Preventing Cyber Attacks–Insights from a US Secret Service Agent

Episode 16 (00:35:34)
Subscribe

Transcript
Sonia Portwood (00:06): Hello, and welcome to this episode of Banking Out Loud. I'm your host, Sonia Portwood, chief sales and marketing officer here at PCBB. And with me today is my co-host, Nancy Ozawa. She is our SVP of marketing. Hi, Nancy. So glad you're on the call with me today. Nancy Ozawa (00:23): I'm glad to be here. I'm looking forward to today's topic. I think it's gonna be very interesting. Sonia Portwood (00:28): It is certainly a heavy topic. We're going to talk today about cybercrime. I know you talk about it within your organizations. Everybody talks about it. The regulators talk about it. It's all over the news. (00:43): Cybercrime costs financial institutions hundreds, if not millions of dollars every single year. That affects our shareholder value, it affects our salaries, it affects our bonuses, it probably affects just (laughs) about everything in the financial institution. And I wanna share a couple of numbers with you before we introduce our guest today. It's estimated that in 2023, organizations are going to be spending $188.3 billion to mitigate the risk associated with cybersecurity. (01:25): And then, if you do have a breach in your financial institution, it's estimated that it could cost around $5.85 million. That's a big chunk of change So without further ado, I wanted to introduce our guest for today's podcast. With us is Stephen Daugherty. He is with the Secret Service. Stephen, we're so happy to have you here today. Stephen Dougherty (01:53): Thank you. Uh, happy to be here. I'm always glad to get out and talk about this topic. Um, I sit with our Global Investigative Operations Center in Washington, DC, out of Secret Service Headquarters. And I help and oversee what we call the Business Email Compromise Mission Desk, where we essentially look at these type of specific crimes, how they all work together, um, who commits the crimes, how to make arrests, and then also how to disrupt and dismantle the networks and educate, uh, and spread awareness about the different cybercrime trends that are out there. Sonia Portwood (02:27): Stephen, so before we go any further, I, I know that there are some people that are really surprised that the Secret Service is involved in cybersecurity. Would you mind commenting on that for just a minute just to clear up any misconceptions out there? Stephen Dougherty (02:42): Absolutely. I'd love to level set here. So, the Secret Service, sometimes we are more known for our protective mission, but the Secret Service we actually have what's known as an integrated mission. And a lot of people don't know, we were actually formed back in 1865. Our goal back then was to protect and secure the US financial and economic infrastructure, and by doing that we fought, counterfeit currency. (03:05): At the time we were founded all the way back in 1865, about 60 to 70% of currency in rotation was actually counterfeit. So we went out, we worked with the communities to get all that counterfeit out and get real money introduced into the communities. And our mission has remained the same ever since is to really fight, secure and to protect the US economic infrastructure and, you know, as our mission has developed, cybercrime has... plays a huge part in it. (03:34): Pretty much every type of cybercrime that's out there is financially motivated in some way or in some point we use something that's financially motivated. So, the Secret Service has stepped in, , and we work large-scale cybercrime cases, and complex cybercrime cases as well. Sonia Portwood (03:50): Perfect. Thank you. We have a number of questions and topics that we wanna cover, but what do you feel is most important that we start with here today? Stephen Dougherty (03:59): Uh, I would say the thing that I wanna put out there is that everyone can fall victim to cybercrime, right? It doesn't really matter who you are. Um, cyber cri- criminals are going after our largest global corporations. They are going after nation states, governments, state, local, even up to federal governments., they are going after small and medium-sized businesses, non-profits, charities, churches, you name it, but they are also hitting individuals as well. (04:26): Um, individuals are being hit and losing money in, real estate business, email compromise schemes. Uh, cryptocurrency investment scams are very huge right now where individuals are losing a lot of money and we're still seeing romance scams, tech scams, and work-from-home scams really affect the individual consumer in the US economy. So our message that we wanna put out there first things first is that, hey, you know, this isn't for anybody specifically, We're talking to everybody here. Everybody is vulnerable. Sonia Portwood (04:54): Is there one more vulnerable than the other? Stephen Dougherty (04:56): Uh, I would like to say there is, but at the end of the day, there really isn't. So, our cyber criminals, the way the Secret Service looks at it is they are going after any financial transaction that they can get their hands on or any information that contains financial transaction information or personal identifiable information. So, really we see them and even, you know, our criminals will even say, "Hey, we're just opportunistic. We're going after whoever we can at a certain point." And they'll even take things like, a news event as sort of their modicum to commit cybercrime or reason to use their social engineering, what have you. So pretty much now we say everybody is pretty much at the same risk because everybody conducts a financial transaction and everybody has personal identifiable information. Nancy Ozawa (05:42): you're kind of intriguing me with all these romance schemes and the, the tech schemes and things like that. Can you kind of give me a couple examples that we can really chew into to really kind of re- relate to how this is happening? Stephen Dougherty (05:53): Yeah, sure. So the way our fraudsters work, um, I call it the enterprise business model, right? They have a whole complex web of different people they work with that do different things within the transnational criminal organization. One of those things is they need to develop information, kind of keep a steady flow of cash coming in so that they can work up to a bigger score. And they do that a lot through different things like romance scams. (06:18): So essentially they'll have somebody who, uh, targets people online and they use any of the dating profiles, social media, platforms they can to contact people. They convince you to enter into a long-distance romantic relationship with them and they first start to get you to share your money. So they'll say they're in trouble for something or they need some money for a project to get off the ground and they'll take your money. (06:43): Then after that, you know, they'll kind of start to bleed you dry, or, you'll start to not trust them, and they'll say, "Well, hey, the big contract award is coming in. Can you provide me with your bank account, you know, 'cause I'm on an oil rig right now, I can't access this money. Can it come to you, and then you send it to me?" (07:00): So our victim will provide a bank account that our bad actors can then use for money laundering. And actually, we see a lot of that come through smaller banks now. The bigger banks kind of get wind of that, um, they have a little more, uh, fraud applications in place to kind of prevent that or see that so our bad actors have turned to a lot of smaller banks, um, to use those especially older bank accounts at these smaller banks. (07:24): Um, and then with tech scams, it's actually a very similar thing. Tech scams run very similar to elder abuse scams, and that's what, what happens. So you're just sitting on your laptop, you know, reading the news or what have you, and you get a pop-up on your computer saying, "Your computer's infected, please call this number and we'll take care of it for you." You know, unwitting, you call the number, say, "Hey, I got this pop up on my computer," and they'll start working you through trying to fix whatever problem they see or found or created. (07:51): And in doing so, they'll either get you to expose your bank account details or they'll have you, make a payment and then come back and say, "Oh, well, we messed something up. We wanna give you a refund, but we can only do it via wire or ACH. Give us your bank account and we'll send it in." And then they convince you further to launder the money that way. Um, so those are two of the different ways that they go after and kind of use, we call it ancillary fraud schemes to support their bigger fraud schemes. Nancy Ozawa (08:18): Yeah, I see that a lot in Zelle is being used as a very similar way of that. Stephen Dougherty (08:22): Yep. Nancy Ozawa (08:23): Now, a lot of our listeners are inside banks. What kind of scams would they be seeing? Stephen Dougherty (08:29): so they would be more on the front lines of seeing the fraud in play at their bank. So they would be seeing, say somebody who has an account, a very long-storied account at that bank. All of a sudden they receive a very large wire that they have never done before. And then if they see the wire, then they'll see it move in certain ways that again would be not characteristic for that account holder to do. (08:53): oftentimes these bad actors are now using cryptocurrency. So what they'll do is they'll compromise, you know, an email account, they'll convince a business to send a large payment to the victim's account that they've created through a romance scam, what have you, and that money will come in and then they'll direct the victim to, get cashier's checks or tell them how to go to a, a Bitcoin ATM and buy Bitcoin. Stuff like that. (09:16): You'll start to be seeing out-of-character transactions for, the people that are banking with you. Um, other inside the bank sort of things, these guys love harvesting and getting good information and intel because there's a whole online ecosystem about buying and selling different information and access to bank accounts. Um, we have one bank where 200 bank accounts, um, had gotten leaked We don't know exactly how, but they were all sold on the dark web for access so that criminal actors can run money through them, for their cybercrime schemes. Sonia Portwood (09:49): let's pause just a minute and paint a picture for our listeners. What does a cyber criminal look like? Is it a certain demographic? Are they all 22-year-olds? Are they organized crime units? I mean, who actually are these criminals? Stephen Dougherty (10:09): Great question. So we classify cybercrime as transnational organized crime 'cause really that's what it is. And if you actually take the way we've looked at and researched these cyber criminal networks and overlay them with, you know, known transnational organized crime groups, they actually kind of mirror each other, which is very interesting. And you have people, so these are organizations, it's not just one-off actors here and there that are, you know, working and doing all this stuff themselves. They're buying services, right? (10:39): So say they need a bank account, they'll go on the dark web and buy it. And they're the ones doing all the phishing and releasing the malware that's compromising these email accounts. And so then they have all that access and then they sell that to somebody else or share that information for different parts of the profit being made off of cybercrime. (10:56): And it actually kind of spans all ages, right? You have sort of the younger operators who are sort of the on the ground guys committing the fraud, um, pushing out, again, doing the compromising, l- laundering the money. And then you have sort of the older part of the organization that's instructing these guys to do certain things. And, , you know, as people move up, it's, very much akin to actual organized crime and what those networks look like. Sonia Portwood (11:11:21): And can we assume that organized crime and these criminals themselves are in every country? Stephen Dougherty (11:28): Yes. back eight years ago, nine years ago, we knew sort of where they were based on the type of crime we were seeing. But now they've just spread all over, all over the globe, really. They're in every country in the US, in Europe, Africa, Southeast Asia, you kind of name it. They have either big-time actors there or part of the infrastructure for their criminal organization is in these countries. Sonia Portwood (11:51): Well, and this is just gonna get bigger. Would you agree? Stephen Dougherty (11:54): yeah. there's a lot of reasons why. One, it's very profitable. Um, I like to anecdotally share, I wanted to see how much it would cost me to set up and pull off one business email compromise incident, from start to finish. So I just did some research And I could buy a phishing kit for 50 bucks. So I would deploy the phishing kit against somebody's email I wanna compromise and know they have a lot of good information. (12:19): Say I wanna compromise a title officer at a title company. I deploy that phishing kit out, they click on it, it gives me their email address and password. I log into their email. I now know all of the upcoming real estate purchases and closings that are coming down. So then I pose as that title officer by setting up a spoofed email account, which that you can do for free, or you can do... set up a spoofed domain one letter off for like 8.99 a month. So I bought the phishing kit for $50. I have my spoof domain now for like 8.99 a month. So I'm $58, $59 into this. (12:54): Last thing I really need is a bank account. I need a trustworthy looking bank account that I can get a victim to send money to. So I did some research on how much that would cost. And I said, I wanted a seasoned, well-known bank account that won't get caught up with fraud detectors, that's, can easily move 50 to $100,000 without a problem. 200 bucks off the dark web, I could do that. I could find somebody who would give me that. (13:16): So for 250 bucks, I'm off and running on a BEC, scheme I could pull off, and the average loss for that BEC is 130 to $150,000. So the profitability and the return on investment is very, very high for these. Um, and so you're seeing these groups just kind of explode based on the amount of money they're making. Sonia Portwood (13:37): What does BEC stand for? Stephen Dougherty (13:39): Business email compromise. Sonia Portwood (13:42): Thank you. Thank you. Stephen Dougherty (13:48): Yeah, so that's just the type of crime where they compromise an email accounts, um, they take out, again, contemporaneous and privileged information, thinking that, you know, it's only somebody you'd be doing business with, like your lawyer, like your title officer, like your banker, like your wealth, uh, advisor, wealth manager, and they convince you to send money where you normally wouldn't, thinking it's for a legitimate purpose. Nancy Ozawa (14:04): So for less than 200 bucks, they can get basically get in the business and if they just win one score, they definitely recoup their money. Stephen Dougherty (14:12): Exactly. And you know, it used to take a lot of technical actors to do this, like you would need somebody who would know how to write the malware for the phishing kits and all that. Now, the reason why it's exploded is you have a lot of non-technical actors in the space, meaning you have people who don't need to know how to write that code. They just can buy it as a service, deploy it out, and boom. And other technical applications that we're seeing today, AI, um, machine learning, things to spoof different things that are out there allow these guys to act at speed. (14:43): Um, I do a demonstration when I do my, presentations on business email compromise and how I can use the generative AI platforms out there to write and send emails. Uh, uh, every second, I can do one a second, boom, tell it to do this, boom, tell it to do that, instead of sitting there having to spend 10 to 15 minutes to write each email. So you can really launch these attacks at scale now. Nancy Ozawa (15:04): And if they can somehow get access to some of these emails, that AI can learn that person's personality, how they write, and spoof them even more accurately than, uh, before. Stephen Dougherty (15:15): Yes. Yep. In fact, uh, I tried to teach it that one night. I was, I was messing around with one of the, the generative AI platforms. I'm not gonna mention which one, but I was working with a private sector partner who him and I kind of share threat intelligence back and forth. I wanted to make it sound folksy, and he was from the Midwest. So I actually said, "Hey, you know, in a Midwestern vernacular, write an email, requesting an invoice payment change." And it did it in an informal way, like, "Hey, friend, hope everything's good, just letting you know we sp- changed our bank account, send it to here instead." Real informal. And it was interesting to see that it would do that for me. Nancy Ozawa (15:54): So while a lot of us are using AI for good purposes, it definitely can be for them to use too. Stephen Dougherty (15:59): Oh, absolutely. In a way that makes them so much more efficient. Um, you know, I would say almost exponentially more efficient in launching their attacks. Stephen Dougherty (16:08): Yeah. and again, something I wanted to research to see if it was possible, and had my own deepfake made up. Sonia Portwood (16:14 ): What is a deepfake? Stephen Dougherty (16:16): So a deepfake is using AI or machine learning technology to copy somebody's voice, um, text or video of that person to make it sound like it's that person. so I decided to see what can be done for myself. And this is what was provided to me. You guys ready to hear it? Nancy Ozawa (16:37): Mm-hmm. Sonia Portwood (16:38): We're ready. Stephen Dougherty (16:39): Okay. Nancy Ozawa (16:40): You mean this entire time we've been talking to the deepfake is what you're just gonna say. Sonia Portwood (16:43): (laughs). Seep Fake Recording (16:44): “I've got a piece of funds transfer incident. I can't share details over the phone, so I will email you some details that I've learned and will request additional details to assist in our investigation. Please be on the lookout for an email in the next hour or so. Thanks.” Stephen Dougherty (16:58:): So that wasn't me. That was based off of about a three to five-second recording of my own voice. Um, so imagine what can be done with that to an unsuspecting victim. Nancy Ozawa (17:08): Yeah, that did sound very close to you. Stephen Dougherty (17:10): Yeah, when I did a presentation, it was for law enforcement only, and I played that. And there were a lot of people who were like, "Yeah, I would have definitely bought that as you." Stephen Dougherty (17:21): Like, hook, line, and sinker. So, you know, you co- you copy that in with, you know, a spoofed email, and now you have the voice backing up the spoofed email, and the world's our cyber criminal's oyster. Sonia Portwood (17:31): Stephen, um, the big cyber criminals make headline news. Stephen Dougherty (17:35): Mm-hmm. Sonia Portwood (717:36): And if they're caught they're prosecuted. Stephen Dougherty (4017:38): Mm-hmm. Sonia Portwood (17:39): What are the consequences for these small players? Stephen Dougherty (17:42): So really anybody involved., obviously depends on where they're arrested, what we can prove that they actually did. Um, but even consequences for small players can be years in prison. money laundering carries a maximum of 20 years. And so if you're caught on the money laundering side of things, obviously there's things that go into sentencing guidelines and, that determine exactly how much time you get. But, even,, lower level actors can still see multiple years in prison if we can tie them to or as a cog in the network committing the crimes. Sonia Portwood (18:11): So, We're not gonna leave the podcast without telling our listeners what they should do if, if, if a situation comes up or they're suspect of a situation. But before we go there, I wanted to ask you, what are the chances of getting your money back if you are victim? Stephen Dougherty (18:26): Mm-hmm. That's a great question. So, with that, we like to say time is money, right? Um, with the Secret Service, we run a rapid response unit from our GIOC, our Global Investigative Operations Center, along with supporting our field offices. Um, we have 42 different cyber fraud task forces around the world. And if you can reach out to us to within, you know, usually 72 hours is the long run. But if you can get to us within, you know, 12 to 24 to 48 hours, there's a good chance of getting money back. (18:55): Um, so going back to 2019 to present, we've gotten back about $320 million for victims, and that's going directly back to victims through bank-to-bank hold harmless process or seizure process, something like that. Um, but that's only about 30%, 25 to 30% of losses reported to us, 'cause a lot of times losses are reported to us, you know, a month later or, a week later, or sometimes even if it's reported in the right amount of time, the criminals are so good and so quick at moving the money where we can't get to it. Sonia Portwood (19:25): And those are individuals. What about those big players, like the ones that were held in the casinos hostage, for example? What are the chances of getting those huge dollars back when they pay a ransom? Stephen Dougherty (19:37): there are the abilities to retrieve ransoms, and federal law enforcement has been successful doing that in several different cases, um, where it's, it's bigger money that's lost. Because at the end of the day, we put a lot of effort and resources into tracing and locating funds, whether that's your fiat currency, or whether it's virtual currency. We try and we work as hard as we can to get that money and get it back to the victims. Sonia Portwood (20:03): Do you have any idea how much the federal government and our tax dollars are at work to prevent this type of thing and recover? Stephen Dougherty (20:11): I can't give a specific number on that because it's spread across so many different law enforcement agencies and different groups, not only law enforcement agencies, but regulatory agencies, uh, cybersecurity infrastructure agencies that are out there. We're all fighting this fight. You know, um, when we talk about a mitigation roadmap, we like to say make sure you have an incident response plan in place where you can call somebody, where you know somebody. We don't care if it's Secret Service. It could be, you know, another federal law enforcement agency. Uh, it could be state, local. (20:40): There's a lot of money that does go into this, into training, investigators. The one thing I like the Secret Service that we hang our hat on is that we run a program, actually an institute down in Alabama called NCFI, the National Computer Forensics Institute. And the Secret Service funds it, we run it, we provide equipment, and thus far we've provided training and other assistance and equipment to about 25,000 state and local, uh, officers, detectives, prosecutors, and judges. Sonia Portwood (21:10): Interesting. I think it'd probably be a, a good idea to remind everybody, if you are a banker listening on, on this podcast, you are required to go through training annually to be on the lookout for this, and I think that's probably going to be your best line of defense for your organization that you work in. It's not something that you should rush through. It's something that you should take your time and really understand the implications and the red flags that could possibly come up. And I would imagine it would not only help you in your job, but it'll help you personally, uh, in your own life to prevent something like this from happening to you. Stephen Dougherty (21:49): Yeah, that's a... that's such a great point. Um, you know, at the Secret Service, we try our best to locate and arrest the individuals, and we literally stop at nothing to locate and arrest these individuals. But this is a thing where we can't just arrest our way out . We need to, employ different techniques.. But also, that education and awareness surrounding these fraud schemes. (22:10): You know, if you know, see one of these happening in process and think, "Oh, this is what the Secret Service was talking about on that podcast. This is a fraud scheme, like, uh, and I'm gonna stop it." And then you report it and, we look into it, and discover that there's maybe five other victims involved and we're able to go and help those other victims as well, just because you took the time to get the education, training, and awareness out there that these exist and that they can be stopped. Nancy Ozawa (22:34): you know, we all attend all of these different trainings, but as you think of that training, is there anything that's maybe most important for us to be thinking about to, to see those potential red flags? 'Cause I'm sure sometimes the training might lag some of the newest examples, or maybe one piece is more and more important than we really are realizing. Stephen Dougherty (22:56): Yeah, I would say in these trainings, most importantly, have just one aspect of it that allows the individual person to look inside themselves and think to themselves, "Okay, something looks a little off about this, let me trust my gut." Or, you know, w- for an individual organization that does a lot of transaction and payment processing, maybe we should put in just another level of authentication or verification for these payments. It's having the training and awareness, but then building in little things to help you make sure you're looking at everything properly. (23:27): So you can do certain things like, spot the spoofed email where you're showing spoofed domains, or, there's a lot of different ways you can... employ the training and also gamify it that, allows people to retain the information in their head as they're going about their daily business. Nancy Ozawa (23:41): And I think one thing you said that really resonates is listen to your gut. Stephen Dougherty (23:44): Yes. Nancy Ozawa (23:45): If your gut tells you something's off, trust it and elevate it. Stephen Dougherty (23:48): Yeah. Nancy Ozawa (23:49): I mean, we got an email, uh one of the people on my team, supposedly from the president, to buy a lot of gift cards. Stephen Dougherty (23:56): Mm-hmm. Nancy Ozawa (23:57): And she thought that was strange, and she leaned into that gut sense and then raised the, the flag to somebody else. But, so kind of trust in your gut, I think that is, uh, a really common piece to, to think about. Stephen Dougherty (24:08): Yeah, and one thing, e- everybody should have in every training that should say, "You will never be asked to buy gift cards on behalf of the company." (laughs) Just put that in there, like day one, um, because, you know, that- that's an entry level type of s- of fraud scheme, right? And our threat actors like to go back to the well, We call it upping the exploitation factor. So, you know, they maybe got a thousand bucks out of this one employee for a, a gift card scan. And then, "Let me see if I can go back and trick them again. Maybe now I can use a phishing attack or further socially engineer them to give up more information or give up, further access to the banking infrastructure or what have you." Nancy Ozawa (24:48): Right. Stephen Dougherty (24:49): So always remember, if you can kind of start taking out the small stuff and educating on that, your employees, they'll recognize it and, and have a culture of reporting. Nancy Ozawa (24:58): Absolutely. Sonia Portwood (24:59): Yeah, to speak to one of the things, the... talking about your gut, it's always a good idea, if you have the authority within your organization to move money or give out money, whether you're a teller or you're working in the wire room, if there's any doubt, any doubt. I used to tell the tellers, "Shut the cash drawer. Don't send the money. and get somebody else involved." Stephen Dougherty (25:22): 100%. Yep. Uh, and always, you know, if you can have two eyes look at a transaction before it goes. these guys do mess up a lot of small details, right? So if you're seeing a number of small details that are off, you know, we talked a lot about name matching. When we get a lot of these in, we see that the names on the accounts are completely off. So for instance, you know, we know that the victim was thinking they were sending money to a business. However, it just went to an individual's account, you know, and the name matching was totally off. (25:53): And we understand that's a lot of work to undertake for a bank, but even just kind of start paying attention to things like that could, lead to some wires being returned or so- some things stopped So again, just when the little details start to seem off, that's a way to really question a transaction. Nancy Ozawa (26:07): And I would assume that certain businesses might be more vulnerable, uh, when they're in growth mode, when they're adding in new employees, or maybe several people have been laid off. So all of a sudden there's this transition of people's names. Do you typically see that with cybercrime? Stephen Dougherty (26:23): Absolutely. cyber criminals are very opportunistic. bad actors are gonna take advantage of that. compromise an email system or a hack or what have you, but they also really heavily rely on social engineering, um, to pull these off. (26:34): It's sort of a two-pronged approach where they're, you know, doing that attack to steal the good data, and then they're using social engineering to really drive it home to get that money out of you. So, ye- yeah, so if you're in a new role or you're taking over somebody else's role where you're not doing something that you're, regularly used to, ask questions, go slow, get it figured out. Sonia Portwood (26:54): Stephen, you had mentioned in one of our previous conversations something about individuals with dormant email accounts. Stephen Dougherty (27:01): Mm-hmm. Sonia Portwood (27:02): 'Cause I, I would imagine that there's a lot of people listening (laughs) that probably have more than one and one they never look at. Stephen Dougherty (27:07): Yeah. Sonia Portwood (27:08): Anything we can do to protect this? Stephen Dougherty (27:10): Huge, huge red- huge red flag, if you see a dormant email account, go active. Um, what our bad guys like to do is, they may try to phish you directly to get your email address and password, but a lot of times what they do is they go on the dark web and they buy these huge data dumps of email addresses and passwords that were involved in prior data breaches, right? And so if you have an old email address that you didn't have multifactor authentication set up on and could have been involved in a data breach, say, three years ago, but it's just been sitting there dormant, particularly in your business or your bank, our bad actors may try to get into that account. (27:44): And if it's not being monitored or if it's not being looked at, they could then start using that to commit fraud, whether that's to launch, again, more targeted phishing attacks or, email compromises or requesting money. I had one, um, where I do... we do what's called, uh, network intrusion run out, and I, I got the call to go out and meet with this victim who, um, they were owed a lot of money from different vendors and none of the vendors had paid and all the payments had gotten redirected. Well, they wanted to figure out how this happened. And so I'm looking at their email systems and I see that they had this one old accounts receivable email account that had been taken over. (28:23): Our threat actors had installed email rules to make it look like it was still dormant, to make it look like nothing was coming into it. And then they were just directing 136 different clients or different vendors to send their money to different places for their invoice payment. And it was just an old email account, they used it, took advantage of it, and 136 different times somebody was victimized. because of one dormant email account. Sonia Portwood (28:48): That could put somebody out of business. Stephen Dougherty (28:50): Uh, yes, yes, and that's... You know, we talk about the effects of cybercrime, um, and again, that's another reason, like, "Uh, why is the Secret Service in the room to fight cybercrime?" And to bring it back to that, you know, obviously our goal is to protect and secure the US and financial infrastructure. And if we have small and medium businesses going under out of business because they lost all their money to cybercrime, it's a huge problem. You know, just the effects on the economy there keep just ratcheting up, you know. So we're seeing money walk out of the economy and we have to fix that. Sonia Portwood (29:21): Well, thank you for everything you did. we've talked about a lot of different ways that cybercrime can happen. Can we box up the tips for being aware and preventing it? Let's just go through those tips one more time. Stephen Dougherty (29:37): Yeah, no problem. So, preventing it up front is keeping your software and your ecosystems as update and current as possible. These guys like to take advantage of old vulnerabilities, they'll keep trying different things that may still work. But if you get those updates in and can protect yourself multi-factor authentication on everything, right? What, uh... Anything that holds either, information or financial transaction information needs to have multi-factor authentication on it, and that includes email accounts. So have multi-factor authentication in place. (30:10): Then lastly, um, on sort of an organizational-wide level, have an incident response plan in place and know who to contact and what to do when something happens. Because we treat these at the Secret Service that it's not an if scenario, it's a when scenario. Like I said, our bad actors will target any financial transaction they become aware of. So, really have a practice incident response plan in place with a law enforcement contact in that, uh, incident response plan and make sure it's practiced. And if somebody leaves roles or moves positions or what have you, make sure it's updated, uh, continuously with that information. Sonia Portwood (30:48): Okay. And just to put a final point on it as far as who to contact. of course, you said they could reach out to the Secret Service, but you also said something about local law enforcement. Is it slower going through local law enforcement? And if you do call them, which unit are you asking for, cybersecurity? Stephen Dougherty (31:06): So, all of that depends on the local jurisdiction, right? Uh, and as to, you know, how big the department is, what they may have as resources. So in terms of reporting, we want you to have multiple options. So you can really very easily locate a Secret Service field office, it's just secretservice.gov\fieldoffices, uh, 24 hours a day, seven days a week, we have a duty desk that you can call and report these to. (31:30): Um, but if you wanna stay local, which, if you wanna stay local, please do that." Make sure you know who to reach out to. So call your local police department or call, you know, even your state, uh, PD and say, "Hey, you know, we're updating our incident response plan. Can you tell us who to call if there is a cyber incident or if we have a financial crime that we need to report," And usually they can point you in the right direction. But just having that and reaching out is great. (31:55): Um, and then finding public-private partnerships to be a part of. Um, FS-ISAC is a good one, uh, on a national basis, but usually locally there's different groups that meet, um, to, you know, share information. You know, local businesses, um, we even have them in our field offices, they're called our cyber fraud task forces, where it's actually a public-private partnership and, you can join it, again, just by reaching out to the field office and saying, "Hey, I wanna join this." (32:23): And we push out alerts of things that are going on, and, uh, they usually have some type of either quarterly meeting or at least once or twice a year to get everybody out and introduced. And that also contains local law enforcement as well, which is great. So, that's another way to make contact, for your incident response plan. Sonia Portwood (32:39): [inaudible 00:36:47]. Thank you, Stephen. Nancy, I don't know about you, but I did... the intention of this, this podcast was not to scare everybody, but to raise awareness and to give you some tools to help prevent this from happening to you. (laughs) I, I, I hope that everybody walks away with some information that they can use, or something they didn't know before that may help prevent this from happening to them or to someone else with their friends or their family. Um, what do you think? You think we did a good job of that? Nancy Ozawa (33:11): Uh, I think we covered a lot. And, Sonia Portwood (33:13): (laughs). Nancy Ozawa (33:14): ... I think Stephen giving us examples really will help me and the listeners realize all the different varieties of things that are happening out there. I'm still keeping in my head the... your comment, it's when, not if. Nancy Ozawa (33:26): So it really comes back down we've got to stay on our toes, we've got to stay educated, training as very critical, so that we, you know, anticipate, listen to our gut, and make sure that we don't fall victim to a number of these issues and examples. Stephen Dougherty (33:41): Exactly. Sonia Portwood (33:42): Yeah. Because that technology is gonna get better and better. Stephen Dougherty (33:45): Every single day. Sonia Portwood (33:47): Yeah. Nancy Ozawa (33:47): Yeah. Sonia Portwood (33:48): Well, Stephen, thank you so much for being here with us today. We really (laughs) appreciate this, is a... It was a lot of information, and there's so many different ways that, uh, we can fall vulnerable to this, but, but hopefully through listening to this podcast today, people can take away and maybe prevent this from happening. So we thank you very much for joining us. Stephen Dougherty (34:09): You're welcome, and, uh, thank you for having me out and letting me spread my message. Sonia Portwood (34:13): (laughs) Yes, sir. And to our listeners, thank you for tuning in. If you haven't already, make sure you check out the other episodes and subscribe so you'll be the first to know when our next episode drops. Also, we are always looking for suggestions on what to cover so if you have something in mind or you would like to be a guest, please let us know. You can reach out to us at bankingoutloud@pcbb.com. Until next time, take care everybody.

In this episode of Banking Out Loud, US Secret Service agent Stephen Dougherty joins hosts Sonia Portwood and Nancy Ozawa to discuss cybercrime and the Secret Service’s mission to protect and secure the US financial and economic infrastructure. Stephen shares examples of types of cybercrime, including business email compromise schemes, romance scams, "Pig-Butchering", work-from-home scams and deep fakes, and explains how technology tools, including AI, have made these schemes more sophisticated than ever. He also provides tips on when and to which law enforcement or relevant authority suspicious activity should be reported to.

Guest:
Stephen Dougherty
U.S. Secret Service
CID/GIOC
stephen.dougherty@usss.dhs.gov

Resources:
• US Secret Service Field Offices: https://www.secretservice.gov/contact/field-offices
• The Financial Services Information Sharing and Analysis Center: https://www.fsisac.com/
• Preparing for a Cyber Incident: https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident