Artificial Intelligence needs a police blotter. Wait, it already has one!


Bob Sullivan

In our world of black and white, it’s difficult to be a tech skeptic without being labeled a Luddite.  The Holy Grail is progress, so the thinking goes, and any pesky question-asking threatens to stifle innovation.  Do you want us to lose to the Chinese!?!?

It’s ok, I’ve been doing this a long time.  Not so long ago, my nickname among CNBC bookers was “Big Data Hater.”  You remember the age of Big Data, don’t you?  If you don’t, it was yet another marketing moniker that took over the tech world for a few years, stoking stock valuations everywhere it went. A mini dot-com boom, if you will.  Big Data, unfortunately, often became synonymous with Bad Data, which always gives bad results, no matter how much data you shove into the GIGO machine. Today, we call these Large Language Models, which sound much more sophisticated, but suffer equally from the same garbage problem.


This is part 2 of a three-part miniseries on Artificial Intelligence.
Read part 1: Disarm AI, yes, but the Pope was just getting started 


Back then, I would protest with a glint in my eye — how can someone hate data? That’s like hating atoms! Some of my best friends are data!

I don’t hate data. Or tech.  What I hate is thoughtless “progress” without discernment about side effects and collateral damage. And I really hate when the progress … is promised, down the road — soon! — while the roadkill piles up today.  What’s the roadkill of this never-ending tech bubble cycle? Pension funds that are crushed when the bubble bursts. Workers who are laid off in the name of cost savings needed to offset investments.  Kids who end up with addiction machines in their pockets because there’s no other legitimate business model for social media. Adults who’ve sacrificed every shred of human privacy so they can be stalked by ads for items they purchased last week. And so on.

Yes, the consequences are real, and they are here — even if the innovations are…just around the corner.

I’m not arguing that AI isn’t real. Already, it’s freed an entire generation from writing trite, gibberish-laden emails back and forth at work.  AI can turn meetings that should have been an email into a summary of said email.  That could be real progress — but let me know when those meetings are actually canceled.

Can AI do a great job of writing a meeting summary for people who weren’t really paying attention anyway? Yes, absolutely. Can it pull out that one critical moment in the meeting which most attendees missed…which might very well be what was left unsaid?  Ha! (You’ll read about this in part three of this miniseries)

AI is great at writing code, getting rid of some of the grunt work of the digital age.  It helps people with blank page syndrome get a start on papers and presentations.  And it’ll do a fine job of summarizing large amounts of material for people in a hurry. A great application I read about recently involved practicing physicians who have scant time to read all the latest medical research. It can do these things today.

As for tomorrow — there seems good reason to believe AI will be great at finding needles in research haystacks, which could very well lead to amazing medical advances.  I will be the first to cheer on this work. I’m sure I’ll need it someday.

But tech titans have a decades-long pattern of racing forward with innovations, intermediate consequences be damned. Of doing things simply because we can, not because we should — in fact, not even asking if we should.  And, specific to my main work right now, of creating tools that are easy to abuse and darn near impossible to stop.

I am not a Luddite. I think tech does more good than bad. But I think in a playoff series, “good” wins in the 7th game, and probably in overtime.  It’s often a close call.  We can’t ignore the bad things that AI will do because it might slow progress a smidge. The best thing we can do is air every single one of these side effects and work to eliminate them. That’s how penetration testing has always been done. That’s the ethos of open source software. More than ever, we need to approach the coming age of AI that way.

That’s why I was so happy to learn recently about the Artificial Intelligence Incidents Database. It is what it sounds like — a list of mishaps caused by, or enabled by, AI.  I recently interviewed one of its leaders, Harvard fellow Sean McGregor, for The Perfect Scam, a podcast I host for AARP.  McGregor is the kind of plain-speaking genius we desperately need right now.  We talked for an episode about a family who was targeted by an AI-generated photo of the family dog depicting him on an operating table, riddled with injuries from a car accident. (That was incident 1,478 in the incident database). Naturally, our conversation covered far more.

McGregor made this point: Early on, the database was full of (funny?) incidents about AI failing to work properly. But increasingly, the database is loading up on tales of fraud committed by criminals using AI.  That might be the bigger problem, he suggests — the so-called dual use problem — as AI gets better at what it does, it gets better for the bad guys.  I left our chat thinking my sarcasm about AI’s clumsy failures might very well be misplaced.

Whatever you do, don’t call someone a Luddite because they’re worried about the future. We do get to decide what kind of future we want; we don’t have to just accept what Elon Musk gives us. In fact, I’d argue, that’s a poor choice.

Tristan Harris from the Center for Humane Technology appeared on CNN this week and made a very sharp point about incentives.  In the end, AI is going to become whatever the incentives nudge it to become. Right now, the only incentive on the table is shareholder value. That means AI will principally be used to eliminate labor costs.  The End.  But we have the chance to design other incentives right now. To reduce human suffering. To build more housing.  To make mass transit far more efficient. Heck, to enable human happiness.  Whoever told you that our society’s only goal is profit sold you a very shallow future. We can, we must, do better. An honest, real-time look at AI’s failings is going to be a big part of that.

2026 Cost of Insider Risks: Global

Ponemon Institute is pleased to present the findings of the 2026 Cost of Insider Risks: Global study. Sponsored by DTEX, this is the seventh benchmark study conducted to understand the financial consequences of insider threats caused by careless or negligent employees or contractors, criminals or malicious insiders or credential thieves.

As revealed in this research, organizations face increasing costs to respond to insider security incidents. Since the 2018 study, the number of organizations represented in the research has more than doubled from 156 to 354 in 2025 and the average number of incidents discovered and analyzed in this research increased from 3,269 to 7,490 in 2025. The average time to contain the incident decreased significantly in 2025 to 67 days from 81 days in 2024. However, only 13 percent of incidents were contained in less than 30 days.

This cost study is unique in addressing the core systems and business process-related activities that drive a range of expenditures associated with a company’s response to insider negligence and criminal behaviors. In this research, we define an insider-related incident as one that results in the diminishment of a company’s core data, networks or enterprise systems. It also includes attacks perpetrated by external actors who steal the credentials of legitimate employees/users (i.e., imposter risk).

The first study was conducted in 2016 and focused exclusively on companies in North America. Since then, the research has been expanded to include organizations in EMEA and Asia-Pacific with a global headcount of less than 500 to more than 75,000. In this year’s study, we interviewed 8,750 IT and IT security practitioners in 354 organizations that experienced one or more material events caused by an insider.

The most prevalent insider security incident continues to be caused by careless or negligent employees.

According to the findings, 53 percent of incidents experienced by organizations represented in this research were due to employee negligence and the average annual cost to remediate these incidents was $10.3 million. Not as frequent are incidents involving criminal or malicious insiders (27 percent of incidents) and credential theft (20 percent of incidents). The average cost per malicious or criminal incidents is $4.7 million and the average cost for credential theft is $4.5 million.

As shown in this research, the cost of insider risk varies significantly based on the type of incident. The activities that drive costs are monitoring & surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.

The following are the most salient findings from this research.  

  • The negligent insider is the root cause of most incidents. The average number of negligent insider incidents is 13.8 in this year’s study and the average cost for each incident is $747,107. There are a variety of reasons employees can put their organizations at risk. These include not ensuring their devices are secured, not following the organization’s policies for safeguarding sensitive and confidential information and forgetting to patch and upgrade to the latest version.

  • Malicious insiders accounted for an average of 6.3 incidents, with an average cost per incident of $742,125.  In the context of this research, malicious insiders are employees or authorized individuals who use their data access for harmful, unethical or illegal activities. Because of their potentially wider access to an organization’s sensitive and confidential data, malicious insiders are harder to detect than incidents caused by external attackers or hackers.

  • Credential theft incidents average $842,462 per incident, an increase from $779,707 in 2024, and continue to be the costliest. The average number of credential theft incidents increased from 4.8 in 2024 to 5.3 in 2025. The intent of the credential thief is to steal users’ credentials that will grant them access to critical data and information. These attackers commonly use phishing.

  • Insider security incidents in 2025 cost more and their frequency is increasing.  According to the 2024 research, 57 percent of companies experienced between 21 and more than 40 incidents per year. This year, 68 percent of organizations had between 21 and more than 40 incidents.

The research analyzed the impact security technologies and activities can have on reducing costs. Privileged access management (PAM) can save an average of $6.1 million and user behavior analytics (UBA) saves $5.1 million.

Technology and disruption or downtime are the most significant financial consequences when dealing with insider incidents. The research presents the average percentage of insider cost for careless or negligent employees, criminal insiders and credential theft according to the following seven consequences: Disruption cost (downtime), direct & indirect labor, technology, cash outlays, process/workflow changes, revenue losses and overhead.

The cost incurred by technologies (30 percent of the average cost of financial consequences) covers the technologies used to respond to the insider incident, including the amortized value and licensing of the software and hardware that are deployed. Business disruption (19 percent of the average cost of financial consequences) includes diminished employee/user productivity.

Companies spend the most on containment of the insider security incident. An average of $247,587 is spent to contain the consequences of an insider incident. The least amount of average cost is for escalation $39,728. The faster containment occurs, the lower the cost. If it takes more than 90 days, the average cost is $21.9 million. If it takes less than 30 days, the average cost is $14.2 million.

North American companies are spending more than the average annualized cost of $19.5 million on activities that deal with insider threats. Companies in North America experienced the highest average total cost at $24 million. European companies had the next highest cost at $18.6 million.

Health and pharma have the highest average activity costs. The average activity cost for health and pharma is $28.8 million. Technology and software are the next highest at $24.2 million.

  • Organizational size affects the cost. The cost of incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $28.4 million over the past year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller-sized organizations with a headcount below 500 spent an average of $8.9 million.

Five signs that your organization is at risk

  • Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
  • Employees are unaware of the steps they should take at all times to ensure that the devices they use—both company issued and BYOD—are secured at all times.
  • Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
  • Employees break your organization’s security policies to simplify tasks.
  • Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions at all times.

To read the full findings of this report, visit DTEX’s website.

Criminals impersonate doctor with deepfake ads, sell supplements. Could you tell?

Bob Sullivan

Dr. Maurice Sholas has a beautiful, challenging calling — he cares for very sick children.  He takes on the saddest of cases, and works with families so kids with spina bifida or traumatic injuries can still “win” at life. For some, that means gaining the ability to visit the bathroom independently.

But lately, Sholas has been put in a no-win situation by artificial intelligence.  His likeness was used to create a deepfake video hawking supplements — specifically targeting Black consumers.  Try as he might, he still hasn’t been able to remove all the various videos that have landed on places like TikTok and Twitter.

So instead of caring for very sick children, the Harvard-educated New Orleans doctor now spends time fighting AI and learning about intellectual property law.

“What’s frustrating is that it costs money, time, effort, and relationships to protect something that should be intrinsically mine, ” he told me during our interview for The Perfect Scam podcast I host for AARP.

There’s been a lot of talk about the problem of Deepfake videos and politics — how activists might change an election by, quite literally, putting words into a leader’s mouth. I believe consumers have become relatively sophisticated at spotting the more outlandish fakes — President Trump wearing Pope garments, for example.  On the other hand, fake ads — especially those involving less popular figures — can be harder to discern. And they might ultimately cause more damage.

Sholas told me he knows of at least one person who bought the supplements based on the fake videos. After telling his story on local television, a victim reached out.

Sholas is not identified in the video; his appearance is altered slightly, and a fake voice is dubbed onto it. But his lab coat nametag is visible.

There is very little a victim can do to get fake content removed from the Internet.  Sholas first reached out to the account that posted the videos, which ultimately blocked him. The very tool used to abuse his identity was now being used to prevent him from defending himself. Initially, he says, social media companies ignored his complaints.  Later, after the local story aired, some services took action, but by then, copies of the video had spread across multiple services.  He consulted a lawyer and was redirected to a PR company.

“They said the best thing you could do is hire a PR firm basically to go out there and do a sweep of the internet and push positive content to counteract whatever misinformation is there,” he said. That kind of search engine optimization could cost up to $20,000, he was told. Instead, he has taken to posting a series of self-made content.

“When someone borrows, to use a kind word, or steals, to use a real word, it puts me at risk, it puts my medical license at risk, and it puts my livelihood at risk. And to protect all of that, there’s nothing I can do as a small guy but spend more money,” he said.

Fake video is far more pervasive on social media than most people realize, says Frank McKenna, chief fraud strategist of a company called Point Predictive. He’s also the author of the popular Frank on Fraud newsletter.

“I see these all over TikTok, all over Instagram, all over Facebook. They’re inundating people’s news feeds; the social media platforms I don’t think are doing enough to kind of control the problem,” he told me.

Dr. Maurice Sholas shows a reporter the deepfake videos he found. (WLTV.com)

NBC’s Al Roker was actually the victim of a similar deepfake attack about a year ago. You can watch his interview about it at this link.

“I think people probably don’t realize how many deep fakes they’re seeing as they scroll through social media. From my experience, it’s at least half the videos that you’re seeing ….there’s some element of AI generation in those videos. And that’s only going to get worse,” he said. “The case will be that most of the content you’re looking at online is AI-assisted in some way …  So people are going to have to get accustomed to the fact that they’re going to have to question pretty much everything. … These other celebrity deep fakes, I think, are going to surprise a lot of people, because they’re becoming more and more common.”

How hard is it to make fake videos like the ones that use Sholas’ likeness? Not hard at all, McKenna says.

“Using information off of YouTube videos, Instagram videos, or Facebook videos that you post, the criminals and scammers can take that content and put those into AI generating videos, and make you say anything that they want,” he said. “So just a few seconds of video can create these…they call them AI avatars, and they can basically make you sell vitamins or make you sell crypto investments and things like that. So it’s not hard at all, anybody can do it and a lot of scammers are.”

And, perhaps the most alarming part of this dark new trend — consumers are over-confident in their ability to spot fakes.

“The thing about AI deep fakes is 60 percent of the population thinks they can spot them, but in reality, I think a study … found that only .1% of people can actually identify those deep fakes,” he said.

Minimizing Security Risks through Effective Cyber Asset and Exposure Management

The purpose of this research is to gain insight into how organizations manage their cyber assets and exposures across the global attack surface through continuous discovery, prioritization and timely remediation.  Ponemon Institute surveyed 617 IT and IT security practitioners in the United States who are involved in managing and addressing the attack surface across the IT footprint and are familiar with their organizations’ approach to measuring and addressing cybersecurity risk.

Discovering and tracking cyber assets involves using specialized tools to automatically find, catalog, and monitor all devices (on-prem, cloud, remote) in the IT environment, creating a real-time inventory to manage vulnerabilities, ensure compliance, and defend against threats, often using scanning, API integrations, and traffic analysis to map the complete digital footprint.

The primary systems used to discover and track cyber assets are cloud providers (49 percent of respondents) and Configuration Management Databases (CMDB) or IT Asset Management Platforms (ITAM) (44 percent of respondents). A CMDB is a specialized database used to store information about an organization’s IT assets, their attributes and their relationships. An ITAM platform is used to manage an organization’s technology hardware and software throughout their lifecycle.

Not used as frequently are vulnerability scanners (28 percent of respondents). Vulnerability scanner tools automatically find security weaknesses in networks, applications and systems by comparing configurations/software against vulnerability databases.

Recommendations from the research to improve cyber asset and exposure management practices

 Consolidation of assets and sensitive data improves the visibility into asset and sensitive data disclosed or left unprotected. Forty-five percent of respondents say their organization consolidates into a single view asset and sensitive data disclosed or left unprotected and accessible to unauthorized individuals or systems.

A unified cybersecurity platform offers benefits like centralized visibility, faster threat detection and response, reduced complexity, lower costs, and simplified compliance by integrating diverse security tools into a single system, providing a holistic view, automating tasks, and streamlining management, leading to a better security posture and operational efficiency.

The inability to identify missing assets requiring security controls is a risk with potentially serious consequences.  Not identifying missing assets can cause financial loss, legal penalties, operational disruption, and data breaches. Unidentified assets can be stolen, misused or lost, leading to compliance failures and reputational damage. Proactive tracking, robust documentation, and strict protocols are crucial to prevent these consequences. Less than half of respondents (46 percent) identify assets that are missing and require security controls.

More frequent updates of asset inventories and discoveries of inconsistencies are needed to minimize security risks. Only 30 percent of respondents say asset inventories or CMDBs are updated or reconciled daily (13 percent) or monthly (17 percent), and 37 percent say the frequency of finding inconsistencies in asset and sensitive data exposed due to duplicate records, conflicting names and values is daily (17 percent) or monthly (20 percent). As a result of not regularly updating their inventories or finding inconsistencies, less than half of respondents (48 percent) are very or highly confident that their organization has a comprehensive, up-to-date list of all its hardware, software and data assets.

The lack of effectiveness in prioritizing risks makes remediation of security exposures or data misconfigurations difficult. Respondents were asked to identify the single biggest challenge in remediating security exposures or data misconfigurations. Twenty-six percent of respondents say risk prioritization is unclear and 24 percent of respondents say there is no clear ownership of the issue.

Contextual data in risk prioritization enriches basic threat severity scores (like CVSS) with an organization’s unique environment, business impact, and threat intelligence to focus on the most critical risks. It provides actionable insights by layering details like asset criticality (e.g., PII data), network exposure (internal/external), and exploitability to identify the most urgent vulnerabilities for remediation. This approach prevents security teams from being overwhelmed by data by applying business logic to identify high-impact threats, ensuring resources are spent effectively on what matters most to the business. Only 23 percent of respondents say contextual data is always used and 26 percent of respondents say it is used frequently.

Continuous Threat Exposure Management (CTEM) is a proactive cybersecurity approach that combines vulnerability management, attack surface management and validation to identify, prioritize and fix security risks. Respondents were asked to rate the alignment between the CTEM framework and asset and exposure management practices on a scale from 1 = not aligned to 10 = completely aligned. Fifty-two percent of respondents say alignment with CTEM is very or completely aligned (7+ on the 10-point scale).

One of the greatest constraints to SecOps’ ability to manage cyber assets and security exposures is complexity in the IT infrastructure. Sixty percent of respondents say reducing investments in security tools and the complexity of their organizations’ IT security infrastructure is very or highly important.

Only 28 percent of respondents say their organization has a formal SLA for all highly critical or critical vulnerabilities and 27 percent of respondents say there are no formal remediation timelines or SLAs. Vulnerability Remediation SLAs (Service Level Agreements) are defined timelines for fixing security flaws. These agreements set expectations, prioritize efforts, and improve collaboration between security and IT teams to reduce risk efficiently.
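The two findings above (contextual risk prioritization that enriches CVSS with asset criticality, exposure and exploitability, and formal remediation SLAs) are easier to see in code. The following is an added example written for this summary; it is not code from the Ponemon or Axonius report and the weights, tier thresholds, SLA windows, asset names and CVE identifiers are all constructed assumptions chosen for illustration. It scores a small constructed set of findings with and without context, derives an SLA due date per finding, and flags the overdue ones; note how the isolated lab host with the highest raw CVSS score drops to the bottom once context is applied.

```python
"""Contextual vulnerability prioritization with remediation SLAs (added example).

Assumptions (not from the report): the context multipliers, tier thresholds,
SLA windows and the sample findings below are illustrative values only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA windows in days per priority tier (illustrative).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed context multipliers (illustrative).
CRITICALITY_WEIGHT = {"crown_jewel": 1.5, "business": 1.2, "standard": 1.0, "lab": 0.7}
EXPOSURE_WEIGHT = {"internet": 1.4, "partner": 1.2, "internal": 1.0, "isolated": 0.6}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str              # placeholder identifiers in the sample data
    cvss_base: float      # CVSS base score, 0.0 to 10.0
    criticality: str      # key of CRITICALITY_WEIGHT
    exposure: str         # key of EXPOSURE_WEIGHT
    exploited_in_wild: bool
    handles_pii: bool
    first_seen: date      # when the finding entered the inventory


def contextual_score(f: Finding) -> float:
    """Enrich the CVSS base score with asset context; clamp to [0, 10]."""
    score = f.cvss_base * CRITICALITY_WEIGHT[f.criticality] * EXPOSURE_WEIGHT[f.exposure]
    if f.exploited_in_wild:
        score += 2.0      # known exploitation outranks theoretical severity
    if f.handles_pii:
        score += 1.0      # regulatory and business impact of the data held
    return round(min(score, 10.0), 2)


def tier(score: float) -> str:
    """Map a contextual score to an SLA tier (assumed thresholds)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def sla_due(f: Finding) -> date:
    """Remediation deadline: first seen plus the tier's SLA window."""
    return f.first_seen + timedelta(days=SLA_DAYS[tier(contextual_score(f))])


def prioritize(findings, today: date):
    """Sort findings by contextual score (then earliest due date) and flag SLA breaches.

    A finding due today is still within its SLA; only past-due findings are overdue.
    """
    rows = []
    for f in findings:
        score = contextual_score(f)
        due = sla_due(f)
        rows.append({"asset": f.asset, "cve": f.cve, "cvss": f.cvss_base,
                     "score": score, "tier": tier(score), "due": due,
                     "overdue": today > due})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


def cvss_only_order(findings):
    """Asset order using the raw CVSS base score alone, for comparison."""
    return [f.asset for f in sorted(findings, key=lambda f: -f.cvss_base)]


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("lab-host", "CVE-PLACEHOLDER-1", 9.8, "lab", "isolated", False, False, date(2025, 12, 1)),
    Finding("web-portal", "CVE-PLACEHOLDER-2", 7.5, "crown_jewel", "internet", True, True, date(2026, 2, 10)),
    Finding("hr-app", "CVE-PLACEHOLDER-3", 6.5, "business", "internal", False, True, date(2026, 2, 15)),
    Finding("vendor-gw", "CVE-PLACEHOLDER-4", 5.0, "standard", "partner", True, False, date(2026, 1, 20)),
]

if __name__ == "__main__":
    today = date(2026, 3, 1)
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
    for r in prioritize(SAMPLE_FINDINGS, today):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f'{r["asset"]:<11} cvss={r["cvss"]:<4} score={r["score"]:<5} '
              f'{r["tier"]:<8} due={r["due"]} {flag}')
```

Run as a script, the CVSS-only ordering lists lab-host first, while the contextual ordering puts the internet-facing, actively exploited web-portal at the top and shows it and vendor-gw already past their SLA windows. The due-today case (lab-host) is deliberately left inside the SLA, since an SLA breach should only be raised once the deadline has passed.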

Part 2. Key findings

In this section, a deeper dive into the research is presented. The complete findings are shown in the Appendix. The report is organized according to the following topics.

  • Discovering and tracking cybersecurity assets and exposures
  • Prioritization of security exposures is a challenge
  • Organizations’ approach to security exposure remediation practices
  • Cyber asset and exposure management practices

Discovering and tracking cybersecurity assets and exposures

Consolidation of assets and sensitive data improves the visibility into asset and sensitive data disclosed or left unprotected. Forty-five percent of respondents say their organization consolidates into a single view asset and sensitive data disclosed or left unprotected and accessible to unauthorized individuals or systems.

A unified cybersecurity platform offers benefits like centralized visibility, faster threat detection and response, reduced complexity, lower costs, and simplified compliance by integrating diverse security tools into a single system, providing a holistic view, automating tasks, and streamlining management, leading to better security posture and operational efficiency.

Some 63 percent of these respondents say they have a unified platform that aggregates data from all sources. Fifty-eight percent of respondents use an internal script or a database/data lake that combines data from different tools.

To read the rest of these key findings and download the entire study, visit The Axonius website. 

What’s an amygdala hijack? And why is crafting a great cybersecurity tool?

Bob Sullivan

The most dangerous hack is a brain hack.  And criminals are getting very, very good at that.  Meanwhile, I fear, the rest of us have spent precious little time learning to defend against brain hacks.  Hopefully today’s piece will help a little. Today I’m going to discuss an important way to think about brain hacks — the amygdala hijack. And crucially, I speak with an expert who offers practical ways to calm your amygdala.  Who knew crafting could be a fraud-fighting, cybersecurity tool?

Our brains were designed thousands of years ago, in large part to help us run away from large predators.  Human brains haven’t really caught up to the digital age, and that fight or flight instinct is exploited by criminals constantly.  There’s a warrant out for your arrest; there’s child porn on your computer; wire $2 million or you will be fired…and so on.

The key for criminals is to knock us off our game, separate us from our rational selves and shove us into our reactive selves — then tell us the only way to avoid the dinosaur chasing us is to buy a bunch of gift cards or shove money into a crypto ATM. You can tell people not to do these things in a classroom or an email a zillion times — those consumers will nod their head and maybe even remember those words in the rational part of their brains.  But it won’t do a lick of good when criminals cook up just the right story at just the right time — grandma, I’m in jail! — and instinct takes over.

That’s an amygdala hijack, and it can happen to anyone.

Every time you hear the story of a terrible Internet crime and say “How could they fall for THAT? How could anyone in their right mind…”  you are feeding the problem.  You are an unwitting accomplice to these crimes.  All this quiet superiority keeps us in the situation we find ourselves in. The implicit “they should know better” keeps us from investing in training and tools that counteract these very human attacks.

It’s all part of the trap we are falling into right now; we’re playing into the hands of organized cybercrime, and it shows. Fraud is skyrocketing at extraordinary levels, by any measure.  Our grand tech tools are being used against us to feed crime gangs, foreign governments, and yes, terrorism.  These crimes pay for North Korean missiles, for heck’s sake. We are counting on the most vulnerable people in our population to form the front line in this war we’re losing. Worse yet, these foot soldiers are fighting criminals armed with billions of dollars of research and even more valuable tech tools, and they have to “win” 100% of the time.  We need a new strategy.

A big part of this will be understanding how brains work, and planning around that reality. To that end, I was thrilled to interview Austin Cusak recently. He’s an expert in behavioral science and a trainer at the FDIC.  I’ve seen him give talks on amygdala hijacking before, so I was eager to interview him about that. You can listen to our chat at The Perfect Scam podcast — and I hope you will — but if podcasts aren’t your thing, here’s a transcript of our chat.  This episode also includes an interview with a repeat romance scam victim, so we have an example to discuss.  My chat with Austin begins at about 32 minutes. Don’t miss his amygdala calming techniques at the end.



————-PARTIAL TRANSCRIPT——————

[00:32:07] Bob: We are in a different world, yes, but it’s a world we need to understand. We all have questions about how someone we know might become a victim of an ongoing long-term crime like this, how a person’s heart and mind can be well hijacked. And here to help us understand that much better is Austin Cusak. He’s Assistant Professor of Leadership Development at the FDIC. He’s an expert in behavioral science.

[00:32:35] Austin Cusak: A lot of us don’t realize that our brain right now is in the exact same configuration as it’s been for the last 35,000 years. And so our brain is very worried about snakes in tall grass, about sabretooth cats. It’s very worried about attacks from other tribes. So the brain is going to do whatever it can to be a good member of its tribe. So we are very tribal in that category. So the current configuration of our brain is not wired for social media, it is not wired for fraud from the inside. So that’s the first thing that happens to Anola: the criminal is convincing her that they are part of her group, part of her tribe, a safe person first.

[00:33:29] Bob: Once on the inside, once a criminal gets a victim to feel like a member of the same team, the same tribe, then the criminal can get to work turning off the victim’s rational side.

[00:33:41] Austin Cusak: The easiest way to kind of explain why this is happening is, so Daniel Kahneman got a Nobel Prize for his work on why the brain does what it does, over 20 years of research, and he boils it down to these two types of thinking. And so I’m going to share this as just like a simplistic way for us to understand a lot of these complex things. You are either doing fast thinking, or you are doing slow thinking. Neither is bad, it’s just that your brain is going to receive input and when it’s receiving input, it’s going to say, okay, am I in danger? And if you are in danger, or perceive some type of danger, it goes right to the amygdala and it says, fast thinking, I’m going to use the emotional reactions that I know. I’m going to poke through really quick this limbic region which stores our memories. Do I associate this with something bad? Yes. I run or I fight. And then there’s the slow thinking which is what we want to have engaged which is, there’s no immediate threat. I can now take my time, go out to the prefrontal cortex, think about associations, what kind of long-term planning do I associate with this? What kind of risk assessment might there be with this? So the brain’s going to go one or two ways. And so the criminal’s goal is to prevent Anola at every stage from having this slow, rational logical thinking.

[00:35:15] Bob: So criminals want to talk past the thinking part of your brain and talk right to the instinctual part.

[00:35:22] Austin Cusak: Okay, so amygdala hacking by the way that Goldman described it, is this immediately overwhelming emotional response that our brain is perceiving as a threat that is going to trigger the fight or flight and bypass our brain’s logic mechanisms. So it is, in fact, fast thinking. It’s Kahneman’s fast thinking. That is the hijack. I personally in my experiences, I expand the amygdala hijack to not just that overwhelming emotional response, but also the hijack of the slow, insidious relationship-building, trust-building, love-bombing. It is any actions that the criminal is taking to force the victim into fast, emotional thinking all the time. It is, that is the hijack. The hijack is I only want information being received through my eyes, my ears, my skin. All that information straight to the amygdala, emotional responses. That’s the hijack. That’s why we can’t see the red flags, that’s why we ignore things. That’s why the brain says, something’s fishy, but it would be too painful for me to actually explore that road. Too painful. I’m going to avoid the pain; my emotions feel this. And part of the amygdala hijack is creating lots of cognitive dissonance, which for a criminal is a very good thing. The criminal wants to create cognitive dissonance where there are these two competing thoughts in the victim’s brain because then they can provide the answer. They can have the emotions tied to that. That’s the hijack.

[00:37:19] Bob: And when our brains are hijacked, criminals can really get down to the business of grooming and financial manipulation. It is so hard after the fact to talk about some of these stories, to compress 18-months of manipulation into a few minutes of a podcast. Even the language we’re using is rational, and we’re talking about irrational things. It’s really important to understand that all of us, under the right circumstances, say and do things based on purely emotional or instinctual responses.

[00:37:51] Austin Cusak: I tried to talk with even some of my neighbors about this and her story, and I was very disappointed in their responses to it. Well she should have known better. So it really does, like we, we tend to very quickly move into that victim attribution or the attribution bias, like we should all know better. Now that scam and how that went down, it was kind of the same playbook that they used, is that they saw the opportunity, it wasn’t an immediate, I’m going to ask for money, it was a slow, them impersonating someone. They did the same thing. But she was very–, she was wary, she didn’t send them money, but the tactics didn’t change that they, the brain still needs that stability. The brain still hopes that it’s going to happen someday. So when I heard the second story, like on first blush you hear that it happened to her a second time, and the first thing that we think of is, she should have known better. It’s that attribution bias. But then when you hear her explanation of it, and how that started to go down, and how they did it, you’re like, wow these, these people and whoever is creating these textbooks that they’re following, they’re very good. Like they are very good at what they’re doing, and think of it kind of like a car salesman, and I don’t mean to demean car salesmen, but there was, there was a time where I had a friend that was going to get a car, and they were like, ah, I’m going to win this negotiation. I’m going to talk them down, and in my head, I was like, wait a second. So you’re not a negotiator, you don’t have experience doing negotiations, and you’re going to go up against someone that does this all day, every day, and you think that you’re going to like conquer them? This is you against them. This is their job. This is the full-time thing that they do day in and day out every year making small tweaks, making minor things. That’s what these criminals do.
They are masters at manipulating, they are honing their craft, they are making little tweaks here and there, so when she is reaching out, right, so this is, the brain needs closure. So that’s part of it is that she has this terrible thing happen to her, and our brains are wired to seek closure.

[00:40:13] Bob: While it might be hard to understand why Anola suffered a second romance scam, in some ways the first time set her up for the second. Remember she reached out in an attempt to warn a person she thought was a victim too. The man’s image was being used as a lure by criminals.

[00:40:29] Austin Cusak: That second criminal is looking at this as, she’s already in this very heightened emotional state. It is very easy for me to now trigger her fast thinking once again by pretending to be the person that she really hopes me to be, because she’s trying to do the right thing and I can take advantage of that.

[00:40:53] Bob: So in some ways, the fact that she was already a victim made her more likely to be a victim again?

[00:41:00] Austin Cusak: I don’t know if that’s every case. I’m sure that there is probably some research that has been done on that. I would say from my understanding of just behavioral science in general, yes, absolutely. Especially if she’s been in that state of fast thinking for a very long time, she does not yet have closure, she has not yet processed everything that has happened for her. The brain is going to reach and stretch, and want to have, ’cause she would still be in the state of cognitive dissonance, I’m assuming, in that moment; where I’ve got these two competing ideas, I need an answer. And that gives the criminal a very good opportunity to start to control that narrative, provide those answers, lead that person where they want it to be.

[00:41:51] Bob: And there is another powerful tool criminals use, they’re very good at appearing to have very intimate conversations.

[00:41:59] Austin Cusak: We’re looking at criminals that are very masterful at using cognitive empathy. They’re not feeling these emotions, but there is a thing called the dark impact where you can use empathy to very much manipulate other people. I would say that a lot of the tactics of dark empathy is exactly what the cult leaders are using to manipulate, to keep manipulation, and they get very good at it.

[00:42:25] Bob: Dark empathy is a new term to me.

[00:42:27] Austin Cusak: The dark empathy?

[00:42:28] Bob: Yeah.

[00:42:29] Austin Cusak: There, there’s quite a bit of research on it that you can kind of dig in in the leadership realm, and this is why I mentioned this because it’s going back to leadership development. When we are trying to develop leaders, sometimes, and this does not happen very often, but sometimes we do come across someone who is a textbook narcissist. And I don’t mean that in kind of the, ah, they’re narcissistic. I mean that they would top off if they took an assessment for narcissism. They are drawn to tactics of leadership, because at its core, a tactic of leadership is to positively influence others towards a common goal. I can remove that positively and just influence others towards a common goal. And so the people that want to manipulate, the people who want power, find that by studying leadership, by studying how to use cognitive empathy, by studying active listening, they study those same tactics which they can then use to move upward. They can then use to shift others’ behaviors. And that’s essentially what she ran up against.

[00:43:35] Bob: Meanwhile, the victims are in the throes of a crime and what feels like a very real romance. The end is an incredibly painful moment, so is telling people about what happened. Criminals use that to their advantage too.

[00:43:50] Austin Cusak: And so just like with a lot of people not reporting these things, or not talking about these things, is because we fear that we will experience more pain of rejection, pain of betrayal if we openly talked about these types of things with people. So we avoid that pain, and that is a normal thing, it’s just kind of a crappy thing, especially in regards to this. The criminals know this. They know that we are going to avoid those feelings of embarrassment because our, again, 35,000-year-old brain says, if I show myself to be a weak link, if I show myself to be someone who can’t be trusted by this group, I might get kicked out of the tribe, then I’m dead. So this is a survival tactic that the brain is going to constantly push is I must hide these things because this could lead to a problem with the tribe, but also, I’m going to avoid this because I know that this will experience, like I will feel pain if I go down this road. And so as we start to kind of approach that pathway, like that physical pathway, the brain’s like, nope, nope, I’ll do it another day.

[00:45:07] Bob: I don’t think we talk enough about the avoid, pain avoidance element to this, because it is very painful that moment when you realize, my money’s gone forever. That’s a very painful recognition.

[00:45:17] Austin Cusak: I think the threat of betrayal of the whole thing not being real. As a personal thing, I actually had a conversation with someone very close to me who was in a religion, and some stuff came out about the religion that kind of debunked some of the founding tenets of the religion, and they stayed in it. And I was asking them, why? Why stay in it? And it was understandable and it was very hard for me to listen to them because they’re much older, and they said, my entire life I believed this. My entire life. It’s part of my identity, it’s my community. If you took this away from me, it would break me.

[00:46:03] Bob: Austin really wanted to drive home a point about these powerful tactics that criminals use. Some of them are used in traditional persuasion. He already mentioned sales tactics, but you might find some of these ideas in leadership training or management training which is part of Austin’s job at FDIC.

[00:46:21] Austin Cusak: I may be a very unpopular person for saying this, Bob, but a lot of the leadership tactics that we use is exactly what the criminals use. They use the same tactics but they use it for nefarious purposes. But influencing people, the tactics, the way the brain works, it’s the same. And so in, in some cases it is us saying, these are the things that we’re going to practice so that you can positively influence. And at the same time it is you need to be aware that these people are doing these things to you so that you can actually counter them, so that you can stop them, so that you can be on the lookout for. So in that world of leadership development, there is a surprising amount of crossover in terms of both helping people and manipulating and avoiding manipulation.

[00:47:14] Bob: So there are light and dark ways to use behavioral science, right?

[00:47:18] Austin Cusak: Cialdini has his book “Influence” and his book “Pre-Suasion,” and I’m going to throw out the disclaimer that things that I say are not representative of my agency. These are my own opinions, but I do want to point out that Cialdini has done a lot of great research on this subject, specifically on influence. And he even calls it out in his books about like the tactic is the same. You can use this. It is the knife that you can use to carve something beautiful or stab someone in the back, but the brain’s going to receive it the same way.

[00:47:53] Bob: It did strike me talking with Anola that the criminals did more than just appeal to her emotions, however. Remember, they showed her an account that allegedly had $4 million in it, so they were working to counter any skepticism she might have had.

[00:48:08] Bob: So it seems to me like they, they know how to play in the rational brain space as well.

[00:48:14] Austin Cusak: Yes, so, so that is, that is part of the ethos, pathos, and logos that has been used on us since Aristotle perfected by Plato, so we’re talking what 300 and like 48 BC that we had these three compelling means of persuasion. 3–, 347BC where it is essentially what is going to be the most compelling for you? Am I going to make an appeal to character, lead with an appeal to emotion and then follow it with just enough logic to make it plausible. Those three things, ethos, pathos, and logos, is the core of marketing, like all marketing is based on that. You see a car commercial and it is a basketball player who’s famous driving the car. That’s an appeal to character. So the use of logic, the use of data to reinforce is very compelling. But that is the answer to the cognitive bias. If it’s plausible enough, if it’s data and it’s plausible enough, or if they say, look, I have these bank accounts, why would I need your money? It’s plausible enough to answer and remove the cognitive bias. And that is the insidiousness of this entire thing is that I put like, I, the criminal, am putting my victim into fast thinking. They’re making emotional decisions. The second that they start to have this, and I can feel them starting to pull away, I reinforce it with lots of love, lots of dopamine. When they start to question it, I give just enough data, just enough of a logical response to, to basically shift away from these two competing ideas so they can only hold onto this one idea. I use time pressure, I use empathy, I, right, like I reinforce these things. And then, this is the thing that is really just err, is that they just inspire the shared vision, and then they reinforce it with this is our future together. This is the compelling image. This is the dream of what’s possible with us if this happens. This is the long-term interest. You are the only one that can do this. And they paint this big, shared aspiration.

[00:50:39] Bob: Feeling like you’re on the same team with that shared vision is also a behavioral trick that well-trained criminals employ.

[00:50:47] Austin Cusak: And so when you’re in alignment with each other, the principle of this is a psychological principle called homophily. And homophily is this idea that we really gravitate towards people who like the same things we like, who we perceive are part of the same group. So a great example of this, I play a lot of Dungeons and Dragons, I’ve been playing Dungeons and Dragons since I was 8 during the Satanic panic, where we had to hide it from my mom when me and my two older brothers did this. So if I meet somebody and they also play D&D, I instantly like them. They could be a terrible human being, but I’m now giving them the benefit of the doubt because they love a thing that I love, so therefore, they can’t be that bad. And that is that concept of homophily. So Pedro did that very well. And also, what the scammers did, and like she said, I am suspicious, right. So the cognitive processes are happening, he didn’t back out at that moment, he kept going. Even multiple times when in that relationship when she called him out on things, he weathered those storms. He talked her down. He convinced her otherwise. He got outraged. He threatened to walk. And that is really hard for a couple of reasons. One is because we crave that dopamine, we crave that oxytocin, and the threat of that being yanked away very suddenly, that’s going to hurt. And the brain is going to avoid pain. And this is one of the things that we don’t necessarily recognize, is that our brain is going to process physical and mental pain the same way in the exact same area. And it wants to avoid it. So that mental pain must be avoided. The brain says, can’t have this, don’t want this.

[00:52:45] Bob: Okay, so under all this knowledge of how our brains work, and sometimes work against our own interests, what can we do to better protect ourselves from an amygdala hijack? For starters, we could teach ourselves to be more understanding of victims. Austin has a lot of very practical advice for helping someone who you’re worried is under the influence of a criminal.

[00:53:08] Austin Cusak: When we suspect someone is ignoring these types of red flags, when they are stuck in that amygdala hijack, they are not in control of this. They have someone who is manipulating them and the self-acceptance that they are being manipulated is going to hurt. It is going to cause a lot of pain. So the first thing that we want to do with that person is to use our own cognitive empathy, because if we’ve not been through something similar, it can be very challenging to allow our emotions or even our compassion in. So cognitive empathy is, I’m going to listen, I’m going to get very curious, I’m going to try to ask questions, I’m not going to give judgment, and then this is probably the first thing that I would say. Approaching this as, I know someone that I suspect is being uh, is, is being manipulated by criminals. So this is that that’s the lens I’m looking at right now. That person needs to say, okay, before I give you any advice, I will always ask if now is a good time for me to share some advice or give you a thought. I always want to give that person the locus of control. It’s not that they’re not going to receive that information, it’s is now a good time? It’s, hey, I have a real concern that I need to talk to you about. Is now a good time for me to share that? That’s the first thing is you don’t let that person off the hook, you don’t say, oh, I’ve got some, I really want to share this. Is it okay for me to share it? Is now a good time for me to share it? Let them choose the time. We want them to have that control, ’cause oftentimes they know, they’re feeling that, and there’s that initial fear, the cortisol is spiking. The adrenaline starts to flow because the brain now feels, I’m in trouble, I’m in danger. So when we say, is now a good time for me to share some thoughts or give you some advice… if they say no, that is amazing. Okay when can I do this then? Let them choose a time or they’ll say I’ll come back to you. 
They always come back. I use this tactic frequently. Sometimes it’s a day, sometimes it’s two days, the person almost always comes back to me and says, I am now ready to talk about this thing. But you don’t want to try and force the flag on them when they are in that state of emotion.

[00:55:42] Bob: Getting back out of the highly emotional state, out of the amygdala hijacking often requires something Austin calls calming the amygdala, talking with empathy can help others, but you can do that for yourself too.

[00:55:56] Austin Cusak: If you do physical movement, you can also have a mental shift with that movement, hence the beauty of going and getting coffee. I can’t tell you, Bob, I do a lot of coffee at work, and the code for, hey, can we get coffee, it’s not really a, I need coffee, or I want to spend time with you, the code is, I really need to get a sanity check from somebody, and I don’t really want to ask, ’cause that’s embarrassing. But in the act of walking to the coffee and walking back, that allows the person to share the thing and calm the amygdala. The other thing is breathing. So there’s been a lot of research that’s done on the, the 4×4, the breathe in for 4, hold for 4, release for 4, hold for 4. And then there’s also a lot of research that’s been done on what’s called the 478, which is where you breathe in for 4 seconds, you hold for 7 seconds, and then you do this exhale for 8 seconds. Now the reason why these work so well is because when you are breathing in a normal way, you are cueing and telling the amygdala, I am safe. I am not in danger. So even if that cortisol is starting to spike and the adrenaline is starting to spike and your body is going into fight or flight, you can calm it. Some people are like, ah, I don’t want to breathe. So just go for a walk. Just, just walk and then talk and then say, hey, I want to share this with you. But that’s it, is that those are the very first steps that always work because we have to get that amygdala calmed down before we can share something with them.

[00:57:45] Bob: Amygdala calming doesn’t have to begin with a conversation though.

[00:57:49] Austin Cusak: When someone is suspicious that they might be stuck in one of these things, there’s a lot of advice online, it’s oh, walk away or do this thing, or put your phone down or take breaks; that can be really hard to do. My number one recommendation when I am working with someone who is in one of these highly emotional states, is to try and do a hobby, try and do an activity that allows you to get into flow a little bit, meaning that it is requiring some effort but not too much effort. As an example, I started painting miniatures, these little miniatures that I use for my games. My wife started playing pickleball. I know that some people really like to knit, taking walks. There, there are lots of activities that you can, when you are doing that type of activity that is requiring the brain to hyperfocus on something and it’s requiring effort, but not too much effort, just the, the right amount, right, being in the zone, getting in the flow, that is giving enough space for the brain to say, I’m not in danger, I am going to shift from the fast into the slow thinking. It’s the same thing. We want to try and find ways to move the brain more into this slow, analytical thinking.

Gas station hero stops crypto kiosk scams, again and again

Bob Sullivan

Once in a while, a human being does the right thing and you wonder why it took so long

I’ve long held the opinion that the only real use case for cryptocurrency is fraud; we can debate that.  Crypto kiosks, on the other hand, leave little room for discussion.  These ATM-like machines you’ll find in gas stations and convenience stores just make it easy for criminals to steal hundreds of thousands of dollars from victims. They have little other purpose.  No sane person would use the machines for a normal cash-crypto conversion; the fees are too high.

I talk to scam victims every week and for the past 18 months or so, nearly every story ends with a tragic scene of a victim shoving $100 bills into one of the Crypto ATMs.  Generally, these are crypto novices who spend a half-hour or more nervously shoving their life savings into these machines, bills getting spat back at them like a misbehaving vending machine, as onlookers avert their eyes.  Victims often believe they are minutes from being arrested on an outstanding warrant, or about to have all their cash stolen in some kind of bank conspiracy. It doesn’t matter why — they are being manipulated by crime gangs using AI tools, behavioral science, and teams of experienced worker bees.

But all that was no match for Eric Stewart, a gas station employee in small-town Tennessee who is a genuine digital age hero in my book.  Not long ago, Eric noticed a woman named Ellen walk frantically into his store. She was chattering on her cell phone and looking around nervously for the crypto kiosk. She also had $6,200 in her hands.  A few minutes earlier, Ellen had received a phone call from the county sheriff saying she’d missed a court hearing about her PPP loan, and there was a warrant out for her arrest. The caller knew exactly how much Ellen had borrowed through that pandemic-era program and demanded she repay half of it immediately — via bitcoin.

Eric didn’t avert his eyes, the way so many people do in the stories I hear. Instead, he stepped right in front of Ellen and confronted her. Here’s the scene, as told in our podcast, The Perfect Scam.

Eric Stewart: And that’s when I said, my very first question is, “Do you know who you’re talking to?” She said somebody said there’s a warrant out for her. A warrant? Yeah, and I said, “No ma’am,” I said, “No.” I said, “You can go to the police station. There’s no way that the money going to a Bitcoin machine is going, that’s not how you pay this. That’s not, that’s not how that gets paid. There’s, that’s not the form of payment that you would pay for something like this.”

Bob: And then Eric tries to be even more direct.

Eric Stewart: I was like, “Please, just hang up the phone. Just hang up the phone.” I said, “If it is a warrant, you can go to the police and ask them if there’s a warrant and everything.”

Bob: Ellen remembers looking up from her phone to listen to Eric.

Ellen: And then the manager came over and said, “Stop, that’s a scam. Don’t put any cash in that machine.”

Bob: Wow! That’s very dramatic.

Ellen: Yeah. The way I remember it, he, he just came over and said, “If they’re asking you to put cash in that machine, it’s a scam. Don’t do it.”

Bob: Wow.

Bob: So Ellen looks down at her money, back down at her phone, and tries to tell Karen what’s going on.

Ellen: On the phone I said, “The manager here is telling me this is a scam.” And she wasn’t even there anymore ’cause she could hear him talking to me.

So, Eric saved Ellen that day.  And you can probably already guess, this wasn’t the first time. Eric often notices agitated customers on their phone headed for the kiosk in his store, and stops them.  He does so in the gentlest way possible — after all, these people are scared and carrying a lot of money. In the episode, you’ll enjoy his homespun wisdom about how he does it. And you’ll enjoy his great accent. But more than anything, I hope you’ll enjoy his sense of decency and duty to his community.  He’s so decent, he actually feels regret for the one woman he wasn’t able to stop in time because the store was busy.

While we wait for cities and states to regulate or outright ban these machines (many are!), and we wait for tech companies to do the right thing, we’re going to need a whole bunch more Erics in this world.

Below is a partial transcript of the episode, but I hope you’ll listen to the whole thing.


———————-PARTIAL TRANSCRIPT———————–

[00:14:34] Bob: It was a small moment in time, but it was genuinely a life-changer for Ellen.

[00:14:40] Bob: I wonder if you remember, maybe like her facial expression when suddenly it dawned on her that, that yes, this was a scam? Have, do you remember anything like that?

[00:14:47] Eric Stewart: Yeah. Her face did change. And as I’m sitting there, exactly I could see, you’re exactly right, her face did change when it was coming to her an understanding of things that me and her were speaking to, making her understand that this is a scam and bringing obvious steps into this. So yeah, her face went from like confused and oh my goodness, and like, you could see a little bit of shock and the realization in her face. But yeah, I could see the relief on her face too right there at the end when she was leaving. Oh, more or less like I probably don’t have a warrant on me. I can’t believe I almost got scammed, but also that I don’t have a warrant out for me, I’m not going to lose… I had to lose all this money, spend all this money on what she thought she needed to do. The relief on her face when she left was, was a huge difference from when I first had approached her.

[00:15:49] Bob: Not only does Eric save Ellen from having a lot of money stolen; he cares for Ellen’s fragile emotional state too.

[00:15:57] Ellen: I just felt so foolish.

[00:15:59] Bob: Oh.

[00:15:59] Ellen: Really, and Eric was like, “It just happened to two other people here this morning.” He told me that.

[00:16:05] Bob: Wow!

[00:16:05] Ellen: He just said, “It happens to everybody.” He said or, “It could happen to anyone. You don’t feel bad.” ’Cause I was saying, I feel so foolish. (chuckles) I can’t believe I almost put $6000 in this machine, and so he was just really nice, a nice guy.

[00:16:21] Bob: Five minutes out of his day or whatnot, but it really was a life-changing thing for you, right?

[00:16:26] Ellen: Absolutely, absolutely. I love Eric. I don’t hesitate at all to go into Kwik Mart anymore; you know what I mean?

[00:16:33] Bob: Eric, rightly so, enjoys feeling like he’s done something for the community.

[00:16:38] Bob: That must feel great for you.

[00:16:40] Eric Stewart: Yeah, it does, it does. It really does, and I remember, I don’t think I said anything to my wife about it, till the end of the day I was, oh yeah, by the way… But to me it’s like, it’s just, ’cause the way I think about it, what if that was your family member? What if that was your grandma, your aunt, you know your mother, you know, your neighbor, you know your best friend? Why would you not, why would you not help another person in need, ’cause that is someone’s grandma, that is someone’s mom, aunt, sister, relative, neighbor; they’re all those things. And I wouldn’t, why would you not want to help that person, when it takes a couple minutes, that’s it.

[00:17:20] Bob: But he didn’t even realize the depth of the trouble he saved Ellen from until I told him. Ellen would have had to make monthly payments with interest to pay back that $6200 she borrowed from her HELOC.

[00:17:34] Bob: So she didn’t have that money. She had to take out a loan to have that money.

[00:17:38] Eric Stewart: Oh wow.

[00:17:39] Bob: She would have had years of $200 a month payments or whatever in addition to everything else. You really, it’s a big deal what you did for her.

[00:17:47] Eric Stewart: Wow, that’s amazing. That makes me feel even better now. Hah. That’s awesome.

[00:18:52] Bob: Yeah.

[00:18:53] Eric Stewart: Wow, that I was able to help that, prevent that. Wow.

[00:18:57] Bob: Yeah, she had a HELOC, and so she borrowed money out of the HELOC in order to get the $6000. That would have been a years’ long problem for her that you stopped.

[00:18:04] Eric Stewart: Yeah, and stress especially if she’s on a fixed income. I know she was a little bit older, I don’t know how old she is and or anything like that. I know a lot of people are just living off of one check a month trying to survive, and then that stress added more. Wow, that would have been a lot more stress, yeah, wow. I’m going, God had put me there on purpose, for that, at that moment. Absolutely.

[00:18:29] Bob: Maybe you can tell from Eric’s matter of fact tone of voice, this wasn’t his first crypto ATM rodeo.

[00:18:37] Bob: This isn’t the only time you’ve stopped other people from doing this too, right?

[00:18:41] Eric Stewart: That’s correct, yeah.

[00:18:42] Bob: How many do you think?

[00:18:43] Eric Stewart: Easily two more, easily two more after that. And the last one, he was, I assume a spouse, and I’d had done the same thing. And I said, “Sir, just…” He was fighting me on it. He really was. And he moved the phone away from his cheek, and I was seeing on there, I said, “Sir, your phone for caller ID says, ‘SPAM RISK.’ It says on your phone just ‘SPAM RISK.'” I said, “Please just hang up.” And he fought me too. He had walked out that door. I told his wife, I said to whoever she was, I was like, “Hey…” She said, “I’ve been trying.” I said, “Please, just hang up that phone. Just get that phone from him and hang it up ’cause I promise they’re not going to call back.” I think he; he didn’t do it because there’s not that many of those ATMs or machines around, those Bitcoin machines. There’s not a lot of them.

[00:19:33] Bob: How did Eric learn to be so attuned to potential crypto ATM scams? Well, he listened.

[00:19:41] Eric Stewart: How I learned about this was, I had an elderly customer, unfortunately it’s been a lot of elderly people, same scenario was happening, and a customer had said, told us, he goes, “Hey, whoever that is over there, she been over there talking to, that’s a scam, ’cause I could hear the conversation on the phone going back and forth. That’s a scam.” And so that’s how I got the information on figuring out how it’s a scam just learning from that right there. And I just used my intelligence and common sense and put things together, hey, y’all, okay, this is a scam.

[00:20:15] Bob: But the first time you saw this, somebody actually tipped you off that they had heard the conversation and it was a scam.

[00:20:19] Eric Stewart: Yes, sir. She actually fought me.

[00:20:22] Bob: Fought you. Wow.

[00:20:24] Eric Stewart: Yeah, yeah. “Ma’am,” to the customer and I was like, “alright, since I work here, I’ll approach her.” And she goes, “No.” I said, “Do you know who you’re talking to?” She goes, “No, but it’s okay. I know what I’m doing.” And I was like, “Well someone overheard and said that you’re, you know, that you’re being scammed.” I was like, “Do you truly know who you’re talking to on the phone?” And she really fought me. I sat there and asked her a couple of questions and tried to use red flags, I tried to use, I can’t remember the question was, a red flag question is I think there is something there, “If you don’t know who you’re talking to, do, are you sure you should be doing this and putting that money in there?” And luckily, her husband had been sitting out in the car. I don’t know; this was a great scammer, whatever he or she had told this lady to actually convince her husband as well. These people are super top-notch. It goes from you leaving your destination where you’re at, physically going to the bank and withdrawing this cash, probably with a bank teller because it’s a couple thousand. I don’t know what the limit is on the ATM, I’ve never pulled, tried to attempt to pull that much money out, and they go from the bank to the Bitcoin machine and this whole time this is fighting traffic on the traffic, could easily, we could be at an hour now, they’re on the phone.

[00:21:45] Bob: Yeah.

[00:21:46] Eric Stewart: By the time we get to the Bitcoin machine, that’s an hour conversation easily, you know, so when I left it, I told her husband, I said, “Hey, y’all, that’s a scam that’s going on with your wife and everything,” and he goes, “I figured,” you know. “You might want to stop her.” And he went in there. I don’t know what happened, ’cause I was leaving for the rest of the day and hopefully they didn’t go through, or the minimum.

[00:22:09] Bob: But she ultimately didn’t believe you. She believed the person on the phone.

[00:22:13] Eric Stewart: Yeah, yeah, that person was really good. Cause for her husband, for her to defy her husband who was with her as well, to go to the bank and had gotten that far. That person, unfortunately, they are really good at their job.

[00:22:28] Bob: Do you have, ’cause one of the, I think, really important things you’ve mentioned is that when somebody comes in and they’re upset obviously, and they’ve got a lot of cash in their hands, they’re nervous, and so you’re very careful with how you approach them, right?

[00:22:43] Eric Stewart: Absolutely. Usually they have a phone in their hand, if it’s females, it’s going to be in the purse. The gentlemen, unfortunately, he had those little envelopes that you get from the bank, and you could see it in his pocket hanging out a little bit. I understand there was a lot of money, so I easily give him the space and let him know I’m not trying to rob you or anything, but I let him know I’m aware of the situation and of what’s going on. But yeah, most of them are just, they’re on the phone just like everyone else is, and but when they get to the machine they find it really easy, it’s right next to the ATM machine, so this is just like an average person coming in on the phone, but I wouldn’t say that they was hanging, having the money in their hands and all that, but yeah, I definitely give him the space. I give everyone the space ’cause you don’t know, so some stranger’s walking up to you. And you had a machine that either you put money in or you take money out of, so obviously, you want to make them feel, I want to make them feel safe around me.

[00:23:44] Bob: So Eric has learned to approach potential victims with great care.

[00:23:49] Eric Stewart: And I try to pull a flashlight over their head, let them think, I try to let their mind, not me tell them, because me telling them is not going to mean nothing because these scam people are smart. But let me alert them and let their senses say “Hey, wait a minute.” I try to use easy language, understandable language because obviously there’s a lot going through this person’s mind; fear, anxiety, I’m pretty sure, a little bit of shock of “Hey, what is really going on?” So I’m sure this person’s feeling all these emotions so I try to make everything as simple worded, for them to understand that “Hey, yeah, you know what? Let me stop this and not do this.”

[00:24:35] Bob: You are a natural at the psychology of the situation. We hear all the time when family members say, “That’s a scam” that people don’t listen. Because sometimes when you’re that direct with someone in that state of mind, they reject it, but you have described it as shining a light over their heads so they can figure it out themselves. How did you get so smart about psychology?

[00:24:55] Eric Stewart: I don’t know. Like I said, I’m a people observer, and uh, I was in management in the fast-food industry for many years.

[00:25:04] Bob: Aha.

[00:25:05] Eric Stewart: And I noticed every employee is different. Some, you don’t have to say nothing to, they just do a great job. Some, you have to pat them on the back. Some you just have to slowly guide them. And then others, you have to tell them, “Aw, man, that’s amazing. Great job!” ‘Cause they need to hear that. Everyone’s different in the workforce and just, so I observed that and just noticed that. And I guess I used that, me watching people, working with people, understanding how they work and I just use my intelligence to guide me through those situations, scenarios with them.

State of Third-Party Risk Assessments

Organizations across many industries increasingly believe their Third-Party Risk Management (TPRM) programs are mature. The data in the ProcessUnity State of Third-Party Risk Assessments 2026 tells a more complex story.

While most organizations have established assessment processes, policies, and frameworks, the data from our 1,465 respondents uncovers that many have not achieved true program maturity, and the gap between perception and reality is growing.

That gap has a measurable cost. Organizations are experiencing frequent third-party breaches, prolonged assessment cycles, slow vendor responses, incomplete remediation, and persistent blind spots across their third-party ecosystems. In fact, organizations report experiencing an average of 12 third-party breaches per year, signaling that third-party risk is not an edge case, but a recurring operational reality. These outcomes highlight a critical truth: having processes in place is not the same as operating a mature, scalable, and effective TPRM program.

Ponemon Institute surveyed 1,465 IT and IT security practitioners in the US (632 respondents), Asia-Pac (402 respondents) and EMEA (431 respondents) who are involved in their organizations’ approach to assessing data risks created through outsourcing business functions to third parties. The purpose of this research is to gain insights into how organizations assess and minimize risks associated with both direct and indirect relationships with third parties. This includes identifying vulnerabilities and mitigating potential operational, reputational, financial and compliance risks.

On average, organizations have one data breach or security incident each month that was caused by a third party. Organizations represented in this research report they have experienced an average of 12 data breaches or security incidents caused by third parties in the past year. The two most serious consequences of these events were operational disruptions (64 percent of respondents) and financial loss (52 percent of respondents).

The following research findings illustrate the challenges of preventing third-party data breaches and security incidents. 

  • Few organizations have a budget dedicated to their TPRM programs. Resources are important to supporting organizations’ efforts to achieve a proactive or optimized level of maturity. Only 37 percent of respondents say their organizations allocate funding specifically for the TPRM program. Of those organizations, the average annual budget is $3.1 million.  
  • Reliance on manual and inconsistent assessments can result in a small percentage of third parties being assessed. Organizations have an average of 2,643 third parties in their portfolio and an average of only 36 percent of these third parties are assessed to determine risks and vulnerabilities.
  • The maturity of most TPRM programs is low. Fifty-two percent of respondents say their programs are reactive: assessments are either manual and inconsistent (30 percent) or ad hoc, with only a few defined processes in place for third-party assessments. Less than half of respondents rate their TPRM program maturity as proactive, meaning assessments are standardized and repeatable for most third parties with defined policies, tools and remediation processes (29 percent), or optimized, meaning the TPRM program is fully embedded in business operations and uses automation, advanced analytics and continuous monitoring to manage vendor risk proactively (19 percent). 
  • The IT or IT security functions are most responsible for third-party risk assessments, not the TPRM team. To have an optimized and mature TPRM program, automation, advanced analytics and continuous monitoring are key. For this reason, many organizations may be assigning responsibility for assessments to IT security/cybersecurity (30 percent of respondents) or IT (22 percent of respondents). Only 20 percent say the TPRM team is most responsible for conducting assessments. 
  • Assessments can be a drain on staff’s time and backlogs are a reality for many organizations. Outsourcing one or more assessment processes can be a solution to this problem. Forty-three percent of respondents say their organizations outsource part of the assessment process. Of these respondents, 59 percent say collection or monitoring is outsourced. 
  • To understand the extent of third-party risks, more organizations should measure their TPRM program’s effectiveness. Fifty-three percent of respondents believe their TPRM assessments are very effective. However, less than half of respondents (49 percent) measure effectiveness. Of these respondents, 49 percent measure the increase in assessments completed, 37 percent say the metric used is the percentage of complete/accurate assessments and 36 percent say the metric used is sufficient staffing. 
  • Understanding the initial level of risk is a critical first step in a comprehensive third-party risk management program. This allows organizations to then implement appropriate controls to reduce third-party risk to an acceptable level. Fifty-two percent of respondents say their organizations use the inherent risk process to determine the frequency of third-party risk assessments. Of these respondents, 53 percent say they scope their assessment questionnaire or use a specific questionnaire based on the third party’s inherent risk. 
  • Most organizations use homegrown/IT built tools or spreadsheets as part of the assessment. Sixty-seven percent of respondents say they rely upon homegrown/IT built tools followed by spreadsheets (64 percent of respondents). Sixty-one percent of respondents say they use a GRC platform and 58 percent of respondents say their organizations use TPRM platforms. 
  • Only 45 percent of respondents say their organizations use independent ratings of the third parties’ cybersecurity and risk posture as part of the assessment. Mostly used are SLAs (62 percent of respondents) and vendor documentation of their practices and policies to assess potential risks (51 percent of respondents). 
  • Despite lacking trust in fourth parties, few organizations assess the risk. Although respondents do not have complete trust in their visibility into the fourth parties that could affect their companies, only 42 percent say their organizations assess fourth-party or subcontractor risk, either generally (23 percent) or only for critical suppliers (19 percent). Thirty-eight percent of respondents have either no trust (22 percent) or only slight confidence, with minimal assurance and significant doubts (16 percent), in that visibility; only 31 percent say they are highly confident, with complete trust in their visibility. Further, only 41 percent of respondents say they received alerts from third parties about security incidents generated by fourth parties in the last 12 months; those that did received an average of 15 such alerts in the past year. 
  • Organizations are at risk because third-party assessments take a long time and often require further attention or remediation. Sixty percent of respondents say it can take from 4 months to more than 12 months to complete just one assessment. Only 37 percent of respondents say it takes the team less than 8 hours (10 percent) or between 8 and 40 hours (27 percent). An average of 43 percent of third-party responses require follow-up or remediation, and it takes an average of 6 days to remediate the issues found in the assessment of a single third party.
  • Sixty percent of respondents say they wait for a vendor’s response to the questionnaire in 4 months to as long as more than 1 year. An average of 27 percent of third parties do not respond to questionnaires. Forty-five percent of respondents say they receive updates on changes in vendor risk posture only yearly (27 percent) or never (18 percent).
  • Due to the time and amount of effort because of mostly manual processes, 40 percent of respondents say they currently have a backlog of third-party assessments. The reasons for backlogs are incomplete information from vendor (67 percent of respondents), lack of vendor response (64 percent of respondents) and limited resources such as lack of budget, technology and in-house expertise (62 percent of respondents). 
  • Only 16 percent of respondents say that remediation is completed for 90 to 100 percent of the third parties that required it. During the onboarding process, 44 percent of respondents say that between 26 percent and more than 50 percent of third parties require remediation activities to meet their security and privacy requirements. The primary reasons are resource constraints (66 percent of respondents), technical dependency on another team or provider (59 percent of respondents) and data access uses (58 percent of respondents).
  • AI tools as part of the TPRM program may help organizations deal with the challenges revealed in this research. Forty-four percent of respondents have either fully (19 percent) or partially adopted AI (25 percent) for TPRM programs. Only 19 percent of respondents say there are no plans to adopt AI. AI is seen to address many of the challenges faced in identifying risks and inefficiencies. Fifty-three percent of respondents say the primary benefit of using AI is that it frees staff for higher-value work. Other benefits are real-time intelligence to identify vulnerabilities (48 percent of respondents) and management of TPRM programs (42 percent of respondents). 

Part 2. Key findings

This section of the report presents an analysis of the global findings. The complete research results are shown in the Appendix. The report is organized according to the following topics.

  • Background on Third-Party Risk Management (TPRM) programs
  • Threat assessment operating models and methods
  • Challenges in conducting third-party risk assessments
  • Regional differences

To read detailed key findings and the rest of this report, visit ProcessUnity’s website.


‘Sugar High’ — Is AI the Future of music, and work?

Bob Sullivan

The next time you fire up your favorite streaming service, the music you hear might be made by a robot. Maybe you don’t care; you’re just looking for something to help you kill those 30 minutes on the treadmill.  But you should care. The sound you might not hear is a canary in a coal mine that’s gone silent. If “human” musicians can be replaced by bots, so can you.

That’s why we’ve just released a new four-part miniseries on the future of music over at the Debugger podcast, which I host for Duke University’s Sanford School of Public Policy.  Grammy-nominated folk singer Tift Merritt is our guide through this complicated cultural and economic story.  The series is called “Sugar High.”

“I think that everyone is a little shell-shocked from streaming, and it’s very hard to get your mind around things getting worse than that,” Tift told me.

The vast majority of music fans don’t know how much streaming services have changed the economics of the music business, but Tift makes it crystal clear. The series follows Tift as she enters the studio to record her first new album in almost a decade — she’d taken time off to raise her daughter.  She’s going to spend about $50,000 to make the record, a bargain by historic standards. But to earn out that advance, she’ll need about 10 million streams on a service like Spotify.

Ten million streams! Just to get back to …$0.

Tift Merritt is, as I explain in episode one, a huge success story. Don Henley covered one of her songs. She toured with Elvis Costello. She has several songs with millions of streams. Her record Tambourine earned a Grammy nomination for country album of the year. And yet, her ability to earn even a middle-class living as a working musician and mom is... well, it doesn’t really exist any longer.

There’s no arguing that tech has made more music available to more people, and it has made it easier for unknown artists to share their undiscovered talents with the world.  That was always the promise of the Internet. But along the way, the path towards discovery has narrowed, as the spoils of the system have been siphoned off by tech companies.

“I remember in 2010 I put a record out and I got my first royalty statement and I realized what a huge impact streaming was on our economy. It was a fourth of what I usually got, and I realized that I could no longer live in New York City. I couldn’t afford it,” she said. “So…oh my God, shouldn’t I be a dental hygienist? This is a, an equation that is broken.”

But that problem pales in comparison to the storm clouds gathering around artificially-generated music.  Artists and record labels alike are worried that “robots” — trained by ingesting decades of music recordings — will generate endless royalty-free ghost music.  Those songs will fill listeners’ playlists, crowding out real art, leaving musicians like Tift without revenue streams.

That future feels overstated.  Listeners will reject soulless music, won’t they? Like so much of today’s AI conversation, this debate is full of hyperbole and puffery, investment bubbles and doomsayers. One can imagine AI tools being part of human music creation, just as synthesizers and sampling have been used to make art. But one can also imagine large tech companies making the decisions that suit them, artists and art be damned.

One thing is certain: absent some other force, cost-cutting will drive the outcome. If AI ghost music is more profitable than real music, it will replace art and artists. Just as AI will replace lawyers, and journalists, and….every other kind of work that can be done cheaper by software.  How do we prepare for this? How do we design outcomes that benefit society as a whole, rather than a small set of investors?  It’s a conversation we need to have right now.

Of course, this conversation deserves far more nuance than I just gave it, so that’s why this miniseries is just the start of a dialogue.  Later in the series, we’ll hear from Reid Wick of the Recording Academy of America (the Grammy people) and Jen Jacobson, Executive Director of the Artist Rights Alliance. We’ll be having more interviews at Debugger after we release this four-part miniseries.  I hope you’ll be part of the conversation, too.

I do hope you’ll listen to this series by clicking play below, by clicking off to Spotify, or by finding it on your favorite podcast service. But if podcasts aren’t your thing, a transcript is available here.


Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact

Organizations are struggling to keep their Public Key Infrastructure (PKI) secure and reliable. The primary reasons are the difficulty in keeping pace with managing an average of 114,591 internal certificates, the lack of in-house expertise, the use of manual operations, legacy infrastructure and poor visibility.

Public Key Infrastructure (PKI) is a framework for creating, managing, and validating digital certificates that establish trusted digital identities for users and machines (i.e., machine identities such as workloads, containers, IoT devices, and services), enabling secure communications and transactions through cryptographic techniques. PKI primarily uses public key (asymmetric) cryptography, though it often works alongside symmetric cryptography, to provide authentication, encryption, and digital signatures.

Few organizations have a high level of confidence in their PKI’s ability to meet compliance requirements. Respondents were asked to rate the effectiveness of and confidence in their organization’s PKI on a scale of 1 = low effectiveness/confidence to 10 = high effectiveness/confidence. As revealed in this research, high confidence in meeting compliance requirements is key to a strong PKI security posture.

Only 46 percent of respondents have high confidence in PKI’s ability to meet compliance requirements. Less than half (48 percent) of respondents rate the effectiveness of their PKI in protecting against outside attacks and insider threats by ensuring a secure framework for authentication, encryption and data integrity as very or highly effective.

As shown in the research, a shortage of in-house expertise is reducing the effectiveness of the PKI infrastructure’s ability to scale up with growing devices and workload. Only 47 percent of respondents say the effectiveness is very high. Enabling secure transactions has the highest PKI effectiveness (53 percent of respondents).

A Summary of the State of PKI Security

Public Key Infrastructure (PKI) is the backbone of digital trust, enabling secure communications and authentication for users, devices, and services. However, organizations today face mounting challenges in keeping PKI secure, reliable, and compliant.

Confidence and Effectiveness Remain Low

Most organizations lack strong confidence in their PKI’s ability to meet compliance requirements. Only 46 percent of respondents rate their PKI as highly effective for compliance, and less than half believe their PKI is very effective at protecting against threats or scaling with demand. The complexity of managing an average of over 114,000 certificates, combined with legacy systems and manual processes, undermines both security and reliability.

Key Barriers: Misconfigurations, Outages, and Visibility Gaps

The top obstacles to robust PKI security are:

  • Misconfigurations in PKI infrastructure (50 percent of respondents)
  • Unplanned outages from expired certificates (49 percent of respondents)
  • Lack of visibility into certificate inventory (38 percent of respondents)

These issues make it difficult to maintain compliance and increase the risk of security incidents. Legacy costs and risks, as well as failures in security, compliance, and audit processes, further complicate the landscape.

Manual and Infrequent Assessments

While 61 percent of respondents say their organizations regularly assess PKI security, most do so manually (53 percent) or via penetration testing (46 percent), and only a third conduct these assessments weekly or biweekly. This infrequency leaves gaps where vulnerabilities can persist.

Real-World Consequences: Incidents and Outages

Poorly managed PKI and certificates have led to significant cybersecurity incidents:

  • Sixty percent of respondents say their organizations experienced exploits due to weak cryptography
  • Fifty-eight percent of respondents say their organizations suffered third-party certificate authority (CA)
  • Forty-three percent of respondents say their organizations reported server private key theft

Unplanned outages are common: 56 percent had outages due to certificate expiration or configuration errors, often stemming from manual tracking and renewal processes.

Staff Shortages and Operational Burdens

Organizations typically dedicate only four staff to PKI management, and just 42 percent of respondents feel they have enough in-house expertise. Over half (55 percent of respondents) struggle to keep up with the growing use of cryptographic keys and certificates, leading many (63 percent of respondents) to outsource to managed security service providers.

The Push for Automation and Unified Visibility

Automation is increasingly seen as essential. Fifty-one percent of respondents say their organizations use automated certificate management, citing benefits such as consistent task execution, faster certificate renewal and greater visibility and control. Unified visibility across environments is now the top strategic priority, according to 34 percent of respondents, followed by hiring qualified personnel and reducing PKI complexity.

Best Practices of High Performing Organizations

Organizations with high confidence in their PKI (“high performers”) are more likely to adopt AI for predicting certificate issues and preventing outages, maintain better visibility into certificate inventory and support PKI with in-house expertise and effective remediation processes. These organizations report fewer operational burdens and stronger security outcomes.

In summary, PKI security is under pressure from complexity, manual processes, and resource constraints. The most effective organizations are those investing in automation, unified visibility, and skilled personnel—transforming PKI from a source of risk into a foundation for digital trust.

Part 2. Key Findings

Sponsored by CyberArk, Ponemon Institute surveyed 1,833 IT and IT security practitioners in North America (567 respondents), EMEA (503), Asia-Pac (401) and LATAM (362) who are knowledgeable about their organizations’ use of PKI and certificates. In this section of the report, we analyze the research results. The complete research findings are presented in the Appendix of the report. The report is organized according to the following topics.

  • Securing PKI and certificates
  • The deployment and management of PKI and certificates
  • Best practices of organizations that have high confidence in meeting compliance requirements (aka high performers)
  • Regional differences

Securing PKI and certificates

Fifty-four percent of respondents say their organizations have little or only some confidence in their PKI’s ability to meet compliance requirements. The major reasons for the lack of confidence are misconfigurations in the PKI infrastructure (50 percent of respondents), unplanned outages caused by expired certificates (49 percent of respondents) and lack of visibility into certificate inventory (38 percent of respondents).

The biggest barrier to securing PKI and certificates is legacy costs and risks. Some 34 percent of respondents say legacy PKI costs and risks are affecting the security of PKI and certificates. Other barriers include the inability to have a centralized view of all internal certificates (31 percent), security, compliance and audit failures (29 percent) and dependence on manual certificate management (28 percent).

PKI security assessments are mostly manual and infrequent. While 61 percent of respondents say their organizations evaluate the security of their PKI infrastructure, only 33 percent of respondents say the evaluation occurs weekly (20 percent) or every two weeks (13 percent). According to Figure 4 the two tools most often used when assessing PKI security are manual (53 percent of respondents) and penetration testing (46 percent of respondents).

Assessing the effectiveness of processes for issuing, renewing, revoking and destroying digital certificates is used to determine the security of the PKI infrastructure.

According to 50 percent of respondents, their organizations examine the processes for issuing, renewing, revoking and destroying digital certificates to assess the security of organizations’ PKI infrastructure. This is followed by the evaluation of overall PKI architecture for vulnerabilities and potential misconfigurations (39 percent of respondents) and the review of procedures and protocols for managing data, responding to security incidents and training staff on PKI best practices (38 percent of respondents).
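The findings above on outages from expired certificates, exploits of weak cryptography, misconfigurations and missing certificate inventory visibility describe conditions that a scheduled, automated inventory check can surface before they become incidents. The Go program below is an added example, not code from the Ponemon report or from CyberArk. It uses only the standard library’s crypto/x509 package, builds a small constructed inventory of self-signed certificates in memory (a real audit would parse PEM/DER files from disk or export them from a certificate management platform), and reports certificates that are expired or expire within a warning window, RSA keys shorter than 2048 bits, MD5/SHA-1 signatures, and leaf certificates issued without a Subject Alternative Name. The hostnames and the 30-day warning window are assumptions.

```go
// Certificate inventory audit: an added example using only Go's standard library.
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// Finding is one issue raised against a certificate in the inventory.
type Finding struct {
	Subject string // CommonName, used only as a human-readable label
	Issue   string
}

// AuditCertificates walks a parsed inventory and reports the conditions the
// report ties to outages and incidents: certificates already expired or
// expiring within warnWithin, RSA keys shorter than 2048 bits, MD5/SHA-1
// signatures, and leaf certificates with no Subject Alternative Name (modern
// TLS clients ignore the CommonName, so such a certificate fails hostname
// verification even though it is otherwise valid).
func AuditCertificates(certs []*x509.Certificate, now time.Time, warnWithin time.Duration) []Finding {
	var findings []Finding
	for _, c := range certs {
		name := c.Subject.CommonName
		add := func(issue string) { findings = append(findings, Finding{name, issue}) }

		switch remaining := c.NotAfter.Sub(now); {
		case remaining <= 0:
			add("expired")
		case remaining <= warnWithin:
			add(fmt.Sprintf("expires in %d days", int(math.Ceil(remaining.Hours()/24))))
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
			add(fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
		}
		switch c.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
			add("weak signature algorithm: " + c.SignatureAlgorithm.String())
		}
		if !c.IsCA && len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
			add("no Subject Alternative Name")
		}
	}
	return findings
}

// must panics on error; the constructed inventory cannot be built without it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var nextSerial int64 = 1

// newSelfSigned builds one self-signed certificate for the constructed
// inventory; a real audit would load certificates from PEM/DER files or from
// a certificate management platform instead of minting them.
func newSelfSigned(cn string, dns []string, notAfter time.Time, key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	nextSerial++
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

// SampleInventory is constructed sample data (not from the report): one healthy
// certificate, one already expired, one expiring in 20 days, and one with a
// deliberately undersized 1024-bit RSA key and no SAN. Hostnames are assumptions.
func SampleInventory(now time.Time) []*x509.Certificate {
	p256 := func() crypto.Signer { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	day := 24 * time.Hour
	return []*x509.Certificate{
		newSelfSigned("api.example.test", []string{"api.example.test"}, now.Add(365*day), p256()),
		newSelfSigned("legacy.example.test", []string{"legacy.example.test"}, now.Add(-10*day), p256()),
		newSelfSigned("portal.example.test", []string{"portal.example.test"}, now.Add(20*day), p256()),
		newSelfSigned("intranet.example.test", nil, now.Add(365*day), must(rsa.GenerateKey(rand.Reader, 1024))),
	}
}

func main() {
	now := time.Now()
	for _, f := range AuditCertificates(SampleInventory(now), now, 30*24*time.Hour) {
		fmt.Printf("%-24s %s\n", f.Subject, f.Issue)
	}
}
```

Run on the constructed inventory, the healthy certificate produces no finding, the legacy one is reported as expired, the portal one as expiring in 20 days, and the intranet one for both its 1024-bit key and its missing SAN. Wiring such a check into a scheduler and routing its output to the team that owns renewal is the "automated certificate management" the report’s respondents credit with faster renewals and fewer outages; the signature-algorithm check covers the weak-cryptography exposures even though the constructed inventory does not mint a SHA-1-signed certificate.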

To see the rest of these key findings, visit CyberArk’s website.

Celebrating the 20th Anniversary of Ponemon Institute’s Cost of Data Breach

Twenty years ago, companies increasingly awoke to the very real threat that their sensitive and confidential data had been or could be targeted by a cybercriminal. It was clear that such an incident would not only jeopardize the privacy of their customers and business partners, but could also mean significant financial harm.

When discussing a possible research project, our client asked if there would be any way we could calculate the cost of a data breach. The idea was that having such a calculus would be extremely beneficial in helping IT and IT security practitioners prepare for the possible consequences of a data breach, but also to convince the C-suite and board members to budget more money so that investments in technologies and staffing would be sufficient. In both instances, we have heard the research has succeeded.

Over the years, the research has evolved based on what we have learned from organizations that have been breached.  In the typical study, we speak with IT, compliance and information security practitioners who are knowledgeable about their organization’s data breach and the costs associated with resolving the breach.

We are often asked, how do you calculate the cost? To calculate the average cost of a data breach, we collect both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.

In this year’s study, the global average cost was $4.4 million. Sixteen percent of organizations reported breaches involving attackers using AI, most often for phishing or deepfake impersonation, signaling an escalating AI arms race. U.S. average costs reached a record $10 million, fueled by the nation’s rising detection expenses and stricter regulatory penalties. In fact, more than one-third of U.S. organizations paid breach fines that averaged more than $250,000.

We hope you will download our 2025 report and look forward to hearing from you.

Click here to download the report.