B2B Tech Talk with Ingram Micro

Episode · 6 months ago

The Psychology of Cybercrime


According to the FBI, 800,000 people fell victim to cyber crime in 2020. That’s a 69% increase over the previous year.

Why are cyber criminals so successful and what can we do to protect ourselves?

Shelby Skrhak talks with Matt Brennan, VP of Sales, U.S. West for SonicWall, about:

- The typical profile of a cybercriminal

- How threat actors use our brains against us

- Best practices to combat cybercrime

For more information, contact Stefan Buczak (stefan.buczak@ingrammicro.com) or visit sonicwall.com.

To join the discussion, follow us on Twitter @IngramTechSol #B2BTechTalk

Listen to this episode and more like it by subscribing to B2B Tech Talk on Spotify, Apple Podcasts, or Stitcher. Or, tune in on our website.

...You're listening to B2B Tech Talk with Ingram Micro, the place to learn about new technology and technological advances before they become mainstream. This podcast is sponsored by Ingram Micro's Imagine Next. It's not about the destination, it's about going someplace you never thought possible. Go to imaginenext.ingrammicro.com to find out more. Let's get into it.

Welcome to B2B Tech Talk with Ingram Micro. I'm your host, Shelby Skrhak, and my guest today is Matt Brennan, VP of Sales, U.S. West for SonicWall. Matt, welcome.

Thanks for having me. Excited to be here, Shelby.

Well, good. I'm so glad you're able to join us because today we've got a really interesting topic. We're talking about the psychology of cybercrime, and those might seem like two seemingly disparate topics. But really, when you come down to it, I mean, cybercriminals are pretty, pretty sharp and resourceful. So first off, Matt, tell us the typical profile of cyber criminal.

Yeah, that's a really good question. And, um, I think you're right. Yeah, and I don't, I certainly don't want to say that normal criminals are different than a normal non cyber criminals are different than cyber criminals, but in a sense the actual business of cybercrime, in my opinion, is very different than the business of maybe just being a thief or a white collar type criminal, or for that matter, it is more almost like kind of the mob or organized crime back in the day. A lot of people don't realize, but the profile of a cyber criminal or a cyber criminal group, honestly, is organized as many of our own companies, right? They treat their business like any of us run our normal businesses. They work 9-5, many of them, during the week. They take off weekends. They have a structured leadership platform with executive levels and product managers and sales leadership. And that comes as a surprise, Shelby, to a lot of people when I explain that to them, right?
And within those, time is money, right? At the end of the day, for bad actors, actors, whatever you want to refer to them as, cybercriminals, and they will try for some time, and if they're not able to, for example, hack your password, right, whether that's a personal account or your business account, they don't waste a lot of time running their algorithms, they move on to the next one. Right? So when I say it's run like a business, in many cases it's no different than any of us approaching something, whether it's in sales or finance or marketing: if it doesn't work, you should fail fast and move on, and it's very similar to that.

So that's fascinating. It, and then I guess it makes sense that, uh, you know, cyber criminals are going to use the most effective scams necessary, they're not going to use something that doesn't work. They're going to pivot very quickly. So obviously this, uh, this kind of play on people's emotions, people's thoughts, you know, just basically, um, you know, where you see these criminals really hitting us, I guess, on our weakness points, uh, that it's fascinating. So let me ask you then, what, what are some of those, I guess, most common scams that you've come across in your role there at SonicWall?

You know, there's many, and most of them, Shelby, they start with some kind of email component to them. Right? It is very rare. Nowadays, I'm gonna throw out a statistic. I may be off by a percent or two, but it's pretty darn...

...close at 95% of breaches start via email. Right? So that could be your boss, or what looks like your boss, emailing you. It could be a colleague of yours emailing you. Even stronger, one that happens a lot in our personal lives is you or I getting an email from Amazon or FedEx or Bank of America or Compass, who happens to be my real, actually works for. Right? So it's that notion of kind of the authenticity, or perception of authenticity, from a big brand. They kind of call it, referred to as an authority bias, right? Where it's, you know, somebody that you respect, and or kind of a halo effect when it comes from some of these companies that you hold in high regard and that you do business with personally or professionally. There's also something we see a lot of, and I'm guessing you've probably had this attempted to you or friends of yours as well.

Definitely. And it's fascinating to see the methods used. I mean, you know, you hear about some of the more common ones of looking at something that seems very obvious. Uh, prince is, uh, not really a prince, is looking for, uh, for help to, uh, yeah, help probate this will. And if you can just send somebody, like, that one seems like an obvious one. But then there's those that you don't, you wouldn't expect.

No. And I, um, it's interesting. I was at my son's soccer game Saturday and I was talking to one of the other dads that, you know, it's kind of a chit chat. I don't know him that well. And so, what do you do for a living? What do you do for a living? And I explained to him the business that I was in, and he said, wow, sure wish I talked to you two weeks ago. And I said, what do you mean, Chris? And, and he said, well, he said, um, one of my employees, and he's the CEO of a company. He said, one of my employees just wired $150,000 to who he thought was one of our vendors. And I said, you gotta be kidding me. And he said, Matt, you wouldn't believe the authenticity of this email, right.
It had kind of my, you know, sort of stylistic things. He said, I, a lot of times, you know, will type a portion of a sentence and then type in three periods and then I'll kind of go on another thought. He said it had that exact same kind of tone and cadence to it. And sure enough, he said, uh, making up names now, but Bill wired $150,000 to who he thought was a company that was constructing one of our new buildings. And I don't think we're ever going to see it again. Right. And, uh, he said the email started with me asking Bill, hey, are you sitting at your desk? And, and he said it almost kind of shocked him, right? Like, well yeah, I'm sitting at my desk, where did you think I was? So it kind of goes back to that psychology behind a lot of this, Shelby, where instantly it's kind of like your dad or your mom or your boss is wondering where you are, right? Are you at home? You know, yeah, you're sitting at your desk. I'm sitting here. Did you not get my email, was the follow up one. Right. And he's like, yeah, I got your email, what's wrong? He goes, well, I, my understanding, or so and so called me and said, you haven't wired the money. And instead of just picking up the phone and, again, made up names, Bill calling Chris saying, hey Chris, did you need me to wire some money? He just did it. Right. So it's again that, like you said at the very beginning, that psychology behind it, and that's something that we all fall victim to. I...

...don't know how many times a month my mom asked me if she should take this free gift card from Best Buy, like, no mom should, because the second you click in it's gonna ask for you to log into your Best Buy account, and I'm pretty sure you don't even have one, right? But I know you use the same password for almost all your stuff even though I told you not to for years. So that's how they get you, right.

Yeah. Yeah. Well, the sophistication is astounding, really. Uh, that's the thing, I guess it's the complexity of it that makes it, that makes us more susceptible. I mean, from afar it's easy to say, oh, I, I'd never fall for a phishing attack or a cyber scam like that. But obviously people get breached every day. So I'm curious more about this psychology then. I mean, how are these threat actors using our brains against us? You mentioned the example of almost kind of getting somebody a little bit off their game already. You know, they think they've done something wrong. They're, you know, they're already a little bit back against something, might feel a little defensive or a little bit, oh crap, you know, I need to, I need to do, act quickly. Sure that's not accidental, right? I mean, they know what they're doing.

They really do. And I mean, I guess this isn't to make any of us feel better, but just to put some numbers behind it, Shelby, 800,000 people fell victim to cyber scams in 2020. That's according to the FBI. And, and that was an increase of over 69% from 2019. That equated to $4 billion in losses last year alone. It's a significant problem, and it's the criminals really are kind of luring, or luring us, right? Smart people, assume we're both maybe in that category, um, into their traps, right? They take advantage of some of the unconscious automatic processes that really shortcut our decision making. And, uh, these, these cognitive biases, a lot of people refer to it as our lizard brains, right?
It kind of causes us to misinterpret information, and we make snap judgments that many times irrational, maybe, or inaccurate. Right? So they realize this, and "they" is a very general term. The good attackers realize this and they, you know, use those examples that I talked about: corporate logos we're familiar with, right? Bank accounts, hijacking personal information, talking as if, you know, maybe you would be, fictitiously, my wife or my partner, you could be my boss, you could be my father, right? Oh my gosh, Dad's in trouble. Um, as sick and twisted as that is, um, that's many ways how they get you from an emotional standpoint, and unfortunately not everyone is savvy enough to realize what, what is kind of truth and what is, um, is a lie, and you then kind of get into this situation of getting emotions behind it and you don't make good choices. And, uh, and that's really what we find happening almost all the time. It's not necessarily that they don't have the right tools in place. And when we talk about enterprises or small businesses, it isn't because they don't have email security or they don't have a firewall. It's, um, it's almost always an operational thing. It's a, it's a personal thing. It's a, it's a mistake, for lack of better words, by, by people, um, that are being kind of preyed on by, by smart folks. You know, I've gotten emails from my CEO asking me to do...

...things, and if I didn't know him well, I would potentially get kind of worked up and maybe act on it. Right.

So, yeah. So, you know, you mentioned your mom. Do you mind if I ask if, if you or any of your family members have had any close calls?

I have personally. I would say family members have. Fortunately, you know, knock on wood, none of them have been irrecoverable. Right. Generally what they are, or what it was in my cases. I think many of us have an old Yahoo account maybe we don't use anymore, or MSN, or God forbid, I think my father still has an AOL account. Right. But he doesn't check it. I can't tell you last time I checked my Yahoo account. But unbeknownst to me, whatever password that I used, you know, 10 years ago or eight years ago, I had used again, right, throughout the course of the time, and, uh, and I really haven't changed that particular password. So in essence, people get emails from me that aren't coming from me. I get notified by other folks, or my folks, I mean other applications that I have, that that password has been compromised. I don't know if you use Google Chrome, but you'll notice when you sign up for something now, I bought tickets to a football game from a vendor I never used before and it immediately, Google Chrome wanted me to not use a particular password because that password has been compromised. Right. So, so that's something that I think people should pay attention to. That's the most common one I see amongst family and friends, is them not subscribing to or using a password technology. Right? Like Dashlane is a great one, 1Password is another one, or even the encryption that Apple suggests on your phone or, you know, when you, when you log into a website, because you're obviously much better off in those instances. But most of what we see is that consistent son's first name hashtag 123, daughter's first name hashtag 123, you know, dog's first name hashtag 123, and it doesn't take you long for people to realize that this is a pattern, and then they run it against everything out there, whether it's Comcast, AT&T, Hulu, Gmail, Disney Plus, et cetera. And those are the kind of things that I see a lot, and then it happened to me in the past.

So from a technical standpoint, I mean, if, and if any of your passwords are repeated across two different accounts, because I think a lot of us do that even with the best intentions, how does that work? I mean, how are they possibly able to, you know, to very just, you know, different accounts. You would never think those two would be linked. How are they saying, OK, well, you use your address for this password and, oh, I bet you're using it for this one. How does that work?

So it's much simpler and easier and faster than you would imagine. I mean, I would argue that if you and I listed out the top applications we access on a daily basis, we're going to have a heck of a lot of them that are the same. Right. Whether that's HBO, Netflix, Gmail, LinkedIn, Venmo, PayPal, you probably have an account to all those. Right. And I just rattled all those off, and, uh, and I'm guessing that, you know, there's a certain amount of applications that the majority of us access, and all they have to do is take, you know, I'm making up my email, but Matt Brennan at Gmail, and then run that against the top 100, or in their case 500, most commonly used websites and applications with that dog's first name hashtag 123, and they're going to get into probably 60% of that, right? The...

...saving grace, and we'll talk about kind of best practices. The saving grace right now is two factor authentication, um, and that is so, so, so important right now, because if someone got my Yahoo credentials and tried to log into my Apple TV or my iCloud account, it is going to ask them to input the code that they texted them. Right. And that's where you can really, really protect yourself in making sure that you use two factor authentication, from a professional standpoint first and foremost. Right. So companies, businesses out there, that's something that when they say, what is the number one thing that you recommend, without a shadow of a doubt it is two factor authentication, period. Right? It's not going to save everything, Shelby, but if you are not using that, shame on you, shame on us, because that's super important and that will prevent a lot of the next steps, which is what happens in the scenario that we just discussed.

Well, so if that is, that's kind of the top, top method that we have, the, you know, the tool that we have to help prevent, what are some of those other best practices?

Yes. So in addition to two factor authentication, I mentioned it, but I would highly suggest from a personal standpoint you use a password protector, right? I rattled off Dashlane and, I'd read a lot, 1Password. There's quite a few out there. When you're using Safari, if you're an Apple person, on your browser they'll suggest passwords. That's not a bad way to go if you aren't willing to, or to spend the nine bucks a year or whatever the heck it could cost for those. Um, I would highly suggest that you don't repeat the same password, and I know that can become difficult and cumbersome and, and but I would suggest at least don't use your Gmail password for your bank account, right?
Whatever you feel like is, um, the most, could leave you in the worst shape: bank account, maybe your investment account, Venmo, PayPal, things that are, and I know I'm rattling off monetary things when in most cases that's what's most important to people. All of those should be different, and none of those should be the same as your HBO Max or your Netflix or your Gmail, right? So super, super important if you're not willing to get a password protector. From a business standpoint, I mentioned it, I won't, I'll say it 100 times, 2FA, but network segmentation, there's another big one, right? It's not as common anymore, but when you look at some of the biggest breaches that happened, whether that was Home Depot or Target or, you know, I could go on and on. They have their HVAC system or their POS system on the same system as their customer database system. Right? And that is not a thing anymore, really, it shouldn't be. I'm sure there's companies out there that don't do that. But Costco, Nordstrom's, you know, all those big companies, they're not, their HVAC system and their solar system is not on the same network anymore as all of their customer information and all the credit cards, et cetera. Right? So network segmentation is huge as well. And then the simplicity of human interaction. If that gentleman Chris from the soccer game the other day, if it would have simply picked up the phone and called Chris and said, hey, I just want to confirm that you want me to wire the $150,000 to the framing company, Chris would have said, I have no idea what you're talking about, and now that's over. So I know that consistently we do not pick up the phone in the society, but even a text is sufficient enough. Right? So make sure you know that you're communicating with the other end of the line, um, on a...

...personal basis and verifying the ask, because almost always it's a monetarily or monetary I think.

Well, those are, uh, those are great ways, um, that, you know, we, we can as companies protect, you know, our broad systems, but also, you know, protect our individual employees and make sure that we're all using those best practices. Um, as we, as we start to wrap up this episode, we always ask our guests, where do you see technology going in the next year? I'm curious on a spin of that, where do you see security technology going in the next year?

It's a really good question. Um, you know, they're calling this year the year of ransomware and, uh, I don't see it, um, subsiding anytime soon, and I think it's so, so important for all of us, both personally and professionally, to really think about some of the things that we just talked about, whether that's two factor authentication, network segmentation. Another huge one, Shelby, that I forgot to rattle off is training, right? Train your employees. There's tons of third party companies out there that, that you can hire that will send fake phishing emails and see who bites on them and, and help coach them accordingly. So that can't be understated, is to make sure that you're training your employees on best practices and things for them to be aware of. Another one that I failed to mention, shame on me, is patching, right? So many people look at their cell phone and it suggests that you upgrade to the next OS. Don't wait, there's no reason to wait, right? When you go into your App Store and it shows that you have 84 apps that need to be updated, update those right now. That's a personal thing, but the same translates into your business. Mostly the IT department is pushing these patches and they happen without you even knowing them. But if you as an IT professional or an IT security professional are not patching on a consistent basis, shame on you, shame on us. So that's super, super important to do those things.
So back to your question, where do I see technology, where do I see cyber security here coming up? It all revolves around the shift in us not going to a physical office anymore, and we have to start treating our laptop, right, our home, the hotel, wherever you may be working, more like security around your office. Right? And what I mean by that is, when I used to go into the office I would log into the network, I would be behind the firewall, you would have VPN and you would be accessing things in a very safe manner. Right? That doesn't happen at your house that I'm aware of. It doesn't happen at my house. I'm a little bit different, I have a firewall at my house, but that's kind of my business. But it's really important that people have endpoint security on their laptop. It's really important that people are using VPN technology and are diligent about logging into it every day before accessing corporate information. In most organizations, Shelby, they won't let you access that information unless you're logged into the VPN. But that's really important. There's this notion of zero trust that is becoming, kind of transitioning from a buzzword to reality, and that term really caught fire during the pandemic, which is, um, you really shouldn't trust any, anything or anybody until it's verified. Right? And so it sounds a little bit...

...too, I guess, conservative. Right? Yeah, thank you. But it's better than the alternative, right? We can't be too safe. Now, it's bound to happen. Um, 60% of companies will be breached this year. That's a lot. Right. And got the statistic from security conference I was at back in August, and it said that 87% of security leaders believe their organizations are falling short. I mean, that's a lot, right? 87% of companies are worried they're falling short, and 60% of those companies we're going to be breached. Um, it's not good, and then the average cost of a breach is $8.6 million for companies. I don't know about, you know, it depends on who you work for, but the companies can rebound from that. So, and the threat actors that we started talking about from the very beginning, they're targeting small business. In fact, 43% of cybercrime is targeted to small business, and the reason why: they generally don't have as much money as enterprises to implement all these tools and these trainings and all the things we talked about, right? One or two person teams. 100%, right, or none. Right, Bob's Pizza with six locations probably doesn't have an IT guy, but they're taking a lot of credit cards.

So yeah, it could be a scary thought thinking what possible, we'll certainly keep some IT and, uh, you know, corner office professionals up at night worrying about that stuff.

100%.

So then as we start to wrap up, for listeners who want to find out more, that want to reach out and, and talk to someone about, you know, maybe their specific security situation, you know, what is possible, what, how they can be protected, how would they reach out?

That's a great question. This is probably not going to fall under best practices, but if I get 100 emails, I get 100 emails, but you are more than welcome to reach out to me on LinkedIn. You know, Matthew Brennan, um, and my LinkedIn is linkedin dot com slash Matthew dash Brennan Uh-07 19508.
You're also welcome to email M Brennan at SonicWall dot com, which is a heck of a lot easier than trying to remember that ridiculous number I just rattled off, and the fact that I even know it. So, um, but yeah, I'd be happy to help or certainly put you in touch with someone in our, in your local city, right? It's always fun to work with people that live in your community and, and we have sales reps and engineers in pretty much every NFL city across the country or within a couple hours, so we'll come meet with you and talk to you.

Excellent. Well, Matt, I surely appreciate your time and your insight today. Thank you so much for joining me.

You bet, it was great. Thanks a ton.

And thank you, listeners, for tuning in and subscribing to B2B Tech Talk with Ingram Micro. If you like this episode or have a question, please join the discussion on Twitter with the hashtag B2BTechTalk. Until next time, I'm Shelby Skrhak.

You've been listening to B2B Tech Talk with Ingram Micro. This episode was sponsored by Ingram Micro's Imagine Next. B2B Tech Talk is a joint production with Sweet Fish Media and Ingram Micro. To not miss an episode, subscribe today to your favorite podcast platform.
