Bryley Systems Inc.

Are IT people motivated by self-interest? Everybody needs to be paid for their work. Have you an idea what IT people are aware of daily?

Getting an honest picture of cybercrime

A world apart from a legal system

Ever been the victim of a cybercrime? What did you do? Call the police? Send a note to the FBI? Were these law enforcement organizations any help?

The FBI claims 85% of cybercrime is unreported. Why do you think this would be?

Let’s look at the lowest level: imagine you’re buying concert tickets for $300 on a social media marketplace. The supposed seller sends screenshots of the tickets and a Venmo request. He asks for your phone number to transfer the tickets through a mobile ticketing system. You pay. No tickets. He then texts claiming the transfer failed, asks you to send the $300, and turns the tables further by asking if you are defrauding him. The person has your phone number and also likely your real name from your social media account and your personal connections. Suddenly you’re being harassed on your phone by what turns out to be a fake-named petty thief. Distracting at the least. But likely threatening – as you imagine all the reachable family members and friends, all the information posted.

And maybe you’ve Googled yourself and gotten to see how vulnerable your personal info is to anyone who wants to abuse it. Even if you’ve removed yourself from data brokers’ websites in the past, you may find the data has been renewed. These data broker sites show physical addresses, probable relatives, phone numbers, email addresses – just the sorts of things a criminal could use against someone for the purposes of getting the person to feel, “what will it take for you to leave me alone?”

Paying the ransom

This is the kind of feeling criminals bank on in deploying cheap ransomware[1]. According to Verizon’s annual data-breach report, ransomware payouts to criminals are down to a mean of $115,000. Criminals are always adjusting the sweet spot – calculating what they think they can get out of a small business. And as more smaller businesses refuse to pay, the criminals have responded with variants of ransomware, like extortionware: if you don’t pay to have your data decrypted, your stolen data (like customer or financial information) is released on the internet.

Per ZDNet, extortionware can apply far more pressure on companies to pay up, while they must also deal with restoration, cyberforensics, damage to their reputations, and potential legal consequences. Other chilling effects: once data is publicly posted, other criminals can weaponize the data; organizations can also lose certifications in regulated industries.

The main point though is that there is no undo once an organization’s data is in the wrong hands.

See for yourself

The superficial evidence of cybercrime for organizations is phishing. Because tactics keep changing, even the best email defenses will let through a percentage of phishing emails. As I began writing I literally got two phishing emails in my inbox. And there are two filters before anything reaches my inbox – one on the mail server and one at my desktop’s email client. (And if I go through one of the spam folders – there are dozens of phishing attempts.)

Phishing attempts vary. There is the one that a friend fell for: a site he’d just been on seemed to be telling him, with a link, that he needed to re-enter his credit card, and he clicked. He entered the credit card info on the forged site and then realized what he’d done and immediately called the card company to cancel the card. Some are extortion attempts. Some are pretending to be friends in dire circumstances – send funds quick. Some are those Nigerian Prince scams.

I bring these up only to say that this horrible situation of people trying to steal from us literally bubbles up continually in our lives, on our phones, at our businesses.

Building callousness

When there is an extortion-ransomware attack at a hospital, it eventually gets aired publicly. When there is a data breach at a vendor for an insurance company and you get a notice in the mail, this is another kind of bubbling up of criminal activity.

What effect do these continual breach notifications have on us?

In the 2016 RAND report on the effects of data breach notifications, the acceptance of help (usually via identity theft protection) from the breached organizations declines with higher education and youth: the more accustomed you are to the world of cyberattacks, the less likely you are to do more than shrug.

This is similar to the responses people display in literal war zones. In Irene Lopatovska et al.’s 2022 study of Ukrainian children affected by the then-3-month-old war, the research group’s findings were that overall there were surface signs of resilience in the study’s subjects. In fact, contrary to the researchers’ expectations, calmness was the second-most-reported feeling. The researchers conclude with a warning that this calm exterior may be a useful mask to put aside addressing the weight of the trauma on the victims’ lives.

And while we are not literally having our homes destroyed by drones, our organizations are under continual attack – this we can glimpse with our own eyes in the phishing emails, and in things like:

  • a live cyberattack map that allows an imprecise (VPNs often mask attackers’ origins, for example), but visual record of the onslaught
  • dark-web monitoring that lets you know if an account under your organization’s domain has been leaked on the criminal dark web
  • notices of failed login attempts – these are often criminals trying to guess a correct password

A physical analogy to a hard-to-see reality

US retailers are facing an onslaught of criminal activity. On the retailers’ behalf, American Eagle’s Scott McBride recently testified to Congress concerning the well-intentioned protections afforded criminals (where many thefts are considered misdemeanors, making them too small to prosecute) in many states, and the results of those criminal-protecting laws:

McBride: when twenty stolen vehicles, carrying forty or more individuals, suddenly converge on a suburban department store, armed with implements of destruction from tire irons to firearms … this is no longer a simple ‘smash-and-grab,’ it is a coordinated attack with premeditated malice.

McBride was there to ask for better federal law enforcement protections. Still, look at all the retailers’ self-installed deterrents – what remains on the open shelves at CVS versus what is under lock and key?

Now let’s jump back to the realm of computer networks, which, because it’s a virtual environment, few really understand. And instead of pairs of jeans (like American Eagle), in the name of convenience we’ve put all our money and client data in the anonymous, ambiguous Cloud.

Who are you really going to call if the money or data from this cloud-based, virtual-reality-with-no-borders is lost?

And similar to American Eagle’s testimony in the physical world, ransomware isn’t the work of lone hackers. Ransomware, extortionware and much of malware generally is the work of nation-state actors and criminal syndicates operating like businesses with customer service departments and affiliate models.

This is why IT people are insistent about the measures needed to bolster defenses to prevent the several bad things that are potential – and like virtual things, potential things are also difficult for the human mind to grasp – from happening in the first place.

And these are the reasons Bryley works with hundreds of New England clients, as it’s done since 1987. So if you feel it’s right to discuss your IT defense needs, please call 978•562•6077 or email Bryley’s Roy Pacitto or complete the form, below.

[1] Ransomware is often sold (by nation-state-harbored criminals) to small-time crooks as Ransomware-as-a-Service (like you’d buy a license to Dropbox). I’ve seen reported prices as low as less than $100/month.

by Lawrence Strauss, October 31, 2025
Lawrence has written for Bryley since 2015
