It’s early August, 2015. While watching TV, I receive a call from a 347 area code phone number. Thinking it’s a business colleague of mine who lives in the outer boroughs, I answer.
Unfortunately, “Roy Callahan from the NYC Police Department” threatens me with a warrant for my arrest within minutes, and states that I need to turn myself into the local police department. So, I reach out to my friend Josh Linder. He states that it’s rampant in the region where he lives and similarly happened to him, but they threatened him if he didn’t comply by purchasing a $9000 Green Dot prepaid card.
This happens thousands of times every day. Law enforcement agencies (LEA’s) ranging from local municipalities to the FBI, and everything in between are overwhelmed. They can’t compete – bad actors are fast, smart, and ahead of the curve.
These criminals also know how budget, resource, and talent constrained the LEA’s are. The local ones are best at catching shoplifters and pulling over speeding vehicles, not tracking terrorists to their origin across state or federal boundaries. With little interest or coordination and no tools, over 99% of these scams go unresolved.
How Did They Find Me?
First, social networking has created a treasure trove of information. People entrust their name, address, phone number, work history, educational background, and social circles – to the public domain. This is where the risk lies, not the much-publicized hacks at retailers, banks, government agencies, and healthcare organizations.
However, the large exposures at retailers like Target, Michael’s and Home Depot, along with the more recent hacks at Anthem, United Airlines and the United States Office of Personal Management (OPM), should be of tremendous concern. This information allows perpetrators the ability to triangulate data, and build a rich persona of people like you and me.
Let’s put that in context. Tens of millions of records were exposed, which could be used to go far beyond extortion payments, and move to exploit physical vulnerabilities in executives and military personnel, or regular people.
How Quickly Will I Be Exposed?
According to a 2014 FBI scam alert, victims reported having money illegally withdrawn from their accounts within ten minutes of receiving a vishing call, and another of having hundreds or thousands of fraudulent withdrawals in the days following.
What Can I Do?
As an individual, it is best to be vigilant and use common sense. Regardless of what a “vishing” caller ID says, the U.S. Internal Revenue Service (IRS) will not demand money or account numbers. Don’t fall victim to Vishing’s evil cousin Phishing and click on links in emails which could take you to a malware site – spend an extra two seconds confirming that the email is actually who it is from, not just a familiar name.
Second, it’s best to protect your social profiles online. Facebook, LinkedIn, Twitter, and the trove of other tools have most likely already exposed you. Perform a simple Google search, then move to clean up the public aspects of your online persona.
Third, act like an enterprise to protect your employees as if they were your family. Large organizations have invested heavily in antivirus, drive encryption, email security, and next generation firewalls. None of this matters – phishing and vishing scams go right around these. You need training, ongoing education, vigilance, and technology which is smarter. A key approach to this is implementing continuous endpoint visibility on your devices. At Ziften, our software plugs security exposures to form a more resilient wall.
The battle for cyber security protection is consuming your resources, from your people to your budget. Threats are faster, smarter, and more targeted than ever before, and working their way around traditional prevention solutions and getting straight to the point; your endpoints. Once breached you have less than an hour before the attack finds additional victims within your organization. Time is of the essence, and since we can’t create more of that, we focus on maximizing continuous intelligence so your team can make the right decision, right now.
Today, people are so focused on fraudulent credit card charges, and organizations are locking down endpoints at a record pace.
More has to be done. The criminals are faster, smarter, more enabled – and outside the bounds of the law. While news will continue to come regarding the success of catching large-scale fraudsters and untouchable foreign nationals in China and Russia, there will be thousands of small-scale exploits on a daily basis.
At Ziften, we have one mission, to make endpoint security fast and easy for the end user to not only deploy, but manage and drive daily value. By combining real-time user, device, and behavior monitoring with powerful analytics and reporting, Ziften automatically empowers any organization to view, inspect, and respond to the very latest attacks.
Thanks to Josh Linder for his conversations on this topic.
Other Stats (from UK police):
- Cold-call scam artists are costing phone users £24 million ($37.5 million) annually
- The fraudsters convince people to release sensitive financial information
- Almost 60 percent of people have received a suspicious call over the last year
- Criminals claim to represent a range of respected financial companies