The state of workforce passwordless authentication

Enterprises continue to feel threatened during the pandemic, with many feeling targeted. That threat, together with the shift to remote work and the loss of productivity caused by password problems, is driving increased adoption of passwordless technologies. Going forward, organizations are extremely bullish on adopting passwordless authentication.

The purpose of this research is to understand the state of workforce passwordless authentication, the motivations and results when organizations transition to the use of passwordless authentication. Based on the experiences of organizations represented in this research, passwordless authentication can help remediate many concerns around cybersecurity posture caused by password and traditional MFA authentication approaches, sustained cyber threats and pandemic shifts to greater remote work.

Organizations that have adopted passwordless authentication say the main motivation was to improve the end-user experience and operational efficiency. The growing remote workforce also influenced these organizations’ decision to adopt passwordless authentication.

A key takeaway regarding economic efficiencies is that the use of passwordless authentication can reduce the financial consequences of attacks involving employees’ passwords and help desk costs due to password problems or resets by an average of $1,871,780 over a two-year period.

With sponsorship from Secret Double Octopus, Ponemon Institute surveyed 663 IT and IT security professionals in the United States. All respondents are familiar with their organizations’ approach to employee authentication and have some level of involvement in managing and making decisions about their organizations’ IT security strategy.

The following findings reveal the state of workforce passwordless authentication, its drivers and benefits: 

  • Phishing attacks are pervasive. Phishing is the number one password-based attack according to 63 percent of respondents. An average of only 44 percent of all phishing emails are detected. 
  • The shift to a remote workforce during the pandemic is driving the adoption of passwordless authentication. Fifty-five percent of respondents say their organizations use passwordless authentication for at least some use cases. Of these 55 percent of respondents, 79 percent say a growing remote workforce influenced passwordless adoption. 
  • Remote working negatively affects employees’ and help desk productivity. Another reason to adopt passwordless authentication is that 75 percent of respondents say password authentication issues caused by remote working have increased employee downtime. Seventy-four percent of respondents say it has decreased the productivity and increased the stress of the help desk team. 
  • Organizations stand to save significant costs in both breach-related financial expenses and productivity with passwordless authentication. 
  • Adoption of passwordless authentication is gaining traction. Forty-five percent of respondents say their organizations exclusively use conventional passwords. However, of these respondents, 66 percent of respondents expect to adopt passwordless authentication in the next six months (33 percent), within the next year (21 percent) and within the next two years (12 percent).

Part 2. Key Findings

In this section, we provide a deeper analysis of the research findings. The complete audited findings are presented in the Appendix of this report. The findings are organized according to the following topics.

  • Concern and vulnerability run high with respect to password-related cyber threats
  • Remote work shifts are driving passwordless authentication adoption amidst security and productivity challenges
  • Passwordless authentication cost savings totaled an average of $1.9M over 2 years per organization
  • Opportunity and optimism remain high around passwordless authentication

Concern and Vulnerability Run High with Respect to Password-related Cyber Threats

The most prevalent password-based attacks are phishing. Some 63 percent of respondents say their organizations had attempted or successful phishing attacks in the past two years.  However, according to the research, cybersecurity teams can detect an average of only 44 percent of phishing emails. Seventy-one percent of respondents say phishing emails and employees’ misuse of passwords is increasing the risk of a targeted and successful attack.

Organizations also experienced ransomware (57 percent of respondents) and credential stuffing or dictionary attacks (57 percent of respondents).

Remote Work Shifts Are Driving Passwordless Authentication Adoption Amidst Security and Productivity Challenges

The remote workforce is decreasing organizations’ security posture. According to 60 percent of respondents, a remote workforce reduces the security of the cloud infrastructure, makes connections to the domain less secure (56 percent) and increases the attack surface (49 percent).

The help desk is not immune from password authentication problems created by remote working. Some 74 percent of respondents say remote working has significantly decreased productivity and increased stress (40 percent) or decreased productivity and increased stress (34 percent) for help desk workers.

Passwordless Authentication Cost Savings Totaled an Average of $1.9M Over Two Years

Passwordless authentication significantly reduces the economic loss due to attacks involving employees’ passwords. Organizations with conventional authentication methods averaged $5.6 million in total economic loss from attacks involving employees’ passwords over the past two years vs. $4.2 million in organizations with passwordless authentication. Respondents were asked to include IT costs, downtime, lost business, damaged reputation, fines and legal fees, stolen proprietary data and ransoms paid in the total cost.

Opportunity and Optimism Remain High around Passwordless Authentication

In this section, only organizations that have adopted passwordless authentication are represented. In the context of this research, authentication is defined as the process of verifying the user’s identity by asking for a secret (e.g., password), possession of an item (e.g., USB dongle) or an inherent attribute (biometrics). Passwordless authentication is any authentication method that does not require users to know their password.

Most organizations are still dependent upon traditional passwords at some level. However, 55 percent of respondents say their organizations use passwordless authentication for most or all use cases (11 percent), some use cases (19 percent) or only for specific use cases (25 percent).

Almost half of respondents rate the user experience and security of passwordless authentication far higher than conventional passwords. Respondents were asked to rate the quality of the user experience using passwordless authentication and conventional passwords on a scale from 1 = low quality to 10 = high quality. They also rated the security from 1 = low security to 10 = high security. Figure 15 shows the 7+ responses on the 10-point scale.

We found that 47 percent of respondents rate the quality of the user’s experience with passwordless authentication as high. However, only 26 percent of respondents rate the quality of conventional passwords as high.

To read the rest of this study and view the accompanying charts, visit DoubleOctopus.com

Facebook accused of enabling fraud, claims ‘immunity’ in court filing

Bob Sullivan

When we talk about Facebook’s bad behavior, it’s easy to get bogged down in the details. Don’t. We should focus more on the outright fraud enabled by its platforms.

There’s been near constant talk about Facebook’s misbehavior lately, reaching a new crescendo after whistleblower Frances Haugen told Congress the firm knowingly makes software that hurts kids.  But as Haugen herself pointed out this week, regulators risk talking themselves into circles as they get bogged down in the details about how to react to Facebook’s various transgressions.  Debate on Section 230 could easily last into the next century, I think. And Facebook’s role in the 2016 election? Well, that’s destined to fill up talk radio show hours with never-ending prattle.

That’s why I wish there were much more focus on the outright fraud that Facebook enables. The case there is much more clear, as the pillowcase-couch above suggests.

Facebook’s advertising platform got some of the attention it deserves this week after a story by Donie O’Sullivan at CNN showed the social media giant has taken payment for anti-vaxx ads, including a set that compared the U.S. vaccine program to the Holocaust. Facebook has publicly taken the stance that it has not contributed to anti-vaccine sentiment in the U.S., but anti-vaxxers have contributed to Facebook’s bottom line, the report found. Unsavory? Sure. Illegal? Probably not.

Look deeper into Facebook ads, and you’ll find far more dubious activity.  Earlier this year, I reported on a lawsuit filed in California that alleges Facebook has earned billions of dollars from advertisements it knows, or should know, are fraudulent. The social media giant makes it easy for criminals to target consumers who are not only likely to click on certain kinds of ads, but also likely to follow through with purchases, the case claims.  The firm is “actively soliciting, encouraging, and assisting scammers,” the suit claims.

Many of these highly-targeted ads on Facebook and Instagram promise consumers great deals on novelty products that seem specifically-tailored for them. Instead, credit card payments go to firms — many based in China — that never send the item or send something worth only pennies.  Criminals are using Facebook’s algorithms to micro-target victims, or as I like to say, to hack people. And steal their money.

The lawsuit seeks class-action status, and contains only allegations. But a Better Business Bureau report published this week by Steve Baker adds to the evidence that Facebook’s empire is built with the help of fraud, much of it originating in China.

BBB solicits complaints from Internet users through its Scam Tracker, and said on Thursday that the largest target of these complaints — 40% of the total – involve victims of online ads found on Instagram and Facebook.  While deceptive ads theoretically violate Facebook’s terms of service, the firm doesn’t seem to care much.

“Consumers tell BBB that Facebook and Instagram are often not helpful in addressing violations of their own policies when consumers receive nothing at all, counterfeit goods, or items that were inferior to what was advertised and purchased,” BBB wrote. “These encounters often take place after seeing enticing social media ads placed by operations in China.”

Many of the crimes are blatant and obnoxious. A Canadian anti-fraud official told the BBB that he has seen “accounts of people buying a cordless drill online but only receiving a screwdriver from China.”

The accusations in the lawsuit, and the BBB report, are not new. Buzzfeed News reported one year ago that internal Facebook research found 30% of ads placed in China violate the site’s terms of service.  The story also quotes a Facebook employee saying the company intentionally looks the other way, fearful that a crackdown might slow the flow of dollars from China.

Facebook told Buzzfeed for that story that it invests heavily in keeping deceptive and low quality ads off its site — given the scale of its ad business, that is no doubt true. But it also seems obvious the firm still isn’t investing nearly enough to fight fraud.  Last month I wrote about a disturbing example of criminals forcing victims to make “hostage-style” videos endorsing scams in a desperate attempt to regain control of their social media accounts. If Facebook hired enough people to assist consumers who were in trouble, there’d be no such desperation.

Another key piece of the puzzle revealed by the BBB study: Facebook and Instagram play a key role in connecting scammers to victims who weren’t even shopping online. BBB found that victims who were not actively looking for a product, but lost money in the transaction, began with Facebook or Instagram 70% of the time.

And all this fraud causes collateral damage, too. Many small businesses see their photos and product descriptions copied by criminals and used for deceptive ads.  Often, consumers blame the small businesses when they discover the crime. One art dealer in Dallas says he’s spent hours per week fighting this kind of copyright theft, and Facebook was quite unhelpful.

“Facebook will not take down these obviously related ads, but instead forces him to challenge the ads one at a time,” the report says.

And victim consumers who report fraud in an effort to prevent future crimes told BBB they often don’t get results. One purchased a table based on a clever video that popped up on his Facebook feed. When he received nothing, he said he contacted Facebook dozens of times about this fraud, and “they responded that the video did not violate their policies. The ad remained running for several months,” the BBB report says.

Fraud trend stories like this are always tricky: For years, credit card processors would respond to every story about online fraud by saying the actual fraud rate at e-commerce sites was very small, far less than one percent. That was cold comfort to victims, and it was also hard for external observers and policy-makers to evaluate. How much fraud is too much? At what rate should additional safeguards — safeguards that would add friction and probably impact revenue — be required?   Has fraud on Facebook reached that point? I cannot say. I can say the  Department of Homeland Security has warned that “e-commerce business models have a variety of new actors that aid, abet, or assist the transactions, including payment processors, social media websites, and online marketplaces.”

And I can say that Facebook simply doesn’t answer the phone when there’s an ongoing crime on its platform. Their online process for dealing with a serious consumer problem, such as an account takeover or a fraudulent ad, is severely lacking. Users should be able to get immediate help with issues like that. You’ll often hear defenders of the firm say that kind of support doesn’t scale. To that, I’d say that means their business doesn’t scale. If they can’t operate without enabling fraud, and can’t quickly help victims, their business model is fatally flawed.

The BBB tells me that Facebook did not take the opportunity to respond to its report. Facebook did not respond to my request for comment, either.  It did respond to the California lawsuit, however. With this straightforward defense: We are immune!

“The Court should dismiss all of Plaintiffs’ claims with prejudice because the Communications Decency Act, 47 U.S.C. § 230 (“Section 230”), shields interactive computer service providers such as Facebook from liability arising from content created by third parties,” the motion for dismissal says. “Plaintiffs have not—and could not—allege any facts that take their claims outside a plain and straightforward application of that statutory immunity.”

Section 230 reform is a multi-tentacled beast and my own opinions on what to do about it are still evolving. But I interviewed a law professor recently who told me that blanket immunity always causes problems, and this example makes it pretty clear. Facebook is saying it’s not responsible for fraud it enables by matching criminals with victims because it has been granted immunity by Congress. That kind of license for bad behavior sounds chilling to me. And the next time a Facebook spokesperson says the firm cares about fraud, remember this defense.

The 2021 State of Industrial Cybersecurity: The Risks Created by the Cultural Divide between the IT & OT Teams

A primary challenge to improving the security of organizations’ Industrial Control System (ICS) and Operational Technology (OT) environments, as revealed in this research, is the need to overcome the cultural and technical differences between OT and IT teams. Ideally, organizations should work toward establishing a unified IT and OT approach to addressing the threats and closing the gaps in security that leave organizations vulnerable to cyber attackers. Sponsored by Dragos, Ponemon Institute surveyed 603 IT, IT security and OT security practitioners at the C-level, managerial and director level in the United States. All are familiar with cybersecurity initiatives and ICS and OT security practices within their organizations.

In the context of this research, OT represents the programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems (ICS), building management systems, safety control systems, and physical access control mechanisms.

ICS encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system components such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components that act together to achieve an industrial objective.

The cultural divide between IT and OT teams affects the ability to secure both the IT and the ICS/OT environment. Because of the lack of alignment between an organization’s cybersecurity policies and procedures with OT and ICS security objectives, only 35 percent of respondents say their IT and OT teams have a unified security strategy that secures both the IT and OT environments, despite the need for different controls and priorities. Only 39 percent of respondents say IT and OT teams work cohesively to achieve a mature security posture in both the IT and OT environments.

The risks created by the cultural divide between the IT & OT Teams 

  • Fifty percent of respondents are optimistic about the future of their ICS/OT cybersecurity program. However, only 21 percent of respondents say their ICS/OT program activities have achieved full maturity and emerging threats drive priority actions. A fully mature program also means C-level executives and the board of directors are regularly informed about the efficiency, effectiveness, and security of the program. Twenty-nine percent of respondents say their organizations are in the late-middle stage which means C-level support, adequate budget, risk assessment and a cross-functional team of IT and OT SMEs work together cohesively. 
  • As the frequency and severity of attacks increase, organizations are struggling to keep ahead of these threats. Sixty-three percent of respondents say their organizations had an ICS/OT cybersecurity incident in the past two years. 
  • For the first time, this research calculates the cost of one cybersecurity incident in the ICS/OT environment. The average cost per cybersecurity incident research is $2,989,550 (the calculation is shown in Table 1 of this report). An average of 316 days is spent to detect, investigate and remediate the cybersecurity incident. Based on the use of a threat hunting and incident response team that averages six IT and IT security personnel, it costs an average of $963,168 to detect, investigate and remediate the incident. The fixed costs including the replacement of equipment, downtime, legal and regulatory fines total $2,026,382. This equals the average total cost of $2,989,550. 
  • The majority of respondents say senior management lacks an understanding about the cyber risks in the ICS/OT environments. As a result, not enough resources are allocated to defend the ICS/OT environments. Paradoxically, according to 56 percent of respondents, the primary blocker for investing in ICS/OT cybersecurity is that ICS/OT cybersecurity is managed by the engineering department, which does not have security expertise, followed by 53 percent of respondents who say ICS/OT security is managed by an IT department without engineering expertise. 
  • The Director/Manager of IT and the VP of Engineering are the functions most respondents in this study report to. However, by far the VP of Engineering is most accountable for the security of the ICS/OT program. Only 12 percent of respondents say the CISO is most accountable for the security of the ICS/OT program. Further, only 35 percent of respondents say someone responsible for ICS and OT cybersecurity reports IT and cybersecurity initiatives to the board of directors. Of these respondents, 41 percent say such reporting takes place only when a security incident occurs.
  • Only 38 percent of respondents say the security safeguards in place to protect the ICS and OT environments are covered during board meetings and only 36 percent of respondents say the effectiveness and efficiency of security programs and measures are presented.
  • Cultural and technical differences must be overcome to have OT and IT teams work cohesively. The challenges often are not caused by a competition for budget dollars and new security projects (only 32 percent of respondents). Rather, it is the cultural and technical differences between traditional IT-specific best practices and what is possible in OT environments, such as patch management and unique requirements of industrial automation equipment vendors that cause conflicts between these two functions (50 percent and 44 percent of respondents, respectively).
  • Only 46 percent of respondents say their organizations are effective in gathering intelligence about threats to the ICS/OT environment and 45 percent of respondents say their organizations are effective in discovering and maintaining an inventory of all devices attached anywhere on the OT network throughout the asset lifecycle.

To read the full report, visit Dragos.com. 

She donated to help a friend get a kidney; then, she was forced to make a ‘hostage’ video

Bob Sullivan

A California woman who thought she was helping an old friend pay for a kidney transplant has been caught up in an Instagram hacking scheme with a nightmarish twist —  criminals drained her bank account via Zelle and then forced her to make a hostage-style video endorsing a get-rich-quick scheme in an attempt to get some of it back.

I found her “hostage” video online, which was posted by an Instagram account containing hundreds of similar videos endorsing a scheme promising 1,000 percent returns on investments; many seem to be coerced.

Makaylah Lervold wrote to me on Friday desperately seeking help getting a refund after her bank account was hacked and criminals sent themselves about $3,000 of her money. The hack followed a chain of events that began with an old friend reaching out over Instagram messages saying he’d finally found a kidney donor match after a four-year search.  Lervold had met the sick friend several years ago at work, but hadn’t stayed in touch, though she was aware that he was indeed seeking a transplant.  His search was public; I’ve been able to confirm it through local news coverage.  Lervold said she messaged with the writer, whom she now knows was an imposter, and agreed to take a phone call from a hospital representative who would provide instructions on how to contribute.

She sent $1,000 to the caller’s account via Zelle, thinking it was a donation. Instead, the money was sent to a criminal’s account. The caller gleaned enough information — she asked for Lervold’s authentication codes — that the criminal or someone else was able to transfer nearly $3,000 more out of Lervold’s account through a series of additional Zelle transactions.  Lervold provided a screenshot of those transactions to me. Then, using stolen credentials, someone hacked into Lervold’s Instagram account and locked her out. The criminal subsequently threatened Lervold with more financial crimes unless she produced a video endorsing an investment scheme.

“Hi everyone. It’s Makaylah,” she says in the video. “I’m just here. I want to let you know about a huge opportunity. I just invested $1,500 with [name removed] and she turned my $1,500 investment into $15,000. Don’t miss out on this opportunity. I’m so grateful. Thank you [name removed]. Hit her up. She will invest your money. And turn it into a huge profit. You won’t regret it.”

Other videos on the “investment” Instagram account page contain similar messages. The account has more than 1,500 followers and has made 1,700 posts, dating back well into last year.

Posing as an old acquaintance, I contacted the hijacked account that originally belonged to Lervold’s sick friend, offering congratulations for finding a kidney match. The response came quickly: “Thank you so much sweetheart and I was about to ask you if you’d be interested in making some extra money.” Then later in our exchange, the imposter wrote, “Can you help me out $300 until tomorrow morning. I was short on a bill…I’m actually at the hospital.”

That victim declined to respond to a request for an interview.

Joseph Cox at Motherboard reported last week on a victim who was also forced to make a hostage-style video after being coerced into a bogus bitcoin investment. It’s unclear if these incidents are related, but my concern is the compelling tactic of forced video endorsement.

Lervold said the experience was terrifying.

“I’m so distraught…it was really scary,” she said. “They drained all the money that I had saved for my wedding in June. It’s devastating. … They forced me to make a video just like the last video they posted on my friend’s hacked account. … They said if I didn’t do it they would completely drain my account. It was the scariest situation I have ever been in.”

Worse yet, when she contacted me, the criminals were using Lervold’s hijacked account in an attempt to scam her friends, she said.

“Now they are trying to scam my friends and inviting people from my Instagram to our wedding and are asking for money,” Lervold said.

She provided me with screen grabs of a dialog between a friend and the hacker in which the criminal offers to invite the friend to the wedding…then tries to convince the friend to send in money for the investment scheme.

“Did you see my ad? I actually made $15k from the investment. I posted it,” the message from the criminal, posting as Lervold, says. “Was wondering if you’d like to tap in.”

Last week, I reported that there was a large increase in consumers reporting that their Instagram accounts had been attacked by hackers. This complex scheme…involving trusted friend relationships, and hopping from one hijacked account to another, armed with intimate knowledge of each hacked victim…shows why hacked Instagram attacks can fetch nearly $50 on the digital black market.

Lervold said she reported that her Instagram account had been hacked to Facebook late last week; she has not yet heard back from the company. On Facebook, she can be seen pleading for friends to unfollow her Instagram account and asking them to report it as fraudulent so they would not be deceived by her video.

Monday afternoon I reported her account to Facebook’s media relations department, along with the account hosting the hostage videos. Facebook has not yet returned my request for comment, but by Tuesday morning, Lervold’s account and the account hosting the hostage videos were both taken offline.

“Apparently each scam is different,” Lervold said. “They were messaging me already knowing I was (the kidney patient’s) friend. Which is why they knew I would donate. Other people they have used this investment scam saying they can turn a certain amount of money and turn it into a huge profit. Like the videos. You can turn $1,000 into $10,000. They took over my account and are asking people for money to help with my wedding. They must have read personal messages and are using that to get to my Instagram friends…they read back years in my messages.”

Eva Velasquez, CEO of the Identity Theft Resource Center, said her agency has been tracking the large increase in Instagram scams.  She said she was very concerned about the hostage video trend.

“It’s a new twist on ransoms,” she said. “Instead of asking for money, they are asking for videos.”

Her message to the public: Don’t make coerced videos. Paying the “ransom” doesn’t work.

“Do not make these videos endorsing something to get your money back or your account back because it’s not going to happen, you’re not getting it back,” she warned.  “Just walk away from the account.”  Work through the social media companies to get account access restored she said, admittedly an “arduous process.”

She warned that victims would suffer even deeper emotional consequences than those who send money to criminals — because their accounts and their words can be used to scam friends.

“When you add a layer that you were an instrument of victimization involving people you know and love, who are part of your personal network, that just adds another layer of emotional grief,” she said.

Velasquez also reminded users never to share authentication credentials — including two-factor text message codes  — with anyone.

I’ve decided that those SMS codes should no longer be used; it’s time that users switch to an authentication app for two-factor needs.  There are too many stories about criminals accessing text messages through hacking or coercion.

The Impact of Ransomware on Healthcare During COVID-19 and Beyond

Larry Ponemon

The purpose of this research is to understand how COVID-19 has impacted how healthcare delivery organizations protect patient care and patient information from increasingly virulent cyberattacks, especially ransomware. Prior to COVID-19, 55 percent of respondents say they were not confident they could mitigate the risks of ransomware. In the age of COVID-19, 61 percent of respondents are not confident or have no confidence.

Sponsored by Censinet, Ponemon Institute surveyed 597 IT and IT security professionals in HDOs. In the context of this research, HDOs are entities that deliver clinical care and rely upon the security of third parties with whom they contract services and products. These include integrated delivery networks, regional health systems, community hospitals, physician groups, and payers.  Click here to visit Censinet and download the full report.

Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers. We also analyzed steps that HDOs are taking to protect patient safety, data, and care operations to determine what is working since so many respondents have been victims of more than one ransomware attack.

Ransomware attacks on healthcare organizations can be a life-or-death situation.

The onset of COVID-19 introduced new risk factors to HDOs, including remote work, new systems to support it, staffing challenges, and elevated patient care requirements. There’s been a great deal of media coverage on the rise of cyberattacks such as ransomware both within the healthcare industry and beyond. This research focuses on the healthcare industry to understand the extent to which HDOs are being targeted and ascertain the impact of those attacks. Both are covered in-depth in the key findings section of the report.

Over the last two years, 43 percent of respondents say their HDOs experienced a ransomware attack. Of these respondents, 67 percent say their HDO had one attack and 33 percent say they experienced two or more.

These attacks risk patient safety, data, and overall care availability. Respondents report that ransomware attacks had a significant impact on patient care, reporting longer length of stay (71 percent of respondents), delays in procedures and tests (70 percent of respondents), increase in patient transfers or facility diversions (65 percent of respondents) and an increase in complications from medical procedures (36 percent of respondents) and mortality rates (22 percent of respondents).

HDOs forecast that the number of contracted third parties will increase by 30 percent over the next 12 months

Driven by cost containment, regulatory directives and the demand for accessible, higher-quality patient care, HDOs have shifted to the digitization and distribution of health information. Moreover, medical devices, whether in patient rooms or labs, rely on network connectivity for operations and maintenance.

Nearly all of the technology components described are not developed by the HDO itself. They include software, services, and hardware developed by outside organizations, known as third parties. This study revealed that the average number of third parties an organization contracts with is 1,950, and that this will increase to an average of 2,541 in the next 12 months.

Third-party products and services are a necessary and critical part of the HDO IT blueprint, but each brings another set of risk factors to the table. Some risks are inherent to the third party, such as whether the operating systems and other software in medical devices are secure. Other risks arise from how the HDO deploys and uses the third party, for example storing protected health information (PHI) on cloud-based systems that were never meant to hold it. In either case, the risk created by the third party, or by the HDO's use of it, needs to be managed. The burden is on the HDO to perform assessments throughout its relationship with the third party (e.g., procurement, implementation, usage, updates, termination, etc.).

Third-Party Risk Management is Hard, and COVID-19 Made it Worse

This research also looks at the capabilities and maturity of HDOs in managing third-party risk, both before and during COVID-19. Only 44 percent of respondents say the controls critical to assessing third-party risk are even partially in place in their HDO. Only 40 percent of respondents say their organization always completes a risk assessment of a third party prior to contracting with it, and 38 percent of respondents state that assessment findings are ignored by leaders.

Re-assessments are another critical part of third-party risk management, and they are not conducted as often as they should be. More than half (53 percent) of respondents say re-assessments are conducted only on demand or on no regular schedule.

Recommendations for Mitigating Ransomware and Third-Party Risks

According to the findings, healthcare organizations are not well prepared to deal with third-party risk. Following are recommended steps HDOs can take to protect patient safety, data, and care operations.

  • Invest in workflow automation, resources, and processes to establish a digital inventory of all third parties and PHI records. An HDO must know the number and location of PHI records that are accessed, transmitted or stored by third-party products or services.
  • Increase overall risk coverage of third parties by leveraging automation to conduct more assessments. The average number of third parties that organizations contract with is expected to increase from 1,950 to 2,541 over the next 12 months. However, only 40 percent of respondents say their organizations always complete a risk assessment prior to engaging with a third party. If their organizations conduct an assessment, only 38 percent of respondents say their leaders always accept their recommendation not to contract with them.
  • Allocate resources and funding to re-assess high-risk third parties. Currently, only an average of 32 percent of critical and high-risk third parties are assessed annually, and only an average of 27 percent of these third parties are re-assessed annually.
  • Increase efforts to secure medical devices. Only 36 percent of respondents say their organizations know where all of their medical devices are. Only 35 percent of respondents say they know when a medical device vendor's operating system is end-of-life or out of date. Only 29 percent of respondents say they know the unplanned expense of medical device operating system patches.
  • Ensure critical steps for identifying and mitigating third-party risks are in place. Sixty percent of organizations represented in this research had a data breach in the past two years, resulting in an average of 28,505 records containing sensitive and confidential information compromised. According to the research, organizations can only partially evaluate the various threats targeting their assets and IT vulnerabilities. They also lack the capability to continuously monitor vendor risks.
  • Assign risk accountability and ownership to one role. The ability to execute an enterprise-wide risk management strategy suffers when accountability and ownership are not assigned to a single role.

Click here to visit Censinet and download the full report.

Fix Facebook now: Let users opt-out of its addictive algorithm

Bob Sullivan

It’s the news feed, stupid. The algorithm.

You’re probably going to read 1,000 things about the recent Facebook whistleblower hearing, so I won’t belabor the discussion. I have just one point I’d like to drive home. But first, I will say I’m sad that, after all this time, journalists from all over give prominent placement to the disinformation published by Facebook about Facebook. The New York Times felt the need to put the firm’s misdirection statement about the hearings in the fourth paragraph of its story about the hearings, showing journalists have learned little about the way both-sides-ism is abused in the information age. I won’t repeat it here, but suffice to say the company attacked the messenger without disputing any of the messages.

I’d like people to focus on something simple and often overlooked when it comes to the harm Facebook’s apps cause in the world: control of the news feed. Witness Frances Haugen talked quite a bit about Instagram and Facebook’s use of “engagement-based ranking” for the items that appear before users. You can’t pick what appears on these apps, not really. Facebook picks. And it picks the most extreme, most manipulative, most addictive content it can place in front of you. All the time.

Facebook has spent billions of dollars hacking you. Researching you. Picking you apart. Finding your weakness. And then feeding it. Like candy bars with too much sugar, or better yet, opioids that ease the pain just enough. Well, nearly enough, but not quite. So, you must come back for more, and more, and more. To one man, it’s angry Trump content. To a young woman, it’s workout videos. Still another gets climate change outrage, or posts about the Latin Mass. Facebook doesn’t care. Like an evil creature from a science-fiction movie, it finds your weakness and exploits it. To feed the ever-hungrier beast inside.

This is “engagement-based ranking,” as Haugen called it. And when we like or share these addictive things, we “give little hits of dopamine” to our friends. Like a nightmare digital drug gang — *shiver*

Users have forever asked for a simpler way. They want control of the news feed, or of the way Instagram picks images to display. Consumers have forever wanted a simple page full of close friends’ posts. Babies, weddings, the occasional professional announcement. This request has been denied over and over by Facebook. In fact, the company has stopped outside firms from creating plugins that would enable just that simple feature. Why? Haugen explained: Engagement would fall. Clicks would drop. Revenue would fall.

Facebook claims the reason is something else: user-directed feeds would be full of spam and other annoying content. That reasoning, Facebookian Newspeak, is so bogus I hesitate to repeat it. We all deal with spam, every day. We could handle it on Facebook and Instagram in exchange for ending the tool’s ever-increasing, artificial-intelligence-fueled addictive algorithm.

So as Congress and regulators ponder what should happen now, here’s my wish list of one: require Facebook to let users opt out of the algorithm. Or, as Haugen suggested, end Section 230 protections for algorithm-programmed content farms. If they pick the things we see, they should be responsible for them. I’m not saying this would fix every problem. But it sure would fix a lot. And it could happen immediately.

It’s not that hard to fix. We’ve just failed, so far. Tim Sparapani, another former Facebook employee, told me that last year in my “Original Sin of the Internet” podcast. It’s more true than ever now.


The 2021 Global Encryption Trends Study

Ponemon Institute is pleased to present the findings of the 2021 Global Encryption Trends Study, sponsored by Entrust. We surveyed 6,610 individuals across multiple industry sectors in 17 countries – Arabian Cluster (which is a combination of respondents located in Saudi Arabia and the United Arab Emirates), Australia, Brazil, France, Germany, Hong Kong, Japan, Mexico, Netherlands, the Russian Federation, Spain, Southeast Asia, South Korea, Sweden, Taiwan, the United Kingdom, and the United States.

The purpose of this research is to examine how the use of encryption has evolved over the past 16 years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 with a US sample of respondents. Since then we have expanded the scope of the research to include respondents in all regions of the world.

Since 2015 the deployment of encryption has steadily increased. This year, 50 percent of respondents say their organizations have an overall encryption plan that is applied consistently across the entire enterprise, and 37 percent of respondents say they have a limited encryption plan or strategy that is applied only to certain applications and data types, a slight decrease from last year. Following are the findings from this year’s research:

Strategy and adoption of encryption

Enterprise-wide encryption strategies increase. Since conducting this study 16 years ago, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. The results have essentially reversed over the years of the study.

Certain countries have more mature encryption strategies. The prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany, the United States, Japan and the Netherlands. Respondents in the Russian Federation and Brazil report the lowest adoption of an enterprise encryption strategy. The global average of adoption is 50 percent.

The IT operations function has been the most influential in framing the organization’s encryption strategy over the past 14 years. In the United States, however, the lines of business are more influential. IT operations is most influential in Sweden, Korea and France.

Trends in adoption of encryption

The use of encryption increases in all industries. Results suggest a steady increase in all industry sectors, with the exception of communications and service organizations. The most significant increases in extensive encryption usage occur in manufacturing, hospitality and consumer products.

The extensive use of encryption technologies increases. Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions extensively used by organizations.

Threats, main drivers and priorities

Employee mistakes continue to be the most significant threat to sensitive data. Respondents rate employee mistakes as the most significant threat to the exposure of sensitive or confidential data.

In contrast, the least significant threats to the exposure of sensitive or confidential data include government eavesdropping and lawful data requests. Concerns over inadvertent exposure (employee mistakes and system malfunction) significantly outweigh concerns over actual attacks by temporary or contract workers and malicious insiders.

The main driver for encryption is the protection of customers’ personal information. Organizations are using encryption to protect customers’ personal information (54 percent of respondents), to protect information against specific, identified threats (50 percent of respondents), and to protect enterprise intellectual property (49 percent of respondents).

A barrier to a successful encryption strategy is discovering where sensitive data resides in the organization. Sixty-five percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. Forty-three percent of all respondents cite initially deploying encryption technology as a significant challenge. Thirty-four percent cite classifying which data to encrypt as difficult.

Deployment choices

No single encryption technology dominates in organizations. Organizations have very diverse needs. Internet communications, databases and internal networks are the most likely to be encrypted and correspond to mature use cases. For the fourth year, the study tracked the deployment of encryption for IoT devices and platforms. Sixty-one percent of respondents say encryption of IoT devices, and 61 percent say encryption of IoT platforms, has been at least partially deployed.

Encryption features considered most important

Certain encryption features are considered more critical than others. According to the consolidated findings, system performance and latency, management of keys and enforcement of policy are the three most important encryption features.

Which data types are most often encrypted? Payment-related data and financial records are the most likely to be encrypted, a result of high-profile data breaches in financial services. The data types least likely to be encrypted are health-related information and non-financial information, which is a surprising result given the sensitivity of health information.

Attitudes about key management

How painful is key management? Fifty-six percent of respondents rate key management as very painful, which suggests respondents view managing keys as a very challenging activity. The highest pain level, 69 percent, occurs in Spain. At 37 percent, the lowest pain level occurs in France. No clear ownership and a lack of skilled personnel are the primary reasons why key management is painful.

Importance of hardware security modules (HSMs)

Organizations in the United States, Germany and Japan are more likely to deploy HSMs than those in other countries. The overall average deployment rate for HSMs is 49 percent.

How are HSMs deployed in conjunction with public cloud-based applications, today and in the next 12 months? Forty-one percent of respondents say their organizations own and operate HSMs on-premise, accessed in real time by cloud-hosted applications, and 39 percent of respondents rent or use HSMs from a public cloud provider for the same purpose. The use of HSMs with Cloud Access Security Brokers and the ownership and operation of HSMs on-premise are both expected to increase significantly.

The overall average importance rating for HSMs as part of an encryption and key management strategy in the current year is 66 percent. The pattern of responses suggests the United States, Arabia (Middle East) and the Netherlands are most likely to assign importance to HSMs as part of their organization’s encryption or key management activities.

What best describes an organization’s use of HSMs? Sixty-one percent of respondents say their organization has a centralized team that provides cryptography as a service (including HSMs) to multiple applications/teams within their organization (i.e. private cloud model). Thirty-nine percent say each individual application owner/team is responsible for their own cryptographic services (including HSMs), indicative of the more traditional siloed application-specific data center deployment approach.

What are the primary purposes or uses for HSMs? The top three uses are application-level encryption and SSL/TLS, followed by container encryption and signing services. Respondents expect a significant increase in the use of HSMs for database encryption 12 months from now.

Cloud encryption

Sixty percent of respondents say their organizations transfer sensitive or confidential data to the cloud, whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking. Another 24 percent of respondents expect to do so in the next one to two years. These findings indicate that the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud.

How do organizations protect data at rest in the cloud? Thirty-eight percent of respondents say encryption is performed on-premise, before data is sent to the cloud, using keys their organization generates and manages. Another 36 percent of respondents perform encryption in the cloud with keys generated and managed by the cloud provider. Twenty-one percent of respondents use some form of Bring Your Own Key (BYOK) approach.
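The first of the three patterns above, encrypting on-premise with organization-generated keys before upload, is the one in which the cloud provider never handles a usable key. The following Go program is an added example illustrating that pattern; it is not code from the Ponemon/Entrust report. It implements envelope encryption: each object gets its own data-encryption key (DEK) sealed with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that stays on-premise. The KEK is modelled as an in-memory key purely so the example runs stand-alone; in a real deployment it would be held in an on-premise HSM or KMS (an assumption of the example, not a claim about any product). The object name is bound in as GCM associated data so that a valid envelope cannot be served back under a different object's name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the only thing uploaded to the provider. It contains the
// ciphertext and a wrapped DEK the provider cannot unwrap, because the KEK
// never leaves the premises.
type Envelope struct {
	WrappedDEK []byte // per-object data-encryption key, AES-256-GCM sealed under the KEK
	DEKNonce   []byte // nonce used for the DEK wrap
	Nonce      []byte // nonce used for the object body
	Ciphertext []byte // object body, AES-256-GCM sealed under the DEK
}

// KEK is the organization-generated key-encryption key. Assumption for this
// example: an in-memory AES-256 key stands in for an on-premise HSM/KMS.
type KEK struct{ aead cipher.AEAD }

// mustRandom panics if the CSPRNG fails; there is no safe fallback for that.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKEK generates a fresh 256-bit KEK that is never serialized or uploaded.
func NewKEK() (*KEK, error) {
	aead, err := newGCM(mustRandom(32))
	if err != nil {
		return nil, err
	}
	return &KEK{aead: aead}, nil
}

// Seal encrypts one object on-premise before upload. objectName is bound in as
// associated data, so the envelope only opens under the name it was sealed for.
func Seal(kek *KEK, objectName string, plaintext []byte) (*Envelope, error) {
	dek := mustRandom(32)
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(dataAEAD.NonceSize())
	dekNonce := mustRandom(kek.aead.NonceSize())
	aad := []byte(objectName)
	return &Envelope{
		WrappedDEK: kek.aead.Seal(nil, dekNonce, dek, aad),
		DEKNonce:   dekNonce,
		Nonce:      nonce,
		Ciphertext: dataAEAD.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// Open reverses Seal. A modified ciphertext, wrapped DEK or object name fails
// GCM authentication and returns an error rather than garbage plaintext.
func Open(kek *KEK, objectName string, env *Envelope) ([]byte, error) {
	aad := []byte(objectName)
	dek, err := kek.aead.Open(nil, env.DEKNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return pt, nil
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI record for the demo; not real data.
	record := []byte(`{"mrn":"000123","name":"Jane Doe","dx":"I10"}`)
	env, err := Seal(kek, "phi/records/000123.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload: %d ciphertext bytes, %d-byte wrapped DEK; KEK stays on-premise\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	if _, err := Open(kek, "phi/records/000124.json", env); err != nil {
		fmt.Println("served under the wrong object name:", err)
	}
}
```

The provider stores the Envelope and can neither read the body nor recover the DEK; rotating the KEK means re-wrapping the small DEKs, not re-encrypting every object. This is the property the BYOK and provider-managed-key patterns trade away in exchange for letting cloud-side services operate on the data.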

What are the top three encryption features specifically for the cloud? The top three features are support for the KMIP standard for key management (59 percent of respondents), SIEM integration, visualization and analysis of logs (59 percent of respondents) and granular access controls (50 percent of respondents).

Read the full Global Encryption Trends story at Entrust’s website.


Facebook earns billions from scam ads, lawsuit alleges

Bob Sullivan

Facebook profits from advertisements it knows, or should know, are fraudulent, a federal lawsuit filed in California alleges. The social media giant makes it easy for criminals to target consumers who are not only likely to click on certain kinds of ads, but also likely to follow through with purchases, the case claims. The firm is “actively soliciting, encouraging, and assisting scammers,” the suit claims.

Alleged frauds include ads for products that never ship, or are substantially different from what is advertised. Fraud rates for some types of ads are as high as 30%, the suit claims.

Not only does Facebook look the other way when such ads are placed, but it has actively recruited suspicious sellers through conferences and other means, the case claims. Lawyers for the plaintiffs seek class-action status for the case, and claim there are potentially millions of victims and Facebook has earned billions of dollars.

Facebook did not immediately respond to a request for comment about the lawsuit (I’ll update the story if needed).

Tech companies have faced allegations that they profit off fraud enabled by their platforms for a long time. Journalists have been writing about fake Google Maps businesses for at least seven years. Instagram fraud had its day in the sun back in 2018. The firms make money off disinformation, too. Recently, I searched for “Can I get the vaccine from my doctor” on Google and was presented with a long list of anti-vaxx links and products for sale.

There have long been questions about how hard these services work to correct these problems. “More than a third (34%) of people that reported a scam ad to Google said it was not taken down while just over a quarter (26%) said the same had happened with Facebook, according to a study published by British consumer group Which?” BusinessInsider has reported.

The recent Facebook case, filed in August, alleges negligence, breach of contract, and breach of covenant of good faith and fair dealing. It builds on the work of several journalists who have written about Facebook ad fraud in recent years — most notably Zeke Faux’s story in 2018, which includes details from a Facebook ad conference that Bloomberg attended; and a Buzzfeed story from last year, titled Facebook Gets Rich Off Of Ads That Rip Off Its Users. 

The California lawsuit claims that “Facebook’s sales teams have also been aggressively soliciting ad sales in China and providing extensive training services and materials to China-based advertisers, despite an internal study showing that nearly thirty percent (30%) of the ads placed by China-based advertisers — estimated to account for $2.6 billion in 2020 ad sales alone — violated at least one of Facebook’s own ad policies.”

It also cites increased social media advertising fraud complaints, driven most recently by stay-at-home orders during the pandemic. “In October 2020, the Federal Trade Commission (“FTC”) reported that about 94% of the complaints it collected concerning online shopping fraud on social media identified Facebook (or its Instagram site) as the source,” the case notes.

Facebook denied to Buzzfeed that it profits off fraud. It told the news site: “Bad ads cost Facebook money and create experiences people don’t want. Some of the things raised in this piece are either misconstrued or missing important context. We have every incentive — financial and otherwise — to prevent abuse and make the ads experience on Facebook a positive one. To suggest otherwise fundamentally misunderstands our business model and mission.”

But it’s hard to deny the incentives large tech companies have to look the other way when companies are paying them millions of dollars to get finely-tuned ads in front of users.

In the lawsuit, plaintiff Christopher Calise says he spent about $50 to buy a car engine assembly kit and never received it. He reported the ad as fraud to Facebook, and the social media company took it down, but the alleged scam firm was able to re-place the ad using a slightly different name soon after. Plaintiff Anastasia Groschen says she responded to an ad for a child’s activity board. When a simple puzzle arrived instead, she complained to the company, only to be instructed that she’d have to pay to ship the puzzle back to China.

The lawsuit seeks monetary damages for all impacted members of the class, and wants the court to force Facebook to make immediate changes to the way it patrols ads.

Phishing costs have tripled since 2015

Ponemon Institute is pleased to present the results of The 2021 Cost of Phishing Study, sponsored by Proofpoint. First conducted in 2015, the purpose of this research is to understand the risk and financial consequences of phishing. For the first time, this year’s study also looks at the threats and costs created by business email compromise (BEC), credential compromise and ransomware in the workplace.

The key takeaway from this research is that the costs have increased significantly since 2015. Moreover, with the difficulty many organizations have in securing a growing remote workforce due to COVID-19, successful phishing attacks are expected to increase.

We surveyed 591 IT and IT security practitioners in organizations in the United States. Forty-four percent of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The following findings reveal that phishing attacks are having a significant impact on organizations not only because of the financial consequences but also because these attacks increase the likelihood of a data breach, decrease employee productivity and increase the likelihood of a business disruption.

The cost of phishing has more than tripled since 2015. The average annual cost of phishing has increased from $3.8 million in 2015 to $14.8 million in 2021. The most time-consuming tasks in resolving attacks are the cleaning and fixing of infected systems and conducting forensic investigations. Documentation and planning represent the least time-consuming tasks.

Loss of employee productivity represents a significant component of the cost of phishing. Employee productivity losses are among the costliest to organizations and have increased significantly, from an average of $1.8 million in 2015 to $3.2 million in 2021. Employees are spending more time dealing with the consequences of phishing scams. We estimate productivity losses from the hours employees/users spend each year viewing and possibly responding to phishing emails, which now average 7 hours annually, an increase from 4 hours in 2015.

The cost of resolving malware infections has more than doubled. The average total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015. Costs due to the inability to contain malware have also more than doubled, from an average of $3.1 million to $5.3 million.

Credential compromises increased dramatically. As a result, organizations are spending more to respond to these attacks. The average cost to contain phishing-based credential compromises increased from $381,920 in 2015 to $692,531 in 2021. Organizations are experiencing an average of 5.3 compromises over the past 12-month period.

The cost of credential compromises that are not contained has more than doubled. The average total cost of credential compromises not contained is $2.1 million, a significant increase from $1 million in 2015.

BEC is an attack in which the adversary targets employees who have access to an organization’s funds or data. The average total cost of BEC exploits was $5.96 million (see Table 1a). Based on the findings, the extrapolated average maximum loss resulting from a BEC attack is $8.12 million. The average total amount paid to BEC attackers was $1.17 million.

What is the cost of business disruption due to ransomware? Ransomware is malware that blocks the victim’s access to his or her files. The average total cost of ransomware last year was $5.66 million, and respondents attribute an average of 17.6 percent of ransomware attacks to phishing.

Employee training and awareness programs on the prevention of phishing attacks can reduce costs. Phishing attacks are costing organizations millions of dollars. According to the research, the average annual cost of phishing scams is $14.8 million, an increase from $3.8 million in 2015.

Respondents were asked to estimate what percentage of phishing costs could be reduced through training and awareness programs that specifically address the risk of phishing attacks targeting the workforce. On average, respondents say the cost could be reduced by more than half (53 percent) if such training is conducted.

Part 2. Key findings

Loss of employee productivity represents a significant component of the cost of phishing.
The average annual cost of phishing has increased from $3.8 million in FY2015 to $14.83 million in 2021. As shown, productivity losses have increased significantly from $1.8 million in 2015 to $3.2 million in FY2021. Please note that information about BEC and ransomware was not available in FY2015. In the current study, we estimate an annual cost of phishing for BEC at $5.97 million and ransomware at $996 thousand.

Employees are spending more time dealing with the consequences of phishing scams. The range of hours is less than 1 to more than 25 hours per employee each year. We estimate the productivity losses based on hours spent each year by employees/users viewing and possibly responding to phishing emails. As shown, each employee wastes an average of 7 hours annually due to phishing scams, an increase from 4 hours in 2015.

As discussed, the costliest consequence of a successful phishing attack is employees’ diminished productivity. Here we assume an average-sized organization with a headcount of 9,567 individuals with user access to corporate email systems. Based on an average of roughly 7 hours per employee (6.83 hours before rounding), we calculate 65,343 hours wasted because of phishing. Assuming an average labor rate of $49.50 for non-IT employees (users), we calculate a total productivity loss of $3.2 million annually, an increase from $1.8 million in 2015.

An average of 15 percent of an organization’s malware infections are caused by phishing scams. Respondents were asked to estimate the percentage of malware infections caused by phishing scams. The estimated range is less than 1 percent to more than 50 percent. The extrapolated average rate is 15 percent. As discussed above, the cost to contain malware is estimated to be $353,582 (see Table 1).

The likelihood of a malware attack causing a material data breach due to data exfiltration has increased since 2015. In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. The probability distribution ranged from less than .1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.3 percent over a 12-month period, an increase from 1.9 percent.

The total cost attributable to malware attacks caused by phishing scams more than doubles. The total cost to resolve malware attacks is $807,506 in 2021, an increase from $338,098 in 2015.

Phishing costs due to the inability to contain malware have more than doubled and represent 11 percent of the total cost of phishing. Malware not contained is malware at the device level that has evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. Two consequences of an active malware attack are particularly difficult to contain: (1) data exfiltration (a material data breach) and (2) business disruption. The total cost of malware not contained has increased from $3.1 million to $5.3 million.

A malware attack resulting in a data breach due to data exfiltration could cost an organization an average of $137.2 million. The following formula is used to determine the probable maximum loss (PML) and the likelihood of such an attack:

What is the cost of business disruption due to a malware attack? Respondents were asked to estimate the PML resulting from business disruptions caused by a malware attack. Business disruptions include denial of service, damage to IT infrastructure and revenue losses. The distribution of maximum losses ranges from less than $10 million to $500 million. The extrapolated average PML resulting from business disruption is $117.3 million, an increase from $66.3 million.

How likely is it that business disruptions caused by a malware attack will affect your organization? Respondents were asked to estimate the likelihood of material business disruptions caused by malware. The probability distribution ranges from less than .1 percent to more than 5 percent. The extrapolated average likelihood of occurrence is 2.1 percent over a 12-month period, an increase from 1.6 percent in 2015.

Visit Proofpoint’s website to download the entire 2021 Cost of Phishing Report

Hear how an FBI agent conned a con artist; got him to fly to the US for prosecution

Bob Sullivan

How do you catch Internet con artists? Well, you con them.

Alan, who lives near Washington D.C., had traveled to Dubai and to Ghana thinking he was helping a princess gain access to her multi-million-dollar inheritance. Before his fever was broken, Alan — not his real name — sent about $600,000 to a man named Eric and a woman who called herself “Precious.” By the time the FBI got involved, it was too late for Alan’s money. But Alan did have a photograph of the two criminals, taken in Dubai. When a rookie FBI agent named Mike saw that, he decided there might be just enough evidence to pursue the criminals through cyberspace.

He had one big problem, however. Agent Mike — we’re protecting his identity — couldn’t fly to Dubai or Ghana and arrest them. He had to get them to fly, willingly, to the U.S.

You don’t often get to hear an FBI agent talk about chasing after online criminals. And rarely do stories involving $600,000 sent overseas to criminals have a happy ending. But in this recent episode of The Perfect Scam, I pull back the curtain on a remarkable piece of crime-fighting and a relentless pursuit by one very determined agent.

It’s a two-part episode of The Perfect Scam; a partial transcript of both parts appears below.

---- PARTIAL TRANSCRIPT ----


FROM PART 1

[00:06:25] Mike: Yeah, it’s almost heartbreaking, because when you read the transcripts, you can see how the victim actually thinks it’s real. I mean he’s actually saying things like, “Well when can I meet you,” or “Can you send me more pictures?” The scammer usually almost always just returns to, “Oh I love you so much,” et cetera, et cetera, you know, “How are you?” that kind of thing. And it’s just so one-sided in terms of the victim is like actually trying to have a relationship, but the scammers are just uh clearly have an agenda on their mind. And then uh, it will, you know, usually transition then to, “Oh, hey something terrible just happened. My mother just got into a car accident,” “We’re overseas for the moment,” or “My, my dad’s uh late on his rent,” or “I’m late on my rent,” or something like that. “Can you just send me, MoneyGram me uh, 500 bucks,” or something like that.

[00:07:13] Bob: But those smaller asks are just the beginning of the crime. Soon, Precious starts to tell a much bigger story to Alan.

[00:07:21] Mike: One thing that happened, which I’ve come to realize this might be a common thing for scammers from Ghana, is that the uh the women, in this case, Precious, eventually will let the victim know that, “I am actually an African princess, I’ve actually inherited millions of dollars’ worth of gold, it’s back overseas in Ghana, and here’s my lawyer,” you know. In, in this case Precious had a lawyer named Eric, and other, other scammers will introduce other like a, they’ll, they’ll almost always introduce a second player, um, like a second figure. And then the lawyer will come in, in this case, Eric, with a very formal sounding, uh you know, email signature block and very formal sounding, uh, language and write, you know, big, long paragraphs, with very lawyerly sounding text to say, “I understand, Alan, that you’re here to help Precious. Uh, that’s a great thing that you’re doing. And in order to have her, you know, receive her inheritance of millions of dollars which will help her and her family, you need to start paying,” you know, this and that for legal documents, for shipping fees, et cetera, et cetera.

[00:08:40] Bob: So far, this looks like a crime that FBI agents unfortunately see pretty often, but as Mike keeps reading, he confirms one of his chief suspicions. That trip to Dubai and Ghana, that means the crime went a whole lot farther.

[00:08:55] Mike: Eventually, I think the reason to get Alan on a plane was so that he could meet the supposed lawyer, Eric, in Dubai so that they could sign some legal documents towards the uh, the release of the gold.

[00:09:08] Bob: And what did he actually sign when he got to Dubai?

[00:09:11] Mike: It was just, you know, something that you could drum up on Microsoft Word in 10 minutes.

[00:09:16] Bob: So this, this was still all just a, a movie scene that they were playing out for him. Um, well did you see the part of the discussion where he said, yes, I’ll, I’ll fly, I’ll get on an airplane? I mean, that must be amazing to see in black and white.

[00:09:30] Mike: Yep, we saw that. I think it must have been several months into their, the scam where he actually got onto the plane, if I recall correctly. But uh yep, they met in Dubai. That was actually one of the reasons why I decided that we could probably take on this case, because he had actually gone overseas, and he actually met these people in person, at least Alan could pick them out from a lineup, for example.

[00:09:55] Bob: He could pick Precious and Eric out of a lineup, if ever there were a way to get them into a lineup. But maybe even more important, there’s pictures.

[00:10:06] Mike: Yeah, so they meet in Dubai. It’s Eric and Precious. It’s uh, an African man and a Caucasian woman claiming to be Eric and Precious, and they have Alan pay for the hotel, they have Alan pay for the meals, everything. In fact, I think there’s this picture of Alan with uh, Eric and Precious in like, it looks like a Chili’s or something in the Dubai airport. It was one of the first times that we actually saw the scammers for real when, uh Alan shared that picture with us.

[00:10:34] Bob: Okay, yeah. Now before we go on, you have a picture of them at, of the three of them at a, at a Chili’s in Dubai?

[00:10:40] Mike: I, I don’t know what restaurant it is, but it looked like, you know, uh there’s, there’s a few more pictures of them at the uh, the Dubai airport, so you know, it’s just pretty good uh proof that corroborates the story.

[00:10:53] Bob: That’s, I’m almost, I’m kind of amazed that they were brazen enough to pose for a picture like that.

[00:10:58] Mike: You know, it’s um, sometimes I think about that, too. So I think from the perspective of a scammer, it’s really a risk/reward calculation they have to make because uh, when you’re trying to scam these folks, if you, you know, obviously, you know, it’s a romance scam, so your victim wants to meet you because you guys are supposed to be in love. So if you never meet with the victim, obviously they will start to get suspicious after a while. And there’s only so much that you can keep the victim on the hook for, there’s only so, so much money you can squeeze out of them. However, if you take the risk and you actually meet with the victim, and you have the uh, I guess the props to show that this is actually a true story, then you’ve got the victim hooked for even more, right. Now he knows it’s real.

(MUSIC SEGUE)

[00:11:43] Bob: Mike says the three of them looked pretty jolly in the photos, like they’re on vacation together.

[00:11:48] Mike: Eric and Alan, just kind of posing, big smiles somewhere, it must have been somewhere in Dubai, if I recall correctly. And then, when we saw pictures of Precious, she was indeed a Caucasian young woman. She must, she must have been in her mid–, she looked like she was in her mid-20s. Eric looked like he was a bit older, probably in his 40s, but you know, the pictures that Precious had been sending to Alan via Skype were, you know, pictures of just gorgeous women that you find on the internet, right, and it was pretty clear that the Precious in real life was not the same.

[00:12:26] Bob: Eventually, the group gets down to business. But they don’t stay in Dubai very long.

[00:12:31] Mike: After signing these documents for the uh, supposed gold, Eric kind of suddenly proposes to Alan, “Hey why don’t I take you to Ghana so that you could actually see the gold for yourself, and so that you can actually see all of Precious’s inheritance, so that you know it’s real.” And then um, the real reason that Eric’s doing this is because he wants to get Alan on some more scams that he has waiting for him back in Ghana. From there, Precious actually goes back to her home country; we found out later that was Ukraine. Eric, I think he just takes Alan’s credit cards, and he just buys tickets for them to go from Dubai to Ghana.

[00:13:08] Bob: And when they get to Ghana, Eric puts on quite a show for Alan.

[00:13:12] Mike: Pretty shortly after they landed, Eric takes Alan to what sounds like some sort of compound or some sort of building that he has, and inside is what Alan described as some sort of safety deposit box. Unfortunately, there was no pictures uh really from, that describe this, so I don’t, we don’t really have a good visual on it, but it looked pretty official. Uh, Alan, you know, Alan described that there was like a bank guard there, and there were some other folks there, and so, you know, Eric does the whole “bring forth the gold” kind of thing. Alan describes um, the guards bringing over I guess a chest of, you know, gold bars, and uh Alan picked one up, and, and he said it sure felt like they were pretty heavy, so it must be gold.

[00:14:05] Bob: Wow, and but to Alan’s estimation, it was maybe millions of dollars’ worth of gold?

[00:14:10] Mike: Yeah, that’s what Eric was claiming the whole time. That was part of the story, so…

[00:14:14] Bob: Of course, Eric has another reason to bring Alan to Ghana. He wants to introduce Alan to another criminal with another elaborate story.

[00:14:23] Mike: Eric kind of uses this opportunity to, to introduce a, another scam. It’s another scam that we’ve heard of before, it’s sometimes you call it like, uh I’ve heard it referred to as like a kind of a washing the money scam, or the black money scam. There’s different variations of it, but really what it amounts to is a magic trick that is really impressive in the moment and really uh hooks your victim. And what Eric does is he says, okay, great, now you’ve seen Precious’s gold. I’d like to introduce you to another person. This person here is Daniel. Daniel’s about 18 years old. You know, he’s also some sort of African nobility. And Daniel’s there, and he’s smiling and he’s, you know, playing the part of a, a poor 18-year-old kid, and Eric’s just trying to help him out too, just the way like he’s trying to help out Precious. And Daniel has inherited a large quantity of, of sheets, uh, you know, just like you’ve seen those sheets that are uncut at the Treasury Department. But these sheets are worthless unless you start cutting them, and once you cut them all, then they’ll be worth millions, but uh, the way to cut them is, you can’t just use scissors. You need a chemical that only, Frank, the other character, he uses introduces guy, Frank. Frank was kind enough to bring it, so let me show you how it works. Puts the chemicals in a bowl, pours water over it, mixes it all up, and then he dips one of these sheets into the bowl, and you know, before Alan’s eyes, the sheets separate into the separate individual $100 bills. So, just like that, we made 400 bucks. And so Eric says, you know, it’s as simple as that, so if we want to start getting Daniel’s uh money, then we need to start paying money for the rest of the chemicals from Frank.

---- FROM PART 2 ----

[00:04:24] Mike: Plan C was, you know with Alan’s permission, and also his wife, too, we, we kept the wife in the loop the entire time. I didn’t want her to feel like she was being excluded, but I asked them if they’d be willing to, you know, take some pictures of Alan in the hospital undergoing, well, post, uh, his medical procedures, and to go back to Eric and Precious and say, “Hey, you know, my health is really declining. I really want to help you, Precious, so uh, here’s proof that I can’t go overseas and see you. Why don’t you guys come over here, and we can do things like, I’ll put you in my will,” and so Precious will have, you know, $10,000 a month in perpetuity or something like that, or, or uh, I got a, another, another ruse that we started coming up with was, we had Alan say, “I’ve got a really rich businessman and he’s really looking to invest in uh, in Africa, you know, and Africa’s the next place to invest in, especially with uh, raw minerals, and you, you seem to know a lot about gold, so yeah, this, yeah this rich businessman wants to meet you. He wants to talk about gold.” So we kind of started coming up with stories to uh, you know, scam Eric and Precious and Daniel with.

[00:05:40] Bob: It strikes me that it’s a good thing you work for the FBI. Otherwise you’d have another career that might not be as wholesome.

[00:05:46] Mike: Oh, (laugh). Well, sometimes you’ve got to think like scammers to catch them, so.

[00:05:52] Bob: Mike has to really work to open the door to the US for Precious and Eric. One of the most important steps, getting the State Department to issue a visa.

[00:06:01] Mike: We were kind of playing multiple stories at the same time, and I think the pictures of Alan, uh, you know, in the hospital, they were effective, but what was even more effective was we were telling Alan to ask Eric like, “Hey look, go to the Embassy in Ghana, apply for a visa, just get that process started,” and then I actually started kind of going behind the scenes, and I started, uh, talking to some reps at the State Department to say, like, hey look, we’re going to, we’re trying to set this up now, you know. This person, Eric, which I, you know, by that time we had kind of identified who Eric really was, he’s a criminal, he’s a, he’s a subject of an investigation, there’s an active FBI investigation on him. Here’s what, here’s kind of what’s going on. Basically I said, “I need you to give him a visa.”

(MUSIC SEGUE)

[00:06:51] Bob: Meanwhile, Mike is coaching Alan on what to say to Eric and Precious. They lay it on pretty thick.

[00:06:57] Mike: We had Alan say, “Hey, you got your visa, because my friend, my rich friend pulled some strings with the government.” That was the story that we were spinning towards him, and then we were saying, “Okay, well now my rich friend really wants to talk to you about gold, so he’s going to buy you a plane ticket.”

[00:07:11] Bob: Even after Mike gets the State Department to play along, there are still a whole lot of steps before Eric and Precious might actually get on a plane and land in a US airport where they can be apprehended. Would Eric even show up for his visa appointment? What if he got cold feet right before boarding the plane? You’d think Mike might be worried by these things, but he says he wasn’t.

[00:07:32] Mike: You know, it wasn’t really so much nervousness, I think, uh, just the way that we think here, we always have plan A, plan B, plan C, so this plan that we were setting forth, even though it was plan C, which is now plan A, we still had backup plans, you know, in place, so I knew that if Eric never really came here, or if uh, he never followed up on his visa appointment. We had other ways, you know, it’s just, you know at the FBI we just, we, time is on our side. So something would have come eventually. Like, for example, the UAE would have told us who these people really were. And so we could have, you know, these investigations drag on for a while, and eventually something would have broken, so I wasn’t um, part of me was like, there’s no way he’s actually going to do this. But even, and even if he didn’t, that would be okay, because this investigation will still be going forward.

[00:08:22] Bob: But, to the surprise of many agents involved, the plan works. Eric gets his visa and gets on a plane headed for Dulles Airport outside Washington DC.

[00:08:33] Bob: So it worked, okay. Are, are you there at the airport when they arrive?

[00:08:36] Mike: Yep, yes, it’s myself and a few more agents, and uh, um, you know we kind of confirmed with the Department of Homeland Security that he did indeed board the flight. We actually bought his plane ticket for him. And so we knew exactly when he was arriving. As he’s going through the immigration queues, one of the uh customs and border protection officers was with us, had kind of taken us behind the scenes at the airport. We saw him just going through. I think he had like a blue suit on, and uh, he had like one of those neck pillows. He looked very tired, obviously. We kind of pulled him out of the queue. We told him to sit in a, a place that’s called secondary inspection, uh with CBP at the airport. We just kind of looked at his uh travel documents again, just to confirm that he really was the person we were looking for, and we kind of went to him, kind of broke the bad news.

[00:09:34] Bob: What was the, the expression on his face when you did that?

[00:09:36] Mike: I think he was very tired. He was very jetlagged. He was very like, uh just absolute resignation. No fight, no denial, just okay, sure. Take me.