The grim reality of virtual crime

Tab 1

January 05, 2018

There are thousands of cyberattacks every day in the United States, says William Pelgrin, co-founder of CyberWA Chatham, New York, an exclusive cybersecurity service for executives, celebrities, politicians and others.


In 2016, cybercriminals stole a total of $16 billion from 15.4 million U.S. consumers, according to a report by Javelin Strategy & Research. The real number likely is higher because not all victims may have reported the crime — or even realized they were attacked. 


To prevent a cyberattack before it begins, it’s important to be aware of two glaring misconceptions about the internet. The first is that it can be both the most efficient and most secure communication tool in history — it cannot be both. Rather, the efficiency originally baked into the internet and, now, the internet of things (the network of digitally linked objects and machines, which includes everything from smart homes to Bluetooth - activated headphones) makes cybercrime inevitable. 


Computer operating systems and applications are typically written with security in mind, but it often is a priority second to function.


Secondly, governments, universities and companies all play a crucial role in making the internet safe. In reality, the sheer size and complexity of the internet means that individuals also need to play active roles in security, recognizing that it takes a scammer only one successful infiltration to irreparably damage an individual’s welfare.

Tab 2

January 05, 2018

High net worth individuals are prime targets, but criminals have other notable individuals to choose from as well, Pelgrin says. “This isn’t just money - driven,” he says. “Some want to do reputational damage. Others are zealots about their political positions.” 


While countermeasures are constantly being developed to prevent cyberattacks, the digital black market is continuously evolving new methods. Here are a few of today’s most dangerous strategies and tactics:



In this scam, criminals design code to seek out valuable data on work or home computers. The code can be written for a specific person, but it more often is unleashed as tens of thousands of digital worms. The ransomware enters computers intending to encrypt, or lock, data from its owner until a ransom is paid.


In the first half of 2017 alone, this method was used in two serious, unrelated attacks, the Petya worm, and the WannaCry cryptoworm. The Petya worm would display on victims’ screens as an alarming red screen that featured instructions on how to unlock the data by paying with a digital currency, or cryptocurrency, which is untraceable.


Impersonation is another popular attack strategy. Criminals might use general online research to identify high net worth individuals, buy or find personally identifiable information and impersonate someone.


The Equifax attack in 2017 was a mass harvest of personal information stolen with the intent of being sold and resold globally, resulting in attacks on individual consumers as well as the creation of faux versions of victims. 


On a smaller scale, social media accounts are a common target for infiltration. A victim or someone who knows the targeted person may unwittingly accept a friend request, giving a stranger an often-intimate insider’s view of the person’s life, according to Jason Witty, Chief Information Security Officer for U.S. Bank. 


Pelgrin adds, “People get fooled into having a deeper conversation than they would ordinarily have.” 


Data harvested through social media may be used in phishing campaigns, which trick victims into clicking malicious links in a seemingly innocent email. The site at the other end of the link sends back code, compromising the computer.

Tab 3

January 05, 2018

Social engineering

Another ploy of scammers is to use social engineering to psychologically manipulate people into performing actions or divulging confidential information. Social engineers may use knowledge of a person — such as a recent vacation, a new grandchild, car purchase or even seemingly innocuous data like a recent switch to a new cell phone company — to convincingly impersonate an individual. 


Some scammers use social engineering to access a person through a company they do business with — for instance, the individual’s money manager. Security in such business relationships is often informal. For that reason, cybercriminals may use software to capture private personal and financial information and then use social engineering to make an illicit request sound like it is coming from a legitimate person. 


For instance, a cybercriminal may use stolen personal and financial information to impersonate the victim (through email, for example) or someone close to the victim and then email a request to the money manager for a large wire transfer to an account that the cybercriminal can access. 



Five to live by

By and large, the advice of security experts has not changed since the dawn of the internet. Here are a few basic security steps (beyond actions like keeping hardware and software updated).


1. Create rules for social media use. Do not share personal information online that you wouldn’t share with a stranger. Witty also recommends creating a social media policy for children, extended families and, where appropriate, close friends. “Decide what you are and aren’t going to share. And, decide when you’ll do so.” Witty also advises having children of all ages use fake names on social media in case something slips. Friends will know who the “John Doe” online is, but criminals won’t.


2. Enhance your financial security. Enable security alerts and verification procedures to mitigate a criminal’s ability to impersonate you and commit financial fraud. Consider freezing your credit with the three credit bureaus (TransUnion, Equifax and Experian). If you aren’t confident you can trust individuals with intimate financial knowledge of you, end the business relationship.


Tab 4

January 05, 2018

3. Put physical and digital barriers between your information systems and anyone you employ in or around your home. Lock doors and computers and consider creating a guest network for domestic workers. When staff leave your employ, delete their access to your computer network and change passwords and security codes for locks and alarm systems. 


4. Make sure no one leaves login information and/or passwords for hardware, software, social media or security systems lying around in clear view. Consider implementing two-factor login authentication, especially on sensitive accounts such as email, bank, telecom or ISP accounts.




5. Be consistently suspicious of possible phishing attacks, whether in the form of email, phone calls or face-to-face communications. These attacks continuously grow more sophisticated, especially after massive data thefts. Cybercriminals use stolen data to create phishing attacks that seem legitimate and lure victims into a sense of trust and security.


Prioritize your safety, and don’t worry about offending a stranger or bothering a business manager if a request feels suspicious. Be positive you know the person or at least the business that has approached you. And never let yourself feel rushed to comply with an unusual request — imposing a phony deadline is con-artistry 101.