Fighting off phishing.
Roger Grimes: If we were able to address just that one thing, which is to put down social engineering phishing, it would get rid of 70 to 90% of all cybersecurity risk, just fixing one thing.
Dave Bittner: Hello, everyone, and welcome to the Hacking Humans Podcast brought to you by N2K CyberWire. This is the show where every week we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing significant harm to organizations all over the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week, and later in the show, Roger Grimes, data-driven defense evangelist at KnowBe4. We're talking about his new book, Fighting Phishing, everything you can do to fight social engineering and phishing. [ Music ] All right, Joe, before we jump into our stories here, we have a little bit of feedback.
Joe Carrigan: Okay.
Dave Bittner: I'll lead things off for us here.
Joe Carrigan: Okay.
Dave Bittner: Someone named Tim wrote in and said, "Gents, thought you might be interested in me almost getting snagged today. Recently, I transferred investment assets from one financial firm to another. A few unique shares were non-transferable, and my financial advisor alerted me that I'd get a reach out from my former account, giving me next steps to liquidate those shares and resolve the issues. Well, I got the letter. It provides an 888 number to call. In my haste, I entered 800 instead."
Joe Carrigan: Interesting.
Dave Bittner: "Not paying attention to the automated opening, because who pays attention to the automated opening? I heard the name of the company I was trying to call, and then what I thought was an old promotional offer for households that had someone over 50 years of age. I opted for the negative option, as no one in my house has yet hit 50, but even so, it pushed me through to a very well-spoken and eager woman who, without pausing for breath, outlined a promotional opportunity for a medical alert fall device. The old, I've fallen and I can't get up promotion. I said, I'm sorry, but I must get to the wrong button. No one in my house is over 50. Without a moment of hesitation, she moved to the next part of her script. 'That's okay. There's still a chance that someone in your house could fall.'" I guess there's always a chance that someone in your house could fall.
Joe Carrigan: Right?
Dave Bittner: "'It's important to make sure you have a device in case of emergency. Let's get some more information.'" At that point, I hung up and redialed. The automated answer now is a completely different recording. Looked at the number versus my call history. I realized my mistake. The 888 number is the real company. The 800 number was a scam looking to take advantage of people who were trying to call their financial institution. These people."
Joe Carrigan: Yeah, these people.
Dave Bittner: Thank you, Tim.
Joe Carrigan: Yeah, that's maddening that that even happens like that.
Dave Bittner: Yeah.
Joe Carrigan: I mean, they're using the name of the company as well?
Dave Bittner: Yeah.
Joe Carrigan: So I think he should be telling somebody at his former financial institution's security organization about this and say, hey, someone's squatting on a phone number that looks like your phone number. You probably should try to go out and seize it.
Dave Bittner: Yeah, that's true because I guess Tim does know the number, because he knows the right number.
Joe Carrigan: Yeah.
Dave Bittner: I think I mentioned once on the show that something similar to this happened to me where I dialed the number on the back of one of my credit cards, a physical credit card I took out of my wallet to call the credit card company.
Joe Carrigan: Right.
Dave Bittner: You'd think that would be okay.
Joe Carrigan: Yeah.
Dave Bittner: But somehow I fat fingered the number and got somebody else who, sure enough, was pretending to be the credit card company. So they gobbled up I guess the numbers on either side of that number or, you know, whatever. They figured out how people are most likely to fat finger it.
Joe Carrigan: Yep. I think that if they're saying that they are the company that you're trying to call, then I think that those companies who are being spoofed here have good cause for going after these people.
Dave Bittner: It's just hard when it's international.
Joe Carrigan: Yeah, it is. But, you know, you can get the number locally. You can call the phone company and go somebody's using this. Give me the phone number. If they're saying this is my number, give it to me.
Dave Bittner: That's interesting. Yeah, yeah. All right, we got one other bit of feedback here, Joe. You want to read it for us?
Joe Carrigan: Yeah. This one came from an anonymous user or listener, not user but listener, who said, "Someone keeps impersonating me on LinkedIn and I cannot get LinkedIn to do anything about this." I am not surprised by that.
Dave Bittner: No.
Joe Carrigan: "I have an idea who's doing this, but I cannot get LinkedIn to get moving." So, you know, I'm thinking about this, and Dave, I got nothing on this because if you have a problem with LinkedIn impersonating a thing, unless you have a ton of money and can go out and buy a service like ZeroFox offers. You know, if you're a high net worth individual, you have that money, and you have that capability, they can go out. They have a relationship with them, but if you're just a regular person like you and me.
Dave Bittner: Yeah.
Joe Carrigan: I mean, even though we are podcast famous, Dave, and this person who reached out to me, I don't know what can be done here about this. Because if you talk to LinkedIn, you are essentially screaming into the void, as I like to say.
Dave Bittner: Yeah.
Joe Carrigan: They are just another big pile of garbage social media company.
Dave Bittner: Don't hold back, Joe.
Joe Carrigan: Yeah.
Dave Bittner: And it's getting worse, Joe. Today's episode, not brought to you by LinkedIn.
Joe Carrigan: It's getting worse. I will say this. I will say this. I started seeing a bunch of political posts on LinkedIn, which I think is something that is profoundly stupid to do.
Dave Bittner: Okay.
Joe Carrigan: It doesn't matter what side you're on the political spectrum. Don't put political stuff on LinkedIn. You're alienating somebody, and that's really not what you want to do on LinkedIn.
Dave Bittner: Well, I agree with you, but I think the problem is or maybe what caused this is that with the demise of Twitter, people, a lot of people looked to LinkedIn as the next place for them to do their social media.
Joe Carrigan: That's a terrible idea. Go back to go back to Twitter and yell into that void. You know, that's what you do.
Dave Bittner: Yeah.
Joe Carrigan: Don't destroy your network, you know, your business network. That's probably one of the most valuable assets you have. Anyway, I digress. Anyway, I found that you could block political content on LinkedIn.
Dave Bittner: Oh, that's good.
Joe Carrigan: Once I did that, I found that was very effective.
Dave Bittner: Okay, well, that's good.
Joe Carrigan: So LinkedIn does a good job there, but they are apparently not doing a good job with fraudulent accounts. So if anybody has any idea, we would love for anybody who knows how to penetrate the bureaucracy at LinkedIn.
Dave Bittner: Right.
Joe Carrigan: Or if there's any tools that that are out there that are low cost or free of charge, I would love to know about them.
Dave Bittner: Yeah. I wonder if there's some kind of magical incantation, like a word you can use to get their attention where they cannot ignore you.
Joe Carrigan: There's four words you can use, class-action lawsuit.
Dave Bittner: Yeah. I was thinking like either I live in the European Union. That might be one.
Joe Carrigan: Right.
Dave Bittner: And then, you know, more dark, I would say child sexual abuse material. Tat would get their attention. But then, you know, you're lying.
Joe Carrigan: Yeah, you don't want to be the one that cries wolf.
Dave Bittner: Right. Exactly.
Joe Carrigan: Especially with that wolf.
Dave Bittner: No, but I think, you know. But you know what? I was thinking about this before the show. I was looking over our show notes, and I was thinking about this very thing. And I think this is part of the problem with, again, these huge companies. If this were a company that was just doing business in my state --
Joe Carrigan: Right.
DaveBittner: -- or had its headquarters in my state, or dare I say, was even a company that ran at a human scale. I would say you could call your state's attorney's office or your state's, you know, Division of Consumer Affairs.
Joe Carrigan: Right.
Dave Bittner: And maybe get some relief from them, get them involved. You know, it's like our pal, Mallory Sofastaii.
Joe Carrigan: Right.
Dave Bittner: Our local, you know, news affiliate to be able to take some action on this, but you can't. There's no way to do that with a company at a global scale.
Joe Carrigan: Right.
Dave Bittner: It's really frustrating.
Joe Carrigan: It is. It is terribly frustrating.
Dave Bittner: Yeah. Well, good luck to our listener, and like Joe said, if somebody knows the secret to getting some action here, we would love to hear it, and we will share it.
Joe Carrigan: Yep.
Dave Bittner: All right. Well, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. Joe, I'm going to start us off with our stories this week, and I have good news.
Unidentified Male: Good news, everyone.
Joe Carrigan: So finally, because my story is not good news.
Dave Bittner: Okay. Well, we'll have that to look forward to.
Joe Carrigan: Yes.
Dave Bittner: So there was a international global law enforcement operation that took down an organization called LabHost, and LabHost was a phishing as a service platform. So this was an organization where, let's say you fancy yourself a cybercriminal.
Joe Carrigan: Let's say I do.
Dave Bittner: And you've decided that phishing is how you're going to do your dastardly deeds.
Joe Carrigan: That's right. Very lucrative. Why wouldn't I do this?
Dave Bittner: Right. You could reach out to LabHost, and you could buy their services. You could buy a subscription because everything's a subscription now, Joe.
Joe Carrigan: Right.
Dave Bittner: You could buy a subscription, and they would offer you phishing kits that would let you do the things you needed to do, impersonate things like North American banks, you know, all that sort of thing, and so they would, basically, provide all of the behind the scenes infrastructure for hosting your phishing pages, for sending out the phishing emails, and everything you need to -- basically a turnkey solution to do this sort of thing. So as we're recording this, just in the past couple of days, Europol with partners all over the world, took this organization down. They arrested 37 people. They said that they have uncovered 40,000 phishing domains with 10,000 users worldwide.
Joe Carrigan: So there are 10,000 people out there that were customers of these guys?
Dave Bittner: That's how I read this. Yeah.
Joe Carrigan: Huh.
Dave Bittner: Yeah. Their real-time phishing management tool was named LabRat.
Joe Carrigan: LabRat.
Dave Bittner: Write your own joke.
Joe Carrigan: Right.
Dave Bittner: And it evidently could bypass multi-factor authentication. Australia took down over 200 servers. The folks in the UK, who I believe led this effort, they arrested four people. They say that LabHost earned about $1.1 million from subscriptions, and that they were responsible for the theft of 480,000 credit cards, 64,000 PINs, and over a million passwords. So, you know, I don't -- it's hard to know what the global scale of these sorts of things are and whether or not this is going to make a dent.
Joe Carrigan: I'm going to say that these numbers are probably low.
Dave Bittner: Yeah.
Joe Carrigan: That they probably cracked or are responsible for more than half a million credit cards and one million passwords.
Dave Bittner: Yeah. That's fair.
Joe Carrigan: I'm going to say that that's -- because they have amassed over $1.17 million. These are presumably subscriptions.
Dave Bittner: Right. Exactly.
Joe Carrigan: From 10,000 people.
Dave Bittner: Yeah. And they've been in business since 2021, so about three years.
Joe Carrigan: Okay.
Dave Bittner: Yeah.
Joe Carrigan: So they were doing all right.
Dave Bittner: You know, I mean, it's a -- I was going to say a respectable business. No, it's not that.
Joe Carrigan: No, it's not.
Dave Bittner: It's a business. It's a sustainable business, I guess, is the way to put it. I guess the other thing that strikes me about this is that it seems as though these folks were in the reach of Western law enforcement.
Joe Carrigan: Yeah.
Dave Bittner: So think about all the people who are up to this sort of thing who are not within the reach of Western law enforcement.
Joe Carrigan: Right.
Dave Bittner: You know, the usual suspects.
Joe Carrigan: Yeah.
Dave Bittner: Russian countries, folks in China and so on and so forth. North Korea.
Joe Carrigan: North Korea, India.
Dave Bittner: Yeah. The usual places. But, you know, good news. I mean, I think if something like this can cause the folks who are considering doing this to think twice or have them looking over their shoulders, you know, I think this is a good effort. So I applaud Europol and the rest of the law enforcement agencies who are involved with this, and hopefully, it makes a dent in this kind of thing.
Joe Carrigan: I hope it does.
Dave Bittner: Yeah. All right. That is my story this week. Joe, what do you have for us?
Joe Carrigan: Dave, my story is not good news. Like I said earlier, my story is, frankly, just awful.
Dave Bittner: Okay.
Joe Carrigan: And this story was sent to me by Euclid on LinkedIn, and Brandian also sent it in through our web portal, I think.
Dave Bittner: Okay.
Joe Carrigan: Sent us an email somehow, anyway, and it's about a woman named Loletha Hall. She was shot and killed by a scamming victim. So this guy shot her when she showed up to her house, or his house, rather, thinking that that Ms. Hall was part of the scammers network.
Dave Bittner: Okay. So let's back up a step. Can you walk us through, like, tell us the tale of what was going on here?
Joe Carrigan: Yes. So what happened is this 81-year-old man named William Brock has been getting fraudulent phone calls from scammers demanding money, and they were threatening him for weeks leading up to this event. And then on the day of the shooting, one of them called him telling him that a relative was in jail, and they demanded money from him and then placed an order via Uber for someone to collect a package from his house.
Dave Bittner: Oh.
Joe Carrigan: Right? Ms. Hall accepted the Uber job as an Uber driver.
Dave Bittner: Okay.
Joe Carrigan: And when she got there, Mr. Brock thought this is one of the scammers, pulled out a gun, and an altercation ensued, and Ms. Hall is now dead, and Mr. Brock is now facing murder charges.
Dave Bittner: Yeah.
Joe Carrigan: This is terrible all around. There is no good outcome here for anybody involved. But I wanted to talk more about the inner workings of how this happened. If you want to go out and read this story, you can see it online. It's a tough read.
Dave Bittner: Okay.
Joe Carrigan: It's not easy to get through the story, but really, what is happening here is that it's only possible because of this product from Uber called Uber Connect.
Dave Bittner: Okay.
Joe Carrigan: Uber Connect is, essentially, using Uber as a courier service.
Dave Bittner: Right.
Joe Carrigan: So Uber started as just having taxi service from one place to the next. Then they did Uber Eats.
Dave Bittner: Right.
Joe Carrigan: And now they're also doing Uber Connect.
Dave Bittner: Okay.
Joe Carrigan: Right? Which I guess it's a good, you know, it's a good adjacent market for them to move into.
Dave Bittner: Sure.
Joe Carrigan: But I have a friend who's an Uber driver.
Dave Bittner: Okay.
Joe Carrigan: And before the show, I called him, and I told him I was going to talk about this story on the show, and I asked him if it's okay if I asked him about this and tell about it. He gave me some insights that I'm free to share, I should say.
Dave Bittner: Okay. All right.
Joe Carrigan: And I said, do you use Uber Connect? Do you do Uber Connect for any of your rides? He says, no, I don't, but one time somebody summoned me as an UberX, which is just a guy with a car that drives around, right?
Dave Bittner: Yeah.
Joe Carrigan: And I showed up, and somebody just put a package in the back of my car and they said, see you later. And I was like, aren't I supposed to take somebody? He said, no, you're supposed to take this package. And he says, I got an order for an UberX, which means I'm supposed to give someone a ride. And they said, well, can you deliver the package? So he delivers the package.
Dave Bittner: Right.
Joe Carrigan: Right? And he says he's going to this place, and he decides for himself if he gets into the parking lot of this place and there's no one around, he's just leaving. But as soon as he gets in the parking lot, there's someone there waiting for him. They open the door. They take the package out. They say, sorry about the confusion. I didn't mean to order an UberX, I meant to order an Uber Connect.
Dave Bittner: Okay.
Joe Carrigan: And he takes the package, and he leaves. His next Uber rider, and the next two Uber riders after that, are on the phone with people, and he overhears them saying something about the smell of weed.
Dave Bittner: In the car.
Joe Carrigan: In the car.
Dave Bittner: Okay. Gee, I wonder what was in the box, Joe.
Joe Carrigan: Right. So he gets out. Sure enough, the back of his car reeks like weed. He had to get it cleaned out. It took two days for the smell to dissipate.
Dave Bittner: Okay.
Joe Carrigan: So essentially, it looks like Uber Connect is just Uber's drug running service.
David Bittner: Well, I mean, not exclusively, but you can see how it would be handy for that.
Joe Carrigan: Right. Absolutely. So we talk about these scams. Like a couple weeks ago, we talked about the place in the Philippines, the scam center in the Philippines, where people were essentially enslaved to run these romance scams. These kind of situations are no different. When someone shows up at your house to pick up something you're being scammed out of, that's probably not the scammer.
David Bittner: No.
Joe Carrigan: The scammer is going to send somebody.
David Bittner: No, certainly not. I mean, it's a mule, right?
Joe Carrigan: Right.
David Bittner: I mean, yeah.
Joe Carrigan: The scammer is going to send somebody over for exactly the reason of avoiding what happened here.
David Bittner: Right.
Joe Carrigan: Where, you know, unfortunately, Ms. Hall did not survive the event. You know, I don't know what the solution here is, aside from people being aware that if you're being scammed, that, first off, pulling a gun on somebody who's scamming you is probably not a good idea, to say the least.
David Bittner: Yeah. Yeah. Taking the law into your own hands is essentially what Mr. Brock is accused of doing.
Joe Carrigan: Right. Right. We could have a whole gun rights debate, but that's not what this is about.
David Bittner: Yeah.
Joe Carrigan: This is about people being exploited as part of this system, this scamming system, and they're exploiting Uber, which I'm not going to say Uber shouldn't have this service. I can absolutely see that this is a legitimate service.
David Bittner: Sure.
Joe Carrigan: But, you know, when you're in the middle of a scam, you've got to think the person you're dealing with may also be a victim. Like I said before, it could be, it's victims all the way down. And I don't even know how many layers of insulation there are before you actually get to the person who is the actual evil mastermind behind everything.
David Bittner: Right.
Joe Carrigan: Before there's somebody who's actually guilty of a crime.
David Bittner: Well, and I think about, you know, again, the poor victim of this, Loletha Hall, who was the woman who was shot and killed. She's just, you know, minding her own business, doing her job --
Joe Carrigan: Trying to make a couple extra bucks, right?
David Bittner: Right. She shows up not knowing that Mr. Brock has had this history with these scammers. He's probably fed up.
Joe Carrigan: Yeah.
David Bittner: He's been put into a heightened emotional state because the scammers told him that a relative was in jail.
Joe Carrigan: Right.
David Bittner: So he's probably not in his right mind. You know, let's just, I mean, that's plausible anyway.
Joe Carrigan: Yeah.
David Bittner: And so Ms. Hall walks into an altercation she wasn't expecting, obviously, she didn't deserve.
Joe Carrigan: No.
David Bittner: And it leads to this tragedy.
Joe Carrigan: Yeah.
David Bittner: What I wonder is like, does this also speak to a lack of vetting on, say, Uber's point of view? Or is it just the fact of a cost of doing business that sometimes people are going to have a burner phone and a stolen credit card, and they're going to sign up for Uber.
Joe Carrigan: Right. I thought about that, too, and that's exactly what I what I think this situation is. It's a burner phone and a stolen credit card.
David Bittner: Yeah.
Joe Carrigan: And, you know, there's probably no way to trace this back to an individual. There probably isn't any real information in that Uber account.
David Bittner: Right. No, it's just it's just awful.
Joe Carrigan: It is.
David Bittner: You want to say, we want to remind people, like you said, to have empathy for the folks you may cross paths with in the course of a scam. But it's also like, did -- I don't know, did Mr. Brock know that he was being scammed at this point?
Joe Carrigan: I would say he did. Although --
David Bittner: Who knows?
Joe Carrigan: I think that's what he said to the police as well.
David Bittner: Okay.
Joe Carrigan: There's quotes in there about the sheriffs or the deputies that said he volunteered a bunch of information when they got there.
David Bittner: Sure. Sure. All right. Well, we will have a link to that story in our show notes. And again, if there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. All right, Joe, we're going to switch gears here and it is time for our Catch of the Day. ( Soundbite of Reeling-in Fishing Line ) [ Music ]
Joe Carrigan: Dave, our Catch of the Day comes from Robert, who writes, "This seems like a scam, but I'm not sure where it would lead. It looks like some other people have gotten an email like this, too, but mostly different URLs, companies applying to register names, but interestingly enough, the address seems to be the same in at least the scam I received and a couple of others." So thankfully, Robert only sent us a picture of the email he received.
David Bittner: Yeah.
Joe Carrigan: Not text. So it's in Infoonity, Infoonity. It's from -- it's Innfunity.
David Bittner: I think it's about Infoonity.
Joe Carrigan: Infoonity. All right. Well, it goes like this. "Dear Sir/Madam, this email is from China Intellectual Property Office, which mainly deal with Chinese brand name and domain name, et cetera. Here we have something to confirm with you. A company named Tepta International Limited was applying to register Infoonity as its Chinese brand name, some domain names. But after our audit work, we found that the keyword are the same as your company name. Because this registration will determine the ownership of the brand name, we need to check with you whether your company has authorized Tepta International Limited to register the Chinese brand name and those domain name and whether you have dispute about this registrations. If you authorize this, we will finish the registration as per our duty. If you did not authorize, please contact us by email in time so that we will handle this issue better. Thanks for your cooperation. Looking forward to your prompt reply. Best regards, Delbelio Xiao." And then it has a phone number and says that he's from somewhere in China. Yeah. So what do you make of this?
David Bittner: I don't know. First off, perhaps Infoonity is a real domain. That's possible. Robert might own like infoonity.com. I don't know, and maybe we're outing Robert here. I hope not, but it could also just be a random string of characters that somebody threw together to try to make something that sounds good. But a lot of this information on domains is public information. Just use WhoIs. I'm not sure. Okay. I just went to infunity.com.
Joe Carrigan: Right.
David Bittner: It's information security awareness for beginners. Explore Infoonity's content designed to elevate your security posture, email scam, phishing deep dive series. The plan is to release fictional but specific examples of email scams. This is useful for people in the workplace who need to stay safer from email scams. It's still being decided if this will be a free or paid series. If this is a free series, then it may be used to help advertise the online measured security analysis consulting project that, as of,writing is being worked on. I don't know what's going on here, Joe. Is trying to pull a fast one on us?
Joe Carrigan: I have no idea. This doesn't make any sense to me. So maybe we'll get some follow-up from Robert or some somebody else knows what's going on. I would say do not respond to this email. Do not respond to this email. This is almost certainly a scam, and there's nothing to stop anybody from registering the same domain name with these two letter top level domains.
David Bittner: Yeah. Yeah, and I mean, yeah. They don't need your permission to do that anyway.
Joe Carrigan: Right.
David Bittner: Right? If they're in China, you're here. You have no recourse if they do. So it wouldn't make sense for a Chinese domain authority, if the China Intellectual Property Office even exists, it wouldn't make any sense for them to reach out to you.
Joe Carrigan: Right.
Dave Bittner: I don't know. I don't know where this leads, if it even is a thing, but I don't know. There's a lot of odd things about this. What I don't know is what Robert's relationship is, if anything, to Infoonity. I mean, Infoonity seems to be some kind of startup that's aiming to do information security awareness.
Joe Carrigan: Right.
Dave Bittner: So I don't know.
Joe Carrigan: I don't know either. I don't know. Don't respond. Don't respond. It's only going to try to get more personally identifiable information out of you and probably ask you for a credit card number to assure that some protective service is installed. It's a racket.
Dave Bittner: Yeah. Who knows?
Joe Carrigan: Yep.
Dave Bittner: All right. Well, again, we would love to hear from you. If there's something you'd like us to consider for our Catch of The Day, you can email us. It's hackinghumans@n2k.com. [ Music ] Joe, I recently had the pleasure of speaking with Roger Grimes. He is the data-driven defense evangelist at KnowBe4. We're talking about his new book, Fighting Phishing, Everything You Can Do to Fight Social Engineering and Phishing. Here is my conversation with Roger Grimes.
Roger Grimes: Well, for one, I just never have come across a source that literally had everything in one place that someone could use to fight social engineering and phishing. That's really what it came to. You know, for every type of cyberattack, you need to create three major types of defenses, and that is policy things, which is, you know, that's like telling people, make sure you lock your desktop when you walk away. Make sure that you don't give your email away to people that send you an email, you know, that sort of stuff. You have policies that set particular types of expectation and behaviors. Then you have technical defenses, which are things like your firewalls, your content filtering, your antivirus, your endpoint detection and response software, that sort of stuff. That's really great. That's the stuff that we try to stop bad things from getting to end users, but no matter how great your technical defenses and policies are, there's always some amount of phishing and social engineering that's going to get to the end user. And so they have to be trained to be able to recognize that they're being socially engineered, how to appropriately mitigate it, which sometimes is just delete it. Other times it's report it, and in a corporate environment, making sure that they certainly report it, you know, appropriately report it, so that IT or IT security knows that it's going on.
Dave Bittner: Can you help us kind of level set here? I mean, I think for folks like you and me, who are kind of in this every day and thinking about it and talking about it, we have a certain level of awareness. But for someone who's not at all in cybersecurity, just, you know, doing their day-to-day work at their job, using their work computer, that sort of thing, where is their head when it comes to this kind of stuff? Is this on most people's radar?
Roger Grimes: You know, I think everybody is aware of social engineering and phishing. I think most people aren't aware that social engineering and phishing is involved in 70 to 90% of all successful data breaches. So I think people are aware of it. They certainly, you know, you're getting those weird texts to your phone. You're getting scam phone calls, you know, trying to offer you maybe a car warranty or something like that. You're seeing the emails. You're seeing the weird website things that tell you maybe that you need to update your software when you know that you already have. So I think everybody is kind of aware of it, but most people aren't aware of just how important it is. If we literally, because social engineering phishing is involved in 70 to 90% of all successful data breaches, if we're able to address just that one thing, which is to put down social engineering and phishing, it would get rid of 90, 70 to 90% of all cybersecurity risk, just fixing one thing.
Dave Bittner: Do you think that's something that is realistic to aspire to?
Roger Grimes: Yeah, I mean, I don't know if you -- I don't think you're going to be able to get rid of it altogether. You know, it's like saying that you can get rid of all crime, but I think you can more appropriately. The problem is, is that the average entity doesn't spend 3% of their resources to fight it, and it is that fundamental misalignment that it's the largest method of cyberattacks, and that we literally don't respond in telling people how to recognize it and defeat it that allows it to be so successful for so long. It's been the number one method for over three decades and it continues to be. We keep treating it like it's part of the problem when it really is the majority of the problem. Nothing else is even close. The thing that comes in next best, as far as causing the largest number of cyberattacks, is patching and/or having unpatched software and firmware. And that's responsible are involved in about 20 to 40% of attacks, and social engineering and unpatched software oftentimes go together. Those two things together, fighting social engineering, patching your software and firmware, if more companies did them, it would get rid of 90 to 99% of the risk that most organizations face, but yet, altogether, most organizations don't spend 5% of their budget to fight it. And like for social engineering, they don't spend 3% of their budget. And then they wonder, like they throw their hands up going, well, we can't beat it. There's always going to be somebody in our company that can be socially engineered. Well, I'm not sure if that's true if you're spending something more than 3% of your budget to fight the number-one problem by far.
Dave Bittner: How do you recommend that organizations dial in the various tools they have at their disposals here? I mean, we talk about policies, education, and then technical strategies. How do they go about turning those knobs?
Roger Grimes: Well, you know, I think first you have to communicate to senior management that social engineering and phishing is the number one problem by far, so they can free you up to make resource decisions, to buy the right things, to have the right policies, to get the right amount of education. Most companies in this world don't even educate people to fighting social engineering, and the ones that do, that actually have a security awareness training program, only do training once a year, which is the same as almost not doing it. The reality is you need to have it far more frequently, like at least training once a week, simulated phishing campaigns at least once a week, and the nice thing about the simulated phishing campaigns is you train somebody to say, well, you know, you shouldn't do this or do that. And then you can send a simulated phishing test and see who in your organization, you know, already has the education or learned from the education and doesn't click on the phishing test. And then people that do still click on the phishing test, they get more immediate training. So that's one of the nice things about simulated phishing is that you can immediately identify the people that need more training and the people that have enough training right now.
Dave Bittner: How do you measure success with a program like this? How do you know that your investment is paying off?
Roger Grimes: I mean, ultimately, it's that, you know, your company doesn't get compromised due to social engineering or phishing. That's really the ultimate goal is that you can say that either we're not compromised, or we don't have people clicking on real phishing tests. You know, so like with our software, you can measure something we call the phish prone rate, which is the rate at which people will click on a link within a simulated phishing email. Well, when the average company customer comes to us, about a third, sometimes much more, sometimes 40, 50% of their employees will click on a phishing link. I mean, even the emails that we craft to do the original kind of base test, the average IT person looks and goes, nobody is going to click on that. You know, it's obviously a phishing email. It misspells our company name, and still everybody clicks on it. By the time they get the appropriate training and simulated phishing tests, you can get that down easily to 5% versus 30 or 40 or 50%. And, you know, most of our customers that are following what we say, which is monthly training and monthly to weekly simulated phishing, they get it down to like 1 or 2 or 3%. You know, and that's really what we have to do is appropriately focus the right amount of resources in the right places, you know, to put the right defenses in the right places in the right amounts against the right things. And that includes fighting social engineering and phishing. And again, even better patching, like everybody knows you're supposed to patch. I mean, we've heard -- all of us know that. But there is a reason why unpatched software and firmware are still involved in about a third to 40% of attacks, and that's because we're actually not concentrating well enough on making sure we do have those patches in a timely manner, and we're just not focusing correctly on the right things in the right amounts to stop it, or else we would do a far better job. Instead, ransomware and other threats run rampant, and we throw our hands up and, you know, people conjure these visions of these uber-smart hackers and, you know, you'll never be able to keep them out. That's not so much the problem is we're not doing the basic things that we've known we've had to do for three decades. We're just not doing well enough. It's almost like we're not even trying at times.
Dave Bittner: You know, certainly generative AI has caught everyone's imagination, and I'm wondering, from your perspective, how has this changed the game, if at all? Or are you seeing the phishing campaigns growing more sophisticated or where are we with that?
Roger Grimes: Yeah, for sure, AI has created more realistic phishing and phishing attacks. There are people that are falling to AI-generated social engineering and phishing attacks every day. I think one of the most notable ones recently was this guy that secretly transferred $25 million to these social engineers, and the social engineers used AI to generate members of his own team attending a Zoom call to convince him to transfer $25 million. So his team members didn't attend the Zoom call. It was all fake generated. He said he was even suspicious of the request at first, but when he had all of his team members tell him that he needed to do it, just went and transferred this $25 million. It sounds insane, but, you know, it just depends on the circumstances and the motivations and stuff. Now, my issue with AI, I think AI is a game changer paradigm. It's going to change everything in the world, not even just computers. Everything we do is going to be improved by AI, some assisted AI agent assisting people that help us and create products and stuff like that. It is also, sadly, going to increase cybercrime, but the question is, we don't really know how much. Let me say again that social engineering is already involved in the 70 to 90% of all successful data breaches. That's without AI, and now we have AI added. So no one knows how much worse it's going to make it be, let's suppose that cybercrime already is 100 miles tall. Is it going to make it another mile worse or, you know, another 100 miles worse? We don't know, but what I will say is that AI is going to make cybercrime worse in some percentage. But at the same time, like in social engineering, whether it's AI generated or not, once you're aware that audio and video over the Internet and stuff can be faked, the message when someone's telling you to go make this $25 million, you know, payment that you didn't think you're going to make, well, if you have the right policies, that just can't happen. That person, if you have a certain set of policies that say that there needs to be an appropriate invoice, and there has to be accounts payable checks and accounts receivable, and if not, you'll get fired, that person that's being told to make a quote-unquote secret $25 million payment is not going to do it. And, you know, most phishing attacks have two traits with them. Let me say most, not all, but the first is that they arrive unexpectedly. You weren't expecting it, and somehow you get a request to do something. And that request is asking you to do something that you've never done before, at least for the requester. And those two traits are going to stay the same for most social engineering and phishing attacks, whether or not it's AI generated or not.
Dave Bittner: What's your advice for folks who are looking to better protect their family members? I'm thinking of, for myself, I have an elderly father who, as he slows down in all the age-appropriate ways, sometimes I can't help thinking that he's kind of a sitting duck out there, you know, for these folks who are targeting folks in his position. Any advice there?
Roger Grimes: Yeah. Well, I mean, so kind of what I've said from the beginning, which is you really need to tell them that most of the hacking is done through social engineering. That you cannot trust anybody, whether they call you, you meet them in person, whether they email you, message you. You literally have to teach everyone, including your loved ones, including your elderly loved ones, that any call, any request from somebody that you don't know personally, and you're not meeting them in person, the rest of it can be fake. The phone can be fake. The internet can be fake. Email can be fake. The SMS call can be fake. The person that sounds like your best friend or your grandchild on the phone, it can be faked. And so you have to educate them about how all of that can be faked, how you can't trust anything remotely, you can't trust a lot of things even in person, and to have a healthy level of skepticism. The number one thing you can do is teach yourself, your loved ones, your family, your friends, your co-workers, to have this healthy level of skepticism about any request that has those two traits, arrives when you weren't expecting it and is asking you to do something strange that you've never been asked to do before, at least for that requester. And if you can communicate that, that, hey, there's all this fraud out there. There's all these people that can fake being other people. You can't even trust, if it's my voice. If it arrives unexpectedly, and it's asking you to do something that you've never done before, at least try to verify it using some other method that you trust more before you perform that action. [ Music ]
Dave Bittner: Joe, what do you think?
Joe Carrigan: Dave, I like one of the first things he talks about here, is that for every threat, you need three types of defenses, and I would say this is generally across the board with everything. You need these. You need policy defenses. You need tech defenses, and you need defenses for your people, and the best way to do that is training.
Dave Bittner: Yeah.
Joe Carrigan: Something we frequently forget as cybersecurity practitioners, is that not everybody lives and breathes this stuff like we do. They're not steeped in it every day, just trying to get their jobs done. Now that being said, that is kind of the reason that, as Roger points out, 70 to 90% of the successful breaches have some social engineering element.
Dave Bittner: Yeah.
Joe Carrigan: So if we could fix that part of the problem, we could easily stop the majority of breaches, right? If you think about the cybersecurity or the cyber kill chain, right?
Dave Bittner: Right.
Joe Carrigan: You know, everybody likes to say, we have to be right all the time, and the bad guys only have to be right once. No, they don't have to be right once. They have to do a bunch of different stuff to win the fight, to get inside, and there's a lot of different opportunities along that path to stop them. And of course, if you can stop them at the social engineering part of the attack, then you can eliminate 70 to 90% of your attacks. Now that's simple, and it is that simple, but it's not that easy, right?
Dave Bittner: Right?
Joe Carrigan: Those are two different things. A simple solution is not necessarily an easy solution.
Dave Bittner: Right.
Joe Carrigan: So Roger makes an excellent point that we keep treating this like it's part of the problem, but the fact is that social engineering is the majority of the problem. It is the biggest single component that's present, or I should say, it's the component that's present in the most number of attacks. The second-most number, he points this out, the second-biggest thing that's present in the most number of attacks is patching, you know, patch management failures.
Dave Bittner: Right.
Joe Carrigan: And that comes in at like 20 to 40%, so like well below half. And we're not spending enough security budget on security awareness training to know what this looks like, to know what social engineering attacks look like, and I agree 100% with Roger. I say this frequently in my talks, that training once a year is almost as good as not doing it at all. You are definitely checking a box to comply with something, in my opinion.
Dave Bittner: Right.
Joe Carrigan: You need to be doing this training much more often, and the reason you need to be doing that training much more often is because you need to think about how people remember things and the time horizon of the last time you trained them. If that last training was like six months ago, that's not in anybody's head anymore.
Dave Bittner: Yeah, it has to stay top of mind.
Joe Carrigan: It's gone, but if you keep it in front of them every month or every two weeks or every week, and it doesn't have to be a big time suck every time you do it. It can be small little increments every single time that can add up to about the same time they would spend in the annual briefing. So think about that. You can absolutely measure the success of your program and companies like KnowBe4, who is our sponsor, by the way, and have these ways that you can see how well you're doing, and it's interesting that the more frequent your training, the better your results are, the more resistant to the attacks your people get. That's kind of just saying that the data says what I just said.
Dave Bittner: Yeah, right?
Joe Carrigan: But truly, the best measure of success is nothing happening, which is, again, part of the big problem in cybersecurity is that when we're successful, nothing happens.
Dave Bittner: Right. We spent all this money, and nothing happened.
Joe Carrigan: Yep, you're welcome.
Dave Bittner: Right.
Joe Carrigan: You didn't have to get on CNN and explain anything.
Dave Bittner: Right, right.
Joe Carrigan: That's the way you spin it. It all comes back to the basics, though. You know, we're still talking about security awareness and patch management. You know, still, a lot of companies are not doing these two things, and there are other things you can do as, well that, are, essentially, very basic that I think that just gets lost in the weeds. We all like to look at the new shiny product, right?
Dave Bittner: Yeah.
Joe Carrigan: The one with all the lights and the bells and the whistles. How do you communicate this? How do you protect people in the office and even people who are not in the office? I think Roger has an excellent summation here where he talks about a healthy dose of skepticism whenever you see communication that has two traits. He makes it very simple with just two traits. He says, you're not expecting the communication, and it's an unusual request.
Dave Bittner: Yeah.
Joe Carrigan: If you're not expecting this unusual request, then it's probably a scam.
Dave Bittner: Right, right. Big old alarm bells going off.
Joe Carrigan: Yeah. You should be like, slow down. We're not good.
Dave Bittner: A-oo-gah! A-oo-gah!
Joe Carrigan: Right.
Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Roger Grimes for joining us. Again, his new book is titled Fighting Phishing, Everything You Can Do to Fight Social Engineering and Phishing. We do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpie. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening. [ Music ]
