What Hackers Don’t Want You to Know About Cybercrime
Presented By Tom Kennedy, CFP®:
Ten years ago, cybercrime was chiefly relegated to nation state attacks. After the Target attack of 2013, the amount of cybercriminal activity has steadily skyrocketed. Today, cybercrime is enormous business for criminals. Many experts agree that in 2019 cybercrime was estimated to be a $1.5 trillion industry, making it the 13th largest economy in the world.
We recently interviewed James Morrison, a former FBI agent and cybersecurity expert about the cybercrime world. He gave us some shocking statistics, information, and trends that hackers don’t want you to know about cybercrime.
Anatomy of cybercrime
The shocking truth is that without knowing anything at all about technology, it is possible to buy a cyber-attack online. Cybercriminals often purchase lists of email addresses on the dark web. These lists comprise addresses that were stolen, or where people clicked on a link which validated their email address as belonging to a legitimate user.
A cybercriminal can then contact a ransomware company on the dark web where they can buy a ransomware attack for cheap. Even larger enterprise attacks are for sale such as those levied on municipalities and hospitals, though the cost is considerably more.
These criminals usually use cryptocurrency to pay for the attack “kit” because it is virtually untraceable, as tainted funds are mixed with other money to disguise the source. But this is the dark web, so how can a company doing business be trusted? These nefarious companies are ranked on the dark web based upon their “reputation”, much like shopping on eBay or Amazon. Those with a higher reputation have proved they will deliver what is promised.
Lest you think you can go browse the dark web by searching for it on Google, these organizations are only visible through a series of encrypted proxy networks such as Tor or I2P, making it very difficult for law enforcement to discover where their servers are or who might be running them.
How a ransomware attack works
A cybercriminal buys a list of emails and a packet or kit from a ransomware company on the dark web. The company then sends out phishing emails to the purchased email addresses. Out of 100K emails, for example, an estimated five percent, or roughly 5,000 will click on a link and become infected with the ransomware packet. They will then be notified that they are locked out of their data and to get it back, they must pay the ransom. Of those 5,000, approximately 1,000 people will pay to get their data back. Whether they get it back or not is questionable.
To see how lucrative this cybercrime is, let’s suppose that if those 1,000 people were to pay $400 each to get their data back – and that number is considerably low. You can see how easily the cybercriminal can make $400K. Even if the ransomware company’s fee is 40 percent of the ransomware’s revenue, they have still made $240K from an investment of just a couple hundred dollars.
Ransomware is so lucrative, in fact, that drug cartels placed themselves directly in the mix. With money and language barriers removed and the use of cryptocurrency, these cartels are luring sophisticated hackers to create another income stream. The cyber cartel industry has officially surpassed the drug trade industry. According to Cybersecurity Ventures, cybercriminal activity is anticipated to become a $6 Trillion dollar industry by 2021.
Everyone is a target
According to Morrison, an astounding one in 20 people click and open every link or attachment they are sent. The number one rule that people should remember is that everybody is a target. Small and medium sized business (SMB) and companies are at a higher risk, though, because they often don’t have the IT staff on hand, or they lack the budget to inoculate themselves. Real estate, for example, is very reliant on email and electronic signing of documents, making them very exploitable. With such a soft underbelly, a full 60 percent of ransomware hits SMBs.
These are the latest tools for cybercriminals:
Mobile. Individuals are not immune if they avoid using desktop. Similar ransomware threats are focusing on mobile phones. The cybercriminal steals the data first, locks the victim out of their data, and then sends a note telling them to pay.
Sextortion. Cybercriminals may even threaten to shame the victim on the internet with their personal data. Frequently, these criminals gain access to explicit photos and engage in “sextortion” to extort money from those who wish to protect their reputation.
Public Wi-Fi. Public hotspots are not the place to open new accounts or access your bank or investment accounts. Some of the sites you reach may be spoofed, leaving you open to sharing your personal details.
Smishing. Similar to phishing emails that try to trick you into entering personal information or login credentials, short message service (SMS) phishing performs much the same function, but using messaging and texting instead. Morrison pointed out that over 90 percent of attacks start with smishing, a technique where cybercriminals send text or private messages that dupe people into revealing personal information or login details, or that provide links they click which sends their device malicious packets.
Best Practices to avoid cybercrime
Financial advisory firms often receive messages that a client is requesting money. According to Kris Maksimovich, President of Global Wealth Advisors, “Our policy is to always verify withdrawal or transfer requests in-person or by phone with our clients, email or text is not acceptable. Also, by partnering with a large broker-dealer like Commonwealth Financial Network, we take advantage of their encryption and robust security measures when it comes to storing a client’s personal data.”
Prevention. While putting people into jail is important, evolving technology and sophistication of the attacks means it is not currently possible to catch all the criminals. Taking precaution is the key to prevention:
- Don’t click on any links or attachments on emails, social media or text messages. None of these can be trusted
- Use public Wi-Fi in a very limited way, such as while using a trusted app on your phone that you already own. Keep in mind that free apps hold little incentive to spend money on protection
- If you need to send or receive an attachment or link, put a password on it. You can use programs like Microsoft Word where you can password protect a document. Then send the password through a text message or phone it to the recipient
- Never send a credit card, social security number, username, or password to someone by email. No legitimate company should ever need these details by email
- If you receive a strange message, particularly one asking for a Social Security number, username or password, always validate the source first
Email. Emails are not protected. They are sent out among general internet traffic. By rewording a previously sent email, it can look legitimate to the receiver. Cybercriminals have been known to get into computers and swipe copies of previous emails, posing as someone you know.
Cloud-based services. Many people wonder if cloud-based services can be trusted? While there have been data breaches with cloud-based services, when it comes to security, you get what you pay for. Be cautious with free versions of software. The security built into free versions is not as robust as in paid versions.
Two-factor authentication (2FA). Security and convenience are divergent. It may be less convenient, but it is certainly necessary to keep your data more secure. If all you must do is click a link to access a document, it’s not very safe. If you must receive a password by text to access a document, that’s a little more secure. Make certain you turn on 2FA or multi-factor authentication security wherever possible.
Offline data storage. When people lose data to cybercriminals it’s usually the pictures and videos that are missed the most. Buy a USB drive and store all your photos, videos, income tax returns, and important documents on it. Then keep the drive removed from computer until you need it.
Backup your computers. You should routinely backup your computer to the cloud or to an external drive that you keep unplugged the rest of the time. This will enable you to gain access to your data, even if you are the victim of ransomware.
A word about password security
According to our interview with Morrison, we learned that the top three most commonly used passwords are:
Not far behind the top three passwords are names of children, pets, and significant dates like birthdays and anniversaries. Though we know we must protect our passwords, much of this information is made available on our social media pages without us even thinking about it.
Additionally, the special security questions required by companies designed to add additional security against cybercrime often include things like a mother’s maiden name, father’s middle name or favorite teacher. This information is easy to find on websites like Ancestry.com or on social media where distant relatives working on your family tree may leave it open to the public, exposing these details.
With so much of this information openly available online, make sure you don’t use real information for passwords or security questions. It’s best to lie and use made up information, but you’ll have to keep track of what you use.
Do not use the same password for multiple accounts. It’s better to write the list down and store it in a safe place than to use the same password. You can buy a password manager, or app, to store all of your passwords. If you are not computer literate, you can appeal to your children or grandchildren to help you setup an account. Many of these companies spend millions of dollars to keep that data secure, which is more than we have available to spend to keep our own data safe.
What should you do if you become a victim of ransomware?
The threat of ransomware is our new reality. We’re so interconnected that we can be victimized online unless we are conscious of what we’re doing. Just like when you cover your PIN at the ATM, you should use the same premise when online. Consider if what you’re doing reveals too much information about yourself. If the answer is yes, rethink what you’re doing and look for a different path.
- Be cautious about what you read online. The internet is untrustworthy, and we must test and validate everything we read
- If you become a victim of ransomware, visit a trusted local IT company who can reload your computer from scratch and pull your data from backups
- The FBI keeps a database of these crimes and would like you to report if you become a victim of a cybercrime to their Internet Crime Complaint Center at ic3.gov
- Finally, if you receive an email or text message that threatens your life, call 1-800-CALLFBI immediately so that the FBI can deal with that real-time
While nobody deserves to have their data compromised, stolen, or sold on the dark web, the threat of being hacked is a very real one for most of us. The key to staying safe is to use vigilance and common sense.
Tom Kennedy is a financial advisor located at Global Wealth Advisors 520 Post Oak., Suite 450, Houston, TX 77027. He offers securities and advisory services as an Investment Adviser Representative of Commonwealth Financial network®, Member FINRA/SIPC, a Registered Investment Adviser. He can be reached at (832) 649-8111 or at email@example.com.
© 2020 Global Wealth Advisors
Back To Blog