Are You Listening?
An Editorial by Brett Johnson, an Ex-Cybercriminal and current Consultant to the FBI
Brett is known as the original Internet Godfather, but he has gone straight and is a consultant and advisor to governments and major corporations all around the world, and is also on the SCARS Advisory Board.
In Brett’s own words:
We watch TV. We see a movie. Watching TV is passive. Seeing a movie? Active. Same with hearing and listening. Hearing? Passive. Listening? Active.
Good cybersecurity? Try listening.
I was one of the first people to speak about the Refund Fraud currently swamping merchants. I wrote an article on LinkedIn on October 6, 2016 warning about Refund Fraud. In early 2017, I keynoted the CNP Merchant Conference. I spoke about Refund Fraud and warned merchants this type of fraud was coming. I gave detailed advice on countering it. The response? Morbid curiosity, nothing more. No one listened. They all heard what I said, but not one single person or organizer listened.
I spoke about refund fraud for the next several months and then stopped. No one cared about it. I didn’t mention it again until the Quantico FBI CISO Academy 2019 and an agent suggested I bring it up. Turns out the FBI was the only group that had been listening.
I use Refund Fraud as an example. The truth is I could say the same of Ransomware, Synthetic Fraud, Supply Chain Attacks, Stimulus Fraud, Identity Theft, Credential Stuffing, Outward Facing SMB Ports, SolarWinds, Colonial Pipeline, Kaseya, and every other online crime.
I’m not just talking about me. And I’m not talking about the “Consultants” or security companies who flock to the organizations attacked and convince these victims they can make everything right while lining their pockets.
In each instance there have been people sounding the alarms, warning, trying to get people to listen. Those people may have been employees, contractors, customers. Or they may have been security researchers, hackers, journalists, academics, law enforcement, or even former crooks. They didn’t do it for profit. They did it because it was the right thing to do.
In each instance of those people speaking out? They were heard, but none were listened to.
Think about a world where people would have listened to the warnings about Outward Facing SMB Ports and patched EternalBlue and EternalRomance. NotPetya wouldn’t have been much. What if the SolarWinds execs had listened? Or the Colonial Pipeline peeps? Imagine if people listened to experts about passwords or freezing credit. What about the effect of listening when it comes to Ransomware?
But let’s be honest–you gotta know who to listen to. Lots of people out there have no idea what they are talking about. Make the mistake of listening to one of those and you will end up worse than not listening to anyone. So DYOR. Do. Your. Own. Research. Don’t just go by what they say. Ask for references. Look at their work. Talk to their peers. Don’t just take their word for it. It’s on you to find out if they know what they are talking about. If someone is constantly telling you how great they are and bragging about their achievements instead of concentrating on the problem? Chances are they ain’t that great.
Once you find that person? Don’t just hear them. Listen to them.
Consumer Refund Fraud is a US$27 BILLION Threat
Revenue loss due to refunds and product returns is natural in retail. However, a shocking percentage of refund requests are cases of retail refund fraud. According to a report from Appriss Retail, total merchandise returns accounted for $309 billion in lost sales for retailers in the US alone in 2019. $41 billion of that total came from online returns specifically.
It’s estimated that roughly 9% of total losses—$27 billion, to be exact—were the result of refund abuse. This is a 76% increase over the previous year. For every $10 in refund requests you receive, roughly $1 will be a fraudulent request.
Think about that! Refund fraud costs every consumer $1 out of every $10!
But it is like most avoidance education about frauds and scams. Who’s listening?