Consumer protection careers: Fraud, identity theft and social engineering

[00:00:00] CS: Today on Cyber Work, our guest is Adam Levin, a 45-year veteran of consumer protection, security awareness and phishing education. Adam joins us to talk about his career in fraud, privacy and identity theft, as well as his all new podcast, What the Heck with Adam Levin. Do not miss this episode of Cyber Work. It's got something for everyone.

But before we start, I want to point out your attention to an all new ebook published by Infosec. It's titled Developing Cybersecurity Talent and Teams, and it's free to read if you just go to infosecinstitute.com/ebook. It collects practical team development ideas for industry leaders sourced from professionals from Raytheon, KPMG cyber, Booz Allen, NICE, JPMorgan Chase and more. Did I mention it's free? It still is. Infosecinstitute.com/ebook. And now, on with the show.

[INTERVIEW]

[00:00:54] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Adam K. Levin is a nationally recognized expert on cybersecurity, privacy, identity threat, theft, fraud and personal finance, and has distinguished himself as a fierce consumer advocate for the past 40 years. Former director of the New Jersey Division of Consumer Affairs, Levin is the founder of CyberScout and the cofounder of credit.com. He is the author of the critically acclaimed book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves. Adam it was also the host of a new podcast called What the Hack with Adam Levin, which is a really new and interesting take on the genre of the it happened to me style hacking and phishing tails. I’ve listened to the first couple episodes already, and I'm very excited about it.

So we're going to talk to Adam today about his decades of consumer advocacy work, his dedication to personal safety and privacy online, and a whole lot more about this new podcast. Adam, thanks very much for joining me today. Welcome to Cyber Work.

[00:01:59] AL: Chris, thanks so much for inviting me.

[00:02:01] CS: My pleasure. So I always like to start the process here, because we have a lot of listeners who are just getting started in cybersecurity. And we like to sort of figure out how our guest first got involved in security and how far back the interest goes. Unfortunately, your LinkedIn page is exceedingly detailed. So I want to focus in on three things that I think get us into the topic at hand. From 1977 to 1982, you were the Director of the New Jersey Department of Law and Public Safety, Division of Consumer Affairs. In 1985, you are cofounder of credit.com, a highly respected credit education and consumer advocacy company. And in 2003, you founded CyberScout, an identity threat theft, education and resolution identity management and data breach response company. I know I used a few of those back in the day. Given these past vocations, a podcast about getting hacked, phished scammed or being targeted for identity theft seems like a natural progression. So can you tell me what first brought you to working vigorously for consumer protection and educating against credit fraud and identity theft as your life’s goal?

[00:03:02] AL: Absolutely. Well, I started with the New Jersey Division of Consumer Affairs way back in 1977. And the governor appointed me then. Actually I'd begun working there in 1976 as Director of Special Projects. And I've come from a family that was always very public service-oriented. My godfather was the United States Senator. My father was always very involved in both politics, government service, as well as philanthropic activities. So it's kind of like something that I grew up in. And I believe in it very much because I think there are so many people that are being taken advantage of by the bad guys. I was very involved when Elizabeth Warren created the Consumer Financial Protection Bureau. I'm old line consumer protection. I go all the way back to where Michael Pertschuk shock was with the Federal Trade Commission and Joan Claybrook was National Highway Traffic Safety Administration. So it's sort of that philosophy.

We created credit.com in 1993, ’94, went online the end of ’94, to really have one place where people could go to get education, protection, advocacy, and then ultimately morphed into products and services. It was originally supposed to be a book and an infomercial, podcast. That was a little bit before its time. But my operating partner at the time came to me and said, “There's this new thing called the Internet.” And he said, “I just got us the domain credit.com by swapping a hard drive for it.” An $1800 hard drive back in 1994.

And then in 2002, when I took over operations of credit.com, I was approached by people that were part of a legal services company and they said, “We really would like to bank a bit on the J.C. Penney credit card portfolio. We think that our bid is going to be too high. We need something to make it more robust. We've been hearing a lot about this thing called identity theft. And possibly, you could help us since you're in the credit business. And there is a tie in between credit and identity protection. See if you can find somebody for us.”

And I looked around at that time with my operating partners, and nobody was doing it right. There was a marketing company. There were some insurance brokers. There were companies that were involved in investigations, but nobody had a company that could help people put their lives back together again after they'd been a victim of identity theft.

So very, very briefly, we went to this conference in Texas, IAFCI, International Association Financial Crimes Investigators, which were all part of, and I run into the Secret Service, the FBI. We sit down with them. We talk to them about what we want to do. And the Secret Service agent said to me, “If you can do that, we will love you forever.” And it's the first and only time I was ever hugged by a Secret Service agent.

[00:06:14] CS: I wouldn't wait for the second one.

[00:06:15] AL: No. But the whole point is that when dealing with identity theft, it is a life-altering event. Now, in the old days, the victim wasn't even considered the victim. In the old days, the retailer was considered the victim. In the old days, insurance companies didn't even want to think about it. In fact, the point that was made to me with the first insurance company that I visited to talk about what we did, at that time, identity theft 911, then IDT 911, then CyberScout. What they said is, “”Why are we even in this? We didn't do it. The banks did it. They should be paying for it.” So there's been a quantum shift in the way people think about identity theft and the fact that now, a victim really is a victim.

[00:07:07] CS: Right. So there was there was sort of a perception at the time that the bank was insufficiently safe and should therefore sort of eat the costs or something like that?

[00:07:15] AL: Yeah, it was that the reason why you were a victim is you must have done something wrong.

[00:07:22] CS: Oh, sure. Okay.

[00:07:23] AL: And then when your credit card was run up by somebody who took over your account, the bank needed help and –

[00:07:30] CS: The bank was compensated, but you were just – It was a lesson for you to be learned not to –

[00:07:35] AL: No. You were guilty until proven innocent. And going all the way back to my consumer affairs days, I remember that a third of all complaints we had related to credit, a third of all complaints, and not insufficient number. I mean, not inconsequential number of those are related to identity and other things. And this was all, by the way, back in 1977.

[00:08:02] CS: Right. Now, obviously, you're pointing it out here. But you've had the opportunity to see fraud and scams over the course of decades. Can you tell us sort of on a sort of tactical basis how frauds, or scams, or tomfoolery of this type has changed since the 1970s? Obviously, the tech has changed a ton. But at the heart of it, are the tactics similar or have the things we will or won't fall for changed with the times as well?

[00:08:27] AL: I think the kinds of scams that are going on actually have their roots way back when. They're just packaged differently. I mean, if you think about it, in the old days, what you used to worry about is you'd go into a public place, and someone would pick your pocket. Now, you go into the digital public place, the cybersphere, and somebody is trying at every turn to pick your pocket. The old thing is how does someone either try to convince you that you owe them something, or you should be afraid of them, or they're somehow tied to something official? And oftentimes, that's used as a way to socially engineer you into doing something that you shouldn't do. So tactics has changed. Maybe the words have changed, but the music is not that much different than it was in the old days.

[00:09:27] CS: Yeah, I think when I was right out of college in ‘96 or ‘97, I got a call at my at my place of work saying there's something wrong with your credit card. Can we have your credit card numbers. And just because I didn't know any better, I put my card, gave them the numbers, hung up. Within like three seconds went, “Oh, no. I've made a terrible mistake.” Called my company. They still managed to put a ding on my on my credit rating. But I feel like that's still an identical tactic now. They still get a lot of juice out of just randomly calling or putting it online and saying, “There’s something wrong with your accounts. Give us your number so that we can check it for you.”

[00:10:04] AL: Well, first of all, to put it in context, there are four kinds of hackers, or let me say threat actors, because there are many good hackers that are not the bad guys. So you have state sponsored, which is kind of new. I mean, there's always an espionage, but this is a whole new way. You have for-profit, and think of Target, and Home Depot, and so many others, and the whole ransomware gang now. It's all it's all about profit. You have cause related hackers. Some people say that the Sony hack was caused. North Korea had a feather up. It’s about the movie. However, now we're also learning that's one of the ways that North Korea finances its operations is by ransomware attacks and selling on the dark web. And then you have the because I can hacker. And that's people who are trying to show off within their community. And it is a big deal if you bag and elephant isn't we're. Not good for the public, but for a hacker, it enhances their standing within the community. And then you have what I call the pantheon of phishings, which is phishing, which is dear cardholder, dear member, dear policyholder, spearphishing, dear Chris. Phishing, it's when you get the magic phone call that someone wants you to believe they're from the IRS, or your bank, or a charity, or where your work, because there are deep fakes now. And then there's SMSing, SMS text-based phishing, where you get the magic text, which could be anything from click here to find out where you get your COVID test a where you get your vaccine. Or your account has been frozen. If you wish to thought, you need to re-authenticate yourself, click here.

That's really sort of where we are in a nutshell. Those are the kinds of things that people have to be wary of. Now, this is on top of the fact that breaches, leaks, all of that, have become the third certainty in life behind death and taxes, because we've had billions of files have been exposed in all of these different breaches that have occurred. And now even with ransomware, or the old days, someone would show up at your digital doorstep. You would get the skull, the clock ticking back from 90 hours, the threat that your life was over unless you paid them, at least your digital life. And you pay. They go away.

Now, they don't necessarily go away. They steal the data. And while you're paying, and you're not even sure you're going to get it back, they're off selling it in the dark web. And on top of that, they're going to the people whose data was in the database that was breached and they say to them, “Hey, what's it worth to you that we don't put, like, for instance, plastic surgery patients? We now put your before and after pictures on the web?

[00:13:16] CS: Yeah, it's pretty gruesome, for sure. And yeah. Yeah, I mean, those are – That is a quite a few things to be terrified about. And we've covered a bunch of them on the podcast here. Can I ask, have you ever had any personal experiences with being defrauded, scammed or spun around circles by identity thieves? Do you have any?

[00:13:37] AL: I've actually had some personal instances way back when I was young and somewhat dumber than I am today. And I fell for some things. And it was very embarrassing. And see, that's one of the important things that people have to understand, is it's not a question of if, but when. We are all going to be victims of some form of identity theft or cyber incident. And therefore, the best way to help all of us is to be open about it. It’s not like you have to post your name in the New York Times on the front page. But it's very important to be open about it, because first of all, it's a cathartic experience. And when you talk about it, it's almost like therapy. But more importantly, you're also helping to educate other people who may not have experienced what you experienced. But boy, will they experience all the negative side effects of what you experienced if they become a victim.

[00:14:34] CS: Yes. And I think there's also this – This is something we deal within our industry within cybersecurity and people who are dealing with security awareness for large companies is a lot of a lot of people have the notion of like the human is the weakest link in the chain, which technically true, that a human is the one that’s clicking the pizza coupon or re-upping their account incorrectly or whatever. But at the same time, we're all going to be weak link in the chain at one point. So the idea of sort of blaming people, “Oh, what did you do? Stand here and sit in your mast or whatever,” is not helpful. And yeah, if you tell your friends whatever, “Oh, yeah. I got hacked. Someone took $200 out of my bank account and spend it at Nike or whatever,” like a lot of them probably have the similar stories to you and say, “Oh, yeah. That happened to me too. Sorry about that.” And it reduces the stigma, but also, like you said, it makes it sort of universal in the sense that it's coming.

[00:15:34] AL: And we have to realize, we'll get to the whole work at home thing later, but we have to realize that hackers, or bad actors, they play on the fact that we're distracted. And why are we distracted? We all have day jobs. We're either working for somebody, running a company. We're involved in raising our kids. Now with work at home, making sure they get educated sometimes incorrectly on the same device that we need for work, philanthropic activities. That's our day job, getting an education. But to a hacker, we are their day job. And I think as long as people understand the fact that you're facing off against somebody whose only mission in life is to figure out how to transfer your wealth to themselves one way or another.

It’s just like I was involved in election security, actually in the past election. And one of the things that became very, very clear is you're dealing with, for instance, a small rural county in a small Midwestern state, and they suddenly realize they're facing off against Russia. Now, I mean, that's not a fair fight. And so many people have the attitude. They look in the mirror and go, “I’m me. I mean, why would anyone care about me? I'm just a regular person.” But what people don't understand is you may see you in the mirror. But when a hacker sees you, they see Jay Z and Beyonce. They see Adam Levine. You're a star. Why? Because you got what they want. You have data, financial information, login credentials, for instance, where you work. So it may not be about you. It may be about your spouse, your boss, your philanthropic organization that you work with. You could be the tributary to a larger River.

Perfect example, they hacked into Target because they hacked into the HVAC subcontractor who had access to the Target chilling units. And they use that access to crawl into Target, get into the point of sale system and get into its databases. So just remember, it isn't always about you. But you can do a lot to make sure that you're protecting those you love and where you work, and those organizations with whom you have relationships by doing your fair share. It's called shared responsibility. Business isn’t and doing enough. Government isn't doing enough. Consumers, unfortunately, aren't doing enough. But that's because so many don't know what to do, which is kind of the point of everything that I've been doing is to try to make them more aware of the threats and ways they can better protect themselves.

[00:18:17] CS: Yeah, so let's talk about – I mean, obviously, we talked about your history, which is great in your previous organizations. But I want to talk about What the Hack with Adam Levin here. The podcast is live now. There's, as of this morning, I think the third episode just went up. And I've heard the first two. Our listeners should be able to hit their favorite podcasting device and check out these several episodes with you and your cohosts, Beau Freelander and Travis Taylor. So what was the impetus for starting this podcast? And how did you assemble this particular team as your cohosts?

[00:18:45] AL: Well, this is a team that I've been working with for many years. We have a site adamlevin.com, which is sort of a cyber education destination site. Beau and I wrote the book Swiped together, how to protect yourself in a world full of scammers, phishers and identity thieves. We wrote together for ABC, CBS, Huffington Post, a lot of the Oregon Ink. So we have a long standing track record. Travis has been doing our technology for years. He's lovingly referred to as the voice of God on the podcast, because he has a voice two octaves lower than God’s. And so we have a long history of working together and totally crazy chemistry between the three of us. And we've been at this a very, very long time. So there's a real comfort level between all of us. And the whole goal is to have fun. I mean, look, it's a very serious issue. But at the same point, it's all about making this subject accessible to human beings as opposed to somebody floating in a cloud over your head and you're trying to figure out what they're saying. And I found in the years I was Head of Consumer Affairs, I made about 1500 speeches. And I always found that if you injected humor into the speeches, people were always listening. If you just droned on and on, you'd lose them. But if you were saying some funny things, they'd always be listening for the next line. And somewhere between the lines, they'd also be learning a great deal. And so that's really what our goal has been.

[00:20:23] CS: Yeah, yeah. I need to make a note for myself. I need to be funny more often. For those of us and for those people who haven't heard the podcast yet, can you give us a taste of what you'll hear when you tune into What the Hack? What's the format of the show and what types of listeners is it aimed to?

[00:20:38] AL: Well, the format of the show is just three guys having a conversation. It's almost like cyber Car Talk, the car talk with NPR. And we usually talk about an issue of the day, the week, the month. And then we bring on a guest. It is someone who has had some form of identity incident. And we talked to them about what happened, what they did, how they felt. Ways that they work to try to remediate the situation. And then we give people tips as to the kinds of things they can and should be doing in order to make it harder to do them what was done to the person that we're talking to. As well as general tips about also what business and government can do too.

[00:21:28] CS: Right. Yeah, the first two episodes are very specific. Like the first one, the guest was sort of trolling like [inaudible 00:21:36] a forum and got sort of – Was in the sights of the wrong person. And the second guest received a card for unemployment benefits that she hadn't applied, but didn't give it any thought because I haven't applied for them. So why should it be here? And so I like that, in both of those, like you have a very – Like the topic is a very sort of simple elevator pitch you can tell someone about, “Oh, you should hear this episode.” And it can be sort of conveyed in a sentence. They’re like, “Oh, that sounds interesting, or whatever.”

So in researching these episodes, like how far forward are you in terms of researching cases and stories for future episodes? Are you like working through hack theft or fraud stories that you've known for years? Or are these actively being solicited by listeners or community members? And without giving too much away, do you have any future episodes that you're particularly excited to tell us about?

[00:22:28] AL: Well, we have. We have some – I mean, actually, the newest one is very interesting. It's about a fellow who's a journalist, a respected journalist who was hacked by the Iranians when he was going in to do a story. But that really wasn't his story. His story is that he received this crazy email that an amazing number of people got. I got 15 of them myself. Some folks that I've talked to, they've received many of them, men and women. It's a sextortion plot. That's where it basically says, “Hey, you go to different websites for certain things that may not be acceptable in certain parts of the community. And we just happened to be in one of them. And we managed to use our access in the one we ran to crawl into your computer, take over your camera, take over your email, and we know what you were watching. We have videos of you as you were watching, and you we're having a good time. And oh, by the way, pay us a lot of money, or we're going to send it to your friends and contacts.”

And this is something an awful lot of people have gotten, and many people get scared to death, because they can't remember half the time with the sites they visited or someone that might have been using their computer visited. And now they're scared to death that possibly somebody has something on them, and they pay. And we try to say to people, “You're not alone. This happens to a host of people. And it's highly likely it didn't really happen to you. But they're playing on the fact that you think it might have happened to you.” And so, again, we try to use that as a learning experience.

And we have other shows coming up that talk about elderly people. I happen to be a bit elderly myself. I’m 72. And things that they get a call about a technology scam. They're going on a website using a Mahjong app to play with their friends and somebody got in there before them. People, somebody, who just wanted to buy a boat, because it was that time of the year and they wanted to buy a boat, and they got sold a bill of goods and they fell for it.

We even have somebody on there that thought that he might be hacked, and sometimes in life you're not hacked, but you think you've been hacked. So we talk a bit about that. And then we have a couple coming up actually already into the next season about someone who fell for a cat phishing scam, and then someone whose information was used in a fake profile as the basis for someone else to launch a cat phishing scam. So I think a lot of this stuff will sound familiar to people, but they'll find the twists in the stories pretty interesting. Including also a CIO of a company, the company suffered a ransomware attack. And how did they feel the exact second in the middle of the night that they got the phone call from their tech department saying, “Houston, we have a problem.”

[00:25:39] CS: Yeah. Now, are you sort of structuring these around the idea that each one sort of covers a different specific type of fraud? Like would you ever like reject an episode if it's too similar to a previous one? Or are you just taking all the pitches you can come up with at the moment and trying them all out?

[00:25:59] AL: Well, actually, I find that something could sound similar to something else. But when you really get into the facts, you find out it really wasn't. As well, as we sort of get into the personality and the lives of the people that we talk to. And, really, the folks we've talked to, they've had just fascinating lives and the things that listeners would identify with, “Gosh! I've done that. Or I do that. Or that happened to me.” So I kind of think that pretty much every story has its own arc, is it we're. And we like to explore all those different arcs and get people involved in the process. And we do have fun along the way.

[00:26:42] CS: Oh, yeah. And I think, also, the more that people recognize, like you say, recognize themselves in another person. And, “Oh, that's my background. I'm an artist,” or I run marathons, or what have you, like I think that does help. Like you said, with humor, that also helps to sort of make it stick. Like, oh, this isn't just something that happens to dignitaries or my grandmother.

[00:27:05] AL: And again, if you think of the environment we're living in right now, post-COVID, I hope to God, that's post-COVID, and all of the things that happened to us during COVID. Because these threat actors, what they do, the bad guys, they basically take something which everyone is familiar with and everyone's waiting for something about, and whether it's the stimulus program, or PPE, or tracing, or updates on COVID, unemployment, compensation scams, job searches, charities, cat phishing, work from home scams, tech scams, business email compromised scams, you've heard so much about them. And then something happens and it triggers something. Or there's a total national disaster and everybody's being asked to kind of chip in one way or another. So when you get the call, the text, the email, it doesn't sound very logical. Or it's tax time, and you're hearing from the IRS, and you say, “Oh, well, I guess I don't want to hear from the IRS. But it's tax time.” But it's not the IRS. So they will take something and then they will use – The new thing is now people are receiving child tax credit payments from the government. And scammers are now using that as an opportunity to twist people by saying, “Hey, you want to get to the head of the line? Or we can get you registered faster. Or maybe we can get you more money.” And who would turn down that opportunity? Except it's a scam.

[00:28:42] CS: Yeah, and the fact that all these things are accelerating so quickly. Again, if you're at home all the time, you can't discuss things with your IT department or whatever, like you said, you’re making you said, you're making all these split second decisions. They're preying on the fact that, “I have to choose now,” or I'm checking my email at 11:45 at night and I'm already kind of tired, then that's how you sneak in there. But I think the work from home thing has just made it – It's just completely eroded the line between our work life and our home life. And so you're always like stuck making these decisions that all feel like matter of life and death right now.

[00:29:18] AL: Well, and especially when you're working from home, too often you have situations where you're juggling schedules. So half the time you can't figure out what you're doing, because you're in the middle of five different things. In many cases, in many families, children are sharing devices with their parents. And I have a little nine year old. And the bottom line is they can be a weapon of mass destruction within a household by clicking on the wrong link or falling for something that when you look at it objectively you go, “You know, I could see where a kid would fall for that. I can see where an adult would fall for that.” So that's why we have to make certain adjustments. And that's why we have to be extra careful, because at this particular moment of distraction, there's vulnerability. And there's nothing that a hacker, or a scammer, or a bad actor loves more than vulnerability. They always say, “If you're having a romantic relationship, vulnerability is something that's sweet.” Unfortunately, when you're dealing with a bad actor, vulnerability is a nightmare. It's not sweet.

[00:30:26] CS: No. It could be the end of everything. Oh, our company, Infosec, provides cybersecurity training online and in-person. And germane to this conversation, we also offer security awareness training, including phishing simulators that IT departments can use against their employees to let them sort of safely sort of feel something like this, as well as a suite of educational videos. And we recently just partnered with Chooseco, who did the Choose Your Own Adventure books, to do the sort of interactive learning modules. And so while we understand that hacks and break-ins and more can happen to human error, we're quick to not make human beings feel like they're the weak link in the chain, as I said before. It's going to happen to all of us. And what you do next, and whether you're embarrassed about it will determine the speed of recovery and the lessons learned.

So you give a lot of good advice on the podcast throughout the thing, but especially at the end, it comes down to simple things, two-factor, have a credit checking, all these things. To repeat some of that, what advice do you have for people in 2021 using their computers for work and/or play, wanting to do the right thing, but always feeling a little trepidatious about the bad guys lurking out there? What should we be watching for? What's hot and fraud right now? What tricks consistently work? And what sort of blanket advice do you have to sort of bring the fear down a little bit?

[00:31:45] AL: Well, the first thing I say is that, you know, if you're feeling paranoid, you're justified in feeling paranoid. They really are out to get you. And there's nothing they love more than getting their hands on their user ID and password in order to get that to crawl into your company or into your home life. So I always tell people, and this goes for companies too. And we can take it separately. But for people, it's really the three M’s. How do you minimize your risk of exposure, reduce your attackable surface? Not easy with 20 billion plus Internet of Things, devices tracking us, and following us, and knees dropping, whatever? How do you monitor so you know as quickly as possible that you have a problem? And then what's your plan to manage the damage?

So for consumers, it's everything from, as you had mentioned, strong password protocols. Get a password manager. Do not share the same password that you have across your entire universe of websites. And for heaven's sakes, don't use your password that you use in your private life for your business, because that could prove to be a total disaster. Don't click on links or open an attachment unless you know where it's coming from. Don't worry about picking up the phone and calling your boss and saying, “I know this is going to sound crazy. But did you really send that to me?” Just like now, if you're going to wire money, because you're purchasing a property, they tell you in brokerage statements and things, real estate brokerage statements, call and confirm this is the right place to wire the money, because they've had a lot of people who fell for that. It also means if someone contacts you by phone, for instance, never authenticate yourself to someone who contacts you. I don't care who they say they are. Find out who they think they are or claim they are. Independently confirm that's who they really are. And then call the number directly of the agency or if it's your financial institution, the number in their back of your credit or debit card. And if they start asking you who you are, at least then they're doing it for your protection as opposed to for your exploitation. It also means freezing your credit. It also means shredding. Humble shredder is still meaningful as long as it's not a ribbon cut shredder, for those of you that saw the movie Argo.

In addition to that, the second M, monitor. Get your credit report. Actually look at it. And what's important is don't look at it for what you did. Look at it for what you can't remember you did, because you may find it wasn’t you. Track your credit scores to make absolutely sure that they don't take a sudden precipitous drop that you can't explain. Sign up for a financial – It's called transactional monitoring. This is where financial institutions and credit card companies for free notify you anytime there's activity in your account. You'd be surprised at how many credit and debit cards are sold by zip code. Designed to evade bank tracking systems, but won't evade you, because you were there, or not, as the case may be.

When you get an explanation of benefit statement from your health insurer, read it. We actually worked with a woman, 72 years old, who lived in New York, and on the same day from opposite sides of the country was billed for a sperm viability test and a pregnancy test. Also more sophisticated forms of credit monitoring that include dark web monitoring, and instant “me, not me” alerts that notify you not three weeks after the fact. But hey, someone's trying to open an account right now using your social security number. Is that you? Yes or no?

And the third M, which I think is equally critical, and a lot of people don't know this, is that many insurance companies, financial services organizations, and employers have programs now to help people through cyber incidents and identity incidents. And sometimes it's a perk of your relationship with the institution. So contact your insurance agent, your bank rep, or the HR department where you work. Say, “Do you have a program that helps me protect my identity? Or helps me with a cyber problem? Am I in it? If not, what do I need to get in it? And what's it going to cost?” You'd be surprised it's not expensive as you would think. And a significant percentage of employers are now offering it to their employees, because they don't want distracted employees. They don't freak out employees. That becomes a non-productive employee. And more importantly, if their employee gets hacked and their credentials just happened to be the same as they used for the company, it protects the company against having what could be a near extinction level event.

[00:36:49] CS: Yeah. Now, with regards to some of those sort of free credit tracking things, like I'm kind of addicted to Credit Karma, and just looking at my numbers every month. And, “Oh, my number went down. I paid off my credit card. I'm a good boy.” That doesn't really replace getting your credit reports, right? That's more of kind of like a snapshot in the moment. Are there things that that like a free credit card credit tracker doesn't see that you would see if you did like a hard request at Experian and so forth?

[00:37:18] AL: Well, if it’s a credit card tracker, you're not going to see other things that occurred in your life. Just like when someone files a tax return using your information, and you find out because you're blocked, because you can't file it, or you get a notice saying you willfully underreported your income, or your refund never shows up. And you think, “Oh, well, I've dealt with the IRS. So I'm fine.” Not really. Because if they had enough information to file a fake tax return, they have enough information to open a new account to take over an existing account to commit medical identity theft, criminal identity theft, child identity theft, and the list goes on and on. So no, it's very important to get your credit reports. But it's also important to track your scores. Because if your score goes down, there's only three reasons, four actually. One, they made a mistake, and it's not you. Two, you didn't pay a bill on time. You really need to know that. You're using too much of available credit, you need to know that. Or you're a victim of identity theft, you really, really need to know that.

[00:38:29] CS: Yeah. So I want to talk to you on sort of a more of a career side of things. This is CyberWork podcasts, and we're here to help people find work in the industry. And you had an interesting set of career arcs in law and consumer protection, cybersecurity, and politics and advocacy. So for listeners interested in working in the realm of security and fraud education, like you're doing, like what sorts of – In 2021, what kind of skills or educational tracks or experiences should they be looking for here and now?

[00:38:59] AL: Well, it certainly doesn't hurt. In fact, it helps a great deal to have a technology background and some kind of experience in the space. Now, I know that a lot of people are getting advanced degrees in cyber now. And a lot of institutions offer them. But I do think that it's very important that you get some real life work experience in the space, first of all, to decide if you like it. It is definitely a growth industry. And it's one of those things where you really have to read a lot. You have to be up on a lot. You have to know what's going on pretty much at every minute of the day or night, because things evolve so rapidly. I mean, when you're dealing with bad actors, you're dealing with people that are creative, sophisticated, and persistent. And sometimes working for even very bad people, and part of it is because there's so much money on the dark side even more than the light side.

Military experience is also something that is extremely helpful, especially if you worked in technology in the military. Having a legal background also helps, but I'm not telling everyone to immediately run out and go to law school. That would be great for the law schools. They'd love to have your tuition funds. But those are the kinds of – Frankly, education backgrounds are important too. Because now you understand how to study things, to distill things, to make them more understandable by people.

I mean, the part of this that is going to be so critical in the years to come is we all have to cooperate, collaborate, and communicate, because it's really about as being as much in the know as humanly possible. And also understanding the fact that – And I think Bruce Schneier, who's one of the lions in our space in cyber has always said, “If you think throwing money at technology is going to solve your security problems, then you don't understand security, and you don't understand the technology,” because so much has to do with human nature, working with people and understanding that people are your first – They are your first line of attack if you're a bad guy, but they are also, for an organization, oftentimes, your last line of defense. So that's why what you and your company do are critically important. It's so important for people to understand what the threats are, and what some of the solutions are, and what to look out for, what the red flags are, the kinds of things that you don't do.

And the CEO of Microsoft said it, I think, best awhile back. He said, “Look, we all have a shared responsibility, business, government and consumers.” And with consumers, my point having run a consumer protection agency, we didn't ask for it. We weren't trained for it. Half the time, we really didn't know what the heck we're doing about it. But at the same point, the hair shirt, the ceremonial shaft has been passed, and we have to be part of the process. So it's easy to sit back and everybody point fingers at everybody else. It doesn’t matter anymore. We're way past midnight on this. We got to stop the finger pointing and start holding hands, because this is a global problem.

And as much as, for instance, in the United States, we say, “Well, we're great at offensive cyber. Not so great at defensive cyber, but we're going to get better.” The truth is it doesn't matter if we get better, unless we're making sure that the rest of the world is getting better with us, because this is a global – This is a pandemic, like COVID is a pandemic.

[00:42:53] CS: Speaking to that, are there any other countries that you see that are doing a better job in terms of like educating their populace? Or are there sort of swaths in the world that you see are especially cyber savvy where we aren't necessarily?

[00:43:08] AL: Well, Israel is considered probably the best offensive and defense cyber country in the world. But then again, they have to be. They’re a teeny little country in the middle of nothing but hostility. And there are – Ready for this? 7000, real number, cybersecurity companies in Israel that have been founded in Israel that are going global. And so they're very good. We certainly know on an offensive level, China, Russia, North Korea, Iran, Syria, I think I said North Korea, these countries are – I mean, unfortunately, they're really, really good at what they do. Not so good at defense, but really good at offense. And people will say, “Well, the US, we have so many problems.” Well, just remember, this is an open country. We have breach notification laws in every state. Like the EU has GDPR. So, in the west, we're pretty open about what happens to us.

I guarantee you, China, Russia, Iran, Syria, they're not in North Korea. They're not talking about it what happens to them. And without question, we're doing to them what they're doing to us. It's just that we're more open about what's going on with us.

[00:44:30] CS: Yeah. So based on what you've seen and what the cases you've researched for the podcast have indicated, do you have any predictions about ways that phishing, or fraud, or identity theft are going to change and mutate in the future? Are you seeing things that other people aren't yet just due to your sort of constant reading and being in the front lines like?

[00:44:48] AL: Well, think some things are very clear. We're certainly under assault with anything supply chain related, certainly anything critical infrastructure related, and we're talking about everything from water, electric, power, election systems, although they we did a pretty good job with that. Healthcare system is a massive target. The education system is a massive target. I don’t know if you saw recently that a school district in West Virginia was hit with a $70 million ransomware demand. I mean, 70 million – We're not talking about that's a state. We're talking about an 18,000 person school district in West Virginia. Now either the ransomware gang had no clue where West Virginia is, or they just –

[00:45:43] CS: Of they just want to blow them off the map apparently. Yeah.

[00:45:45] AL: Yeah, I mean –

[00:45:46] CS: You’re annihilating budget probably for however many years at that point.

[00:45:49] AL: And it's very nice that the guys that hit – They said, “Hey, give us 99 million. We’ll go away.” I mean, that seems to be – I heard the song 99 bottles, but I don't know about 99 million. Not a cheap date. And it's been going up. I mean, you had CNA paid 40 million, JBS, the meat packers, worldwide meat packers reportedly paid 11 million. Colonial paid 4.4. The feds seem to have gotten most of that back. So there's more aggressive stuff going on by the feds.

But the big areas I see are ransomware is going to continue to grow because it works for the bad guys. Ransomware as a service, this is where, “Hey, I'll develop the software, and you can use it, but I want it vague.” So it's a business model. Then you have ransomware resolution companies that are springing up, and some of them are very good. The scams are getting way more brazen, anything to do with COVID, anything to do with unemployment. Now deep fakes could become a problem.

So the ultimate trend has to be that cyber hygiene has got to go mainstream, and good password management, good cyber practices, I mean, these are the kinds of things we have to gauge in the future. Just like I say to companies that I say to people, you have to have a culture of privacy and security in your life and in your company. And it's as much about culture as it is about technology, maybe even more so. Because technology is so rapidly evolving, that if we don't have the culture to say, “We're not going to click on that link. We're going to use long as strong passwords. We're going to have multi-factor authentication.” “Oh, yeah, we're not going to download that app because it's new and cool. We're going to make sure it comes from the right App Store and we're going to freeze our credit.” And, “Oh, my credit scores dropped. Yeah, nothing to worry about.” No, these are the kinds of things that you have to understand and you have to get more aggressive about. Because, years ago, I made a statement, I stand by it. The ultimate guardian always has been is and always will be the consumer. Because nobody knows what we do better than we do. And we can stop clicking on the link. The government of the United States is not going to order us to stop clicking on a link. It doesn't work that way.

[00:48:26] CS: Yeah. Now to that end, though, speaking of things like GDPR, CCPA, I'm not talking about like enforced regulations, but do you see any benefit to something like a nationwide education program, as you say, where it becomes something that's either taught in schools or there's TV shows or something like that? Because it does seem very – It's up to you to educate yourself in a lot of cases. And obviously, you can listen to What the Hack? with Adam Levin and other things, but do you think there's any benefit to – Not that we're waving a magic wand here or anything, but to sort of systematizing cybersecurity education that way?

[00:49:03] AL: Oh, I do think it's critically important. I mean, the reason why they're loath to create standards in many cases is because by the time they've actually agreed on what the standard is, the technology and the bad guys have evolved beyond that standard. So that's like kind of yesterday's news. But if you want to put this in perspective, and this is an important way to think of it. When you say the word portfolio, the Pavlovian response is investments. Most people forget that we have other portfolios in our lives beyond education and some of those portfolios, and that's our credit and our identity. And where we would hope that a professional would be managing our investments, we have to be the professional managers of our credit and our identities. We have to build them, nurture them, manage them and protect them. And only we can do that. And therefore, any way that society can help us get there, we should. And it's like, “Well, some people go, “Well, this should be learned in the home.” Well, how could it be learned in the home when nobody taught our parents? And certainly nobody taught – People didn't even know what the Internet was for our grandparents. So this is a constantly evolving situation. And I know, based on my nine year old, I mean, he is far more facile when it comes to technology than I am. He's showing me how to do things. So they are at an age where they are receptive to it. And let's see give them every opportunity to get as much education and information as they can, because this is going to impact them even more than it impacts us in the future.

[00:50:42] CS: Well, to end on that, I mean, because that feels like a slight note of hope the way that the younger generation is becoming more facile and more able to sort of like keep on top of these things. Do you see any reasons for being optimistic about the future? Or is security education inherently Sisyphean?

[00:50:59] AL: No. No. I think we should be optimistic. This is not – The world isn't going to end with this. I mean, obviously if there's a cybergedon, it certainly could be very ugly. But the truth of the matter is the only way we're going to protect against this is by working together. And if you see, there's more and more effort going on in Washington. I think we're finally speaking with one voice as to how we feel about Russia and China when it comes to their cyber antics, as well as North Korea and others. And as much as we'd like to believe, hey, everyone's going to sign an agreement. It's all going to go away. The reason why people sign agreements is because they then try to figure out how to get around those agreements, unfortunately. So it's a situation where it's not going to be easy. No one ever said it was going to be easy. And it's way past midnight when it comes to this. But I think that the more that people know, the more they adopt a culture of privacy and security and understand how important that is, as opposed to just taking billions of dollars and throwing it at technology, I think the better off we're going to be. And I think more and more people are coming to understand the fact that humans are human, and people make mistakes. It's human. And therefore, don't beat them to death for it. Embrace the fact that that's reality, and do everything we can to adjust behavior to take that into account.

[00:52:25] CS: We’re hitting about an hour here, and I really want to thank you for your time, Adam. This was super fascinating and a lot of fun. I just want to wrap up by making sure that our listeners know. If they want to hear What the Hack? or learn more about Adam Levin, where should they go online?

[00:52:40] AL: Well, first of all, What the Heck? is available everywhere you get your podcasts, whether it's Apple, Spotify, and a whole host of other places people go. And for more information about what we do and how we do it, go to adamlevin.com.

[00:52:58] CS: Great. Well, Adam, thank you so much for joining us today and for all the education. And best of luck with the new podcast.

[00:53:03] AL: Chris, thank you so much. Thank you so much for having me.

[00:53:06] CS: It was my pleasure. And as always, I want to thank everyone listening at home, or at work, or at work from home right now. New episodes of the Cyber Work podcast are available every Monday at 1pm Central, both on video on our YouTube page and on audio wherever find podcasts are downloaded. To read Infosec’s latest free ebook, Developing Cybersecurity Talent and Teams, which collect practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more, just go to infosecinstitute.com/ebook and start learning today.

Thank you once again to Adam Levin. And thank you all again for watching and listening. And we'll speak to you next week.