Once dubbed the “Original Internet Godfather,” Johnson created the online criminal forum “Shadowcrew,” an organized network through which criminals bought stolen credit cards, Social Security numbers and more. Johnson’s fraud activity earned him a place on the U.S. Secret Service’s Most Wanted List. Now, Johnson advises Fortune 1000 companies on how to spot and prevent fraud. In SVB’s fraud prevention webcast, Confessions of a Fraudster, Johnson explained how to think from the fraudster’s point of view. Here are Johnson’s key insights:
Here’s how it works – start with identity theft
To access your financial accounts, cybercriminals first steal your identity. They start by creating a “Fullz,” a stolen identity profile that includes your name, address, phone number, Social Security number, date of birth, mother’s maiden name and any other access or personal data they can gather. If criminals don’t want to build these “Fullz” profiles themselves, they can easily buy them on the dark web for as little as $20 per individual, Johnson says.
Email compromise in six easy steps
Cybercriminals gain control of your email by using “phishing” techniques that mimic your official email domain. It looks like your email, but it isn’t. Once you click on the fake link in the email or respond to the phishing email itself, you have invited the fraudster to take over your device and send emails out on your behalf. The FBI estimates that $12.5 billion is lost each year due to business email compromise. The number of identified global exposed loss compromises has increased 136 percent between December 2016 and May 2018 (FBI Bulletin 2018). As Johnson says, criminal “…phishing and especially spearphishing (targeted phishing attempts) will get you eventually. It’s a bad lottery you don’t want to win.”
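To make the domain-mimicry point concrete, here is an added example (not from SVB or Johnson’s presentation) that flags sender domains resembling an organization’s own domain so they can be reviewed before anyone acts on the message; the organization domain example-corp.com, the homoglyph table and the sample From: headers are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Hypothetical organization domain (assumption for this example, not from the page).
ORG_DOMAIN = "example-corp.com"
# Visual substitutions seen in lookalike domains (constructed list, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def sender_domain(from_header):
    """Return the lowercase domain part of a From: header value, or None."""
    match = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return match.group(1).lower() if match else None

def normalize(domain):
    """Collapse digit/letter swaps and letter pairs that render like one letter."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def classify(from_header, org_domain=ORG_DOMAIN):
    """Label a From: header as internal, lookalike, external or malformed."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    # Exact match or a genuine subdomain of the organization domain.
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    # Organization domain embedded as a prefix, e.g. example-corp.com.attacker-mail.net.
    if org_domain in domain:
        return "lookalike"
    norm, norm_org = normalize(domain), normalize(org_domain)
    if norm == norm_org:
        return "lookalike"
    # Near misses such as a dropped letter or a swapped top-level domain.
    if SequenceMatcher(None, norm, norm_org).ratio() >= 0.85:
        return "lookalike"
    return "external"

def flag_suspicious(headers, org_domain=ORG_DOMAIN):
    """Return the headers that deserve a second look before anyone acts on them."""
    return [h for h in headers if classify(h, org_domain) in ("lookalike", "malformed")]

# Constructed sample From: headers for demonstration.
SAMPLE_HEADERS = [
    "Alice <alice@example-corp.com>",
    "HR <hr@mail.example-corp.com>",
    "CFO <cfo@exarnple-corp.com>",
    "CFO <cfo@example-corp.co>",
    "IT Support <it@example-corp.com.attacker-mail.net>",
    "Vendor <billing@supplier.net>",
]
```

Running flag_suspicious(SAMPLE_HEADERS) returns the three lookalike headers; in practice this check belongs in mail-gateway or SIEM tooling alongside SPF, DKIM and DMARC results rather than as the only control.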
Account takeover for financial access
Once an email is compromised, account takeover (ATO) is a logical next step. Account takeover fraud occurs when a cybercriminal gains access to unique details of a trusted user’s online accounts by posing as the real customer using ill-gotten ID details.
Once criminals have this much detailed identity information and an email channel, they can
Hacking business payment and approval systems
Personal and business email hacks can easily lead to hacks of business approval and payment systems. And bigger account hacks can result in massive ATO fraud with higher potential payouts. Cybercriminals often specifically “spearphish” emails of high net-worth individuals and officers in charge of corporate payment approvals, hoping to make large, unauthorized payments. As Brett notes, “spearphishing” is now more than 80 percent successful.
Small businesses should be particularly vigilant. Forty-three percent of cyberattacks target small businesses, and 60 percent of small businesses that are compromised close their doors within months because the financial damages are simply too massive to bear (Small Biz Trends).
Take preventive steps
As Johnson warns, “Fraudsters like people who assume it cannot happen to them.” Their ignorance usually leaves them more vulnerable and often unaware when an incident occurs.
Here are ways to help avoid being victimized:
- Check your online financial account activity often
- Add two-factor authentication to all your accounts
- Change your passwords often, especially for email, and use strong password formats
- Don’t use the same or similar passcodes for multiple accounts
- Avoid using public information in passcodes, such as your date of birth
- Change the privacy settings on your social media accounts to prevent strangers from viewing your personal or family information
- Use unique, unknowable information on your “personal questions” for account authentication
Preventive measures for businesses
Every business, no matter the size, should have a fraud prevention plan in place before an incident occurs. Employees should be trained on what to do, and the plan should be refreshed often.
Fraud prevention practices that can help support your plan:
- Enforce dual administrative approval on all accounts
- Segregate duties so that a single compromised account can’t exercise multiple powers (e.g., payment approvals)
- Train your employees not to open attachments or click links in unknown, or even personal, emails on company computers
- Keep systems patched with the latest upgrades
- Take advantage of monitoring tools
- Protect yourself from email fraud by “whitelisting” known contacts to the “Safe Senders” list in your email settings
- Practice protocols for breach control, and train your current and new employees regularly
- Consistently assess your fraud prevention plan for vulnerabilities
Take advantage of SVB’s fraud prevention and mitigation tools
- Online payments and ACH approval tool
- IBM Trusteer Rapport® fraud detection and mitigation software
- SVB Security Alerts and Notifications
- Fraud control services, like check fraud mitigation tools
- SVB’s complimentary risk assessment report — contact your SVB representative for details
As SVB CIO Nick Shevelyov advises, technology is a double-edged sword; it enhances our lives, but it can also make us vulnerable. Don’t give away your hard-earned gains. Stay vigilant; it’s worth the effort.
For more information
- Listen to Brett Johnson’s presentation in the full SVB webcast posted on SVB.com
- Read more about fraud prevention tactics in the SVB Fraud Prevention Center
- Read our latest fraud prevention articles at https://www.svb.com/trends-insights/perspectives/
Contact U.S. Government agencies and industry groups that can assist with identity theft and cybercrime prevention, including the following:
- FBI Internet Crime Complaint Center: file a report with the FBI concerning suspected internet-facilitated criminal activity
- US Secret Service Electronic Crimes Task Force: its mission is to protect and investigate areas of cyber banking and finance
- United States Computer Emergency Readiness Team (US-CERT): cyber defense, incident response, and operational integration center
- National Institute of Standards and Technology: implements practical cybersecurity and privacy through outreach and effective application of the standards and best practices necessary for the U.S. to adopt cybersecurity capabilities