s ability to encode a large amount of data makes it an ideal vehicle for cybercriminals (threat actors).

Some of the most common risks associated with scanning QR codes follow:

1. Malicious Code and Links:

Threat actors can encode a QR code to redirect an unsuspecting user to a phishing site that mimics a legitimate site, deliver malware-infected downloads, or initiate unauthorized transactions. These malicious activities can compromise a user’s credentials (username and password combinations), financial information or other personal information, which can lead to identity theft, financial loss or compromised online safety.

2. Data Leakage and Privacy:

Scanning a QR code may require the user to grant certain permissions to the associated app or website. Some QR code scanners may request excessive permissions, such as access to your contacts, location, or other sensitive information. Do these requests make sense, and do you really need an app outside of your smartphone’s camera?

3. Fake QR Codes:

Threat actors or jokesters can easily generate counterfeit codes and place them in public spaces or on legitimate products. Are you scanning QR codes for restaurant menus? Exercise caution and verify the authenticity of QR codes before scanning them.

4. Social Engineering:

Threat actors may create a QR code that promises a free gift or discount. Always be skeptical of anything that seems too good to be true and always verify the source before scanning any QR codes.

Falling victim to any of these QR code risk categories can compromise a user’s credentials (username and password combination), financial information or other personal information that can lead to identity theft, financial loss, business compromise and/or compromise overall online or physical safety.

How do I protect my business and myself?

As with all great inventions and technology, the QR code can be used for benevolent and malicious purposes. The question is “To scan or not to scan.” The advice from a cyber perspective is the same as advice for clicking on links in emails. Unless you know the sender and are expecting the link or QR code, you should not click or scan.

Some useful tips for protecting yourself and your business follow:

1. Use Trusted QR Code Scanners: Do you need anything beyond the camera on your smartphone? If so, stick to reputable apps and websites, and watch carefully for an app or website that looks very similar to a legitimate one. Read reviews, check ratings, and check the permissions required before downloading any app or using a website to process QR codes.

2. Verify the Source: Before scanning a QR code, ensure it comes from a reliable and trustworthy source. Do not scan a QR code from a verified source unless you were expecting it. How do you know the source has not been compromised? Be cautious of codes found in public spaces or shared by unknown individuals.

3. Be Wary of Promotions: Exercise caution when scanning QR codes that offer freebies, discounts, or prizes. Be skeptical of anything that appears too good to be true. Always verify the legitimacy of any promotion before scanning or providing any information.

4. Stay Updated: Keep your smartphone’s operating system, apps, and antivirus software up to date to protect against known vulnerabilities and security threats.

So, should I scan that QR code? The most important thing you should do is be aware of the potential dangers that QR codes pose. By understanding the risks associated with scanning QR codes and following the tips provided, you can protect yourself from malicious code and other threats. Stay vigilant, exercise caution, and prioritize your online and physical safety in the digital age.

(1) From Japanese auto parts to ubiquity: A look at the history of QR codes - The Mainichi

(2) QRcode.com

BACK IN THE DAY WITH CHECK FRAUD

As a young child growing up, you probably heard the expression "Back In The Day" from your parents or grandparents. Grandparents would reflect on how simple the days were when they were growing up, with children playing outside and using their imaginations instead of staying indoors to play games on their iPads or cell phones. Not only have things changed in the way children grow up, but banking has also undergone significant transformations over the years.

To take a stroll down memory lane and reflect on "Back In The Day," we will travel back to a time before the widespread use of digital technology and the internet in the financial industry. One might think that we are traveling back to the 1920s or 1930s, to the simpler days of banking, but we don't have to go that far back. Let's go back to the 1980s, a decade that featured simpler banking before the introduction of debit cards, mobile banking, internet banking, and so on. In the 1980s, customers had basically two forms of payment: cash and checks. Transactions heavily relied on paper documents such as checks and deposit slips. The number of checks written in the 1980s was more than double the number of checks written in 2022. However, financial institutions have reported more check fraud incidents in 2023 than in the 1980s. Many may wonder why.

As we all know, banking has evolved significantly over the years with technological improvements. In the 1980s, common methods of check fraud included forging signatures, altering payee names or amounts, and using stolen or counterfeit checks. However, in today's world, the methods of fraud have expanded. Now, fraudsters have various methods of conducting fraud, with the newest method being check washing.

Over the years, advances in technology have changed the landscape of financial fraud. Technological improvements have provided customers with a faster form of banking at their fingertips. With the advent of technology, the banking industry has undergone a significant transformation. Online and mobile banking, ATMs, electronic transfers, and digital payment methods have become the norm, providing customers with greater convenience, accessibility, and speed in their financial transactions. However, with new technology, financial institutions lost an essential and critical piece of banking: Know Your Customer (KYC).

Before online banking, most banking transactions took place in physical bank branches. Customers had to visit the bank in person to conduct most of their financial activities, including depositing money, withdrawing cash, and applying for loans. Banking relationships were highly personalized, with bankers often knowing their customers by name and maintaining a close working relationship with them. Customers had limited access to account information, and their ability to conduct transactions was restricted to banking hours. Customers had to plan their visits to the bank. Based on the banking layout of the 1980s, financial institutions developed close relationships with their customers through tellers and bookkeeping employees.

Over the years, technological improvements like mobile banking, internet banking, and debit cards have changed the functionality of banking, making it more challenging for financial institutions to maintain personal relationships with their customers. However, to combat check fraud, financial institutions must overcome the loss of KYC. Artificial Intelligence (AI) can bridge this gap. AI refers to the development of computer systems and machines that can perform tasks typically requiring human intelligence. AI and Machine Learning can be used to flag potentially risky customers or transactions based on historical data and patterns. AI can be a powerful tool in the fight against check fraud by providing advanced capabilities for detection and prevention through various features:

Pattern Recognition – AI algorithms can analyze vast amounts of check transaction data to identify unusual patterns, signatures, or behaviors that may indicate fraudulent activity.

Image Analysis – AI can examine the visual elements of a check, such as signatures and handwriting, to identify forgeries or inconsistencies.

Predictive Modeling – AI can create models that predict which checks are most likely to be fraudulent based on historical data and trends.

Machine Learning – Machine learning models can be trained to identify anomalies and discrepancies in real-time, crucial for preventing fraud as it happens.

Real-Time Monitoring – AI can continuously monitor check transactions and raise alerts if it detects any irregularities, allowing for swift action to prevent fraud.

Customer Behavior Analysis – AI can create profiles of typical customer behavior and alert the financial institution when a transaction deviates from the norm.

To assist financial institutions in the overwhelming struggle with check fraud, ThreatAdvice has recently launched a check fraud solution, TAFraudSentry. Employing sophisticated AI and image analysis technologies, TAFraudSentry has been engineered to detect and prevent check fraud effectively. By combining digital image forensics with transactional analysis, TAFraudSentry offers a robust multi-tiered defense against all forms of check fraud. With TAFraudSentry, financial institutions will have the tools needed to overcome the loss of KYC, making them better equipped to fight against check fraud. For more information visit threatadvice.com

UNDERSTANDING MAIL THEFT'S ROLE IN CHECK FRAUD

United States. While consumers would most likely attribute this to “porch pirates” (where a thief steals packages delivered to a home), this is simply not the case. What is occurring across the US is criminals robbing Post Office “blue mailboxes” and even mail carriers for the purpose of stealing mail, particularly paper checks.

According to an article from USA Today: “Between Oct. 1, 2021 and Sept. 30, 2022 (the Postal Service’s 2022 fiscal year), 412 letter carriers were robbed while on duty. That has increased to 305 incidents from Oct. 1, 2022 to March 31, 2023 (the first half of the current fiscal year), the Postal Service said in May.” Furthermore, the USPS has seen mail theft rise from 38,500 in fiscal year 2022 to more than 25,000 in the first half of fiscal year 2023.

What’s driving this massive increase in mail theft? The answer is simple: Check Fraud.

MAIL THEFT LEADING TO CHECK FRAUD

The primary driver of the increase in mail theft is paper checks. The goal for criminals is to either steal paper checks from blue boxes/mail carriers, or to pilfer the “arrow keys” from mail carriers that unlock the blue mailboxes.

Once paper checks are stolen, these criminals have two options:

1) Alter the checks themselves to deposit into a “drop account”

2) Sell the checks online via the dark web or other encrypted channel

The first option is simple. The fraudster will establish a drop account at a financial institution; alter a stolen check through various means like white-washing (using solutions like nail polish to wash the payee name and amounts); deposit the check – typically through mRDC or ATM, where a human does not inspect the physical check; and transfer the money out of the account electronically.

This method is an easy and fast method for fraudsters to make quick money with very low risk.

The second option is more complicated. There is an entire “check fraud ecosystem” on the internet – typically through encrypted channels and the dark web. According to research by BlueVoyant, there has been a 500% increase in “check fraud IM groups” from January 2022 to February 2023. Furthermore, there are more than 6000 stolen checks for sale per month through these channels.

The value of stolen checks has only increased over the past few years. According to David Maimon, an associate professor of criminal justice and criminology at Georgia State University and founder and director of the Evidence Based Cybersecurity Research Group, a personal check typically goes for $175, while business checks sell for $250.

The Evidence Based Cybersecurity Research Group's findings from monitoring and tracking 60 online black market channels are astonishing:

“They began tracking stolen checks in August (2021), where they observed 1,639 checks up for sale on the black market channels. Monthly numbers have been rising dramatically since, peaking in January (2022) at 8,021. Maimon estimates monthly losses from these thefts could range from $10 million to over $30 million, though he warns the fraud they’re tracking is just a snapshot of what is likely a much bigger crime wave.”

Additionally, there are “services” available for hire to perform certain tasks such as washing checks, purchasing drop accounts, and walkers/mules to deposit checks. There are also fraudsters offering lessons - both via the black market and YouTube - on how to perform check fraud.

CURBING THE MAIL THEFT TREND: WHAT FIs CAN DO

Financial institutions need to take an active role in curbing the mail theft trend. First, whenever a client is a victim of check fraud, the financial institution needs to report the crime to proper authorities and government entities. These authorities can actively work with the victim to find the perpetrator and bring them to justice.

On the back end, financial institutions are the last line of defense between the fraudster and their customer’s funds, and should be partnering with fintech vendors to deploy the latest technologies -- like artificial intelligence and machine learning -- that can effectively detect a fraudulent check.

These technologies include:

• Behavioral/Transactional Analysis: Monitoring the behaviors and transactions of an account to identify anomalous transactions.

• Image Forensic AI: Analyzing the images of checks to detect alterations, counterfeits, and forgeries.

• Payee Positive Pay: Matching payee, account holder information, and amounts to issuer files.

• Dark Web Monitoring: Monitoring the dark web and other channels for client account information and images of checks being sold.

These technologies can be integrated into a financial institution’s fraud review platform to ensure that their customers’ funds are safe.

Remember: financial institutions, law enforcement, and consumers all play a role in the fight against mail theft and check fraud.

THE DARK SIDE OF ARTIFICIAL INTELLIGENCE

Artificial Intelligence (AI) is to today what the internet was to the 1990s: A disruptive technology. AI is already changing the way we do business and the way we look at cyber risk. Although AI is not a new technology, the availability of generative AI capabilities, specifically Generative Pre-trained Transformer models (GPTs), such as OpenAI’s ChatGPT (1), Microsoft’s Turing (2), and Google’s Gemini (3), to name a few, has lowered the barrier to access.

Generative AI learns by ingesting a corpus of data and uses that data to generate new and unique data that does not repeat the original data content. This is why generative AI models can produce new content from the ingested data corpus (4). In the case of ChatGPT, the data corpus is the internet, so you can understand why the results may not always be accurate. Of course, there are additional technical reasons why the results may be inaccurate, but that is not the purpose of this article.

AI and generative AI capabilities offer both an opportunity and a threat. In this article, we will dive into the dark side of AI and explore how GPT models are being used by cybercriminals.

Dark AI Models & Malicious GPT Use

Cybercriminals can and do abuse GPTs to engage with their victims. However, Dark AI models are designed specifically for malicious purposes: to automate and enhance cyberattacks such as phishing, ransomware, spoofing, deep fakes, botnets, and password cracking.

Let’s explore some dark AI models and malicious uses for other GPTs:

1. FraudGPT is a tool to write malicious code and search for leaks and vulnerabilities (5).

2. WormGPT is an AI model that enables cybercriminals to launch sophisticated phishing and Business Email Compromise (BEC) attacks. (6) According to the Federal Bureau of Investigation Criminal Complaint Center (FBI IC3), BEC is one of the most prolific cyber-attacks and accounted for over US $2.7 Billion in losses (7).

3. DarkBERT is a more advanced model of FraudGPT and WormGPT that exists to lower the entry barrier for new cybercriminals (8).

4. GPTs to create malicious chatbots: Cybercriminals can take advantage of GPTs’ design as conversational models to create chatbots to engage with their victims. These chatbots can trick the victims into sharing personal information, investing in fraudulent schemes, clicking on malicious links or falling for other social engineering attacks.

5. GPTs to create Deepfakes (9): In the 90’s, tools like Adobe© Photoshop™ made the face swap possible by allowing anyone to alter an image. With today’s AI not only is this a trivial task, but we can also create full videos and speech with much more realistic results. For example, watch this Tom Hanks news story, "Tom Hanks warns fans of AI deepfake used for advertisement" (YouTube).

EVERY TIME THERE’S A NEW TOOL, WHETHER IT’S INTERNET OR CELL PHONES OR ANYTHING ELSE, ALL THINGS CAN BE USED FOR GOOD OR EVIL. TECHNOLOGY IS NEUTRAL; IT DEPENDS ON HOW IT IS USED.
-- Rick Smolan, CEO, Against All Odds Productions, a cross-media organization

Mitigating the Threat

First and foremost, the best defense begins by implementing a defense-in-depth strategy to detect and minimize these threats. Deploying tools with advanced telemetry backed by a highly trained Security Operations Center (SOC) and advanced threat researchers is instrumental in discovering and stopping these threats to mitigate and prevent damage, such as ransomware or data exfiltration. Defense in depth should also include:

1. AI Monitoring: Monitor the internal use of AI models for potential misuse or malicious activities. Implement mechanisms to detect and flag suspicious behavior or generated content.

2. Security Awareness Training – Educate your staff about the risks associated with AI-generated content and train them to recognize and report potential threats, such as phishing, deepfakes or scams.

3. Policies – Implement policies and procedures to address the appropriate use of AI technologies and access within the business operations.

4. Advanced Detection Systems: Deploy cyber solutions that include advanced detection capabilities to identify and detect AI-generated malicious content, such as deepfakes, spam and malware.

5. Collaboration and Information Sharing: Foster collaboration between researchers, industry experts, and law enforcement agencies to share knowledge, exchange threat intelligence and develop effective countermeasures against AI cyber threats.

By implementing these measures, your organization can work towards a robust defense against these various dark GPT models and provide a safer digital environment.

Conclusion:

While AI and specifically GPTs have immense potential for positive impact, we must acknowledge and address the dark side of this technology. The emergence of the AI models outlined above, as well as the ones to come, poses significant challenges to your organization’s cyber posture. However, we can combat and mitigate these risks by adhering to defense in depth principles, implementing robust governance frameworks, enhancing our security measures, fostering collaborative efforts, and promoting and supporting ethical AI research and development to create a safer digital environment for your organization, your staff, and your clients.

(1) ChatGPT (openai.com)

(2) Microsoft Project Turing | Home Page

(3) Gemini - Google DeepMind

(4) Information Technology (IT) Glossary | Gartner

(5) New AI Tool 'FraudGPT' Emerges, Tailored for Sophisticated Attacks (thehackernews.com)

(6) WormGPT: What to know about ChatGPT's malicious cousin | ZDNET

(7) 2022_IC3Report.pdf

(8) 'DarkBERT' GPT-Based Malware Trains Up on the Entire Dark Web (darkreading.com)

(9) Increasing Threat of DeepFake Identities (dhs.gov)

IS THE GOVERNMENT FINALLY RECOGNIZING THE CHECK FRAUD CRISIS?

Check fraud is a major challenge for the banking industry. Since 2018, check fraud has increased 2-3X, with attempts estimated at $45B and losses at $7B. Financial institutions and their fintech vendors have been left to their own devices to solve the issue. The US Government has been slow to react to the issue and only this past year have they begun to take notice and “step up” to the challenge.

The main reason for the US Government finally taking notice: The rise in mail theft. The USPS reports that there have been 305 incidents of mailbox/mail carrier robberies from Oct. 1, 2022 to March 31, 2023.

Additionally, the USPS has seen mail theft rise from 38,500 in the entire 2022 fiscal year to more than 25,000 in just the first half of fiscal year 2023.

As with most issues, the US Government takes a more reactive approach. And, once there is a situation that cannot be ignored, they will continue to push the issue until they find a suitable resolution.

TIMELINE OF GOVERNMENT ACTION

The first major step taken was at a House Committee on Oversight and Reform subcommittee hearing held in Philadelphia, PA on September 7, 2022. This hearing addressed the rise in mail theft, with Frank Albergo, National President of the Postal Police Officers Association, present:

“As other witnesses testified that mail-related crimes were rising, Albergo complained that Postmaster General Louis DeJoy and Gary Barksdale, chief postal inspector of the U.S. Postal Inspection Service, had stripped postal police of their powers and had gutted the uniformed force.

It was a policy of ‘defunding the police,’ Albergo said, adding he could not explain why the uniformed force called the Postal Police Officers had been decimated and restricted to protecting postal property.”

According to Mr. Albergo, postal police staffing has shrunk 65% since 2022, with around 300 postal police currently active. This has considerably hindered their ability to properly protect the blue mailboxes and mail carriers.

This hearing was followed up on October 14, 2022, as U.S. Senator Sherrod Brown, D-Ohio, sent a letter to the US Postal Service Board of Governors asking them to quickly take action on mail theft and postal robberies.

On May 10, 2023, the National Association of Letter Carriers published a statement, demanding “real, immediate solutions to make sure employees are safe from the moment we enter the trucks in the morning to the time we leave the station at the end of the shift.”

Recently, we’ve seen several members of Congress take action:

• On January 24, 2023, Congressman Ken Calvert (CA-41) reintroduced the Ensuring the Safety of Our Mail Act, H.R. 446, which aims to protect Americans from the rise in mail theft by enhancing penalties for convicted mail thieves.

• On April 6, 2023, Congresswoman Nicole Malliotakis (NY-11) and Congresswoman Grace Meng (NY-06) introduced the USPS Subpoena Authority Act -- bipartisan legislation designed to enhance the U.S. Postal Service’s (USPS) ability to crack down on postal crime.

• On May 5, 2023, Congressman Andrew R. Garbarino (R-NY-02) reintroduced the Postal Police Reform Act -- a bill to reverse a 2020 directive from the Chief Postal Inspector restricting Postal Police Officers to physical postal locations and preventing officers from fully executing their duty to ensure public safety within the nation’s mail system. Co-leading this legislation with Rep. Garbarino are Representatives Bill Pascrell (D-NJ-09), Ken Calvert (R-CA-41), and Eleanor Holmes Norton (D-DC-At Large).

Now, in an ironic twist, an October 29, 2023 article from Raw Story reports that Rep. Calvert’s very own leadership political action committee — Eureka Political Action Committee — experienced an “unauthorized expense” worth $9,900 in late August, according to a filing with the Federal Election Commission.

“Calvert’s committee told federal regulators that it believes someone stole a check while it was in transit in the U.S. mail, which the thief ‘recreated and cashed to an unauthorized entity.’

“The Eureka Political Action Committee filed a police report and a fraud claim with its bank, Wells Fargo, it told regulators.”

USPS ACTIONS NOT ENOUGH

One would believe that with all this new government pressure, the USPS would be motivated to make major changes to protect their mailboxes and mail carriers. However, critics of Postmaster General Louis DeJoy do not believe that enough is being done.

On February 9, 2023, DeJoy outlined the agency’s 10-year reform plan.

“DeJoy said USPS under the plan is focused on five key areas: improving operational precision, improving service reliability, reducing costs, increasing revenue, and ‘creating productive and enjoyable long-term career paths for our employees.’

“‘This new emphasis on not only doing things right, but doing the right things, the things that a modern service organization needs to do to survive in a competitive environment, is beginning to create energy, focus, and improvement across every function of our entity,’ he said.”

So far, the USPS has taken only one significant action, on May 12, 2023, known as the “Joint Project Safe Delivery Initiative.” Included within the initiative are the replacement of 12,000 high-security mailboxes in high-risk areas and the updating of 49,000 antiquated arrow locks with electronic locks. It’s not known which areas will receive these updated security mailboxes, but one would imagine that criminals will adjust to stealing codes to unlock the mailboxes vs. obtaining a physical key.

It remains to be seen what further actions will be taken by the US Government and the USPS to protect businesses and consumers from criminals stealing their mail – and in turn, paper checks. It’s recommended that financial institutions take action immediately to increase their check fraud detection capabilities rather than wait for the government and USPS to find and implement a solution.

BEHIND THE SCREENS

Exploring Check Fraud In the Shadows of the Dark Web

Over the years the number of checks written has decreased. However, check fraud remains a persistent issue. Criminals engage in various forms of check fraud, including forged signatures, altered checks, account takeover, stolen checks, etc. However, fraudsters have taken a different approach to fraud with a technique that has become popular again, known as check washing.

Check washing is a form of check fraud where a criminal alters a check to remove or modify the ink used on it, such as the check amount, name of payee, etc. Check washing can be conducted by using a simple chemical like fingernail polish remover to erase the information, giving the criminal the ability to fill in the desired information.

The first step in check fraud is to obtain a check. That can be accomplished using a variety of methods such as:

Social Engineering – Scammers can manipulate individuals into providing checks or check information through deception. Scammers may call an individual posing as a health insurance provider asking for their checking account information such as routing and account numbers.

Stolen Checks – Fraudsters may steal checks from unsecured mailboxes.

Burglary – Criminals may break into homes, vehicles or businesses to steal checkbooks.

Insider Threats – An employee with access to checks or mail may misuse them for personal gain. We have seen this activity in postal workers obtaining checks that are being mailed and selling them on the dark web.

Lost or Misplaced Checks – Fraudsters may find lost or misplaced checks and use them for transactions. An individual may place a checkbook in the trashcan, which is an open opportunity for someone to go dumpster diving.

Online Marketplaces – Some dark web platforms sell stolen or counterfeit checks.

Fraudsters may sell checks through various methods, one being the dark web. The dark web is part of the internet that cannot be accessed through standard browsers like Chrome or Firefox. Accessing the dark web requires the use of an anonymizing browser called Tor. The Tor browser routes your requests through a series of proxy servers that are operated by thousands of people across the world, rendering your IP address unidentifiable and untraceable. Traditional websites use a naming structure ending in .com or .co, but on the dark web websites end with .onion. These websites use a scrambled naming structure that creates URLs that are difficult to remember. For example, a website address might be “uiwyuy6734chje1569ui.onion.”

Personal checks may be sold for a set price of around $120-$150 per check. However, a business check may bring as much as $250 per check. For purchases of 100 or more checks, the price may drop to a low of $80 per check.

Items for sale on the dark web marketplaces may be purchased in exchange for cryptocurrency. Utilizing cryptocurrency allows two parties to conduct a transaction without the identity of either party being identifiable. Cryptocurrency is a contributing factor in the growth of the dark web and the dark web is a contributing factor to the growth of cryptocurrency.

With the increase of check fraud, individuals need to implement precautions to keep their checking account information secure.

Tips to avoid check fraud:

• Mail checks at the post office instead of using stand-alone boxes or your mailbox at your house. Mailing checks from your home mailbox with the flag up is an open invitation for a fraudster.

• When writing a check, use a black gel pen with indelible ink. That ink seeps into the check’s fibers, making check washing more difficult.

• When you write a check, routinely check your bank account until the check clears to confirm that the check was cashed for the correct amount and the endorsement was the name of the payee.

• Never leave your mail overnight in your mailbox outside your home. If possible, check your mailbox frequently so you can retrieve the mail as soon as possible.

• When going on vacation, have the post office hold your mail at the post office until you return.

• When using an outgoing mail drop box, drop off your mail later in the day so the mail will be picked up in a short amount of time.

• Keep your checkbook in a secure place. Never leave a checkbook in your vehicle unattended.

• Be cautious about sharing personal and financial information.

• Shred old checks and checking account statements.

• Report lost or stolen checks immediately to your financial institution and law enforcement.

• Make sure to reconcile your account regularly and report any discrepancies to your financial institution.

• Stay informed about the latest check fraud scams to better prepare yourself.

Take a stand against check fraud by implementing precautions to keep your information secure so that you are not the next check fraud victim.

OTHER PEOPLE'S MONEY INVESTMENT SCAM

Scammers will go to any length to steal your money and personal information, including using technology and publicly available information to impersonate someone else. By taking information from a public database of brokers and investment advisers, a scammer could pretend to be a legitimate investment professional, earn your trust, and steal your identity or convince you to send them money. A little bit of research can prevent you from falling for their schemes.

What is an imposter scam?

An imposter scam, sometimes referred to as “spoofing,” is when someone pretends to be someone else to trick their target into giving them personal information or money. These types of scams are not new but are becoming more complex as technology evolves. A simple imposter scam may involve a cold call where the imposter claims to be someone you might trust to trick you into giving them money for a “can’t miss” investment. In reality, your “investment” is just paying for the scammer’s lifestyle. More complex scams can use fake email addresses, websites, documents, etc., to create the appearance of legitimacy where none exists.

How imposter scams involving registered investment professionals work

Most investment advisers and brokers are required by federal, state, and provincial laws to register with regulatory authorities and provide information about their education, professional background, customer complaints, and past legal or regulatory issues. Regulators publish this information for the public to research advisers and brokers before hiring a financial professional. The information allows investors to make informed decisions about whether any given registered professional is a good fit for their investing needs. In the United States, this information is free and available online via services called BrokerCheck and the Investment Adviser Public Disclosure (IAPD). In Canada, this information is free and available online at the National Registration Search.

Unfortunately, scammers have access to this information too. A scammer can do a registration search and find information about a well-educated professional with a sterling reputation, no customer complaints, and no regulatory issues. The scammer can then copy that professional’s information and create a fake email address and website, along with forged registration documents using the real professional’s name and likeness. Then the scammer will cold-call and email their targets, hoping that their fake website creates an appearance of legitimacy that tricks investors into handing over money and personal information.

What imposter scams look like

In a hypothetical scenario, Samantha Sterling has been an investment adviser and a broker for 25 years and is proud of her degree from a prestigious university, her numerous professional designations, spotless regulatory record, and the great work she has done for her advisory clients and brokerage customers. Scooter Scamster is looking to pocket other people’s hard-earned money by pretending to be someone else on the internet. Scooter thinks he can trick investors into sending him money by portraying himself as a real investment professional. Scooter goes to BrokerCheck and finds Samantha Sterling’s exceptionally sterling BrokerCheck and IAPD profiles and decides she’s a perfect professional to impersonate. Scooter even looks up a photo of Samantha on her firm’s real website and copies it. He gathers the information from her regulatory reports and her online presence and creates a fake, albeit convincing, email address, website, and doctored version of her BrokerCheck report. He replaces Samantha’s real contact information with the fabricated email and website addresses, along with a street address he randomly chose hoping no one will notice.

Scooter sends emails to as many unsuspecting investors as he can, offering extraordinary returns on investments with absolutely zero risk. He also includes a doctored BrokerCheck report (which includes some careless spelling errors) and the stolen photo of Samantha to make the solicitations appear more legitimate.

June is an investor who receives one of Scooter’s emails and is intrigued by the huge returns with no risk. Luckily, June attended an educational event put on by her securities regulator and knew that she should do some research before she gives “Samantha” any of her information or money. June does a BrokerCheck and IAPD search to find Samantha Sterling’s publicly available information and notices that some of the information doesn’t match the email. June does an internet search for the address listed on the regulatory report included in the email and finds that the address is for a diner, not an investment firm. June then uses the contact information from the real BrokerCheck and IAPD reports to contact Samantha to ask if the investment from the email is real. Samantha is shocked and informs June that she did not send the email and must have been impersonated by a scammer. June and Samantha immediately report the scam to their securities regulator, who investigates and shuts down Scooter’s fraud before it even gets off the ground.

June is thankful that she paid attention in the investor education presentation that she attended, and even hires the real Samantha to help her invest for the future!

How to protect yourself from imposter scams

• Check legitimate registration sources and contact your state or provincial securities regulator to ensure you’re investing with someone authorized to engage in the activity. Go to nasaa.org to find contact information for each state securities regulator.

• In the United States, use contact information available from BrokerCheck (https://brokercheck.finra.org) and IARD (www.adviserinfo.sec.gov) to independently verify the identity of someone who solicits you to provide personal information or investment funds. Make sure you’re dealing with a bona fide securities professional.

• In Canada, investors can review information about investment professionals at the National Registration Search (https://info.securities-administrators.ca/nrsmobile/nrssearch.aspx) and information about disciplined persons at the Canadian Securities Administrators’ Disciplined List (https://www.securities-administrators.ca/enforcement/disciplined-list).

• Look for typos, misspellings, and factual discrepancies that may appear in any investment solicitation. Does the contact information in the solicitation line up with the contact information available on BrokerCheck, the IAPD, or the Canadian National Registration Search? If not, that’s a big red flag.

• Do independent research instead of trusting the information in the solicitation. June found out that the address from the solicitation was for a diner, not an investment firm. It could also have been a post office box, generic office building, or something less obvious than a diner. Reach out to the firm using the verified information from the real regulatory filing that you find independently.

• Remember: If something seems too good to be true, it probably is.

The bottom line

Scammers can create convincing facades to impersonate real professionals. Do independent research to make sure that you know with whom you are dealing. Contact your state and provincial securities regulator if you have questions about the legitimacy of a purported securities professional. These agencies can provide information about whether your investment professional is registered to buy or sell securities or offer investment advice, and whether they have any regulatory actions or other disciplinary events in their past.

To learn more, contact the ALABAMA SECURITIES COMMISSION

WWW.ASC.ALABAMA.GOV | 1-800-222-1253 | ASC@ASC.ALABAMA.GOV | PO BOX 304700, MONTGOMERY, ALABAMA 36130-4700

"CATCHING" UP WITH FRANK ABAGNALE

Interviewed by: Steve Hines

A Rare Interview With America's First Social Engineer

Frank Abagnale is ThreatAdvice's current spokesperson. Steve Hines sat down with Frank where he shared interesting facts from his past and his thoughts on today's cyber world.

Catch Me If You Can covers your teenage years. What was your early life like?

I actually grew up just north of New York City in Westchester County in a little town called Bronxville. I was one of four children in the family, the so-called middle child of the four. I was educated by the Christian Brothers of Ireland in a private Catholic school called Iona in New Rochelle, New York, where I went to school from kindergarten to high school.

When I reached 16 years old in the 10th grade, my parents, after 22 years of marriage, decided to get a divorce. Unlike most divorces where the children are usually the first to know, my parents were good about keeping it a secret. I remember being in the 10th grade when the Father walked into the classroom and asked for me to be excused from class. When I came out in the hallway, the Father handed me my books and told me that one of the Brothers would drive me to the county seat where I would meet my parents and they would explain what was going on.

The Brother dropped me at the steps of a stone building. It said Family Court. I was a little young — didn't really know exactly what that meant. When I got to the lobby, I was ushered into the back of an immense courtroom where my parents were standing before a judge. I couldn't hear what the judge was saying or my parents' response, but eventually, the judge saw me and motioned me to approach the bench. He told me that my parents were getting a divorce and he needed to know which parent I chose to live with. I started to cry, so I turned and ran out of the courtroom. The judge called for a 10-minute recess, but by the time my parents got outside, I was gone. In real life, my mother never saw me again until I was in my 20s, and my father actually never saw me again, ever. He died in an accident while I was in prison in France which is unlike the movie that had me going back and forth. That didn't actually occur.

After the day you ran out of the court, you never saw your father again?

No. I ended up on the streets of New York City. My father actually owned a stationery store in Manhattan on the corner of 40th and Madison. We all had to work in the store in the summer, so I made deliveries for my dad on a bike. I knew the city very well. I was comfortable in the city. I went to New York City, which was just a 30-minute train ride. But I soon realized I had to find a way to support myself.

I did have a little money in a checking account that my dad had set up for me from working. I started writing checks, and I found it very easy to go in and ask somebody to cash a check for me, and they did. They were $15, $20. But it then started to get more difficult. They started to tell me, "You don't have a bank account here. We can't cash your check for you."

One day I was walking down the street on Fifth Avenue and I saw an airline crew come out of a hotel. I thought to myself, "Boy, if I could get this uniform and I could become a pilot, then I walk in the bank as a pilot, that would give me such credibility." I finagled the uniform. I basically changed my date of birth on my driver's license. At 16, we had a driver's license, but back then they didn't have photos on them. I was actually born in 1948, but I took the four and converted it to a three. That made me 10 years older.

I started going into the bank as the pilot and said, "Hey, I'm on a layover here. I ran a little short on cash. Could I cash a check?" Never had a problem. I quickly realized the power of that uniform. They weren't paying attention to me or the check. All they saw was the uniform, and I realized the power of that uniform.

Everything I did in that early career was because I was an adolescent. I had no fear of being caught. I had no fear of consequences. I didn't sit out in front of the bank with a $500 check and say, "Here's my plan. I'm going to go in the bank, cash this check. If they say this, I'll do this. If they do this, I'll do that." I just went in and did it. I always believe, to this day, that had I been a little older, 22, 25, I would have never done half the things I did, because I would've rationalized it'll never work, you can't get away with it. But because I was so young, it gave me the confidence to do a lot of the things I did.

But even so, everything led to something else. Then I realized I could fly on the planes for free. I could stay in the hotels for free. Everything I took on, an impersonation of a pilot, a doctor, a lawyer, there was a reason behind it. It was not the desire to be a pilot, a doctor, a lawyer, but a means to get to my end goal.

So after you decided, "Okay, I've got to quit being a pilot because this is catching up to me," what made you decide, "Okay, it's time to do something different," and what did you do next?

It wasn't so much that. I had a lot of money, but I moved to Atlanta, Georgia into a singles complex called The Riverbend Apartments. On the application for the lease, one of the questions was occupation. I didn't want to write airline pilot, because the next question said employed by, supervisor's name, phone number. I just wrote doctor.

Abagnale was interviewed in the basement of Shipt's headquarters in Birmingham, Ala. in an old bank vault.

But I had a very inquisitive apartment manager, so she said to me, "Oh, I see you're a doctor. What kind of doctor are you?" I just said, "Oh, I'm a medical doctor but I'm not practicing medicine right now. I left my practice out west to come invest in some real estate I have." "Oh, how interesting. Well, what type of medical doctor are you?" Then I figured being a singles complex, pediatrician would be pretty safe, so I said I was a pediatrician. Then I moved in. Everybody thought I was a pediatrician but I wasn't practicing. But then I met a real pediatrician, so I started reading up just to keep up conversation with him. Then he invited me up to the hospital where he worked. I met nurses and other doctors there. The next thing you know, he comes to me and says one of the doctors had a death in his family and they need somebody to come up for a couple of weeks and supervise a shift. It's just an administrative duty, not operating or treating anybody, and could I cover the shift.

First, I tried to get out of it by saying, "Well, no, I can't do that. I'm not licensed to practice medicine in the State of Georgia, only in California where I had my practice." "Oh, this is an administrative capacity. They just issue a temporary certificate. You don't need to do that." I thought to myself, "Well, let me see if I can get away with this," so I ended up being the doctor.

Then at the hospital, I met a candy striper, which is a little different than what they show in Catch Me If You Can. Her father was the attorney general in Louisiana. Back then, pilots would go on furlough, so they wouldn't work for three or four months, but most of them all had lawyer backgrounds. They're entrepreneurs, because you only work 80 hours a month when you fly. It was very common to say, "No, I fly for Delta, but I've been furloughed for six months so I'm doing this till my furlough's over or they call me back."

So I say to this candy striper, "I went to law school, but I didn't practice law because I went to fly planes, and I'm on a furlough." And she replies, "Oh, you know, my dad's looking for attorneys. You should come to Louisiana and meet him." I went down and met her dad. He said, "Absolutely, I'd love to have you on the staff. Of course, you have to take the bar." Basically, I took the bar several times, and each time I memorized a lot of what I was taking or got wrong, and finally passed and then practiced law.

I was always smart enough to know that whatever I did, you could only do it for a period of time, but sooner or later they'd catch you. You had to shift gears and change to something else or eventually people would catch on.

So you used your personality and charm as a means to get people to maybe overlook some things they might not normally. Do you think that was, in a way, a method of what we think of today as social engineering?

Absolutely, and that's why there are many writers who refer to me as “The Father of Social Engineering.” Of course, I never realized that's what it was, but here I was, 16, and said, "How do I get a pilot's uniform?" I basically placed a phone call to Pan Am's executive headquarters. The switchboard answered. I said, "I'd like to speak to somebody in purchasing." The clerk came on and I said, "Hi. My name's so and so. I'm a co-pilot with the company based out of San Francisco. I have a problem." "What's the problem?" "Well, we flew a trip in here yesterday. I sent my uniform out through the hotel to have it dry cleaned. Now the hotel and the cleaner say they can't find it. I have a flight in about six hours. I need to get a uniform." "Well, you know, you have to pay for the price of a uniform." "No, I know. I'll be happy to pay, but I didn't know what to do." "Well, you go down to the Well-Built Uniform Company on Fifth Avenue. They're our supplier. I'll call them and tell them you're coming and they'll take care of you." That's exactly what I did.

Again, never realizing it was social engineering ... but the more I did it, the more I realized, "You can get a lot of information from people just by talking to them on the phone." Keep in mind, this is way before computers and the internet and the things you could do today which make social engineering so much easier than when I did it.

Back then, to change your identity, you basically altered your driver's license or you had to make up some phony identification. Today, it is so much simpler to do. Because of the internet, you can change into hundreds of different identities. There was a lot more work involved in doing it back then. It always amazes me that you would assume what I did 50 years ago would be more difficult today, when actually, it's 4,000 times easier today than when I did it.

Let's take a perfect example. When I started actually really printing checks, I needed a Heidelberg printing press. It was a million-dollar press back then. It was 60 feet long. It was 18 feet high. It required three operators. I spent eight months learning how to operate this press. There were color separations, negatives, plates, typesetting and chemicals to make plates. Today, basically, you sit down at a laptop, open it up and ask for a diagram of a check and a very sophisticated blank check appears on your screen. Then you look out the window and you see Delta Airlines' logo, so you go to their website, capture their corporate logo, put it up in the left-hand corner of the check. You pick a nice picture such as a jet taking off in the background of a Delta tail, and you put it in the background. Step and repeat and in 15 minutes you've created a beautiful four-color check on your screen.

Because we live in a too-much-information world today, all I have to do is call my victim. I call Delta Airlines, get the switchboard, say, "Yeah, I'd like to speak to someone in accounts receivables." Clerk comes on. "Hey, I was getting ready to pay a bill, but we would prefer to wire you this money. I need wiring instructions." "Oh, yeah, we bank at SunTrust Bank in Atlanta, account number 176853." Any bank, any company you call today and tell them you're wiring them money, they have to tell you all the instructions that you would put on a check, routing number, account number, bank name.

You go to the bank's logo on the website, capture their logo, put SunTrust on there, put in the MICR line, and then you call back to Delta, ask to speak to someone in corporate communications. They come on the phone. You say, "Hey, I was getting interested in investing, and I would like to get a copy of your annual report." They mail it to you. Page three is a signature of the chairman of the board, the CEO, the CFO, the treasurer and the controller. White glossy paper, black ink, camera-ready art. You scan it. You digitize it. You put it on the check. It's amazing how technology has made these things so simple!

You've been working for the FBI for 43 years now, trying to help them catch people that do things like you used to do. What made you make that turn?

If I didn't tell you this, I'd be conning you or lying to you. People love me to say, "Well, you know, you were in prison, religion turned your life around, you found God, you were born again, you decided that prison rehabilitated you and now you're a good person." None of that happened. Being the opportunist I was, the FBI came to me, gave me an opportunity to get out of prison.

I just saw that as, "Well, this is a way to get out of prison. I'd much rather be out of prison." I took it, never dreaming about, "I'm going straight. I'll never do this again. I'll never break the law again." But then two things happened. First of all, I met my wife on an undercover assignment. I fell in love with her. She knew me as a totally different person. I even met her family as a totally different person. One day, I had to leave that assignment I was on and I broke protocol to tell her who I really was and how much I cared about her. She married me against the wishes of her parents and we’ve been married for 43 years with three wonderful sons. She trusted me. She believed in me. She had faith in me. I didn't have a dime to my name. I was a ward of the government. Basically, she turned my life around. Then when you bring a child into the world, fatherhood changes your life completely. You realize the tremendous responsibility you have for another human being. All of that was a big part of changing my life.

Secondly, when you surround yourself with 12,000 FBI agents who are truly the most ethical people, have tremendous character, love of country, love of family, that starts to rub off on you - their character, their ethics, their right and wrong. I think the combination of both of those things are what really changed my life.

Let’s talk about where we are today - how do you see cyber criminals and their ability to get away with crimes versus back in those days?

The big difference today is there are no con men anymore, because you will never see your victim, and your victim will never see you. In the old days, a con man, which stood for confidence man, was a person who dressed very well, spoke very well, had a lot of charm, and he was able to convince people to do things they probably wouldn't normally do. Today all that's gone. The person you're speaking to on the phone or through that email is sitting in Russia in their pajamas with a cup of coffee in their kitchen.

They don't really have a lot of emotion involved. Even in the old days, even a bad con man would eventually say, "Okay, I'm not going to take all this guy's money because I don't want to leave the guy desolate." Because he has a face. There was a little emotion involved. Now, these people never see you. They couldn’t care less. You're just someone on the other end, a voice on the other end of a phone or an email. That's where it has changed a lot. There is no emotion. It's very ruthless. They're just out to get whatever they can get from you, and that's a big part of what all these scams amount to.

The number of criminals has increased exponentially because it's so easy to do today. I used to teach in the FBI class about the Nigerian scam 20 years ago. It was by letters. They mailed them out. Someone would raise their hand and say, "Well, look, if they sent out 10,000 letters, who's buying all these stamps?" I would explain to them, "No, the stamps are counterfeit." They're just sending letters out hoping that of the 10,000 letters they mailed, one-tenth of 1% will respond. Today, I can send out 10 million emails, and again I'm back to one-tenth of 1% to respond. Technology has just made this so much easier, certainly made it global. We used to deal only with criminals within the confines of our own country. Now we deal with criminals all over the world. Even if I know who you are, and I know what apartment you're in in Moscow, I don't have the ability to go arrest you, and I'm not going to get cooperation from the authorities in Moscow to arrest you. The person in Moscow feels pretty safe that nothing's going to happen to him.

What does the term “crime as a service” mean to you?

Crime on the darknet has become so commoditized that you can go on there and even if you don't have a technical acumen or capability, you can contract with somebody who does. They'll help you launch attacks and then you share the proceeds. Again, how easy to sit in a room and do something like that, versus going out, printing checks, going out, cashing the checks, the risk involved of cashing the checks. Today, you're able to get on and sell data and information, whether it starts out at $3 a piece or $10 a piece, or $1,000 for a set, and make a lot of money. Credit card information, et cetera.

Again, most is done globally so when they’re doing it, the chances of someone catching them and coming to arrest them are very slim. Today, we prosecute like one in every 700 identity theft criminals. The FBI does not even investigate financial crimes under $100,000. If they do investigate it over $100,000, it's up to the U.S. Attorney to prosecute. Most U.S. Attorneys have a benchmark of $250,000. A lot of criminals know, "If I stay under these thresholds, the chances of me getting caught, one, two, prosecuted, three, getting jail time for it is pretty slim." The risks have gone way down. The rewards have gone way up. It's become a lot easier to do.

So the chances of being prosecuted for these crimes today are much less than forty years ago?

Right. Look at the fact that I was a teenager who did this, so I went to prison in France. I served time in Swedish prisons. I was extradited back to the U.S. and a federal judge said I was a youthful offender because I had committed all the crimes on U.S. soil before I was 21, but still gave me 12 years in federal prison. I served four of those 12 years before I was ever released from that prison. Then we read today that people get out after three months, six months, three years in prison. It's just absurd that not only is it easier to do, but there's very little risk.

If I told you, "Look, you can make $4 million but you'll have to spend 12 months in prison," you'd say, "Absolutely. Show me how to do it." There's really no deterrent, is what I'm basically saying.

We read about and hear about on the news the different cyber breaches daily. What is the profile of a typical cybercriminal? I know you being involved with the FBI probably deal a lot with China, North Korea, and different places like that. Who's committing all these crimes?

Many times, it's state-sponsored, or the state in the case of, say, Russia is turning their head the other way knowing that those criminals are committing the crimes, as long as they get information for them as well. They know it's going on, but they're not doing anything about it. The same could be said about China.

Then there are individuals who do this. As you know, I've always said that it's not really hackers who cause breaches. It's people. What happens is people don't do the right thing, or they fail to do the right thing, or they make mistakes and they're only human beings. They're the weakest link.

Perfect example, I live in South Carolina. Four years ago, someone hacked into the tax revenue office and stole 3.8 million tax returns of the citizens of South Carolina. That was everyone, including me. If you had paid your state taxes by check, they had an image of your check, so they knew where you banked, what your account number was, what check number you were on, how you actually signed your check. If you paid by credit card or debit card, they had that information.

When that breach occurred, I got a call. I was in the FBI office in Phoenix, and I got a call from our local TV station because they knew I had been a victim, and they wanted a comment from me, knowing how much I've dealt with identity theft. I said to him, "Well, let me ask you this. What does the tax revenue office say?" "Oh, they said they did absolutely nothing wrong." I said, "That would be absolutely literally impossible. Somebody did something."

After a two-month Secret Service investigation, it was determined an employee took home a laptop they weren't supposed to, opened it in an unsecured environment. The hacker got in. Our then governor, Nikki Haley, former ambassador to the U.N., ordered that everyone be paid a credit monitoring service for one year. I didn't know the governor, but I sent her an email from D.C. and told her this would be a waste of money and the taxpayers' time. People who steal mass data warehouse that data, usually for three to four years. If you steal credit cards and debit card numbers, you have to get rid of them almost immediately. They have a very short shelf life. But if I steal your name, your Social Security number, your date of birth, you can't change your name. You can't change your Social Security number. You can't change your date of birth. The longer I hold it, when I go to sell it, the more valuable it becomes.

First, you've already told them I got one year of credit monitoring service so they're monitoring my credit, so I'm not going to do anything for at least one year. That's why these breaches, there's a long period of time between the actual breach, and then people start to feel comfortable and say, "Well, nothing ever came of that," and then all of a sudden they start having issues. So much time has gone by they don't even relate it to that. "Well, that must have been from that Target breach a few years ago." They don't even think about that. They think it's something they did wrong - that they gave somebody information they shouldn't have given them.

The weakest link in that South Carolina situation was the employee who took home the laptop or mobile device and was on an unsecured network or whatever the situation was, and that ended up ... I can't even imagine what the cost, total cost, would be to the state. If they did the credit monitoring, that’s a fortune. The notification would be a fortune. There are probably some legal issues that come up, and so really, in that case, I think it sounds like a perfect example of the weakest link being a person being lazy or uninformed one time, clicking on one thing, and it ended up costing millions of dollars.

The South Carolina tax commissioner contacted me and said, "How much can we pay you to come in and educate our employees about how important it is to keep this information safe?" I said, "No, you don't need to pay me. I'm a citizen of this state. I want to make sure my neighbors' and my information is safe." I made maybe six visits to our tax revenue office in Columbia. I worked with helping educate those employees.

But the employee in question who took the laptop home, no one ever told her, "This is what someone can do if you get in this uncontrolled environment and they get this information. They can get into the system. They can steal all this data." You have to educate people in their job, to explain to them, "You have an extremely important job, and your number one job is to keep the information entrusted to the company by its clients, its customers, its citizens safe. That's your number one job." You have to teach them about phone calls that are using information to get information from you, and soliciting information, emails and how to read emails.

This is what impressed me so much when I first heard about ThreatAdvice. I literally said, "I don't know of any company that does this." I get asked all the time, "Well, where can we get this training?" I don't know anybody that does that kind of training, that's so badly needed, whether it be a bank, a corporation, a government, a mom and pop store.

To have somebody basically teach, in a very simple, easy to understand, not make it difficult and involved, that this is why it's important to keep information safe, this is how you keep it safe, this is when you know someone's trying to gain access to information, whether it be on the phone, on the computer. Again, that must be taught, just like seniors need to be taught what calls are fallacious and phony and what emails are phony. They have to be taught that. They're not going to just know that.

What are your thoughts about social media?

As you know, I've written three books on identity theft. I started writing about identity theft back in the '80s before anyone ever heard of identity theft. Basically, I always remind people if I go to Facebook, I only need two pieces of information about you. All the rest is kind of irrelevant to me. But if you told me on your Facebook page where you were born and your date of birth, that's 98% of me stealing your identity. That's all I need to know.

Now, if you were foolish enough to put a photo of yourself such as a graduation photo, driver's license photo, passport-style photo, then facial recognition can be used to take that photo and put it somewhere else, use it for identification, or literally snap a photo of you in the airport and through facial recognition like Find a Face and many other technologies that are out there, like PitPat. I'm able to basically track you down simply because your picture's on Facebook by using facial recognition. We complain a lot about people stealing our identities, but in the same token we keep telling people more and more about ourselves and then wonder why they stole our identity.

Tell me your thoughts on the cost and impact of a breach to an organization that is compromised.

There are so many things you can do. For example, if I breach a law firm, and I have all the data on all their clients, their clients' children, and their clients' grandchildren, and then I say to them, "Unless you pay me this amount of money, I'm going to release all of this data," there's a ransom side of it where I can extract money from people. There's a side of it just me taking that information and selling it to somebody else who will disperse it and use it against somebody. All of that is due to the cause of failure of you. You caused that breach to occur. That information got out there.

It's very important that companies, corporations, banks realize that you have to prevent crime. You can't rely on the government, the bank to protect you, or the police. You have to think ahead, and you have to be smart enough to make sure that you are educating your employees to deal with these issues every day. You can't just set it aside, saying, "Oh, that won't happen to me," or, "We never had a problem like that."

People bring that up to me all the time, and I say, "Well, let me ask you this. Do you have life insurance?" "Yeah." "Do you plan to die tomorrow?" "No." "But you have life insurance, right? You have home insurance?" "Yeah." "Your house going to burn down?" "Oh, no, I hope not." "But you have it." It's the same way here. It's insurance against having that happen to you and happening to your clients, which you should be protecting your clients. There's a quote on my website from 1976 where I simply said that the restitution and the recovery of funds is so rare that the only solution is prevention. That's the same thing, today.

Prevention would be there's some software that can help you, but you would say the most important piece is just making sure your back doors, i.e. your employees and vendors and other ways, have enough knowledge to be able to not do or click on something they shouldn't and let the bad guys in.

What I like about ThreatAdvice is that it is educating people. It's not me saying, "Here's the best software, put this in and it'll catch most of these things you have to worry about," so your employees can be stupid about it because this software will catch everything, which is not going to happen.

ThreatAdvice teaches employees in a very simple, again, easy to understand, not difficult format, so once they grasp that, they're able to deal with these issues as they come along. But if employees never have that training, they would never even understand they’re being socially engineered or scammed.

Being breached can cost a company billions of dollars. Now I speak at a lot of insurance companies that are introducing cyber insurance. But when I go speak to them, I say to them, "I would not write this insurance unless you can assure me, as the policyholder, that you have educated all of your employees on how to deal with these problems, that you have systems in place to protect the company from having these problems." It is amazing to me that you'd want to go write insurance and not do that, because then if you have a loss, and it was the cause of an employee, that's because you didn't train your employee. Then the insurance company's taking a huge hit.

It would seem to me it would behoove the insurance company to say, "Look, I'll cover this, and the fact that you do these things have to be in place or my policy is null and void." This is the same thing I've said to insurance companies 20 years ago when they were writing errors and omissions insurance, forgery insurance, fraud insurance. I said, "Look, you have to say to the company a bookkeeper can't write, sign, and reconcile. You have to separate those duties. You have to reconcile on a timely basis, every 30 days. If you're not doing this, and six months later you find a fraudulent check for $100,000 because you didn't reconcile, then you don't pay that claim." That needs to be in your policy, and that's the same with cyber today. I think more and more companies that want to buy cyber insurance to cover these accidents are going to see they're going to have to train their employees anyway because the insurance company is not going to insure them unless they can provide documentation that they've done so. If you have that documentation, that's going to go a long way to lowering your premium, or whatever that premium is, from that insurance company.

What about the breach notification law that all states have now? You've got to let your clients and customers and people that are associated with you know, "Hey, your information was stolen because of me."

That is an expensive proposition for sure and many companies don’t have a plan for that. Equifax is a good example of that. Then when it happens, they're all sitting there going, "What do we do? Let's not tell anybody. Let's wait 60 days, see if we can figure out what's going on," all of those things that get them in a lot deeper trouble and put them in a much more liable position. Companies need to ask themselves, “What's my plan if we do have a breach? What steps do I need to take?” Again, the most important thing would be, first, let's not have the breach, so let's take the necessary steps to prevent one. But yes, it costs the company millions and millions of dollars, not to mention reputation, and their trademark, or years they've been in business. They do business based on their brand, and how it destroys their brand from one little incident. Even if you don't put the money side of it, the destroying of the brand eventually destroys the company and the company's image.

What about forensic costs – getting professionals to come in and get a company or organization back up and running after a breach?

That is another substantial cost. That is why, if someone said to me, "Look, you can spend X amount of money, educate your employees," and here's another thing. If you say to me, "Here's Bank A, they have a great program in place where they educate all of their employees about making their bank cyber safe," that is a tremendous value add to me as a consumer or a business person than Bank B that says, "No, we don't do anything like that. We don't have any programs in place like that."

Obviously, it is also a great value add to say, "We train our employees." A lot of times, people like to keep those things secret, like, "Well, you know, we really educate our employees about that. We have great programs in place. We test them constantly." They don't want to tell anybody that, and I say, "No, tell them because that's what sets you aside from everybody else." That's a tremendous value to me.

Have you seen, on the legal side, litigation relative to easy class certification? Have you seen a proliferation of attorneys that are kind of going after these companies that have been breached?

Absolutely, and we're seeing more and more laws where the government is basically regulating and saying that you will be held liable if that breach was caused by a mistake you made or something you didn't do that you were supposed to have done. Equifax has hundreds of lawsuits against them that they'll eventually have to settle or pay out of court that could have easily been prevented.

It's very important to always look at prevention. What can I do to make sure I'm not a victim? It's just like your house. How do I make sure I don't have a fire? Do I have smoke detectors? Do I have a fire extinguisher handy, that I don't keep things in my garage? It's the same thing in a business. What can I do to make sure I never have this problem?

One of them, and the most important of all, is to train your employees because they're the first line of defense, but they're also the weakest link, so that's the most time ... you want to spend your money and your time.

What do you see today as the top two or three targets, if there are a top two or three, for bad guys as a whole?

My personal opinion is I think in the next two or three years, you're going to see a breach of millions upon millions of search engines, so that I can say to the mayor, "Hey, I know this is what you look at on your computer, and I'm going to tell the world that unless you pay me this." Think of all the things people look at, whether it's medical, whether it's pornography, whatever it is, what they say on their computer, their emails, all that. I think we're going to see where it's not a half a billion, it's going to be a billion or more breaches of search engines.

Now I might not get money out of the average person if I say, "I know you're looking at pornography on your computer." But if I'm the president of a bank, the mayor of a city, a politician, a chief of police, those would be prime targets who have a lot to lose if their reputation is compromised.

Do you, from an industry standpoint, find that one industry or two industries above all is the most lucrative for cyber criminals today?

If you ask me, “Who should be ThreatAdvice’s main customer?” without question it would be a financial institution. Any company handling somebody's money and keeping their information safe should be using ThreatAdvice. All companies absolutely should, but number one is the financial industry followed by the health industry.

Where do you see the whole cyberwar, going from now to five or 10 years from now?

I've always said that at a point, cyber is going to turn dark. As of now, cyber is all about making money and stealing data, which data is money. But if I can get the ability to shut your pacemaker off, if I can take control of your car, if I can get into your bank accounts and things of that nature, or even control some of the health issues you may have, that's where it becomes dark.

I can shut off an electrical grid. I can shut off a bank. I can shut off a lot of things. That's going to become more of a terrorist tool, more of a state tool to make the other country less effective. I think that's where cyber is going. Up until now, it's all been about money and finance, but it is slowly becoming a very dark tool to commit a lot of worse crimes.

I also think what ThreatAdvice provides is going to become not something you'd like to do or maybe you'd consider doing, it's going to become mandatory, because the government's going to get into more regulation of keeping this data safe, just as they've done in Europe. They're going to start mandating that if you have a company, you have to educate your employees about keeping that information safe, and you're going to have to be able to document that and say, "I've done that."

Again, let's say that you have done that. Think how far that goes if you were sued to say, "Well, I've done everything I can possibly do. I've put in the best systems. I've trained my employees. They can testify that they've gone through these programs." That's just a positive for you. That's why I'm so excited about working with ThreatAdvice, because I truly believe that is the key to helping cut down a lot of these cyber risks now and in the future.
