Why Cybercrime Succeeds: A Conversation with Cyber Expert Brett Johnson

First Republic Bank
March 9, 2021

Watch “Original Internet Godfather” Brett Johnson, a former U.S. most wanted cybercriminal, for an entertaining and educational talk covering the latest techniques criminals are using and how to protect yourself.

Read below for a full transcript of the conversation.

Mark Van Divner - Good afternoon, everyone. Good morning, good afternoon everyone, we'll give another 30 seconds here and we'll get started. Okay, that's good, let's get started. Good morning, good afternoon, everyone. My name is Mark Van Divner. I'm the chief information security officer at First Republic Bank. Is my pleasure to welcome you here today for what I'm sure will be a dynamic and informative discussion. Given the ever-changing environment we're living in and the exponential growth of internet usage, cybersecurity matters now more than ever. We believe a rising cybersecurity awareness is key to preventing online raising, sorry, cybersecurity awareness is key to preventing online fraud. So this is why we continue to serve our clients by offering educational webinars among other unique services that keep them up to date on the latest cybersecurity information and online scams. So that you're better prepared to protect yourselves online. We're excited to have the opportunity to hear the views of a former United States most wanted cyber criminal and I highlight the word former, and that's Brett Johnson as our guest. Brett, please take it away.

Brett Johnson - Hey, thank you so much. And I wanna thank everyone for taking the time to come and listen to me today. I truly appreciate that. I promise that we're gonna try to get be entertaining, enlightening and educational. With that being said, let's go ahead and share my screen here and we'll start the show. Now that is my United States most wanted picture. Yeah, I was in Las Vegas, Nevada. The night before I had stolen $160,000 out of ATM's, woke up the next morning, signed on to, there's my name US most wanted beside of it. There are things in life known as aha moments. This, this was more of an type moment. So I did what any normal person would do. I loaded up and I went to Disney World. Yeah, I really went to Disney World. Lasted about six weeks, Secret Service, they came and got me, arrested me, sent me to prison. Then I escaped from prison. Wow, I prefer not to think of it as escape. I think of it as the institution could no longer benefit me. So I decided to release myself, I'm on recognizance. That got me even more time. So the question is, "Well, who is this idiot talking today?" The answer is the United States Secret Service called me The Original Internet Godfather. Now, how did I get that title? 39 felonies, 39. A place on the United States most wanted list. That escape from prison and I built the first organized cyber crime community. It was called Shadow Group. It was a precursor to today's darknet and darknet markets. It laid the foundation for the way modern crime channels operate today. Those 39 felonies had to do with refining modern financial cyber crime as we now know it.

Phishing credit cards, tax return identity theft, false bank accounts, fake driver's licenses, online identity theft, those types of things. I am that guy. Not needless to say, I went to prison deservedly so. Now, that is not where I began my life of crime. No, I actually began much earlier that that. 10 years old, 10. See, I'm from Eastern Kentucky. Eastern Kentucky is one of these areas like the Panhandle Florida, parts of Louisiana that if you're not fortunate enough to have a job, you may be involved in some sort of scam, hustle, fraud, whatever you want to call it. My mother was basically the captain of the entire fraud industry. No crime, too big or too small. From stealing a 108,000 pound Caterpillar D9 Bulldozer to taking a slip and fall in a convenience store trying to sue the owner. We had a neighbor she used to act as a pimp for, that was my mom. My dad, my dad was a good man. My dad's problem was, is he loved my mom so much. He was scared of losing her, he became the enabler of the family. If she had an idea to commit crime, he would support it. She wanted to abuse the family, he'd co-sign on it. And my mom was an abusive parent. I'm not talking just physical. She could be physical but her heart was in the emotional, the verbal, the mental, the negligence. I remember she used to bring men home. She used to bring men home in front of my dad. And he would sit there and cry and beg her not to do it and should do it anyway. Finally, she leaves my dad. We were in Panama City, Florida that point in time. We moved from Panama City, Florida back to Hazard, Kentucky. That's where I'm from Hazard, Kentucky. And my mom kept up those partying ways. I was age 10, my sister, Denise nine. And I get the worst part from my mom and my dad. From my mom, I get the criminal mindset.

From my father, I get that fear of being abandoned of the people who I love leaving. So mom kept up those ways and she would she'd leave me and my sister alone for days at a time. And I'm the kid I used to. She'd be gone and I'd post up at the window and look outside, see if she's coming home and sometimes I'd walk out into the street, see if she's driving down the street, coming home. Denise wasn't like that. Denise was just the child who got angry. So mom had been gone, This one time mom had been gone for a few days, we didn't have any food in the house. Denise walks in, she's got this pack of pork chops in her hand. And I'm like, "Where'd you get that?" She was like, "I stole them." I'm like, "Huh, show me how you did that." So she takes me over, shows me how she shoplifts food and I'm like, "That's the best idea ever, let's do that." So we started stealing food. Look across the way there's Kmart. Kmart's got clothes and it becomes like this perverted form of Maslow's hierarchy of needs. Books, games, jewelry, music, clothes, yes! Until mom comes home, sees all the stolen loot, asks where it came from. Now when you're 10 years old, you can't lie very well. I've always been that liar. I looked at my mom, "We found it." She was like, "No, you didn't find that." My sister, Denise, she never lied at all. She stands up half proud, half pissed off, "We stole it." My mom, my mom looks at my sister, "Show me how you did that." And she joins us. Not only does she join us but she goes to get her mother as well to join us. We become this inter-generational shoplifting ring at Eastern Kentucky.

We used to take these road trips. They'd go to JC Penney's and steal clothes and jewelry, I'd go to the bookstore and steal books because that's the kinda guy that I am. And here's the thing, I'm not trying to say that my childhood resulted in my choices as an adult. That is not true. My choices as an adult are mine. For example, my sister has the exact same upbringing as I did. Other than that one shoplifting experience, she never breaks the law again. She goes off to be a great parent, a great teacher, a great citizen. Me, I'm just the guy who kept ongoing. As I got older, I got more and more involved in the types of scams and fraud that my mother and that side of the family committed. So, insurance fraud, document forgery, drug trafficking, mining illegal coal, whatever you can think of. I grew up in that charity fraud. Until finally I branched off on my own, in 1994, faked a car accident. Get enough money to get married. Use the money to move from Hazard, Kentucky to Lexington, Kentucky, to go to university. And again, I'm that guy that's always scared that the people that I love are going to leave. So here I am, I told my wife, I was like, "Look, look, look, look, look, you just worry about going to school. No you don't worry about getting the job, I'll do the work. No, no, no, don't worry about cooking and cleaning, I got it, I got it. You just concentrate on school." So here I am, 18 hour class load, 50 an hour week job, all the cooking, all the cleaning, something had to give. Well, what gave, well there's a job over that proclivity toward fraud, I've already got.

Gotta make money somehow, didn't really know how until I find eBay. And man, I like eBay. Didn't really know how to make money on eBay until on night Bill O'Reilly's on Inside Edition talking about Beanie Babies. Now, I'm not sure how many people remember Beanie Babies out there but they were the high dollar collectible in the mid to late '90s. This one they were profiling was Peanut the Royal Blue Elephant. Selling for $1,500 on eBay. I'm sitting there watching like, I need to find me a peanut. Skip class, the next day, go around all the stores looking for Peanut. Figure out pretty quick, you can't find him 'cause he's on eBay for 1,500 idiot. But they did have these little gray beanie baby elephants for $8. Buy a gray beanie baby elephant for $8. Stop by the grocery store on the way home, pick up a pack of blue Rit dye, go home, try to dye little guy. Turns out they're made out of polyester. They don't hold the dive very well. Get them out of the bath, look like they've got the mange but here's the thing I ripped a lady off for $1,500. Found a picture of a real one online, posted it. She thought I had the real thing, she wins the bid. As soon as she wins the bid, I sent her a message, "Hey lady, we've never done any business before. I don't even know if I can trust you. What I need you to do is send me a US postal money order, it protects us both. Soon as I get that and it clears, I'll send you your elephant. She believed that. She sends the money order, I cash it out. I send her this creature, immediately get a phone call. This is not what I ordered. My response, "Lady, you ordered a blue elephant. I sent you a blue-ish elephant." And right there is where I learned the first lesson of cybercrime.

That lesson is if you delay a victim long enough, if you just keep putting them off a lot of them get so exasperated, they throw their hands in the air, walk away and you never hear from them again. And guess what? None of them complained to law enforcement. First lesson of cybercrime. Now that's the first online crime I ever committed. Did it under my own name, very unsophisticated but I kept going. And as I kept going, I got better and understood how to do things properly. How to commit proper types of crime online. I got to where I was selling pirated software. Pirated software led into installing mod chips into first gaming system so you could play the pirated games. Then installing mod chips in the cable boxes so that it would turn on all the pay-per-view on your TV channels. Then finally it was programming satellite DSS card. So it was 18 inch satellite systems. You can take the card out, program it, turn on all the channels all the pay-per-view. Started doing that at about the same time a Canadian judge ruled that it was legal for Canadian citizens to pirate satellite DSS signals. His reasoning was "Hey, since RCA doesn't those satellite systems up here, my citizens can pirate your signal." Well, what happens is literally overnight, an entire little cottage industry pops up in the United States. You go down to Best Buy, buy the system for a hundred dollars, take it out on the parking lot. Open it up, pull the system out, pull the card out, throw the system away, program the card, ship it to Canada, $500 a pop. I started doing that. Making a lot of money. Had so many orders, I could not fill them all.

Thought to myself, "Why do I need to fill any of them? They're in Canada, I'm down here. Who are they gonna complain to it's illegal." So I didn't fill any of the orders, stole even more money, got worried about how much money was coming in. Thought I was gonna be looked at for money laundering, figured the best thing that I could do is get a fake driver's license, open up a bank account under that driver's license, and launder the money through cash out of the ATM. Being at university, you would think I would know where to get a fake ID, not a clue. So I get online, look around, think I find a guy, send him $200, send him a picture, he rips me off. Yeah, he rips me off. And man, I got angry. I got so angry that back then the result was ShadowCrew solved a problem of committing crime online. And that problem was before ShadowCrew, the only avenue you had to commit online crime was this rolling chat board. This IRC chat session stands for Internet Relay Chat. It's this rolling chat screen who you have no idea who you're talking to. If they're a cop, if they're a crook, if they're just trying to rip you off because everyone there is a crook. If they've got a product or a service, if it works, if they really have it, ShadowCrew gave a trust mechanism that criminals could use. Now you have a large communication channel in a forum type structure where people in different time zones can reference conversations. Days, weeks, months old, they can take part in those conversations. They can learn from those conversations. You know by looking at someone's screen name if you can trust that person, if you can network with that person, if you can learn from that person.

We have vouchers in place, we have escrow systems in place all with the purpose of allowing one criminal who will never know the real name of another criminal, never even meet that person to network with and work with that person in order to be more effective as stealing money from you. Shadow crew goes on to make the front cover of Forbes. August, 2004 headline, "Who's stealing your identity?" October 26, 2004, the United States Secret Service arrest 33 people, six countries, six hours. I'm the only guy who gets away. They picked me up four months later and they give me a job and I am the idiot who continues to break the law from inside Secret Service offices for the next 10 months until they find out about it, at which time I take off on a cross country crime spree, steal $600,000 in the space of four months, wake up one morning find out I'm United States most wanted. Get sent to prison, escape from prison, get caught again and serve out my time. I was able to turn my life around through the help of my loved ones. My wife, Michelle, my sister, Denise and finally the FBI. They gave me a chance and opportunity to use the knowledge I had of just being a lifetime criminal to help protect people from the type of person that I am today. Today, I'm very fortunate. Today, I lead a blessed life. I truly do. And it's because people gave me the opportunity to do so. The FBI, Fortune 50, Fortune 500 companies, First Republic Bank. You kind people out there today that are good enough to listen to me. That's my story, I run a couple podcasts. I've got a couple of TV shows in the works, couple of books as well. That being said, we're not here just to talk about Brett Johnson story. We're here to talk about crime.

How can you protect yourself from the type of person that I used to be. In order to understand that it's important to understand how cyber crime actually operates. This is what I call the cyber-crime triangle. So cybercrime has three necessities. Those necessities are gathering the data, committing the crime and then cashing out. All three necessities have to work. If they don't, the crime fails. The problem is that a single criminal, one guy is not good in all three things. He's good in one thing, sometimes two, very rarely can he do all three. That is why you have the forums, the marketplaces, the dark web, the surface web groups. They allow that one specific criminal to network with other criminals who are good in areas where he or she is not. Now, for the criminal and him or herself what has to be inherent in that criminal for them to engage in criminal activity? I would say three things, knowledge, willingness and ego. So willingness, what do I mean by that? What is the criminal willing to do or not willing to do? Let's take an identity thief for example. So an identity thief may be more than willing to compromise the identity of a middle aged individual and milk out your bank accounts, commit HELOC loan fraud, student loan fraud, tax return identities, have set up new accounts, any number of things but that same identity thief may not be willing to take over the identity of a senior citizen and divert their Social Security payments to a prepaid debit card that he or she has. He may say or their moral compass may point North just enough that they say to themselves, "You know, that's the only money this person gets. If I take this, if there's a hell I'm gonna go there." Maybe, maybe their moral compass points North just enough to realize that. So what is the criminal willing to do? Willingness first and foremost.

Ego, ego plays a huge part because you have to have a huge ego to engage in this. And you have to basically believe that it's David versus Goliath. That a single person can defeat a billion dollar security company or a billion dollar company. So ego plays a huge part, but here's the thing. You can have the biggest ego in the world. You could be more than willing to do any crime that's on record but if you don't have the knowledge to do the crime, if you don't have the knowledge to do it, you sir, are useless. And that once again is why you have the forums, the marketplaces, the dark web and service web groups. They are there to educate any criminal who wants to engage in criminal activity. To network with them to help them succeed at committing crime. Again, cybercrime communities and forums allow members to network for maximum success. Now, what's an example of that? Currently, it's stimulus fraud. And we're gonna have a Q & A, I see some questions popping up. We're gonna have a Q & A session right after this presentation, okay? So I'm going to save enough time for Q & A so save the questions and we'll get to that. So one of the examples of what I'm talking about is stimulus fraud. So Paycheck Protection Program, EIdL, unemployment fraud. Now let's talk about unemployment fraud 'cause that's where a lot of this stuff's taking place right now. Washington state, Washington state gets hit with a billion dollars. A billion dollars in unemployment fraud. Now, how does that actually work? Remember the three necessities of cybercrime. Gathering the data, committing the crime, cashing out. So what do I mean by gathering data? PII, you need people's Social Security numbers, you need their dates of birth.

So the reason think of all three of those necessities and I'm sorry to backtrack here for a second. So think of all three of those necessities. Gathering data, committing crime, cashing out. So gathering data is when you steal PII, when you steal credit card numbers, make account logins, any number of things like that. It's the information needed that a criminal is going to use to commit a specific crime and then finally putting cash in pocket, cashing out. Okay? All three of those necessities have historically had an element of desperation to them. Criminals have been desperate to use the stolen PII before it's flagged as breached. They've been desperate to commit the crime without being caught. And then finally, they've been desperate to put cash in pocket once the money has been wired to prepaid debit cards or bank accounts, or what have you. All right? So there's been an element of desperation. But because of COVID-19, that desperation has now done a 180. The criminals are no longer desperate. The people who are the people who are desperate are the good guys. Criminals are calm, cool, collected and calculating now. So they're able to take their time, pick and choose the types of crimes they wanna commit. Meanwhile, the good guys have been the ones that are desperate. The reason that stimulus fraud is happening right now is because the federal government was so desperate to get money out to the people who needed it that they put these programs in place with absolutely no security protocols in place at all. The only thing a criminal needed to steal money was someone's social, and date of birth and name. That was it, that's all you needed. So Washington state is where this thing kinda first pops up.

The Nigerians hit the Washington state unemployment fund for a billion dollars, a billion dollars. So the three necessities, they had all the data. They had gathered all the information they needed. They knew how to properly commit the crime. Where they kinda failed though, was in cashing out. See they literally had a billion dollars wired over. Did they get a billion dollars? No, they didn't, they got about 200 million. Two to 300 million which is still a great payday but it's not a billion. So they had trouble cashing out at the end of the day. All right? So if you look at these stimulus type programs now. There was desperation on the part of the government to get the money out to people who need it. There was desperation across the board on the good guys side. There's desperation among, there's 19 million Americans out of work and estimated another 19 million out of work in 2021. Those people are scared of losing their homes, their cars. They're scared of putting that, how you gonna put food on the table? So they're right in desperation too. They're looking for jobs so you see scams popping up there. You've got these vaccines out. People are wanting to get vaccinated so they're desperate to get vaccines. So you see the vaccination scams that are running right now. Everything revolves around an element of desperation. And that's why stimulus fraud is going through the roof right now as people are putting reason to the side and they're acting out of desperation. Cybercrime is not rocket science. That's what you need to remember. It's not, the crimes that are being committed typically are not sophisticated crimes. We have this perception that cyber criminals are these upper tier computer hackers able to break into any type of computer system they want to like yes! No, no, those types of attackers are out there but their numbers are extremely small.

The 98, 99% of cybercriminals, they're just very good social engineers. They know what it takes to manipulate you into giving up information, access data or cash. Which brings us to the anatomy of a scam. So how do scams operate? I don't care. I don't care if the scam is someone using someone credit card details. I don't care if the scam is a romance scam. I don't care if the scam is a home repair scam, a stimulus scam, a vaccination scam, I don't care what the scam is. All scams tend to operate because of one thing, trust, trust. A scam will not succeed unless the criminal gets the victim. Whether the victim be a business or a person unless the criminal gets the victim to trust them. So how do criminals build trust in today's modern world? Three things, technology, tools and then finally social engineering. So what do I mean by technology? This, your cell phone, your laptop, your desktop. We inherently trust the technology, which has given to us. We don't understand it, but we trust it. We trust the news that comes across. We trust the phone numbers that show up on the screen. We trust the emails that come to us. We trust that the computer or the cell phone is when that information comes across, that the information is correct. We don't understand it, we don't verify a lot of stuff but we trust that information is coming across the board. What we don't understand is what we don't really get is that criminals have a variety of tools they can use to manipulate you. So they have proxy addresses. So I can be in Ghana, Egypt, Nigeria, or New York and make it appear by using a proxy that I'm in Florida or South America, or the UK, or the EU or Massachusetts or wherever I wanna pretend that I am. I can spoof a phone number. So instead of you seeing a phone number that I'm actually calling from, I can make it look like it's the IRS or the Social Security Administration, or your local Sheriff's department, or the CDC.

There's a variety of tools in place that I can use to manipulate the technology to get you to believe that I am who I claim I am. But technology and tools only let lay a base level of trust. Once the base level of trust is there, that's when social engineering kicks in. How good is the criminal? How good of a liar, how good of a con man is the criminal into manipulating you to give up one of four things. Information, access, data or cash. So if you look at it, technology and tools establish a base level of trust. From there, it's up to social engineering to continue to layer trust. So you build rapport, you cause a problem, a diversion, a conflict, you deny an offer. You alienate the victim. You then get the victim to join sides with you and then finally to act out of desperation. So let's give an example of that. We'll use a romance scam. So first of all, technology, we trust the technology that's in front of us. We trust the cell phone. We trust, excuse me. We trust the cell phone. We trust the desktop. We trust the website. So a lot of people out there join dating sites. Now it may not be just for romance, maybe for companionship, for friendship, whatever but whatever that is, the people who are joining dating sites tend to trust the site to vet the other users that are there. They figure that or eharmony or whatever dating site that is, they're saying, "Well, you know what? We weed out all the scammers. So we can trust the other people that are there that they are who they say they are." What they don't understand is that scammers can use tools. A tool being stolen identity information. They can use someone else's identity.

They can use spoofed phone numbers so that even if they're in Ghana or Egypt or Nigeria, it makes them appear that they're in New York or Florida or California. They can use proxy addresses so it looks like their machine is wherever they want it to look like. All right? So they use a variety of tools to bypass the security that's on these dating sites to gain access. Now, the dating sites have algorithms. So the scammer comes in, he makes a nice profile, he uses someone's stolen identity information, stolen pictures, puts a profile up there. Does he have to look for victims? Not really. The algorithms on the dating sites will deliver becomes to him. So he finds somebody. Now here's the thing, I'm a scammer on a dating site. If I immediately started messaging people on this dating site and I came up and I said, "Hey, you know, I see your profile. You are very, you are very good looking. I like your profile long time. I tell you what, I tell you what, I need money, I need money. I need money, you need love. I need love, everyone need love, love is world. Love is world. Send me all money you got, I love you long time. I love you long time." If I had reached out and sent a message like that, would you fall for that? Would you send me all the money in your account? No. Why? Well, because obviously you are a scammer, sir. I'm not about to fall for that. I don't trust you at all. You don't trust me at all. So scammers don't tend to do that. Scammers tend to fit in with the other users. So how do you fit in on a dating site? You fit in by joining the crowd. Sure you send messages out, "Hey, I saw your profile thought reach out, like your profile, how are you doing today? You start building rapport, start layering trust. You start building report and you keep it going. You just keep that conversation going. All right? Because this is a long con, this is not a short con. We're looking for all the money you've got, not just a few dollars.

So start building rapport. As you build rapport, you increase the heat of the conversation. Until finally, "Hey, I don't know about you, but I never thought, I never thought I'd find somebody online. I really didn't. Is this not crazy? Is it not? I mean, the way we get along together, I mean, we really do. I know we've not met yet, but the way we get along and the way we've been talking, everything, I really, I mean, I think this could go places, I truly do." So you continue to increase the heat of the conversation, increase the glue that holds that relationship together. Now, at some point, the potential victim is gonna wanna meet. So the scammers not wanna meet. Of course, the scammer's not wanting to meet 'cause the scammer doesn't look anything like the picture that's on the profile. So how do you handle that? "Well, you know, I wanna meet you too. I do, but the problem is that my son, I'm saving my money up right now. My son has to have this medical procedure. As soon as I get that done, I'm out to see you. I promise but right now my son needs this. It's life and death, I just have to have this done, okay? So it won't be that much longer. As soon as this is done, we'll take care of it." So he creates a problem. The problem is there so that the victim responds to the problem. We all have empathy, we all have sympathy unless you're sociopath, so that the scammer knows that you're going to offer money. So you offer money. Now, here's the thing. And I've been very fortunate over the past couple years to talk to many, many victims, a lot of victims of these romance scams, even as it's going on, they start to think, "Hey, this could be a scam. This person is probably just wanted money." Even though they think that, they still offer cash.

Now, if the scammer is an expert, if the scammer actually knows what the scammer's doing, does the scammer accept that initial offer of cash? I would argue, no, no. Instead the scanner goes, "Whoa, Whoa, Whoa, Whoa, Whoa. I don't even know you, and not have you met. Now I will do this, I would never ask you for that. I appreciate it, I would never ask you for that. No, I can't do it, I cannot. Why does he deny the offer? He understands that the victim, somewhere in the psyche of the subconscious, they think it's a scam. They think he's only wanting money. By denying the offer, it tells the victim, it can't be a scam. If it was a scam, he would've taken the money. So it dismisses that. It gets the victim closer to the scammer, tells the victim it's not a scam but the scammer keeps going 'cause he knows that that offer's gonna come again. "You know I'm just trying to save this money. I was trying to save this money, I seemed a little bit more." He knows the offer's gonna come again. The next offer, "I don't know how all to repay you, I don't. I hate to even ask you, I'll get your money back. I really appreciate it, I just don't know what else to do. So he takes the money. He takes the money, comes back a few days later, "It was great. My son, he had the procedure. The doctor said it was a great success. The doctor says it's only gonna take seven or eight more of these. So we're on our way, we're on our way." It's a long con, it's not a short con. It's a long con. The thing is, we as a society, media and individuals, what do we do? We blame the victim. Don't we? Yes, we do. If you look at phishing attacks, why would you click on that and link? Romance scams, why would you send money to someone you don't even know? So we blame the victim. We blame the victim. Well, what happens when you blame the victim?

The victim shuts down, the victim shuts down. So someone's involved in this romance scheme. They know that if they reach out to family, friends, and associates that they're gonna get a response like that or they suspect you're gonna get a response like that. So what do they do? They just shut down. They stopped talking to them. So that the historical support group, the support net, they've had a family, friends and associates, they no longer have that. The only person that they end up talking to is a scammer. And so it starts out. The scammer's on one side of the fence, victim's on the other side of the fence. But before you know it, victim's over with the scammer. On the same side of the fence because that's the only person the victim can talk to all of a sudden. And it just keeps going and going until finally, you see, excuse me, let me get something popped up here. Close this out until finally the victim starts acting out of desperation, sending money because at some point the victim's like, "You know, it can't be a scam. It can't be. Just a little bit more. I've already invested this much, just a little bit more or it'll work out. I know it'll workout." And it never works out because the scammer's there to take every single penny that you got. That is how scam actually operates. Cybercrime is not, it is not rocket science, it's not. Again we have this perception that attackers are these hackers they wanna do whatever they want to. The truth of the matter is that 90% of all attacks use known exploits, known exploits. It's not the stuff we don't know about. It's the stuff people are not doing anything about. That's the problem. If you look at the number one cyber attack in history, it's called NotPetya.

It's $50 billion worth of damage. Now this looks complicated. It's not really complicated. What it is, the Russian government, the top hacking group of the Russian government decided they were gonna launch an attack against the Ukrainian country. They took over basically the QuickBooks of Ukrainian government, took over the update server, faked a Microsoft certificate, which is a known exploit. They used EternalBlue and EternalRomance which were known patched exploits. They looked for things called RDPs which are remote desktops which people had known about for well over a decade, that it's been said, "Shut them down, shut them down." No one ever shuts them down. So it uses a variety of known exploits, chained together to watch the most successful cyber attack in history. It destroys computers. It gets into Masq cause shuts down Masq. Gets into pharmaceutical companies that have still not been mentioned today but shuts these people down. Destroys their computers across the board. Cybercrime is not rocket science. This is the most sophisticated attack in history right now. Other than SolarWinds and anybody that's read about SolarWinds right now, solar winds was sophisticated except they got access by looking at a password which was SolarWinds123. Again, stuff you're not doing anything about not the stuff you don't know about is a lot of the issue here. So that's the issue. If you look at cyber crime, it's not sophisticated. It's not, it's not, it's the stuff that we can do things about that people don't tend to do things about. If you look at this stat here, 56% of companies have experienced a breach caused by third parties. A lot of companies don't even know how many third parties are accessing their system and they never vet those third parties.

The problem is your system is exactly as strong as the weakest device which accesses your system. So if you're letting the third party in there and you've not vet them. You don't know how strong they are. You don't know what type of cyber hygiene they've got. It's polluting your system as well. That's the problem and it doesn't matter if it's an individual or a company. The weakest device which accesses your system is exactly how strong your system is. Here's another stat for you. 41% of every single router on the planet has a default password. That's not even talking about IOT devices but 41% of all routers have the default password. Any idea what you could do with a router that has a default password? It ain't pretty. I mean, it is for criminals, but it ain't pretty if you're trying to do things legally. 41%. 92% of every single breach begins with a phishing attack. Why? Well, why would I potentially spend years trying to fight my way or route force my way through an industrial proof firewall, when the only thing I need to do is send an email to someone behind that firewall and gain the same type of access. That's why. And if you look at how successful was it a spear phishing, it's about 86% successful. Doesn't matter the amount of cybersecurity awareness training, the how rich, how poor, how educated, how uneducated, how important, how unimportant the person is. It's still about 86% successful. So why is that? Well, lot of people say, "Well it's because there is no patch for human stupidity." Now that's a cute line. It's funny, it gets a laugh, but it's not true. It's not, that's not true at all. It has nothing to do with human stupidity. It has to do with an attacker who understands technology and human psychology enough to manipulate you into giving up information, access data or cash. Let's look at an example.

Here we have two email addresses. The first email address is The second email address Can anyone see the difference between the two email addresses? If not, let's pull it up. Here's the first one And here's the second Let's back it up again. There was number one and there is number two, Can anyone see the difference? I'm sure someone out there has said, "That i doesn't have a dot above it. You're right. That's the difference? Do you know what that is? That's a Unicode domain. That is not an English alphabet i. That's been known about for years, but that, that is $7 million a day. That's $12 billion. That is the number one way that business email compromise is committed today. Known exploit That right there. It's not the stuff we don't know about, it's the stuff we're not doing anything about that's a problem. And if you're looking at phishing, phishing is all about, a lot of it is all about stealing PII. A lot of it's stealing PII and here's one of the things we used to teach on ShadowCrew. All crimes should begin with identity theft. Why would I use my identity if I can use your identity? Shields me. And here's the thing, we need to understand. I know a lot of people out there think, "Well, what can I do to make sure that my information is not compromised?" Let me tell you right now that ship has sailed. Your information has been compromised. Everyone's information is compromised. Just last year, we had 1500 reported breaches. Of those 1500 reported breaches, 2.6 billion records compromised just last year. Everyone's information is available.

What we need to do is we need to accept that to understand that because once we accept that we can then say, "Okay, so what can I do that if a criminal has my information, what can I do to make sure he or she cannot use it?" Everyone's information is available. Today, you can go on the dark web. You can buy an adult's identity for a low of $30 to a high of $130 depending on the victim's location, credit score and gender. Children, children are the number one victims of identity theft. How much can you buy a kid's information for? $2.8. For $2, you get the child's name, social, date of birth, mother's maiden, place of birth. $2.8, everyone's information is available. You can buy it ready-made, it's called a Fullz. It comes with the driver's license, the mother's maiden, the date of birth, Social Security number, credit report, background check, all this stuff. Or you can make it yourself. How do you make it yourself? You go on the dark web. You buy a bank account credit card number. You then go to a website like where you can buy, is a criminal database it sells people's Social Security numbers and dates of birth for $4 a piece. It has a 170 million Americans listed on just one website and there are countless websites like that. So I buy your social, your date of birth, for $4. From there, I go over to BeenVerified. BeenVerified pools a background check of you and every single associate of yours in the hopes of getting the mother's maiden name, which I'll get. Once I get that, it's time to get the credit report. Where do I go? I go over same place you go.

Why? Well they ask the security questions over an annual credit report, but guess what? There's no time limit over there. So I can spend all day long with the background checks and with Google, trying to figure out the answers. If I get one of the answers wrong, that's okay because then I go over to Credit Karma where they ask the exact same security questions except the answers are different, except the correct answer. So I got the credit report. From there, I go to LinkedIn, to find out where you work, Glassdoor to find out how much you make and finally Facebook to find out if you've posted anything of interest and at that point, that's your ass. I can do whatever I want to. That's how identity theft and cyber crime works. It's not sophisticated, it's not complicated. That takes 20 minutes, 20 minutes to do that. Everyone's information is available. It doesn't matter how rich, how poor, how educated, how uneducated, how important, how unimportant you are. Your information is available To illustrate this, I have taken the opportunity of pulling up the information of one Donald J. Trump because I too believe in making America great again. #Maga, #noone'ssafe, #isthatevenlegal? I don't know but I do know that's his Social Security number. I know that's his date of birth and I know that's $4. Everyone's information is available now. So all of this information available, what can you do? Well, one of the things you can do if you're a criminal is synthetic fraud. Synthetic fraud is the number one, is the fastest growing form of financial fraud on the planet. It's 80% of all identity theft, 80% of all new account fraud. It's 20% of all credit card chargebacks. 5% of all credit card debt. Over $50 billion in fraud is synthetic. So what is it? 2011, the Social Security Administration, they randomized Social Security numbers.

Meaning that you can no longer tell the year the social was issued or the state it was issued in. Now they did that to combat identity theft. Okay, because if you're issued a social before 2011, if I know the last four, and I know the state you're born in and the year you're born, it's pretty easy for me to get the first five. So they randomized the number to stop that fraud, stopped it dead in its tracks. But when they did that now, a criminal can fabricate numbers out of thin air or he can use a child's Social Security number to commit synthetic fraud. So you basically go on the dark web, buy a child's Social Security number, get social. You're only gonna use a social, get the social, add a name to it, add an adult date of birth, an address, a phone number. You'll apply for credit. Credit bureaus don't know you exist until you tell them you exist. So they've never seen that data before the application for credit will be denied but when it's denied, it actually creates a credit profile, a credit report in the system with that synthetic information. Bam! So you're in the system. Now the idea is to pump the credit score up as fast as you can and cash out. How do you do that? Well, you do it first by taking care of what's called open-source intel. Because when you pull a credit report, when a creditor pulls a credit report, it's not just the credit report. You're actually looking for information that connects the address to the applicant. So the way a criminal does that, the way he games that system is he goes to a site like, which is a free white pages listing service. He puts in that synthetic information. Couple of later that address is associated with that synthetic person. So it starts receiving it's spam physical mail, any type of internet crawlers start to relate the address to the name as well.

At the same time, he opens up rewards cards, grocery, pharmacy, airline that way all that stuff starts to connect online. Now, from there, he uses this thing. Typically these days, this thing called credit piggy-backing. So in the United States what you can do is if someone adds you on as an authorized user of a credit card, that helps your credit history and it's legal but it's also a tool that criminals use. A tool that criminals use. So what happens is I would come to you and I would say, "Hey, why don't you add me on as an authorized user of your credit card? Wait, wait, wait, no, it doesn't affect your credit. It doesn't do that. I don't get to use your credit card or anything else, I'm just gonna be an authorized user." And you will look at me and you'll say, "Brett, you look trustworthy, I think I will do this." So you add me on. Now, the next reporting cycle of that one specific card, that card's history then becomes my credit history. If the debt ratio is good enough, if the available balance is high enough, if the card has been alive long enough, I could go from a zero to a 760+ in 30 to 45 days and then cash out. That is synthetic fraud. Okay? New account fraud, basically it's once I get your credit report, I go and where don't you have an account, I start setting up accounts in your name. Very easy to do that. How do you do it? Well, you have to add an address onto the credit report. How do you add an address onto someone's credit report? Well, it can be as easy as simply filling out an application for credit. Yeah, so I fill out an application for credit. Instead of putting your address, I put an address down that I control called a drop address. That application will be denied but when it's denied, guess what? 30 days later, that address then shows up on your credit report.

So I can start ordering new cards to that address at that point in time. So I'm rushing through some of these 'cause I wanna get to this other thing real quick. ATO fraud, account takeover fraud. All right? Now, when I was engaged in crime, the accounts that we were interested in taking over were credit card accounts and bank accounts. Nowadays, every single account has value. So it's merchant accounts, email accounts, credit card and bank, tax records. Every account has value but since I'm more versed, I'm better versed in bank and credit card, that's what we're gonna use this example on. So how do I take over your bank account? Well, the way I do it is I first have to have your complete identity information. I've already shown you how to get that. I can buy it ready-made or I can make it myself. So I've got your complete identity information because I need to be able to answer any type of questions that the bank may ask me. So to take it over, what I need to do is I need to change the phone number on the account, to a phone number that I control. So first thing I need to find out is does your bank have multi-factor authentication. If they do, that's a strike against me. I don't really like that. There are ways I can overcome that. For example, is the multi-factor implemented via email? If it is, easy enough for me to spearfish your email account and gain access to your email and intercept those messages that are coming cross. Is the multi-factor authentication implemented via cell phone? If it is, then there are ways for me to port the cell phone number to basically have the phone that's in your pocket shut down and your phone number transferred to a prepaid cell phone that's in my pocket so I can intercept the SMS messages that are coming across. So the first question I ask is, is multifactor implemented?

If the bank does not have multi-factor and there are some out there that don't, if the bank does not have multifactor authentication guess what, fun time. So what I do is I pick up the phone. I spoof your phone number. That way when I called into customer service, customer service doesn't see the phone number I'm calling from, they see the phone number that's related to the account. That's the number that's supposed to be calling from. Remember tech, tools, social engineering. So the customer service agent trust the technology that's in front of them. I'm using a tool to manipulate my phone number to come across so that I know they trust that screen. They trust the number that's coming across. Oh, this is this person calling in but it's not it's me calling in. So that's laid a base level of trust. Now I'm gonna call in, the only thing I'm gonna ask, I'm gonna ask available balance. I just wanna know what my available balance is on the account. Now, they're gonna ask me two security questions. One of those security questions may be mother's maiden name. Now I've got the mother's maiden name. I've got that, but I'm not going to say it. I'm gonna see another name, I'm gonna get it wrong. So, but I'm gonna say it with confidence. So I'm gonna say, Johnson. Sorry, sir, that's not what we've got. Well, what do you got? Sorry, sir, we're not gonna tell you what we've got. Well, you know what, I don't know what you've got but I know what my mom's name is. What are you guys even doing over there? So what are they trained to do at that point in time? They're trained to ask two other security questions which I have the answers to. I answer those questions correctly, then what happens? Then they change the mother's maiden name to whatever I want them to change it to. Then they gave me the available balance.

As they're hanging up, guess what? Oh, by the way, can you update my phone number on file? Yes, sir, we can do that. So how does that actually work? So the technology and the tools, the screen in front of the customer service agent, the phone number that I'm spoofing, that lays a base level of trust. Now, if I just call in just doing that and asked them to update the phone number on file, they're probably not gonna do that because I've not layered enough trust yet. I need to layer and build rapport and trust. So how do I do that? I do that by missing a security question, call in, ask for available balance, get the mother's maiden name wrong, it allows me to build rapport with a customer service agent. I create that problem by missing the mother's maiden name but that's okay. We're going to solve a problem together allowing me to build even more rapport with the customer service agent. Solving the problem though, guess what? It allows me because they ask more security questions. I get those security questions right, proving even more, I am who I claim I am. At the same time, this problem acts as a diversion from what I'm really doing which is changing the phone number on file because customer service they may handle 200 calls a day sometimes and they're there to make me happy. So once the problem is settled, once the problem's solved, once the available balance is there, they've already mentally disconnected from this call, they're looking forward to the next call. Me though know, I know that once they mentally disconnect is the time that I need to strike. So, problem solved, they're getting ready to hang up. Oh, by the way, can you update my phone number on file? Yes, sir, we can do that. Now, how effective is that? I have done it that exact same way numbers of times.

It's so effective that I've been asked on more than one occasion, "Why are you updating the phone number?" And my answer has been, "I no longer have that number." I no longer have the number that's showing up on the screen in front of customer service agent. That is how account takeover fraud works. Conclusion, we are all screwed. Best thing you can do, not even get online. It's done. No, no, no, no. Just as crime itself is not rocket science, it's not sophisticated, protecting yourself is not horribly sophisticated as well. There are things you can do. The first is and word on victims, do not blame victims do not. You've got somebody that's a victim of a scam, romance scam, stimulus scam, whatever that is, phishing scam. It's important that we don't do that. Because when you do that, the victim shuts down. We need victims to be prosecuted, okay? So the first thing is don't blame the victims. Now on the to-do list, everyone in the house. You freeze the credit of every single person in the house. September 18th, 2018, credit freezes became free. So you freeze the credit of every single person and including children because children are the number one victims. One in four, 25% of all kids will be a victim of identity theft. So freeze the credit of every single person in the house. Understand that a credit freeze only stops new account fraud. Works great for kids but guess what? Adults have a lot of existing accounts. So what do you do? Well, you monitor those accounts and you place alerts on those accounts where you can. For example, Discover Card has a $0 alert. Meaning that if a criminal just buys your Discover Card information, he pings the card to see if it's alive, you get a text message saying, "Hey, someone's trying to use your card." And then you can take care of it before the criminal can actually victimize you.

All right, so freeze credit, monitor accounts, place alerts. Strong password security. This is the trifecta right here. Strong password security. How many people out there use the exact same password across multiple websites? Come on, you're alone in your house or in your office, raise your hand for me. Come on, it's like an AA meeting. Hi, I'm Brett Johnson. I use the same password across multiple websites, 80%, 80%. That's the number, 80% of every single person on the planet uses the same password and login across multiple websites. Here is why that's a problem. I may send out a phishing email from Bank of America. And you may receive it, you may say "Obviously that's a phishing email. I'm not gonna fall for that crap." But what if I send out a phishing email that looks like it comes from Hulu, is your level of awareness is gonna be as high. Probably not, probably you're gonna get the email, you're gonna look at and say, "Hulu, does anybody even watch Hulu? I mean the only thing they got's "The Handmaid's Tale" next second season. Woo, well, that was bad. So no, but if you use the same password and log in God like I used to be, it's an automated program. I put the information in the computer, go to sleep. Meanwhile, your login and password is pinging thousands of websites during the night. I wake up the next morning, I've got access to your email, your merchant accounts, your tax record, your credit report, your credit card, your bank account, your a Hulu account. Yeah, so strong password security. We're never trained how to pick a strong password. What I say is pick a password manager. I don't care the one you use, just pick one. It takes all of that out of your hands, It logs in for you, it changes passwords for you. The only thing you have to do is remember one major key password or master password. Okay?

Understand your place in the cyber-crime spectrum because you have a place. The way a criminal will victimize you does depend on who you are and what you do for a living. For example, if you're a CEO where you work payroll, the way that I will victimize you differs from if you've worked food service for 20 years. I'll still victimize you, but the way I'll do it differs. If you work payroll, I may try to do some sort of business email compromise. If you're a food service, I may try to do a HELOC loans, student loan, set up bank accounts in your name, right out like that. I'll still victimize you so understand your place in the crime spectrum, design security around how a criminal will attack you. Security awareness training. There's a difference between training for effectiveness and training for compliance. A criminal does not give a damn about HIPAA, SIPPA, GDPR or anything else like that. They don't care. That doesn't mean we don't need to do it but understand the criminal doesn't care about these regulations. All right? So when I worked for a Fortune 50 company at one point. While I was there they launched efficient simulation campaign. The email is sent out was, "Hey, we've added two more days of vacation to the calendar." They didn't mention what the days were. They just had a PDF at the bottom that was marked a calender. The question was, well, how many people will click on that? The answer was everyone clicked on it. Well, the people who clicked on it raised so much chaos. They got so upset that the company sent out an apology. Saying, "Hey, we apologize for this. We will never launch another campaign like this again." That is the exact wrong thing to do because that is exactly how a criminal will attack you. So understand that and do training for that as well, okay? Never act out of desperation, never act out of desperation.

If you feel that someone's calling you you're about to go to jail, whatever. No, they're trying to get you to put away reason and act out of desperation. Same thing for business. Are you scared of losing sales and because of that, you're allowing more orders to go through. That's desperation. Never act out of desperation. It's important to take a step back, let reason takeover, sit desperation to the side. Apply all updates. I shouldn't have to mention Equifax. So we won't, but an update is basically a broadcast to every single criminal on the planet telling them which door to knock on to gain access to your system. So apply all updates. Limit BYOD, that's bringing your own device. Remember I said that your system is exactly as strong as the weakest device, which accesses your system. So if you have a system here, if you're company, make sure that the people, you're not gonna stop them from surfing and stuff outside of work. So make sure that the system is segmented so that when they're surfing, it doesn't have access to the delicate data that's on your network. A layered approach to security. There is no one single tool. There's no one single tool that will stop all fraud, all cybersecurity issues, all cybercrime. It takes a multi layered approach. Think of an attacker as a criminal who's having a toolbox. And in this toolbox, he's got a variety of tools, from level of tools like phishing attacks and social engineering to high level tools like SQL server attacks. Alright, so he's got a variety of tools. He picks the tool that's best suited for the job at hand. You need a toolbox as well. That has a variety of tools to counter whatever you're going to be attacked with, okay? Trust but verify. This is big. I believe that we should trust people but like Ronald Reagan said, trust, but verify.

That's news, that's phone calls, that's whatever's coming across the board. Trust but verify everything. Always report to law enforcement, finally realize that First Republic has a variety of products and services which can and do help counter the type of stuff I've been talking about today. They help protect you against the type of person that I used to be because First Republic knows how to do things properly. That being said, I think we've got time left for a few questions. Let me go ahead and stop the screen share so we can see what we're doing here. Stop share, all right.

Mark - And Brett, first one step in to help you out here is how do you protect yourself against SIM swapping?

Brett - That's extremely difficult, extremely difficult. You need to make sure that you first notify the phone provider that you want whatever extra security they've got on there that they call you on any type of changes to the account. Any number of things like that. Because what happens is I can go online today and I can buy a lot of these pin numbers that allow me to switch phone providers for you. So you need to make sure that any type of change to the account, that you're personally notified about. So everything that you need the account frozen, go from there okay?

Mark - Okay. Another one here for you is when we get phone calls that are only looking to see if we say hello, what information are they fishing for? And why do you think they're recording it? Are they doing for our voice samples?

Brett - I mean, it could very well be voice samples. Absolutely, could be that. It could be just to see if a live person is picking up or if they're gaining access to a system, whatever that is. There's a variety of things that are being pinged at that point. They're looking for a live person, they're looking for a voice samples any number of things like that. The sad thing is that we as human beings, we pick up the phone, we say, hello. I mean, that's what we do. All right. I would advise that and I do this all the time, there's several phone providers out there are very good about flagging potential spam or robocalls or things like that. If you don't recognize the number, don't pick it up. If it's coming across as robo, or spam, or potential scam or anything like that, certainly don't pick it up. Don't engage with these people at all. You see all these YouTube videos about these people who fight against scams by continuing to call back the scammers, or talk to the scammers for hours at a time, that serves no purpose at all, no purpose at all. You're best not to engage with these people whatsoever. Okay?

Mark - Okay, thank you Brett, for that great informational session here, your expertise certainly shines. You've spent quite a bit of time in this world

Brett - Unfortunately.

Mark - And we appreciate having you on speaking to our clients here. And we have a number of questions that were not answered. We have a wealth of information up on the site, go to the fraud and cyber section. And the bank also offers to our clients, internet security health checks. That's an opportunity for you to have a one-on-one session with one of our cyber experts that you can enter your questions, they'll go through and make sure your systems are optimally protected. So I recommend you reach out to your banker and ask for one of those. So with that, we're gonna wrap it up, excuse me. And thanks everyone for attending. Have a great day.

The guest speaker(s) is neither an employee nor affiliated with First Republic. Opinions expressed by the guest speaker(s) are solely their own and do not necessarily reflect those of First Republic. This information is governed by our Terms and Conditions of Use.