CJM hosted Cyber Security Expert Jeremiah Baker for a captivating and informative cybersecurity talk in which Jeremiah unraveled real-life hacking stories drawn from his extensive 15+ year career dedicated to protecting clients from malicious cyber threats.
Drawing from hacking scenarios, Jeremiah guides you on how to shield yourself from falling victim to such malicious acts. Jeremiah provides a hacking checklist takeaway at the end of the presentation. This video is a replay of our webinar on April 30, 2025.
Introduction
Parker G. Trasborg:
Thank you everyone for joining us today. My name is Parker Trasborg. I’m a Senior Vice President here at CJM. We are very excited to talk about a very important topic today that really impacts everyone – cybersecurity. It impacts me, it impacts Jess, it impacts our parents, it impacts our kids sometime down the line. So we’ve invited Jeremiah Baker who has a 15 plus year career dedicated to protecting clients from malicious cyber threats. He’s had a global reach. Jeremiah and his team have diligently assessed the security measures of numerous organizations across various sectors, including casinos, banks, hospitals, energy companies, and government entities. The hope today is not to scare you, at least not too much, but to at least give you an update of what’s going on out there in the cybersecurity space and suggest some ways that you can help protect yourself. If you have any questions throughout Jeremiah’s presentation, please submit those to the Q&A function at the very bottom of the Zoom here and we will try to get those answered for you before we finish up the presentation. With that being said, Jeremiah, I will go ahead and turn it on over to you. Thank you again for joining us.
Jeremiah Baker:
Thank you, Parker. Thank you Jessica. And I just want to make sure that you can all see everything. We’ll do a little tech check here and make sure that my audio is functioning okay. It’s not too loud or too faint.
Parker G. Trasborg:
All’s great
Cybersecurity Overview
Jeremiah Baker:
Okay, perfect. Great. Yes. Well, thank you. So number one, my goal is to not necessarily just scare folks, but it is to share genuinely what’s happening from my experience over, I guess now it’s the 18th year of being hired to essentially ethically hack into banks, casinos, hospitals, financial organizations, corporations around the globe with an effort of showing them where their vulnerabilities lie and how to then protect themselves from future attack. And in that time, I also was on the frontline as a partner owner of the business and vice president. I received all of the phone calls from folks when an incident happened, and that’s what I’m going to share today if it’s okay with everyone, just real world stories that have been anonymized to remove client names or any specific details, but just to share what’s happening and what we’ve seen and what continues to happen, and then how to protect ourselves.
Real-World Cybersecurity Stories
Because the truth is that if we don’t know how we’re being attacked, oftentimes we find out by being attacked by the bad guys and then it’s too late. And that’s why I put the subheading in this document that says How to protect yourself before it’s too late. Because in my experience, oftentimes it is, but the good news is that there are ways that we can protect ourselves before it’s too late. And oftentimes it’s not a lot of money, it’s low tech, low cost. It’s just being aware and then putting protective measures in place so that we don’t have catastrophe. So I will start with a story. This is a real story. It was about 7:30 on a Monday evening. I was sitting in my kitchen after dinner and my phone rang and I picked up the telephone because I recognized the number. I was excited to talk to this particular CEO, who’s also a friend, and he said, Jeremiah, how are you?
I said, I’m good. How are you? He said, not good. Someone just stole $740,000 from one of our companies. This, of course, as you can imagine, it made the hairs go up and I walked down the hall to my office, which I’m sitting in right now, and I asked him what happened? And he said, hold on, I want to pull in our chief technology officer and our vice president of sales. So we started to go through the process of incident response and understanding reverse engineering what actually happened. And what happened is a very common attack, a cyber crime. So what happened here in this case is a bad actor, a cyber criminal, took over the email account of a vice president of sales, and the vice president of sales did not know this, and by takeover it means just gained access to it. And they were watching for months and months and months.
This particular company was in the private aviation business. So you can imagine fairly high ticket sales happen in this particular industry. And the bad guy sat in the email account. They watched, they watched, they watched, and they noticed dialogue between the vice president of sales and a potential client, a new client that was about to onboard. When they got very close to that point where there was a purchase about to happen, they started to take over and act as if they were the vice president of sales for the aviation company. And they were hiding all of the communication by setting up special rules and different things in this person’s email account. So the vice president of sales had no idea this dialogue was going on, and in the minute when they made the request, the bad actor made a request to wire the funds to them.
They sent it to the bad actor’s account, not to the aviation company’s account. So the transaction happened, it was conducted, and then a few days went by and the customer called the aviation company and asked, what do we do next? We purchased from you, we haven’t received an order confirmation or our next steps. We’re curious what we should do. And the aviation company responded with, we did not take an order from you. And the client said, yes, you did. I have screen captures from the communication. They saw it and it looked, yeah, like you were communicating with us the right screenshots of the email and the threads and so forth. But it wasn’t the person at the company, it was the cyber criminal that they were communicating with the hacker, attacker, whatever we want to call it. I just call them cyber criminals, essentially reverse engineering what happened and how they were able to do it.
There’s major data breaches as we see in the news all the time. Our usernames and passwords are relatively easy to get and or to brute force figure out with certain tools that people have in place if we don’t have something on our accounts. All accounts called two-step verification, multi-factor authentication. It’s really just identity management, which is adding an extra step to log into our accounts. Even if someone has our username and password, they would still need to have a code that sits on an app, hopefully on our phone or a device that we use, a key that we use to access our accounts because this way, in this particular case, there was no multifactor authentication on the account. So all the bad person had to do was to get the username and password and then do their normal tricks that they do in setting up all the rules and so forth to be able to access the account and carry out this case of fund transfer fraud.
Common Cybersecurity Attacks
So in reality, if they had had multifactor authentication on the account and they were doing regular exercises to look for hidden rules in their email account and things like that, they likely would have spotted this before it happened and or made it very difficult to where the attacker said, I’m going to move on to another target. It’s too difficult for me to access this particular account. But the basics weren’t in place, which made it relatively easy for the attacker to be able to take over this particular email account and trick the potential customer into sending funds to them versus the company that they thought they were buying from and that moving forward, to your point, Parker, over the last 18 years of being in cybersecurity and working with some of the largest companies around the world all the way down to smaller companies, these are the types of attacks that we keep seeing happening over and over since 2007.
And it hasn’t changed. Even though we see massive investments in new cyber technologies, all kinds of funding has been dumped into the industry. If you Google any of that, you’ll see that tons and tons of venture capital firms that put money into cybersecurity companies and all that. But this was a simple case where 700,000 plus was stolen because there weren’t some basic cybersecurity hygiene practices, best practices in place. It wasn’t a highly technical attack. And over the years we’ve seen it across everyone from working with banks to casinos, to hospitals, corporations globally, including software companies, family offices which are small companies that are designed by ultra high net worth individuals to basically protect and grow their wealth and manage their family enterprise and or family finances and many, many more. And again, it’s really the same attacks. And then this is just a little humor.
This is me back, my first technology company in the mid 1990s, and I always say that’s probably not what anyone thinks a hacker looks like, but that’s me at the ripe age of 20 years old in the dot-com era building my first technology business. So I’ve been in the space for quite some time, and again, the same attacks are happening over and over again, and oftentimes they’re not mission impossible, James Bond level attacks. It’s really tricks and scams. So my goal today, as I mentioned earlier, is to share through story and experience the attacks that are happening and how you can protect yourself from them with usually, I’d say majority of the time, low to no cost tools and strategies. So I’d like to share a few bits of data with you just to set the stage. So this was from the FBI, this was just a few days ago.
Cybersecurity Statistics
On April 23rd, 2025, I was in the gym on the treadmill and I looked up at the TV and I saw this. So I immediately took a screenshot with my phone and went and looked it up on USA Today when I got back home to my office. So scammers and cyber criminals stole a record of $16.6 billion from Americans in 2024 marking a 33% increase in losses from 2023. This does match with what we see. Of course, we don’t see everything, but the trend line is the same. And again, I think scam and stole are very important words here that that’s really what the folks are after the bad guys, they’re after our money disrupting our business, extorting us just trying to get money in the easiest way possible. And that’s usually not attacking super advanced cyber technology tools, right? That’s hard to do. It’s much easier to take advantage of us.
I think it was Mark Twain that said, it’s easier for me to trick you than it is for me to convince you that I tricked you. So it’s an interesting kind of thought process, but this is the increase is on. And there’s things like AI and I’ll talk about that later, that are advancing the ways that folks are able to attack. So I was reading an article from a cyber insurance company, a company that basically provides protective insurance policies to folks in case something happens from a cybersecurity incident like the ones we’re talking about today. And they shared that three things account for 80% of all their claims. One account takeovers like I shared in the first story where an account of some sort gets taken over and then leads to some damaging attack, either extortion, the fund transfer fraud, a wire fraud like you saw here, and similar as I mentioned, that’s number two, which they lead oftentimes in account takeover leads to fund transfer fraud or wire fraud.
Then three ransomware, we’re all probably pretty familiar what that is. I’ll just explain it lightly. It’s where someone usually sends a link to you via text, email, something like this. You click someone in the organization or yourself clicks a link. And this tool is designed to not be by detection devices and then it will lock down all of your files. And the bad guys, cyber criminals will require a ransom in order to unlock your files. And they usually give a key to unlock it so that you can get back up and running. And you can imagine if everything’s locked down, you can’t function. That’s extremely high cost to a business and you want to get back up and running. And oftentimes people will make the attempt to make the payment, and it’s usually or not, I’d say often in the form of non kind of US currency, it’d be like blockchain, Bitcoin or some form of cryptocurrency.
I’ve even heard someone say at a talk that they rushed me after a talk at a banking conference in the elevator bank and said, someone actually asked us to meet in the parking lot with gold bars. I’m like, this is insane, because they don’t want to get caught asking for some form of cash transfer. So again, it’s really trying to get after our funds in the easiest way possible. And according to the FBI post, it’s pretty rampant. So this is an interesting fact too, showing how simple things really can be from the attacker side. And this is a company called KnowBe4. They do what’s called security awareness training. And that is really just teaching us, like I’m sharing here today, the things that are happening, how to spot them and how to protect from it. They stated in a recent report that 90% of successful hacks and data breaches attacks cyber crimes started from a phishing attack.
So an email, a voice call, a text was sent with a link or a request and asked someone to do something that you probably shouldn’t be doing. And then that resulted in the things that I’ve shared today. So shows again that that’s a pretty high percentage and it’s not the hoodie and the keyboards and all the high tech stuff that we see that makes for good Hollywood. So moving forward, this is another stat which is important to go back to the ransomware component that the average cost of ransomware attack in 2024 was just about $5 million according to most of the reports that I saw. So that’s a sizable amount of money. I’m sure all of us growing up always heard about famous bank robberies and stuff like that. They were never coming in with a mask on and usually taking this kind of money. So you can see that this is really modern day bank robbery that’s actually quite successful according to that FBI report.
And according to the data that we are seeing here in this presentation, here’s another scary fact, and this hasn’t changed a whole lot over the last 18 years. So when a major company gets breached or compromised from a hacker, it’s taking over six months on average to detect that they’ve actually been attacked. And this is another thing that really bothers me, and that is of those who actually reported it, we’ve seen things in the news where when someone’s compromised, they try to hide it from us because they don’t want to damage a reputation so forth. So almost six months just to know that someone’s in your environment. That’s kind of absurd in my opinion, and it really shouldn’t be happening, especially with the tools that we have available to us today. So another thing that’s kind of not in our favor is that our attack surface increased, and this is just to lighten the mood a little not to be so scary all the time, but I do want to hit the point home here is that 4.8, I believe it was 4.8 million or billion rather, 4.8 billion people have a smartphone according to the mobile phone marketing association or report they did.
And only 4.2 billion people on the planet have a toothbrush. So it kind of shows us that what’s happening is with all of these in our hands, that’s adding to our attack surface, meaning something that can be attacked and something that’s compromised. And we all know that we don’t leave. Most of us don’t leave anywhere without this, and it’s easy for us just to get a text that has urgency or hey, I’m stuck, or a phone call. That’s not even really the person, which I’ll talk about that later. So having these phones and having all these connected devices also has increased our attack surface, starting from when I started back in 2007, which I believe is the year that the iPhone came out right around there. So it’s been quite an increase over the years. And then this story is not a story that’s mine. It’s a public story that you can all Google if you want to, you can search it.
And it’s just really to illustrate the point of how simple some of these attacks are happening even at a large enterprise level, but also how they could have been prevented. And some time ago, if you Google this, more than 40% of the population in the United States had their data stolen from one of the major credit bureaus. And that happened once we dissected and looked at the report of what happened. Basically bad attacker used phishing and malware to take over and gain access to an account that was used for customer complaints. Then once they got access into there, they were able to do something like we would do as ethical attackers and hackers as to move laterally and try to increase our privileges and see how far you can get. They did that through a known vulnerability in an Apache Struts server, which is just the web server technology, the computer that runs it.
It was a known vulnerability that had been reported and it hadn’t been properly patched. So it was a vulnerability, a known issue within the software, and they were able to get in and then essentially start exfiltrating very personal information that we really don’t want people to have. And they were hiding it and setting up rules to encrypt it. And it took a long time, like in the last report that I shared about how long it takes for a breach to get detected. So it happened for some time, but again, when we dissect it, it wasn’t anything super complicated and it could have been avoided. And if I remember correctly, that led to the CEO being in Washington DC in front of all the officials basically having to talk for some long period of time about what happened. And it looked extremely stressful to me. And since then I’ve read that they’ve really done a tremendous job at fixing things.
But back when this happened, it was a pretty basic kind of attack that could have been avoidable. And then next, a major retailer that we’ve all probably shopped at some years ago had 40 million debit and credit cards stolen in a similar fashion. Malware was used to send a phishing email to someone that helped manage the HVAC systems. And what they did is they took over the account because someone clicked the link and it started to basically capture keystrokes from a keyboard and they were able to get usernames and passwords, then they logged in as well, the bad guys did, and they started to again move laterally, which they shouldn’t have been able to do. The network should have been segmented, but it wasn’t. They got into the main network all the way through to where we swipe our credit cards and they were capturing credit card information and exfiltrating it out to themselves and again, hiding it and sending it slowly so that they could have credit and debit card information.
And it took some time for that to be detected. And then ultimately, I recall the CEO, I believe it was saying we were just certified PCI compliant, which is a payment card industry certification for those that collect credit card information. I don’t understand how this happened. And some short time later, this is about 11 or 12 years ago, the CEO was let go from the company as a way to show that they were doing something about it. Now, this changed the entire industry for the better because people started to take things more seriously, whereas before it was a lot of just check off the box that I’m compliant now. People started to care about security, and I was in a lot of those meetings, speaking events like the billion dollar round table and so forth with large industry leaders, and they said, what do we really need to do? And that’s when I noticed a very positive shift from people actually caring about this stuff. So in the essence of time, I’d like to move forward and share with you what the attacks are through some real world stories. And I’ll try to move through these kind of quickly just to be conscious of everyone’s time. But if there’s any questions or anyone wants to ask something, please stop me. But I am trying to kind of keep us on schedule, if that’s okay.
Parker G. Trasborg:
Yeah, if you do have any questions, please use the Q&A function there at the bottom and we’ll make sure we pass them on to Jeremiah. Thanks.
Jeremiah Baker:
Okay, great. So account takeovers, we talked about this already in the first example, but that is really where someone takes over your email account, your bank account, something that’s super sensitive to you that any account that you just don’t want a bad actor to have access to. And what happens is they usually get our username, our password, the credentials to log in, and then they take it over and they start doing nefarious things. So in this case that I’m sharing here, what happened is a person who manages funds for ultra high net worth individuals in the family office space had called me and said, Hey, someone, I believe someone took over my email account. I’m getting screenshots from an individual that I know saying this doesn’t look like you, this type of content. And really what happened is the email account was taken over and emails were sent out for a cryptocurrency investment scam saying, Hey, acting as if they’re the person, Hey, I got this great deal for us, it’s like 10 or $15,000.
I did it. You should do it too. Luckily, the contacts knew that that wasn’t something that this person would request, and we were able to remedy it pretty quickly. So we got very lucky in this particular case to get the bad actor out of the account and secure things up and put some real strong measures in place moving forward. But that was an account takeover that led to that type of an attack. And then really talking about wire fraud, again, wire fraud is really just modern day bank robbery, and I’ve seen so much of it over the years, over and over and over again, and it always makes me feel so horrible when I get those phone calls, like the hair just stands up because I can tell already when I pick up the phone and the individual starts talking about what happened, I know that we’re likely not going to get the funds back.
And in a particular case, a CEO called and said that their CPA had been tricked, like in the previous example, and this was more elaborate, where someone had set up accounts, fake websites, fake email address, a new brand new bank account in the city that they’re used to dealing in, and the bad guys were pretending to be a partner, and they were communicating below the below level actually with the partner and the CPA and ended up wiring the money out to an account that was not sent to the actual partner who was the intended recipient. And again, it was a situation where the multifactor authentication and access controls weren’t really in proper settings, and that led to a tremendous amount of money going out and potentially to the wrong people. So wire fraud is really, really one of those where we see dollars and cents really leaving of all the things, that’s one where the real money is, we’re seeing it go out quite frequently. And just to add a little levity, that’s the kid just throwing money out the window.
So moving forward, another thing that we see folks attacking, whether infected devices, for example, we’ve all seen these little jump drives and things that people give at events or we’ve even seen cases where in testing to dump a box of these out in a parking lot, like in a corporate office setting and they have non-detectable malware on it to do certain things and or in exercises of working with clients. We do it not in a nefarious way, but as a way to show that we can actually access their systems and that their people are susceptible to picking these up and plugging them in. And it could be a jump drive, it could be a wireless mouse, it could be anything that you can plug in. Anything that can be connected is quite vulnerable. So we always recommend not to plug anything in or use any of these if you absolutely don’t have to.
Phishing Attacks
So phishing scams, like we mentioned earlier, according to KnowBe4, 90% of most of these attacks are starting from some form of a phishing scam, like you’re getting a phone call or a text message or I think, I don’t know, maybe some of you can kind of put a thumbs up in the chat if you’ve seen recently I’ve been getting a lot of these like a, Hey, you ran the toll booth and you didn’t pay the toll. That’s a pretty common one that we’re seeing and getting reported to us, and also authorities are seeing it. And then basically you click the link and you’re essentially giving money to someone that you weren’t guilty, but they’re trying to trick you into it and use urgency, you better hurry up or it’s going to be more, you’re going to be in trouble or something like that. That’s usually the telltale signs of a phishing scam. When someone wants you to hurry up and do something, that’s the time to pump the brakes and start verifying that this is truly a real situation by going outside of the communication channel. Pick up the phone, walk down the hall, go talk to the bank in person, those kinds of things. Just make sure that you’re verifying that you’re really dealing with the people you think you are. So here’s an example of a phishing scam that recently happened. An individual, a pretty high up person in the C-suite of a large company.
I think it was probably somewhere around 5:00 or 5:30 in the evening. I was actually wrapping up my day at that time, and I received a phone call from a friend and I could tell he was in a restaurant. It was really noisy with plates banging and dishes and these kinds of things, so I couldn’t hear, so I could tell something was up. So I asked him to please step to a quiet place where we can have a conversation and tell me what’s going on. And he said, Hey, I have a friend here with me who was in his office and he was finishing up his day as well around the same time, and he was at his computer, but he had his iPad set over to the side and Instagram was open, and as he was answering emails, he saw a message pop up on Instagram saying, Hey, check out our vacation photos.
He wasn’t even thinking about, he doesn’t usually even really use Instagram. He said, I clicked the link and it was designed to do command and control. So it basically went in the malware, took over his Instagram account and changed his username and password immediately, the bad actor did so that he couldn’t go in and recover his account. And then they started sending out similar cryptocurrency investment scams to his contacts. And the challenging part with all of that is that the way a lot of these free social media tools work, they don’t really have a customer support line. At least they didn’t at the time of this story. And what they want you to do is to do some kind of face verification with your phone by taking several pictures or using the video to go like this. Well, he purposely did not have photos of himself on his social media account.
So it became extremely difficult and several months went by before he could remedy this. So it was an activity of reaching out to all his contact saying, if you receive something like this from me in this cryptocurrency scam, please don’t respond to it because it’s not me. So that’s some things that can happen from phishing with our social media accounts. Nothing email, nothing is protected or off limits here. So again, it’s a scam as they say on the office, just be careful of these kinds of things because what the scammers are looking to do, they’re looking to trick us into doing things that we shouldn’t be so they can get our money and ruin our reputation and things like that. So this is another form of a scam. It’s a very common one, a gift card scam. I was in my office working away and I received a phone call from my friend in New York and he said, Hey, something happened.
One of my portfolio companies, the CEO of that particular company received several emails and text messages that appeared to be from my friend to the CEO of one of his companies saying, Hey, I’m at a lunch meeting. I need to go grab a couple gift cards for I think it was $500 a piece or something, and get the details and then send them back to me in this email. I want to give it to the person that I don’t have time to client. I don’t have time to leave lunch here and go do that. So this particular CEO, she did it on the first one, sent $500 and then said, I think something’s up. She got in the elevator, went a few floors up to the executive floor and said, Hey, are you sending me these requests? And he said, I absolutely am not sending you those requests.
And what they were doing is spoofing the email address of the CEO. So it looked like it was coming from him, but it really wasn’t. And if you looked into it closely, you could tell it wasn’t him, but again, they used urgency, hurry up, I’m your boss. All these kinds of things to try to get you to send the money. In this particular case, it worked, and it does happen quite frequently, but it’s easily avoidable if we verify, just go through a different channel, first step, first, go upstairs, call somebody. Just make sure, make it part of the policy for you and for your businesses that you always verify before sending money up. So this is another big one that we’ve started to see more frequently that I had not seen in past years, and that’s an AI impersonation scam. So my friend is a CTO, and he said to me several months ago that he went to visit his mother on the weekend with his grandson, and they were sitting on the couch in the living room and grandmother received a phone call and the phone call appeared to be this exact voice of her grandson and saying, Hey, I’m stuck in a jail in South America and I need you to send me money in order to get out.
I don’t remember how much it was. I think it was like five or $15,000. It was a pretty sizable amount of money. Luckily, grandson was sitting right next to his grandmother, so she was able to spot it and turn to him and say, Hey, you’re right here. I know this isn’t you on the phone. Then she asked her own son, what’s going on? And this is exactly what was going on. They took a few seconds of audio from grandson on social media, maybe had a video on YouTube, something like that. They were able to clone his voice and then use it in this attack, and that’s called an AI impersonation scam with extortion attached to it. And this is also happening. We’re seeing in things like when someone’s about to purchase and or sell real estate, there’s some impersonations like this that go on where people are pretending to be who they’re not.
So we need to be very, very alert that these things are happening and make sure that we verify that we are indeed talking to whom we think we’re talking to by stepping outside of the channel that they originally contacted you in. In person is always best.
Ransomware Attacks
So moving back to ransomware, this again, as we saw, 80% of all real damaging attacks seem to be coming from account takeovers that lead to fund transfer fraud, and then ransomware’s in there as well. This is another genuine story, a real world story. It was Sunday afternoon, I was finishing up some errands driving back from a big box home goods store, hardware store, and a friend from Florida called me and I picked up the phone. I was excited to talk to him. I said, Hey, how are you doing? He said, I’m doing great, but my friend is not doing great.
He’s on the other line. Can I patch him in? I said, sure. I asked him what’s happening. He immediately told me that someone in his company had clicked the link. All their computer systems in this particular corporation were locked down. They could not continue operations, so they were basically stuck in the mud and they were losing a lot of money every minute that they couldn’t operate. And then I asked him, well, do you have data backups and have you conducted regular recovery exercises so that if something like this did happen, you can at least ignore the request and get back up and running within a reasonable period of time? He said, no, we do not have backups and no, we have not been conducting any kind of recovery exercises. Then he proceeded to ask me, do you have any Bitcoin that I can purchase from you because they’re demanding $500,000 in the form of Bitcoin in order to send us the key to unlock our files?
I said, I do not have Bitcoin, and I was going to recommend to him that he reach to the three letter agencies, the FBI and so forth, and he immediately hung up on me. So I do not believe that he was able to do anything but pay. And unfortunately, when we pay these types of attacks, they may come back again and again because they see that we are willing to comply. So again, we’ve got to be very careful of these things and have some basics in place within our organizations backups, conduct regular recovery exercises so that we have the confidence that if something like this happens, we can protect ourselves. And then of course our IT and security teams can put measures in place to help prevent a lot of these attacks from even getting to us in the first place. But nothing is 100% protective, so it’s a layered approach.
So this is another attack that’s pretty scary, and I recommend everyone kind of be aware of this. I was at a Rotary meeting, a local Rotary small business meetup several months ago, and we were talking about this exact topic and someone in the audience came up to me and said, Hey, this actually happened to a client of mine where someone had basically tricked the mobile phone provider into porting this person’s phone number to the bad guy’s phone, and then they were able to get credentials to log into a bank account, and multifactor authentication was set up on text message in this particular case, not an authenticator app or a key or a device. So once the bad guys got into the bank account, they had the phone and they were able to get the text message codes to be able to log into the account, and then they started transferring money out of the account according to what this individual had told me.
And what I recommend everyone do is work with your mobile phone provider to make sure that there’s a lock on your SIM and account so that it makes it difficult for someone to do any kind of a port out attack. Now, that’s not foolproof, but it is a lot better than not having it because again, nothing is 100% foolproof, but we want to make it difficult for the attacker so that they, unfortunately they’re moving on to an easier target. And you can work with, most of your mobile phone providers will do it if they haven’t already done it for you. A lot of times they’re already doing it for us now because it’s a pretty bad problem.
Identity Theft
Identity theft, I’m sure we’ve all heard stories or even maybe become victim of this. This is where someone essentially gets our personal identifiable information, they’re able to sign up for accounts like cars, homes, credit cards and things like that, and purchase things on our behalf. And then we only find out later that there was a big bill and hopefully we’re not held accountable for it, and that we got ahead of it in time so that it’s not too damaging. In that case, what I recommend, one moment, I just need to go back, what I recommend everyone do at the very minimum is to freeze your credit at all three bureaus. They usually make it pretty easy for us to do that. If you visit them, this will freeze your credit so that no one, including yourself can sign up for new accounts. And then many of them have monitoring so that we can see if something new has hit our credit report relatively quickly.
And then also you want to keep an eye on your credit reports just to see if anything looks strange in there that was purchased or signed up for that you know didn’t do. And it’s just a good way to kind of keep one step ahead of the bad guys.
Investment Scams
Investment scams, this is another thing that we’re seeing. This is a personal story. So a small business owner in the town that I live in reached out and said that they had been a victim of what they thought was really good at first it was a cryptocurrency investment opportunity. The person had reached out to them saying, I got a great opportunity, I believe in this case it was actually a person came into the establishment in person, and the contact that called me made a small investment. And then on the screen they could see that it was going up and up.
And then eventually sometime later, the cyber criminal, the scammer said, Hey, would you like to invest more? This is doing well. The contact said, absolutely, I would love to do that. This is actually going really, really well. So several months go by and I think they made a third investment first, second, and third, and then they started to get a little curious and they wanted to take some of the funds out of the account. Well, that’s when they found out that they were not able to and that none of it was real. The bad guys just took advantage of the opportunity to have some upside earnings by putting in some money into crypto, and they took advantage of what we call context. If you look at the news and all this kind of stuff, everyone’s talking about how much money they’re making with cryptocurrency, and that tends to get certain individuals excited and they’re a little bit more susceptible to these types of attacks.
But in a pig butchering scam, that’s where they basically get you bit by bit by bit, and then they take everything. So you want to be very, very careful if it looks too good to be true. It really is, especially with things that we can’t affect and or impact, and it requires us to give our money in order to get something back. So I want to be very, very cautious of these scams. They’re very prevalent.
Bank Scams
Bank scams. This one was actually, this story was a few months ago. I was going to a fraud conference in Texas, and I was about to board my flight. I was in the Atlanta airport, and I received a phone call from a CEO that I know in Long Island, New York, and she was pretty scared, but I will say upfront that she got kind of fortunate and that the bad guys had called her claiming to be her bank.
And they said that someone had sent through one of the money transfers, be it Zelle or something like this, sent money into her account in the tune of about $14,000. Plus, they asked her, do not touch it over the phone, but we do need to get into your account so that we can get that money back out. So basically what they did, and this is what happens a lot of times, the bad guys will take the money from somewhere else, then steal it over here, put it into someone else’s account, call you, and then on the phone, they were asking this individual for username password to get into the bank, and they had a bunch of details about this person that made her feel comfortable because of previous data breaches and or scraping the internet. She felt like it was a professional. Well, number one, your bank’s never going to call you and ask you for your username and password.
So folks, that should be something that we all watch out for, and that’s a red flag right away, hang up the phone, go right to the bank and let them know what’s happening. Or if you can’t go to the bank, you call the number on their website and make sure that you’re dealing with the right folks. But this particular contact got very lucky in that when they asked for her password, there was a little bit of chop up in the line and they missed one character of the password that she had given. And when they asked, Hey, it didn’t go through, can you give it again? That raised the red flag for her and she hung up the phone and then called me, and then I told her to get in the car, go to the bank, which she did, and she was able to resolve this, but she had been under more of a persistent attack because she has several bank accounts and the other bank, she started to get requests there, and then she even got requests from a bank that she does not have an account with. So we just need to be very careful when someone calls us and starts asking for sensitive information. Most organizations will never ask you for login information or something like that, so hang up the phone immediately and know that that’s not really the bank calling you.
Parker G. Trasborg:
There’s a question actually kind of in regards to that that I’ll interject with real quick. If I’m on a phone call with Fidelity, Pershing, Principal, et cetera, et cetera, what questions can I ask them to verify that I’m actually speaking with a legitimate representative as opposed to being scammed?
Jeremiah Baker:
Yeah, that’s a very good point. So number one, I would maybe, well, first and foremost, don’t give the information that if they ask you one, flipping it, if they ask you for your username and password or anything like that, they will never do that. So that should be a sign that you’re not dealing with the right person. But on the other side, yeah, it is kind of difficult to know that we’re dealing with the right people. It’s much easier to know not to give them certain information that can be super damaging because again, someone can spoof a website and you think you’re talking to the right banking folks and things like that. I like to think of it differently, and I’ll put it this way, I like to think of it as verify as much as you possibly can over the phone, and if you don’t feel comfortable, go into a local branch and know that you’re talking to an executive at the bank. And then most importantly, just don’t give information that could get you into really big trouble, like login information, username, password, and that kind of stuff. But there is no real 100% foolproof way to know over the phone exactly who you’re dealing with, if that’s helpful.
Parker G. Trasborg:
Yep, thank you. Okay.
Jeremiah Baker:
So credit cards and debit cards. We all know this. I’m sure all of us on here either had it happen to someone we know or happened to ourselves, but all of a sudden we see strange charges applying to our cards. This actually happened to me some time ago, maybe just a couple of weeks ago actually, I have a credit union and they said, Hey, something’s going on. Someone in New York City and I’m in Atlanta, so someone in New York City is trying to make some purchases at a deli for a couple hundred bucks, and they got declined luckily. So what I recommend doing with credit cards and debit cards, it’s just set up within your bank to get alert anytime a transaction happens. And then it’s just generally good practice to have one card that you can use out in the wild, like gas pumps and different things like that, and then another card that you do not use for those things.
And then that way if something happens, you can essentially have a little bit of a firewall or a layer in there to protect yourselves. And most banks and organizations these days are pretty good about handling this because unfortunately, it’s pretty prevalent. And I sat inside Mastercard. I was up in New York City several summers ago, and I was inside the innovation center, and I saw this giant map of the tri-state area, and they were showing all the hotspots of where transactions were happening, and I got to talk to fraud folks and all this interesting stuff, and it’s absolutely insane how much it’s going on out there. So it’s just adding a little bit of layers from a security approach to protect ourselves in something in case something bad happens. This is another one, this is new. So AI, we keep hearing about AI, and I’m always trying to get down to the real nuts and bolts of what’s working the good, the bad, the ugly.
And this is an extortion scam using AI. Essentially what happened is I was talking to a colleague of mine who’s in the security space and he’s part of a round table of others like us, and he said that someone had shared a story that bad actors took over an internal chat tool. I won’t name the name of the tool, but it’s a very popular tool that people use to chat between each other inside of a company, and they were able to, the bad guys were able to get access to this account. The account had admin rights so they could see all the chats across the organization, and they used AI to sift and then sort for questionable chat dialogues, and they found one between CFO and the report. And the report had basically alerted that something was going on and that we need to do something about it because it’s not, I guess, within compliance or something like this.
It was in those terms. And the CFO repeatedly said, Hey, forget about it. Don’t bring it up again. Leave it be. Bad guy saw that and said, Ooh, I think we have gold. They took a screenshot of it, then emailed that to the CFO and said, Hey, look, we see that you could get in a lot of trouble for what you said here, and if you don’t give us, I think it was $300,000, we’re going to report it up to the CEO and to the board and authorities and so forth. So they used AI as a way to one. One, they took over the account, then they used AI to sift and sort for questionable conversations, find something that’s damaging and potentially maybe illegal. And then they used it to extort money. I don’t know if they ever got the money or not. The story wasn’t complete.
But these are the kinds of things that people are using AI for to clone our video, our voice make things easier. It’s increasing the efficiency of what they do and making it more believable. So again, as I said in the beginning, I know this is a lot of information, it’s a lot about the bad stuff in attacks, but don’t worry, I will share with you things that we can all do to better protect ourselves that don’t require a whole lot of super high tech. And then if we’re working inside a corporation, something like that, most corporations have a really strong IT team that are implementing the technology solutions to help prevent the things from getting to us in the first place. But if they do get to us, here are some of the ways that we can all protect ourselves. And just before I go into those solutions specifically, I’d like to share with you a website.
I believe it’s now owned by Microsoft, but it’s called Have I Been Pwned. And that’s just a hacker term. Pwned is for if I’ve been breached or taken advantage of. And these websites will show you if any of your email addresses have shown up in a public data breach. And really the idea is you can see here that at the time of this screenshot, there was a lot of accounts that have been pwned, and what bad guys do is they’ll use this information to get our username and passwords, and then if we’re reusing account credentials and things like that across the accounts, they’ll then have the ability to get that information and use it for nefarious things. But it also shows us, hey, if one of your accounts has been compromised, maybe it’s a good idea to go in and change your password and so forth, and make sure you have, well, in general, you should make sure you have multifactor authentication like Google Authenticator, Microsoft’s product, there’s Okta, there’s tons of companies that are really good at this identity management stuff.
So just make sure you have it in place, but this will at least let you know if your information’s shown up on the internet somewhere where you don’t want it to.
Protecting Yourself Online
Okay, so here’s 10 things that we can all do today, and I highly recommend we do these things and in the essence of time, I’ll move through them pretty quickly. So one is multifactor authentication. We talked a lot about this. This is really great for preventing unwanted access to our accounts that can lead to wire fraud and wire transfer fraud, fund transfer fraud, all those things, people sending out emails on our behalf and so forth. Number two, mandatory authentication process for wire or any fund transfer, just a second step outside of the normal communication channel that you’re in, be it email or whatever it is, and force it inside your organization because if you can’t afford to lose it, then you absolutely must verify.
Otherwise, you’re basically saying, I’m okay with absorbing the risk and the loss. Three, back up your data frequently and run recovery exercises. This is very important for most businesses, small and large. It’s really just taking your data on a regular daily frequent basis, backing it up outside of the network where it can’t really be touched. It’s air-gapped and segmented and all that stuff, and encrypted so that you can then run recovery exercises with your IT team just to say, okay, in this scenario we’re down, we’re locked. Ransomware hit us, for example, we can’t do anything. Can we get back up and running? And then if you’re really good at that by running frequent, just practicing, practicing, practicing, then when you do get hit, it’s not super, super catastrophic or damaging to the business, you can get back up and running. And a lot of the times when I get the calls, none of this stuff’s in place and we’re really in a bad spot.
So going all the way back to the beginning of the presentation when I said how to protect yourself before it’s too late, this is a prime example where prevention goes a long, long way and can save a lot of money and super headaches. So number four, encrypt sensitive data, emails, texts, calls and transfers is really important in business. So we’re sending emails. There’s technologies like PGP and different things like that that can always be set up for us where the communication chain is not sent in plain text where if someone were to compromise it could just read it like you and I are, and our email threads, you have to have a key, and then everything looks jumbled up in different characters and so forth to someone if they got ahold of it. But to us, we have the key and it unlocks it so that we can actually read it.
It’s just a good practice for sensitive information so that someone gets ahold of it, that it doesn’t become super damaging. And we’ve seen where someone had been compromised and all of their communication between someone had been dumped on the internet and those communications were not good, very damaging. You do not want the public to see what they were talking about at all because it put them out in the open. So encryption is very important. And also just not sharing sensitive information across email and things like that if you don’t have to. So number five, connect to the internet using a trusted VPN. I’m sure most of you do that, especially if you’re in any kind of a company setting, that’s really just creating a secure connection between your computer and your company, just so that we know that there’s not someone in the middle. This happens a lot where if you’re out in the wild and you think you’re connecting to Starbucks Wi-Fi, for example, it could be somebody in a van that just created, set up a wireless router, and they’re basically sifting and sorting all of your communication back and forth trying to get your information.
So one, it’s just good not to connect to Wi-Fi in the public if you don’t have to. And if you absolutely have to use a VPN, and I recommend using a VPN all the time just because it encrypts the communication between you and the internet, making it more difficult for a man in the middle attack to get information that you don’t want people to get. Number six, enforce strong password policies. Hopefully one day we won’t have to worry about this. Passwords seem pretty archaic to me, like we’ve been using them for as long as I’ve been in the industry, but if you reuse your passwords or don’t change them, then it could be just a matter of time for someone to get ahold of it in the wild, in the stories that I shared today. And then if there’s no multifactor authentication on the account, for example, it makes it very easy for them to get in. So that’s why when someone says inside an organization, we enforce you to change, you get this popup and change your password frequently. It’s just a really good best practice that’s low cost, but can have a lot of impact for you and for your organization to avoid catastrophe.
Parker G. Trasborg:
There was actually a question surrounding passwords that had popped up throughout your presentation. If there is a greater risk of using say, OnePass, where basically there’s one password and they’re all stored locally versus kind of memorizing all of them manually.
Jeremiah Baker:
So in a perfect world, I’ll just say this, a lot of the password lockers or password management services are, that’s a really good, again, everything’s in layers, so that’s a next step that’s better than a lot of times we’ll go into an office, someone has a post-it note under their keyboard with all their passwords written on it. Don’t you think someone else has access to the office could walk by at night when nobody’s there? Take a picture of it, put it back down, you don’t know. So using a locker or a manager, that’s the next really good step. And then really the only perfect step that’s well, better than using a locker like OnePass or one Password or any of the tools that exist is you have a big old metal safe on your desk with everything kind of written down in some kind of code that only you understand.
So even if they saw it, they couldn’t get it. But all joking aside, the password manager is the next best step. And a lot of times a company will use those and they have rules set up in there too to alert you. You’ll get a prompt, Hey, you need to change password. You need to change the password. So you’re kind of staying one step ahead of the bad guys, the cat and mouse attack. But the password managers are a good practice as of right now, better than one, trying to remember them all or having them written in a notebook or on a post-it note or something like that. But everything has its risks associated with it. So the step there is to change your passwords frequently, even if you are using a manager. And then to also make sure you have multifactor authentication in place. So even if one of those do fail, let’s say someone gets into your one pass. If they don’t have your phone with a Google Authenticator or Microsoft Authenticator and so forth, then they’re kind of stuck. It makes it very, the bad guys can do a lot of things, but it makes it extremely difficult and they’d have to be the most talented people in the world to get through after that level of layers, if that’s helpful.
Parker G. Trasborg:
Yeah, it is. And there’s two questions that came in about passkeys actually, if they’re maybe a better solution than using straight up passwords as well.
Jeremiah Baker:
Yeah, I like the passkeys. Personally, it’s a little bit of newer technology, like the RSA keys. A lot of the banks will give us that key that we set that gives a timed code, so it’s actually expiring. And that’s the way that most of the multifactor authentication, the good ones work as well where the code’s only real for a few seconds and then it resets as well. So it’s all about just you’re staying ahead, staying ahead. But yeah, the keys are like YubiKey and those kind of things. Those are very good technology, but again, the bad guys are always trying to figure out a way to get through. But using YubiKey and those kinds of things make it really difficult for the bad guys, and that’s what we want to do. We don’t want to make it super easy. I shared in some of the stories where just they got our username password and they’re in.
Parker G. Trasborg:
Perfect. Thank you.
Jeremiah Baker:
Yeah, and then the security awareness training is really like what we’re doing here today, but there’s of course more advanced ways to do it. If any of you have used platforms like the company called KnowBe4 or any of the others where they’re constantly training us on the computer through video, through pretend phishing us, like, oh, you click the link, Jeremiah, you shouldn’t have done that. Oh darn it. And then you report it back to your IT team. Just really good because the only way we can really know what’s happening is to stay ahead of it and to educate ourselves versus what I see a lot over my years in this business is people get paranoid and they put their head in the sand and they don’t want to kind of deal with the reality that it’s happening. It’s better to know how we’re being attacked and then how we can prevent it.
So that one, we can spot these things when they come in. And a lot of the tools these days will kind of reward us as users inside of a company saying, Hey Jeremiah, you did really good this month. You stopped, you reported you didn’t click. And it kind of becomes like a positive thing like a game. And we’re kind of staying ahead of the bad guys. So security awareness training is very, very powerful as long as we do it consistently and we really care. It’s one of the best ways to protect ourselves and the companies that we work for. Number eight, this is a basic, but keep your antivirus and malware software up to date. The bad guys are constantly releasing new malware, new antivirus, new ransomware strings, and on the other side, the good guys are trying to keep those signatures and those files up to date so that the tools that we use of theirs can catch things before they even get to us.
So again, in terms of thinking like security like layers just adds that extra layer and don’t want to go too long without updating your machines. Most of the time within an organization, the IT team and security team will help us do this, and that’s something they should really be doing where we don’t have to think about it as much as individuals, but we do want to make sure that they’re doing it. So number nine, again, we talked about this earlier, but don’t use public Wi-Fi if you don’t have to. There’s all kinds of crazy stuff and we don’t have a lot of time left, but I could share some stories about where even in our exercises we set up fake stuff to trick people. Even with the badges that we use to get into office space, the little card looks like a business card, it had a backpack antenna in it.
The guys were basically intercepting the signal as people would swipe, transmit a signal and the backpack had a printer and it could print out a card to duplicate the card and then someone could gain physical access into the building. So there’s all kinds of stuff like that. There’s public Wi-Fi with people setting up stuff that says Starbucks or your office name, but it’s really not. They’re a man in the middle trying to intercept you connect to them, then they intercept all the stuff that you’re typing and all that kind of information being transferred if it’s not encrypted. So it’s just good to be very careful of public Wi-Fi. Usually what I’ll do if I’m not on VPN, I will just connect through my cell phone connection hotspot to my phone as another layer to prevent public Wi-Fi. Number 10, third party security reviews and testing.
This is something that most organizations do. This is usually at the enterprise level. This is the work that we do come in and basically break in before the bad guys do and then show where all the problems are and how to fix it and harden it. That’s really on a both social engineering, the stuff we talked about today and then on a physical means as well, like breaking into the actual software and networks and stuff like that. But that’s really for business to business and that kind of stuff, like big companies are doing this kind of stuff. So I’d like to recap a little bit here and then end, because we’re coming up on time, I want to be conscious of everyone’s time. Scammers and cyber criminals, according to the FBI, took 16.6 billion in 2024, that’s up 33%. So that shows scams are up. A lot of things we shared today is what’s happening.
Scams, extortions, wire fraud, account takeovers, all that kind of stuff’s leading to a lot of this high dollar account. But you can see that a lot of that can be avoided so that also hackers don’t need to trick your technology. Really, they just want to trick you because it’s easier. It’s a lot easier than trying to trick some high tech firewall protection or something like that. It’s easier to act like someone that they’re not and get you to give information you don’t want them to have so they can steal from you. So it’s really tricking. And then the strongest firewall in the world is a human, you who knows what to look for, like things we talked about today and how to protect yourself before it’s too late. Really think like a hacker to beat a hacker. Think like a cybercriminal to beat one and really be privy to what they’re up to.
And then again, the cyber insurance firm. Three things really comes down to, and this matches with what I see in terms of real dollars and cents being stolen, be careful of our accounts, multifactor authentication, all the things we talked about. Two, always verify and fraud, fund transfer, wire transfer, and these types of things if you can step outside of the communication channel you’re in. And then three, set up those things with backups and detection and prevention for ransomware. So if you do get hit, you’re not stuck in the mud and having to pay and or literally be stuck because what we read also recently is that 60% or so small businesses that get hit with these types of attacks go out of business within a few months because you can see it’s such a high dollar amount. We generally can’t recover from those kinds of costs.
And then lastly, this is why I do all this is to be in service to help folks. I don’t want you calling me ever saying that one of these things happened to you. This really is a transfer from how I grew up. My parents helped raise 56 foster children in our home over the years. This is my late mother who passed a few years ago. She was our foster mother and my mother and she and my father helped. That’s me. Here comes trouble. Isn’t that true? My aunt made that shirt for me. And so what I’ve been doing since my mother passed, my father just turned 82, we’re all as a family writing a book called 56 Hearts One Home to celebrate the work that my folks did to be of constant service to others. They would literally help anyone in need. So I told my mother and her last few days that that’s what I must do, carry that forward.
And that’s why I’m here today. So if any of you would like to connect with me on LinkedIn, that’s probably the best place because one, I can verify that you’re a real person to some degree versus just email where I don’t know who’s emailing me. And then I’m always happy to answer questions, be as helpful as possible. I just don’t want you calling me saying that you had a wire fraud issue or someone took you on one of those pig butchering scams where they got you into some investment you shouldn’t be in, or someone took over your email account or you got hit with ransomware and you have no options. Like all those stories. I would rather never receive a phone call from anyone on this call that that happened to them. And that’s the end of my presentation and I’m happy to answer questions best I can, and if I can’t get an answer to you, I can get to the technical team and ask them to help us out as well.
Conclusion
Parker G. Trasborg:
Yeah, I think that was pretty much all the questions today. Jeremiah, thank you so much. I really do appreciate your presentation and the insight that you provided today, and I appreciate you honoring your parents in this way as well. I hope that we’ve all come away with at least one or two things that really aren’t too difficult to implement in our daily lives to help protect ourselves online as the saying kind of goes – You don’t necessarily have to be faster than the bear. You just need to be faster than the person that’s a little slower than you. So a couple of things to protect yourself, and then the hackers will hopefully move on to an easier target if really they find that they can’t get into you very easily. So thank you again to everyone that is tuned in live, and thank you to those that may be catching the recording at a later date. That does conclude our presentation today, and we hope you enjoy the remainder of the spring, and we will see you hopefully soon. Thank you. Thank you everyone.