Are You Listening?

An Editorial by Brett Johnson, an Ex-Cybercriminal and current Consultant to the FBIFBI FBI - Federal Bureau of Investigation The Federal Bureau of Investigation (FBI) is the domestic intelligence and security service of the United States and its principal federal law enforcement agency. Operating under the jurisdiction of the United States Department of Justice, the FBI is also a member of the U.S. Intelligence Community and reports to both the Attorney General and the Director of National Intelligence. A leading U.S. counter-terrorism, counterintelligence, and criminal investigative organization, the FBI has jurisdiction over violations of more than 200 categories of federal crimes, including financial fraud.

Brett is known as the original Internet Godfather, but he has gone straight and is a consultant and advisor to governments and major corporations all around the world, and is also on the SCARS Advisory Board.

In Brett’s own words:

We watch TV. We see a movie. Watching TV is passive. Seeing a movie? Active. Same with hearing and listening. Hearing passive. Listening? Active

Good cybersecurity? Try listening

I was one of the first people to speak about the Refund FraudRefund fraud Refund fraud occurs when bad actors take advantage of a merchant’s return policy in order to profit or get goods for free. Refunding fraud is a twist on friendly fraud that is particularly challenging for merchants because there are no associated chargebacks, yes the losses are significant. currently swamping merchants. I wrote an article on Linkedin October 6, 2016 warning about Refund Fraud. Early 2017, I keynoted the CNP Merchant Conference. I spoke about Refund Fraud and warned merchants this type of fraudFraud In law, fraud is intentional deception to secure unfair or unlawful gain (money or other assets), or to deprive a victim of a legal right. Fraud can violate civil law (e.g., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compensation) or criminal law (e.g., a fraud perpetrator may be prosecuted and imprisoned by governmental authorities), or it may cause no loss of money, property, or legal right but still be an element of another civil or criminal wrong. The purpose of fraud may be monetary gain or other benefits, for example by obtaining a passport, travel document, or driver's license, or mortgage fraud, where the perpetrator may attempt to qualify for a mortgage by way of false statements. A fraud can also be a hoax, which is a distinct concept that involves deliberate deception without the intention of gain or of materially damaging or depriving a victim. was coming. I gave detailed advice on countering it. The response? Morbid curiosity, nothing more. No one listened. They all heard what I said, but not one single person or organizer listened.

I spoke about refund fraud for the next several months and then stopped. No one cared about it. I didn’t mention it again until the Quantico FBI CISO Academy 2019 and an agent suggested I bring it up. Turns out the FBI was the only group that had been listening.

I use Refund Fraud as an example. The Truth is I could say the same of RansomwareRansomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies that are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan virus disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction., Synthetic Fraud, Supply Chain Attacks, Stimulus Fraud, Identity TheftIdentity Theft Identity theft is when someone uses another person's personal identifying information, without their permission, to commit fraud or other crimes. In both the U.K. and the United States it is the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits, and perhaps to cause other person's loss. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources., Credential Stuffing, Outward Facing SMB Ports, Solarwinds, Colonial Pipeline, Kaseya, and every other online crime..

I’m not just talking about me. And I’m not talking about the “Consultants” or security companies who flock to the organizations attacked and convince these victims they can make everything right while lining their pockets.

In each instance there have been people sounding the alarms, warning, trying to get people to listen. Those people may have been employees, contractors, customers. Or they may have been security researchers, hackers, journalists, academics, law enforcement, or even former crooks. They didn’t do it for profit. They did it because it was the right thing to do.

In each instance of those people speaking out? They were heard, but none were listened to.

Think about a world where people would have listened to the warnings about Outward Facing SMB Ports and patched Eternal Blue and Eternal Romance. Notpetya wouldn’t have been much. What if the Solarwinds Execs had listened? Or the Colonial Pipeline Peeps? Imagine if people listened to experts about passwords or freezing credit. What about the effect of listening when it comes to Ransomware?

But let’s be honest–you gotta know who to listen to. Lot of people out there who have no idea what they are talking about. Make the mistake of listening to one of those and you will end up worse than not listening to anyone. So DYOR. Do. Your. Own. Research. Don’t just go by what they say. Ask for references. Look at their work. Talk to their peers. Don’t just take their word for it. Its on you to find out if they know what they are talking about. If someone is constantly telling you how great they are and bragging about their achievements instead of concentrating on the problem? Chances are they ain’t that great.

Once you find that person? Don’t just hear them. Listen to them.

SCARS Note:

Consumer Refund FraudConsumer Refund Fraud Refund Fraud is a US$27 BILLION Threat Not to be confused with Tax Refund Fraud Revenue loss due to refunds and product returns in retail natural. However, a shocking percentage of the refund requests will be cases of refund fraud. According to a report from Appriss Retail, total merchandise returns accounted for $309 billion in lost sales for retailers in the US alone in 2019. $41 billion of that total came from online returns specifically. It’s estimated that roughly 9% of total losses—$27 billion, to be exact—were the result of refund abuse. This is a 76% increase over the previous year. For every $10 in refund request you receive, roughly $1 will be a fraudulent request. is a US$27 BILLION Threat

Revenue loss due to refunds and product returns in retail natural. However, a shocking percentage of the refund requests will be cases of retail refund fraudConsumer Refund Fraud Refund Fraud is a US$27 BILLION Threat Not to be confused with Tax Refund Fraud Revenue loss due to refunds and product returns in retail natural. However, a shocking percentage of the refund requests will be cases of refund fraud. According to a report from Appriss Retail, total merchandise returns accounted for $309 billion in lost sales for retailers in the US alone in 2019. $41 billion of that total came from online returns specifically. It’s estimated that roughly 9% of total losses—$27 billion, to be exact—were the result of refund abuse. This is a 76% increase over the previous year. For every $10 in refund request you receive, roughly $1 will be a fraudulent request.. According to a report from Appriss Retail, total merchandise returns accounted for $309 billion in lost sales for retailers in the US alone in 2019. $41 billion of that total came from online returns specifically.

It’s estimated that roughly 9% of total losses—$27 billion, to be exact—were the result of refund abuse. This is a 76% increase over the previous year. For every $10 in refund request you receive, roughly $1 will be a fraudulent request.

Think about that! Refund fraud costs every consumer $1 out of every $10!

But is like most avoidance education about frauds and scamsScams A Scam is a confidence trick - a crime -  is an attempt to defraud a person or group after first gaining their trust through deception. Scams or confidence tricks exploit victims using their credulity, naïveté, compassion, vanity, irresponsibility, or greed and exploiting that. Researchers have defined confidence tricks as "a distinctive species of fraudulent conduct ... intending to further voluntary exchanges that are not mutually beneficial", as they "benefit con operators ('con men' - criminals) at the expense of their victims (the 'marks')". A scam is a crime even if no money was lost.. Who’s listening?