Q: Cybercrime seems to hurt all of us. What might the future of cybercrimes look like?
Jeff Lanza: Cybercrime is so unique because it affects so many different types of people and companies. For example, a gigantic global shipping company whose ships are in the middle of the ocean can be literally crippled by a ransomware attack. Cybercrime can also affect a retiree who is on their home computer and connecting with someone who’s trying to get them to buy gift cards, or to fix a problem on their computer that they don’t really have.
Cybercrime can range from nation states to governmental military organizations to someone hacking on a small island in the middle of the Atlantic Ocean. Unfortunately, a lot of cybercriminals are out of the FBI’s reach. Because they are not within the jurisdiction of law enforcement agencies around the world, these criminals are not going to be extradited to the United States to face charges and there are no consequences or deterrents. So the crimes continue.
As for the future, I think ransomware is the next variation of cybercrime as criminals try to mutate around our defenses. They are holding companies’ files hostage and, in some cases, exfiltrating those files and holding them for ransom until money is paid. I think we may even see cybercrime protection as a service offered by criminals – meaning, you pay us money and we’ll make sure you don’t get hacked.
Q: If my data is accessible online, am I compromised or not?
Lanza: The information that you put out on social media can be used to build a profile of you by criminals, and every piece of information could be used to potentially steal your identity. I once had a financial advisor’s client get their bank account hacked and they wondered how the cybercriminals overcame the two-factor authentication the bank had in place – those codes that were sent to the phone as additional measures to prevent bogus or fraudulent logins. Well, the criminal had done SIM card swapping. They got the phone number of the victim switched over to their own phone by calling up the cell-phone provider and convincing them that they were the legitimate phone owner. They were able to answer challenge questions and birth dates because a lot of people put that information on social media. So anything we put out there is potentially liable or capable of being used against us. For fraud protection, we have to be careful what we put on social media.
Q: How has the Covid-19 pandemic impacted the digital world and network security?
Lanza: Creating a secure work-from-home environment is the issue. Because outside the company firewall you have fewer protections. Maybe you have non-secure wireless networks in a home or you’re not using a virtual private network (VPN) to help secure your work transactions and communications. You might click on a phishing email and download malware or go to a website and you get a drive-by download and that malware infects the network.
I think an important component of securing us during these pandemic times is a lot of good education and telling people how important it is to avoid links in emails from unknown or suspicious senders.
Q: It seems like the financial industry is highly proactive in cybersecurity. But is it exposed to more risk?
Lanza: Here’s an example of risk and what can happen. In 2016, the biggest fraudulent wire transfer in history affected the financial industry when the Bank of Bangladesh was victimized. Their money was being held at the New York Federal Reserve Bank in New York. On a weekend when cybercriminals knew there would be less oversight, they stole the login credentials of a bank employee and ordered a wire transfer of $100 million to a third party outside of the Fed.
The cybercriminals had all the credentials they needed to do the transfer. But it would have been a billion-dollar transfer if one of the criminals hadn’t spelled a word wrong in one of the transfer requests. Someone at the Fed saw the misspelled word and stopped all further wire transfers until they got it figured out.
So this type of crime can occur on a big level, but can also occur in financial advisors’ accounts, because email accounts are being hijacked by cybercriminals. They simply change the beneficiaries, routing number, and account number to their bank account. Even if a financial advisor were to call and verify the wire transfer, they may not verify the specific instructions and then the money goes to the criminal’s account. So the rule is, always verify wire transfers by phone and the specific instructions regarding those transfers.
Q: Banks have improved online authentication, so is it more difficult today to hack into bank accounts?
Lanza: Cybercriminals started stealing bank login credentials years ago. So banks got better at preventing accounts from being hacked by forcing customers to use strong passwords and stepping up multi-factor authentication when they didn’t recognize the login attempt from a computer that the bank hadn’t seen before.
But then the criminals mutated and changed their ways and started committing “business email compromise.” This is when they hijack email accounts or set up domain names that look like the company’s name – only there is an extra letter in the name, or they switch letters around, and people don’t notice. A lot of money has been lost this way. That’s why having alerts on your bank accounts is really important, so you’re notified when money moves.
Q: What is your recommendation on handling a ransomware situation?
Lanza: Do not pay the ransom for three reasons. Number one, you are not guaranteed you are going to get your information and the encryption key back. Generally, you will, but there is no guarantee. Second, if you pay, you are tagged as a payer, and you might get hit again. Third, a lot of times when someone pays ransom, that money can be used to fund other criminal activities – like human trafficking and terrorism activities – and criminals generally generate money to fund big operations by doing ransomware attacks. So you may be encouraging other illegal activity by paying ransom.