B2B Tech Talk with Ingram Micro

Episode · 3 weeks ago

The Psychology of Cybercrime

ABOUT THIS EPISODE

According to the FBI, 800,000 people fell victim to cyber crime in 2020. That’s a 69% increase over the previous year.

Why are cyber criminals so successful and what can we do to protect ourselves?

Shelby Skrhak talks with Matt Brennan, VP of Sales, U.S. West for SonicWall, about:

- The typical profile of a cybercriminal

- How threat actors use our brains against us

- Best practices to combat cybercrime

For more information, contact Stefan Buczak (stefan.buczak@ingrammicro.com) or visit sonicwall.com.

To join the discussion, follow us on Twitter @IngramTechSol #B2BTechTalk

Listen to this episode and more like it by subscribing to B2B Tech Talk on Spotify, Apple Podcasts, or Stitcher. Or, tune in on our website.

Shelby: You're listening to B2B Tech Talk with Ingram Micro, the place to learn about new technology and technological advances before they become mainstream. This podcast is sponsored by Ingram Micro's Imagine Next. It's not about the destination, it's about going someplace you never thought possible. Go to imaginenext.ingrammicro.com to find out more. Let's get into it.

Shelby: Welcome to B2B Tech Talk with Ingram Micro. I'm your host, Shelby Skrhak, and my guest today is Matt Brennan, VP of Sales, U.S. West for SonicWall. Matt, welcome.

Matt: Thanks for having me. Excited to be here, Shelby.

Shelby: Well, good. I'm so glad you're able to join us, because today we've got a really interesting topic. We're talking about the psychology of cybercrime, and those might seem like two seemingly disparate topics. But really, when you come down to it, cybercriminals are pretty sharp and resourceful. So first off, Matt, tell us the typical profile of a cybercriminal.

Matt: Yeah, that's a really good question, and I think you're right. I certainly don't want to say that normal non-cyber criminals are different than cybercriminals, but in a sense the actual business of cybercrime, in my opinion, is very different than the business of maybe just being a thief or a white-collar type criminal. For that matter, it is almost more like the mob or organized crime back in the day. A lot of people don't realize it, but a cybercriminal or a cybercriminal group is honestly as organized as many of our own companies, right? They treat their business like any of us run our normal businesses. Many of them work 9 to 5 during the week. They take off weekends. They have a structured leadership platform with executive levels and product managers and sales leadership. And that comes as a surprise, Shelby, to a lot of people when I explain that to them, right?

And within those, time is money, right? At the end of the day, for bad actors, threat actors, cybercriminals, whatever you want to refer to them as, they will try for some time, and if they're not able to, for example, hack your password, whether that's a personal account or your business account, they don't waste a lot of time running their algorithms. They move on to the next one. Right? So when I say it's run like a business, in many cases it's no different than any of us approaching something, whether it's in sales or finance or marketing: if it doesn't work, you should fail fast and move on. It's very similar to that.

Shelby: That's fascinating. And then I guess it makes sense that cybercriminals are going to use the most effective scams necessary. They're not going to use something that doesn't work; they're going to pivot very quickly. So obviously this kind of play on people's emotions, people's thoughts, is basically where you see these criminals really hitting us, I guess, on our weak points. It's fascinating. So let me ask you then, what are some of those, I guess, most common scams that you've come across in your role there at SonicWall?

Matt: You know, there's many, and most of them, Shelby, start with some kind of email component to them. Right? It is very rare nowadays otherwise. I'm going to throw out a statistic. I may be off by a percent or two, but it's pretty darn close: 95% of breaches start via email. Right? So that could be your boss, or what looks like your boss, emailing you. It could be a colleague of yours emailing you. An even stronger one that happens a lot in our personal lives is you or I getting an email from Amazon or FedEx or Bank of America or Compass, which happens to be who my realtor actually works for. Right? So it's that notion of the authenticity, or perception of authenticity, from a big brand. They refer to it as authority bias, right, where it's somebody that you respect, or kind of a halo effect when it comes from some of these companies that you hold in high regard and that you do business with, personally or professionally. There's also something we see a lot of, and I'm guessing you've probably had this attempted on you or friends of yours as well.

Shelby: Definitely. And it's fascinating to see the methods used. I mean, you hear about some of the more common ones, looking at something that seems very obvious. A prince who is not really a prince is looking for help to probate this will, and if you can just send some money... That one seems like an obvious one. But then there's those that you wouldn't expect.

Matt: No. And it's interesting. I was at my son's soccer game Saturday and I was talking to one of the other dads. It's kind of chit-chat; I don't know him that well. "So what do you do for a living? What do you do for a living?" And I explained to him the business that I was in, and he said, "Wow, sure wish I'd talked to you two weeks ago." And I said, "What do you mean, Chris?" And he said, "Well, one of my employees," and he's the CEO of a company, he said, "one of my employees just wired $150,000 to who he thought was one of our vendors." And I said, "You've got to be kidding me." And he said, "Matt, you wouldn't believe the authenticity of this email." It had kind of his stylistic things. He said, "A lot of times I'll type a portion of a sentence and then type in three periods and then I'll kind of go on to another thought." He said it had that exact same kind of tone and cadence to it. And sure enough, he said, and I'm making up names now, Bill wired $150,000 to who he thought was a company that was constructing one of their new buildings. "And I don't think we're ever going to see it again." Right. And he said the email started with "him" asking Bill, "Hey, are you sitting at your desk?" And he said it almost kind of shocked him, right? Like, "Well, yeah, I'm sitting at my desk, or did you think I was..." So it kind of goes back to that psychology behind a lot of this, Shelby, where instantly it's kind of like your dad or your mom or your boss is wondering where you are, right? "Are you at home?" "Yeah, you're sitting at your desk. I'm sitting here." "Did you not get my email?" was the follow-up one. Right. And he's like, "Yeah, I got your email, what's wrong?" He goes, "Well, my understanding, or so-and-so called me and said, you haven't wired the money." And instead of just picking up the phone, and again, made-up names, Bill calling Chris saying, "Hey, Chris, did you need me to wire some money?" He just did it. Right. So it's again, like you said at the very beginning, that psychology behind it, and that's something that we all fall victim to. I don't know how many times a month my mom asks me if she should take this free gift card from Best Buy. Like, no, Mom, you shouldn't, because the second you click on it, it's going to ask you to log in to your Best Buy account, and I'm pretty sure you don't even have one, right? But I know you use the same password for almost all your stuff, even though I told you not to for years. So that's how they get you, right?

Shelby: Yeah. Well, the sophistication is astounding, really. That's the thing, I guess; it's the complexity of it that makes us more susceptible. I mean, from afar it's easy to say, "Oh, I'd never fall for a phishing attack or a cyber scam like that." But obviously people get breached every day. So I'm curious more about this psychology, then. I mean, how are these threat actors using our brains against us? You mentioned the example of almost getting somebody a little bit off their game already. They think they've done something wrong; they've already got their back against something, might feel a little defensive, or a little bit "oh crap, I need to act quickly." Surely that's not accidental, right? I mean, they know what they're doing.

Matt: They really do. And I guess this isn't to make any of us feel better, but just to put some numbers behind it, Shelby: 800,000 people fell victim to cyber scams in 2020. That's according to the FBI, and that was an increase of over 69% from 2019. That equated to $4 billion in losses last year alone. It's a significant problem, and the criminals really are kind of luring us, right? Smart people, and let's assume we're both maybe in that category, into their traps. They take advantage of some of the unconscious, automatic processes that really shortcut our decision-making, and these cognitive biases, a lot of people refer to it as our lizard brains, right? It kind of causes us to misinterpret information, and we make snap judgments that many times are irrational or inaccurate. Right? So they realize this, and "they" is a very general term. The good attackers realize this and they use those examples that I talked about: corporate logos we're familiar with, bank accounts, hijacking personal information, talking as if, fictitiously, they could be my wife or my partner, they could be my boss, they could be my father, right? "Oh my gosh, Dad's in trouble, Dad's sick." As sick and twisted as that is, that's in many ways how they get you from an emotional standpoint. And unfortunately not everyone is savvy enough to realize what is kind of truth and what is a lie, and you then get into this situation of getting emotions behind it, and you don't make good choices. And that's really what we find happening almost all the time. It's not necessarily that they don't have the right tools in place. When we talk about enterprises or small businesses, it isn't because they don't have email security or they don't have a firewall. It's almost always an operational thing. It's a personal thing. It's a mistake, for lack of better words, by people that are being preyed on by smart folks. You know, I've gotten emails from my CEO asking me to do things, and if I didn't know him well, I would potentially get kind of worked up and maybe act on it. Right.

Shelby: So, yeah. You mentioned your mom. Do you mind if I ask if you or any of your family members have had any close calls?

Matt: I have, personally. I would say family members have. Fortunately, knock on wood, none of them have been irrecoverable. Right. Generally what they are, or what it was in my case: I think many of us have an old Yahoo account maybe we don't use anymore, or MSN, or, God forbid, I think my father still has an AOL account. Right. But he doesn't check it. I can't tell you the last time I checked my Yahoo account. But unbeknownst to me, whatever password that I used ten years ago or eight years ago, I had used again throughout the course of the time, and I really haven't changed that particular password. So in essence, people get emails from me that aren't coming from me. I get notified by other folks, or, I mean, other applications that I have, that that password has been compromised. I don't know if you use Google Chrome, but you'll notice when you sign up for something now. I signed up for tickets to a football game from a vendor I'd never used before, and immediately Google Chrome wanted me to not use a particular password because that password has been compromised. Right. So that's something that I think people should pay attention to. That's the most common one I see amongst family and friends: them not subscribing to or using a password technology. Right? Like Dashlane is a great one, 1Password is another one, or even the encryption that Apple suggests on your phone when you log in to a website, because you're obviously much better off in those instances. But most of what we see is that consistent son's first name, hashtag, 123; daughter's first name, hashtag, 123; you know, dog's first name, hashtag, 123. And it doesn't take long for people to realize that this is a pattern, and then they run it against everything out there, whether it's Comcast, AT&T, Hulu, Gmail, Disney Plus, et cetera. And those are the kinds of things that I see a lot, and it happened to me in the past.

Shelby: So from a technical standpoint, if any of your passwords are repeated across two different accounts, because I think a lot of us do that even with the best intentions, how does that work? I mean, how are they possibly able to get into very different accounts? You would never think those two would be linked. How are they saying, "OK, well, you use your address for this password, and oh, I bet you're using it for this one"? How does that work?

Matt: So it's much simpler and easier and faster than you would imagine. I mean, I would argue that if you and I listed out the top applications we access on a daily basis, we're going to have a heck of a lot of them that are the same. Right? Whether that's HBO, Netflix, Gmail, LinkedIn, Venmo, PayPal, you probably have an account to all those. Right. And I just rattled all those off, and I'm guessing that there's a certain amount of applications that the majority of us access, and all they have to do is take, you know, I'm making up my email, but Matt Brennan at gmail, and then run that against the top 100, or in their case 500, most commonly used websites and applications with that dog's-first-name-hashtag-123, and they're going to get into probably 60% of that, right?

The saving grace, and we'll talk about kind of best practices, the saving grace right now is two-factor authentication, and that is so, so, so important right now, because if someone got my Yahoo credentials and tried to log in to my Apple TV or my iCloud account, it is going to ask them to input the code that they texted me. Right. And that's where you can really, really protect yourself: in making sure that you use two-factor authentication, from a professional standpoint first and foremost. Right. So companies, businesses out there, that's something that when they say, "What is the number one thing that you recommend?" without a shadow of a doubt it is two-factor authentication, period. Right? It's not going to save everything, Shelby, but if you are not using that, shame on you, shame on us, because that's super important and that will prevent a lot of the next steps, which is what happens in the scenario that we just discussed.

Shelby: Well, so if that's kind of the top method that we have, the tool that we have to help prevent, what are some of those other best practices?

Matt: Yes. So in addition to two-factor authentication, I mentioned it, but I would highly suggest from a personal standpoint you use a password protector, right? I rattled off Dashlane, and I'd read a lot about 1Password. There's quite a few out there. When you're using Safari, if you're an Apple person, on your browser they'll suggest passwords. That's not a bad way to go if you aren't willing to spend the nine bucks a year or whatever the heck it costs for those. I would highly suggest that you don't repeat the same password, and I know that can become difficult and cumbersome, but I would suggest at least don't use your Gmail password for your bank account, right? Whatever you feel like could leave you in the worst shape: bank account, maybe your investment account, Venmo, PayPal, things that are, and I know I'm rattling off monetary things, when in most cases that's what's most important to people. All of those should be different, and none of those should be the same as your HBO Max or your Netflix or your Gmail, right? So super, super important if you're not willing to get a password protector. From a business standpoint, I mentioned it, I'll say it 100 times, 2FA, but network segmentation, there's another big one, right? It's not as common anymore, but when you look at some of the biggest breaches that happened, whether that was Home Depot or Target or, you know, I could go on and on, they had their HVAC system or their POS system on the same system as their customer database system. Right? And that is not a thing anymore, really; it shouldn't be. I'm sure there's companies out there that don't do that. But Costco, Nordstrom's, all those big companies, their HVAC system and their solar system is not on the same network anymore as all of their customer information and all the credit cards, et cetera. Right? So network segmentation is huge as well. And then the simplicity of human interaction. That gentleman Chris from the soccer game the other day: if Bill would have simply picked up the phone and called Chris and said, "Hey, I just want to confirm that you want me to wire the $150,000 to the framing company," Chris would have said, "I have no idea what you're talking about," and now that's over. So I know that consistently we do not pick up the phone in this society, but even a text is sufficient enough. Right? So make sure you know that you're communicating with the other end of the line on a personal basis and verifying the ask, because almost always it's monetary, I think.

Shelby: Well, those are great ways that we can, as companies, protect our broad systems, but also protect our individual employees and make sure that we're all using those best practices. As we start to wrap up this episode, we always ask our guests, where do you see technology going in the next year? I'm curious, on a spin of that, where do you see security technology going in the next year?

Matt: It's a really good question. You know, they're calling this year the year of ransomware, and I don't see it subsiding anytime soon, and I think it's so, so important for all of us, both personally and professionally, to really think about some of the things that we just talked about, whether that's two-factor authentication, network segmentation. Another huge one, Shelby, that I forgot to rattle off is training, right? Train your employees. There's tons of third-party companies out there that you can hire that will send fake phishing emails and see who bites on them and help coach them accordingly. So that can't be understated: make sure that you're training your employees on best practices and things for them to be aware of. Another one that I failed to mention, shame on me, is patching, right? So many people look at their cell phone and it suggests that you upgrade to the next OS. Don't wait; there's no reason to wait, right? When you go into your app store and it shows that you have 84 apps that need to be updated, update those right now. That's a personal thing, and the same translates into your business. Mostly the IT department is pushing these patches and they happen without you even knowing it. But if you as an IT professional or IT security professional are not patching on a consistent basis, shame on you, shame on us. So that's super, super important, to do those things.

So back to your question: where do I see technology, where do I see cybersecurity going? It all revolves around the shift in us not going to a physical office anymore, and we have to start treating our laptop, our home, the hotel, wherever you may be working, more like the security around your office. Right? And what I mean by that is, when I used to go into the office, I would log in to the network, I would be behind the firewall, you would have VPN, and you would be accessing things in a very safe manner. Right? That doesn't happen at your house, that I'm aware of. It doesn't happen at my house. I'm a little bit different; I have a firewall at my house, but that's kind of my business. But it's really important that people have endpoint security on their laptop. It's really important that people are using VPN technology and are diligent about logging in to it every day before accessing corporate information. In most organizations, Shelby, they won't let you access that information unless you're logged in to the VPN. But that's really important. There's this notion of zero trust that is transitioning from a buzzword to reality, and that term really caught fire during the pandemic, which is, you really shouldn't trust anything or anybody until it's verified. Right? And so it sounds a little bit too, I guess, conservative. Right? Yeah, thank you. But it's better than the alternative, right? We can't be too safe now; it's bound to happen. 60% of companies will be breached this year. That's a lot, right? And I got the statistic from a security conference I was at back in August, and it said that 87% of security leaders believe their organizations are falling short. I mean, that's a lot, right? 87% of companies are worried they're falling short, and 60% of those companies are going to be breached. It's not good. And then the average cost of a breach is $8.6 million for companies. I don't know about, you know, it depends on who you work for, but the companies can rebound from that. So the threat actors that we started talking about from the very beginning, they're targeting small business. In fact, 43% of cybercrime is targeted at small business, and the reason why is they generally don't have as much money as enterprises to implement all these tools and this training and all the things we talked about, right? One- or two-person teams, 100%, right, or none. Right? Bob's Pizza with six locations probably doesn't have an IT guy, but they're taking a lot of credit cards.

Shelby: So yeah, it could be a scary thought thinking what's possible. It will certainly keep some IT and corner-office professionals up at night worrying about that stuff.

Matt: 100%.

Shelby: So then as we start to wrap up, for listeners who want to find out more, that want to reach out and talk to someone about maybe their specific security situation, what is possible, how they can be protected, how would they reach out?

Matt: That's a great question. This is probably not going to fall under best practices, but if I get 100 emails, I get 100 emails. But you are more than welcome to reach out to me on LinkedIn. You know, Matthew Brennan; my LinkedIn is linkedin.com slash Matthew dash Brennan, uh, 07 19508. You're also welcome to email mbrennan@sonicwall.com, which is a heck of a lot easier than trying to remember that ridiculous number I just rattled off, and the fact that I even know it. So yeah, I'd be happy to help, or certainly put you in touch with someone in your local city, right? It's always fun to work with people that live in your community, and we have sales reps and engineers in pretty much every NFL city across the country, or within a couple of hours, so we'll come meet with you and talk to you.

Shelby: Excellent. Well, Matt, I surely appreciate your time and your insight today. Thank you so much for joining me.

Matt: You bet. It was great. Thanks a ton.

Shelby: And thank you, listeners, for tuning in and subscribing to B2B Tech Talk with Ingram Micro. If you like this episode or have a question, please join the discussion on Twitter with the hashtag #B2BTechTalk. Until next time, I'm Shelby Skrhak. You've been listening to B2B Tech Talk with Ingram Micro. This episode was sponsored by Ingram Micro's Imagine Next. B2B Tech Talk is a joint production with Sweet Fish Media and Ingram Micro. To not miss an episode, subscribe today on your favorite podcast platform.
