Credit Card Skimming with Scott Schober
We’ve all had that random fraudulent charge show up on our credit card and we wonder how did that happen. Do I need to cancel my credit card? Do I need to get a new one? Today we talk about credit card skimming with Scott Schober.
Scott Schober is the president and CEO of Berkeley Varitronics Systems, a 48-year-old leading provider of advanced world-class wireless test and cybersecurity solutions. Scott is a highly sought after author and expert for live security events, media appearances, and commentary on ransomware, wireless threats, drone surveillance hacking, and cybersecurity for consumers and small businesses. He is the author of Hacked Again and Cybersecurity is Everybody’s Business.
Scott shares his many experiences about personally being hacked and finally getting the money back. We talk about what you need to know, how to protect yourself, and more.
- [01:02] – Scott shares how he got involved in cybersecurity.
- [02:01] – Cybercriminals want to silence you. They don’t want you to share tips or expertise on how to keep companies secure or even individuals. These attacks led to the creation of his first book, Hacked Again.
- [03:02] – In that process, he learned that there were some fundamental things that they were doing wrong. So he had to relearn and reimplement best practices for the company and himself.
- [03:34] – We should create more secure passwords and not use them across multiple sites.
- [06:14] – Anonymity is extremely powerful in the criminal empire. Criminal gangs often get educated to conduct criminal activity.
- [08:42] – We can now use technology to fight back.
- [10:29] – The challenge is to get the skimmers out before it even happens.
- [12:02] – Follow the money and it usually tells you why things are done or not done.
- [14:12] – Scott uses Apple Pay and Google Wallet when possible.
- [15:22] – When you’re at a gas station use cash if you are afraid of a skimmer. Use common sense. If things look like they have been tampered with, use caution.
- [17:17] – The part of the iceberg sticking out of the water is the surface web that we use for searches and purchases. Below is tons of information that doesn’t make a lot of sense to us working at the surface web.
- [19:38] – If you see a small transaction on your credit card ($0.50/$1) it could likely be that it is on the dark web and has been posted to be tested.
- [21:37] – It is hard for law enforcement because this is an attractive way to make money.
- [22:50] – Don’t be complacent. Start out by doing best practices across the board in your personal life and business.
- [23:12] – The best thing to do is to add layers of security like multi-factor or two-step authentication.
- [24:29] – Scott doesn’t share his actual birthday on social media, because that is one of the critical pieces of information if someone tries to compromise your identity.
- [26:07] – When setting up security questions put a password instead of the actual answer that can be researched about you.
- [27:42] – They discuss the pros and cons of freezing your credit.
- [29:25] – The process and investigation when Scott lost $65,000 took months, but he finally did get the money back.
- [31:28] – Cybercriminals create fictitious accounts, steal money from multiple people in a bank, and quickly close them out.
- [33:32] – You can do things to prevent it from happening to you.
- [35:49] – You can’t be too trusting to anyone. Don’t use their means of communication to verify.
- [37:49] – Take a few minutes to question everything. Use caution.
- [40:07] – Many of these scams look very convincing.
- [42:50] – You’re better off spending the time and effort upfront securing things than paying for it later.
- [44:04] – A small business owner can do small practical things to protect themselves.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Have I Been Pwned
- Berkeley Varitronics Systems
- Scott’s Website
- Hacked Again
- Cybersecurity is Everybody’s Business
Scott, can you tell me a little bit about how you got involved in cybersecurity?
Absolutely. For the past 10 years or so, Berkeley Varitronics Systems and Company, we’ve been focusing on wireless test tools that are usually tied to security. Keeping facilities secure from any type of wireless threat. A lot of it is tied to (obviously) mobile phones, smartphones where there’s Wi-Fi, Bluetooth, and the regular 3G, 4G—fourth-generation technology of communications.
We understand the vulnerabilities and how cybercriminals can use that to get into different types of computer networks or compromise classified information via a government DoD facility or a corporate boardroom (whatever the case may be). As I educated people more and more over the years, what started to happen was I had a target that was put on my back. In other words, the cybercriminals want to silence you. They don’t want you to share tips or expertise—how to keep companies secure, even individuals, or small business owners.
The more that I started sharing information the more they started to go after me. That’s really the genesis of my first book, Hacked Again. They started going after my Twitter account and took that down. They went after my email. They repeated DDoS attacks to our online store, so we didn’t have online commerce, all of a sudden. It was terrible.
Repeated credit and debit cards—both in the company as well as myself personally—I was being attacked. Reissue the card…the process goes on and on. Finally, one morning, I came in and checked the online bank for our company and $65,000 was taken out of the account. I said, “This is serious.” Of course, it became a federal investigation. A lot of paperwork, time, and effort with phone calls and everything under the sun just to get all the money back. I finally did get the money back. But in the process, I learned (as a security company) there were some fundamental things that we did wrong. I had to relearn some of the things and re-implement best practices within the company, and I did myself, personally.
A fair amount of that is what I share when I speak to audiences, when I educate, when I write in the book such as Hacked Again or the second book Cybersecurity Is Everybody’s Business. Hopefully, readers can connect with me and say, “Jeez, I really do need to make a more secure password.” Or, “I shouldn’t reuse the same password across multiple sites because here’s somebody that was dumb enough to do it and look at the outcome.” I try to share my personal story and say, “Hey, dummy. Here, don’t do what I did, or else you’re going to have to go through this pain.”
All of us, if you did ask anyone who had an account more than 10 years ago, it was a very common thing. I have maybe half a dozen different passwords I use for different things and most people probably had one or two.
It’s interesting because we would think, at the time, like, “I’m secure. I’m safe because I’ve got this really great password,” but we never really thought about data breaches. What if that password actually got out there? Is that the genesis of how access was gained to your accounts?
Yeah. To your point, the world of cybercriminals has changed so greatly because when they compromise this information, they used to be able to say I’m going to target this particular account and try to do some damage. It’s changed where now there are layers of criminals and criminal activity where they will go to the dark web and they will now sell it.
Just because the guy steals your password, your login credentials, your Social Security number, or anything to compromise your identity, it doesn’t mean he’s going to go do that. He’s going to now repackage it, repurpose it, and put it on the dark web so he can monetize it. Once there are means to not only do that and monetize it and there’s a market, so now you’ve got supply and demand there that come into play as a regular business. Things happen and people make a lot of money.
On top of it (just the world of the dark web) it’s so interesting because it allows anonymity. I always use the analogy of a typical criminal. They pull out a gun, they put a mask on their face, they rob a bank, and they assess the risk. What are the chances I’m going to get caught by a camera, someone spots me, or I get shot? The getaway car doesn’t start up or whatever happens. The money is tainted and blows up and it’s blue in my face.
Those are very different risk assessments that they have to make if they’re still brave enough to go in and try to rob a physical bank. Cybercriminals, the ability to encrypt data, to use the Tor network, to have traffic rerouted to different IP addresses in the dark web, and to pay for things—commerce—by Bitcoin, which is a digital currency that doesn’t trace it back to a person, per se. That anonymity is extremely powerful in the criminal empire.
We’ve seen a lot of criminal gangs get educated in cyberspace just to conduct criminal activity. They’re monetizing it and saying, “Wow, if I buy this campaign to launch ransomware against, maybe, targeted hospitals, I can make a lot of money.” There’s a lot of value in that. When they look at dollars and cents, they’re very attractive to the world of cybercrime.
It sounds like it’s gotten more beyond just an individual committing crime, hacking, and doing things, but it’s now become its own business ecosystem around committing an electronic crime.
Absolutely. We look at Amazon and the success of that (nobody could argue with it). It’s a great way to buy goods and shop prices—the convenience of it, and the easy button that you press. That’s what I’m starting to see with the dark web. With anything else, what do you do in the world of cybercrime? What do you do to counter it is really sniffing and doing dark web audits.
I’ve been working closely and I’m an advisory board member of a company called Cyberlitica. They provide services. It’s basically looking at your login credentials and personal information about yourself—maybe your email and other things—to see if it shows up on the dark web to give you an instant alert. That’s what the powerful thing is. Now people can be proactive. They can actually take intelligent actionable items when they say, “Wow, my information is down on the dark web.”
That means, in the not-too-distant future, it may be sold, my credit card will be compromised or my account will be compromised. It’s nice to see the world of cybercrime. They’re getting some fight back against them because people are taking this actionable item with different companies doing dark web audits. The software is getting much more efficient.
Tying that in with a little bit of machine learning, artificial intelligence, you’ll now get a phone call that says, “Hey, this is suspicious activity on your credit card.” Why? Because they’re using some of the software and some of these algorithms to determine. It’s unlikely Scott just bought a new pair of slippers in Alaska when I just saw a transaction he was in New Jersey yesterday at the gas station. That makes a big difference—using technology to fight back. I’m excited about that for the future.
Definitely. I agree with that. I’ve been pretty impressed with the credit card companies within the last couple of years. I seem to consistently get a credit card compromised about three days before I go on an international trip. The other thing I’m always impressed by is the fraud amounts have gotten smaller and smaller on the credit card transactions that have happened, but the banks have gotten better and better at spotting them. I was really surprised a while back. I got a phone call or an alert from the bank saying, “Hey, there was this $100 transaction at a hardware store that was within 20 miles from where I lived. We stopped the transaction because we believe it’s fraudulent.”
There was no other suspicious activity on my account. I was like, “How did they know that transaction?” It was a hardware store that I—not that particular location—but a chain that I would frequent. It was not outside my normal purchasing habits, but somehow they identified that specific transaction and were able to stop it.
That’s pretty neat. It could also be some of the AI modelings. They’re looking at patterns. In other words, if one particular cash register, there was a skimmer in the credit card reader. That day, maybe there were 500 cards that were skimmed and a couple of them were deemed fraudulent. Now they could trace that back and narrow the subset down and say, “Ah, high probability (whatever). This bank here, let’s contact these 100 customers because it’s a good chance it’s fraudulent.” Better to be safe than sorry.
They’re using some of those techniques in their modeling and it’s working really good. The challenge is probably to get the skimmers out before it even happens. That’s an area I’ve done a ton of research with, and we’ve done some development. We have a product called Skim Scan, which is cool, that checks to see if there’s a second read head, an actual skimmer placed inside the retail readers (the point of sale readers) be it at the gas pump, an ATM machine where you put your debit card in, at your Macy’s, or any other retail location, as well as Bluetooth skimmers.
We’ve actually identified, and got from the wild, known addresses of really fraudulent Bluetooth skimmers that are placed out there compromising cards. Our little scanner will actually look for those addresses and alert somebody so they can constantly pull the skimmers out before the credit cards are compromised. It’s a really exciting industry, and it’s a multibillion-dollar industry with cybercriminals taking money in each and every day. Very scary and concerning.
Every little way they possibly can.
Oh, yeah. Terrible.
If you don’t know the answer to this, that’s fine. Is there a reason why credit card processors or companies in the US haven’t gone to Chip and PIN in the way they have in Canada and most of Europe? Here in the US, there was a chip on the card, but it’s basically a magnetic stripe. There’s really no additional security on those things. Is there a reason why the card companies haven’t gone to that additional authorization level here in the US?
A lot of it has to do with money. At the end of the day, I always say follow the money trail. It tells you why things are done or not done. First of all, in the US especially, we’ve got the best laws for liability protection if our credit card is compromised. Most of your guests that are watching or listening are probably going to say, “Yeah, my credit card is compromised a couple of times a year, but I always get my money back. They always issue a new card really quickly. You’re only held liable for $50. Most of the time, I have a good relationship with my bank and they waive the fees. Why does that all happen?” Because the laws in place are really good, number one. The bank also doesn’t want to lose you as a customer. Where do they make their money, high-interest rates? At some point—maybe it’s a COVID crisis, somebody loses a job, or whatever—they start to rack up debt on their credit card. That is a lot of money for a bank. If they’re charging 18% interest, if they’re paying 4% interest to cover the cost of all the credit card fraud from cybercriminals, they’re willing to take that.
Let’s cover the cost, eat the loss, reissue the card, let’s get this customer going because they want to keep that money coming in. That’s really the fundamental reason that it’s happening so much. You’re right, though. To your point, you can get a Chip and PIN card. I always ask people—especially when I present—I say, “How many of you have Chip and PIN cards?” Almost 100% of everybody’s hands go up.
I say, “How many of you stick that in front of the machine and actually enter a PIN number in?” You get a little bit of hands that go up here and there. Well, some of the places I do but not all the places. It’s really not true Chip and PIN. It’s Chip and signature. We’re signing Mickey Mouse. It passes through. It is safer than traditional mag stripes that are on the cards, where you swipe the card because there’s some security that’s implemented on Chip and PIN that is obviously better. But they’re not fully implementing Chip and PIN.
If they forced me to enter a PIN every time, I would feel really good as a consumer. What do I do instead? I use Apple Pay where it’s accepted. Google Wallet, Apple Pay, tokenize, and end-to-end encryption. They’re not at any point sending your credit card or personal information during that transaction. It’s fast. It’s secure. It works. It doesn’t have widespread adoption, though.
The cost to upgrade the POS systems for retail would be astronomical. I look at gas stations. That’s a typical example. How many times do you go to the gas pump and they have a Chip and PIN card reader? Very few. There are a million and a half gas pumps out there. Why? Because there’s no federal law of forcing them to upgrade to Chip and PIN. Why? Because the petroleum industry, the issuing banks, it’s a monopoly. Until they’re willing to say, “You have to do it.” October 2020, the law goes into effect. They’ve got to start upgrading.
Slowly, banks are going to be working with the petroleum industry, with gas stations, to upgrade the security to make it better. That’s all good. But the time it takes to upgrade all those will take a few years. When you’re at a gas station, use cash if you’re afraid of a skimmer. Use common sense. If things look like they’re tampered with, be careful and use caution.
Most of the newer threats in gas pumps are all Bluetooth skimmers. They buy a common key. There are six of them out there in the wild. You could buy it on eBay for $15. Open the machine, plug a Bluetooth skimmer, and lock it. In 10 seconds you’re in business. Now nobody ever has to come back to the machine. They simply drive up 50-75 feet away with a laptop. They download, typically, 200 cards a day. I think the average gas pump with a Bluetooth skimmer nets about $114,000 before they find the skimmer. You see how lucrative that problem or that crime is for cybercriminals.
You place it once, you pay someone to go put these in hundreds of pumps, and all you’ve got to do is drive your rounds each day or hire someone to do it. Collect that. All those stolen credit cards, they go back and burn fresh cards at night and go shopping. Typically, they go buy gift cards. They buy $100 gift cards at the store. They hand it to someone and say, “Give me $50. Here’s a $100 gift card. It’s a gift for you.” And then they’re getting cash. It’s kind of that little pyramid scheme that they’re using. Very effective. Hard to spot. Hard to stop.
Earlier you were talking about the dark web, dark web audits, and credit card numbers showing up in the dark web. Probably a lot of the audience, you’re watching your favorite episode of NCIS, and say, “Let me jump on the dark web and find that for you.” As if everything is just magically available in an instant, but what actually is the dark web for our audience?
Sure. I try to explain it in a simpler term. A lot of times, everybody uses the analogy of an iceberg. We all know what an iceberg is. You’ve got the point or the tip of the iceberg above the water. That’s the surface web, what we’re all used to. We go on to do a Google search or go to buy something online. We’re up here at the surface web. Below are tons and tons of information, repositories of databases, lists, links, and all kinds of other stuff that really don’t make a whole lot of sense to anybody working at the surface web.
There are also websites and other portions of information down there that are accessible only if you know the specific address. These are really unindexed searches that you can do, or specific URLs that you put in. To access it, you don’t go to Google to jump into the dark web. You have to use what’s called a Tor Browser. It was designed and developed by the United States Navy. And it was really used so dissidents could communicate, the military could communicate, and stay anonymous.
Because it bounces around all of the traffic, nobody could say, “Hey, the origin of this computer is here in Metuchen, New Jersey.” Because one minute it looks like it’s in India and then it looks like it’s in Texas. It makes it hard to track the guy down, plus they encrypt it, which again, allows somebody to stay anonymous. It allows for anonymous communication. It’s this underbelly of specific sites that you can access.
Again, it’s not all bad stuff. When people classify it and say “the dark web,” “the deep web,” it’s not all bad things down there. A lot of it is just information that supports the surface web. It’s a lot of good stuff. It’s the small percentage of the stuff that’s down there—these 10,000 plus sites, let’s call it—that are nothing but trash. They’re selling guns, child pornography, lists of stolen credit cards, identities, and so on and so forth.
Anybody can access it by downloading free software, the Tor Browser. I have it on my laptop. I go there occasionally when I’m doing research. I could find this information. You find lists and repositories of stolen credit cards and identity theft. They put sample free cases out there that you can download to test. That’s why, often, I always caution people to see if your credit card has a small transaction, $0.50 or $1.
It could likely be that it’s on the dark web, and somebody posted it for somebody to test. A cybercriminal goes, “Let me see how fresh this list is. It’s 10,000 credit cards for $1000. Let me test a couple of them and run $1 or $2.” They say, “Oh, it went through. This list is a fresh stolen list. Let me buy it and spend $1000.” In simple terms, the dark web survives, works, and thrives with the world of cybercriminals.
Got you. It’s not that it’s some inherently evil place, but it’s just a matter of that additional level of privacy is used inappropriately by those who want to steal.
Exactly. It makes it very convenient. It was kind of the analogy about cops and robbers robbing banks and things like that I mentioned before. Since the transactions are typically tied—I think all of them that I’ve seen for the most part—Cryptocurrency, it gives you that added layer of anonymity and distances you from getting caught. It makes it so attractive.
I always ask myself this: If I was a cybercriminal in the basement of Romania sitting in my pajamas, and I say, “Wow, I could make $100,000-$200,000 a year right out of high school. Or I could try to struggle and go to college, get deep in debt, and get a job just to pay for making peanuts in an hour, what would I choose?” That’s the challenge that a lot of people that are a little bit tech-savvy run across around the globe.
I’m just mentioning Romania because that’s a hotbed of cyber activity, but it could be anywhere. It could be in the United States. It could be in Russia. It could be in China. It could be any country that has the same fundamental problem. That’s what’s hard for law enforcement. How do they combat that problem? They’re doing good at it. The FBI has done some amazing things monitoring this information. And nine out of 10 times, if you look at all the major cybercriminals, how are they caught? I find it fascinating—social media. They brag. Bragging rights, big egos, they spill the beans, then they trace it back to them, and they usually nail them. If cybercriminals are listening to this, stop bragging so much on social media because you will be caught.
That’s not the point of the podcast—just tell the bad guys how to do it—though. What are some of the things the rest of us should be doing? You talked about checking boardrooms for wireless threats. You talked about dark web audits, credit card transactions. Should we have the warning signs that maybe we have been hacked, or we just don’t know it yet type of warning signs?
Number one, some people get this complacency. They read the breach headlines again and again and again and say, “Why bother?” I hear that often when I’m talking to people. It could be a friend, a co-worker. It could be an audience of even cybersecurity professionals. Don’t be complacent. Start out by doing best practices across the board in your personal life, within your business, and then you could start striving to get a more secure stance against these cybercriminals.
You have to almost empower yourself and say, “Hey, I’m going to fight back.” I always use the analogy that the best thing to do is layers of security. I liken it to your home. Everybody’s got a little toggle on your door, but you add a deadbolt, an alarm system, a camera, the fake alarm stickers, and the Fido bowl. Whatever it takes to deter their would-be thief to break into your house. Do the same thing in the world of cybersecurity.
Instead of just logging on to your bank account with your username and your password, think about having an additional layer of security. Two-Factor Authentication, Multi-Factor Authentication is a huge step. It’s not perfect. Nothing’s 100% secure. However, when you take all those physical things within your home to prevent a thief from breaking in, they turn to the guy next door. The same thing in cybersecurity.
They start to try to hack and they’re going to say, “He’s got Multi-Factor Authentication, he’s using encryption. He’s doing this, he’s doing that. I’m going to go get an easy target because there are millions of people that are doing nothing. They’re still using password 123.”
Those are the targets that they’re going to keep exploiting. Until enough time has gone by, where they have to up their game and try the harder thing. Do the best practices always. Common sense, we talked about social media a little while ago. I personally don’t put out my actual birthdate on social media. I always tell people different birth dates when you set up your Twitter account, then your LinkedIn account, then this then that. Why? Because that’s one of the critical pieces of information that’s going to be used when somebody tries to compromise your identity.
The second that phone call is made to the issuing bank, they’re trying to do something and they say, “Wait, that’s not the right birthday.” Click, hang up. Common sense things a lot of us just forget to do. Freezing your credit. I can’t tell you how many people I’ve talked to and they’re like, “Yeah, I’ve got to get around to doing that.” Nobody wants to do it because it’s such a pain. I did it myself. It took a little more than an hour. It’s a nuisance.
I had to take out a card for something else, and it didn’t work. I got denied. I said, “How could that be?” My credit froze. Now I’ve got to unfreeze it or thaw it. Now I get to go through that ordeal. Is it pain? Yes. Usually, we have to balance our trading. Is it convenient or is it secure? Finding that fine line and always weighing towards security, taking the extra time, can do a wonder of things.
Another thing I always tell people, encourage people, when you’re setting up accounts, especially a bank account, a stock account, and you get those stupid security challenge questions. What high school did you attend? What’s your mother’s maiden name? Guess what? Anybody could find any of that information out just by a couple of quick searches on the internet. Instead, use that as an opportunity to use that as a layer of security.
Put in a unique password. Even if you put the password 1234 there, that would be 100 times more secure than putting Edison High School as the actual high school that you attended. That would be a mistake because cyber thieves can find that information readily at their fingertips. I always tell people, instead of getting overwhelmed with too much detail about cybersecurity, focus on the basics. What’s in your control, it doesn’t cost you much money. Keep it simple. Start with that.
After you get that established and set up, then you start thinking about things like a VPN, encryption, data that’s being in transit, and how do you handle the next level of cybersecurity. But start at the basics. You’ll feel strong and empowered to say, “They don’t get me. They’re not compromising my credit card, my computer. I’m not getting keyloggers.” You could fight back against those things initially, then take it to the next level. Otherwise, I think what happens is you will get complacent because you’re just overwhelmed and you’ll do nothing, which is what cybercriminals want you to do.
I totally agree with the hassles and the benefits of freezing your credit. A while back, my wife and I were going to buy a new car. We had the cash to do it, so we went to the dealership, and I said, “Let me write a check.” They’re like, “Oh, no, no, we don’t take checks.” They said, “Okay, fine. We can take a check but you still need to fill up a credit application.” I got to go home, unlock my credit, unlock my wife’s credit. Unfreeze it. Make sure to set it to refreeze after a certain number of days.
For most people, how many times a year are we really opening up a new credit account? Not getting a new credit account every month or every couple of weeks. While it might take half an hour or an hour of our time to do it once a year, it’s better than the hassles that you have to go through if your credit gets compromised. Now you’ve got to spend hours chasing it down.
You can ask the credit card company if they’re going to do credit checks and basic information to make their job and your job easier. You could say, “Can I ask you? What credit agency are you going to check my credit against?” They may say, “We check with Equifax.” Okay, I will unfreeze my credit for Equifax only, and I could set it up with a fuse so in 10 days, it refreezes. It’s yet not another long call. Just to simplify the process, and that works pretty good.
That’s what we do is like, I know I need it just for 48 hours, so you better get it done quickly.
Move it or lose it.
I’m curious, you were talking about the variety of things that happened to you, of getting hacked and eventually getting the money back. What was that process and how much time and effort did you have to spend as part of that investigation to get the money back? Were you actually able to figure out who it was?
Yeah. It was interesting. Maybe to the point, I’ll talk just about the $65,000 that was taken from my checking account, because that to me was the unforgivable sin, let’s say. In the process of it, it took months, unfortunately—the whole process and investigation. Never gives you full clarity on exactly what happened. From the understanding that I finally was able to get out of the bank, it happened through the bank by somebody impersonating to be a teller.
What I did learn in the process during and more so afterward of my research, a lot of people don’t realize how banking works, but cybercriminals learn quickly. And they share that information. Once they’re able to compromise the network in a bank, they’ll get in there and they don’t just start stealing money. They’ll observe it for months.
They’ll observe patterns of certain tellers. They’ll start collecting their ID, their password, and all the information that they use to access accounts and to move money around. They also get skillful in creating deceptive accounts and that was kind of the case of what happened. When I approached the bank and the investigators, I said, “I would like to know exactly who took the money out of my account, specifically what account it went to, and what the name was on that account.”
They said, “Sir, we’re not going to tell you that information. That’s private.” I said, “Wait a minute, they breached my company’s account.” I said, “The law requires you to divulge that information.” They said, “No it doesn’t.” I said, “Yes it does.” “We’ll get back to you.” They called back and said, “You know what, you’re right, sir. Do you have a pen handy? Here’s the account number it went to, here’s the individual it went to, and we’ll tell you the reason that was put down for the actual wire transfer,” because there were internal wire transfers that totaled $65,000 that was taken out of my account.
One of them, interestingly enough, was a woman that was claimed to be out of Cherry Hill and it was to close off the final payment for her mortgage. Something like $20,000 that was stolen out and used for that. That was the claim. The interesting part, all the names that the bank gave me, I determined were fictitious accounts that were then closed out later on.
What they do is create fake accounts, siphon money, steal money from multiple people within a bank and they quickly close them out. Working with federal investigators in the bank would give me that limited amount of information with a lot of pressure on them. I don’t think the average person that starts asking questions gets much result other than the bank acquiesces and says, “Hey we got your money back. Here it is. Go away happy.”
That to me left me a little depressed thinking how often this does happen and how many people don’t fight to get that information. In addition, I took that information with some colleagues that I work with out of a company in Israel. They dug in for me and used those names and some of the accounts to see if any of it appeared on the dark web. I was able to also cross-correlate and say, “These were actually fictitious accounts that were created, money siphoned through, and then closed out.”
Again, the cyber-thieves did a good job to keep themselves completely anonymous. I could not say, “It was this cyber-thief that did it.” However, putting all the pieces together I did identify—or one of the cyber thieves on my Twitter account, I got an acknowledgment, yes, they’re in the dark web, they steal information, and they target security practitioners such as yourself. At least I got a glimpse into one of the personalities. But as far as trying to hunt them down and get justice, I couldn’t and I think most people honestly can’t. That to me is very disturbing.
I’m hoping to change that a little bit by maybe empowering people, educating people, and working with other companies that are in the industry to fight back. But it is, for the most part, can be a losing battle. You do feel good at least. There’s some solace when you say, “I got my money back and more importantly, it’s not going to happen to me again. Now, I’m going to strengthen everything.” That’s what I’m hoping people will do at least, if they get anything from when I try to share encouragement with them, it’s not hopeless. Nothing’s 100% secure, but it is not hopeless. You can do stuff to prevent it from happening to you.
I know one of the dangers is if someone tricks you into sending the money. “Sir, you sent the money and…it was our internal system that was hacked. Absolutely we’re going to make it right because we have a legal obligation to make you whole. But if you as the customer decided to send all your money off to somebody, that’s not our fault, and we’re not going to help you at that point.”
That’s a huge problem. I’ve identified, in just the past nine months, four instances where my email has been spoofed and it’s my signature, Scott Schober, President and CEO Berkeley Varitronics, and it’s a request. This is what I thought was interesting. In one of the particular cases, we have 70 resellers internationally, this cybercriminal wrote to each of them basically saying, “Hey our bank account changed,” trying to pretend they’re Berkeley Varitronics.
“Here’s our new bank account, routing number, and blah blah blah. Can you place an advanced payment for that large order that’s coming through for blah blah blah. This many tens of thousands of dollars.”
The good news is out of those 70, I had eight of the resellers immediately, within half an hour of them receiving it, reach out to me, texting me, calling me, and emailing me, saying, “Is this legit? This doesn’t look like something that you would ask,” and I thanked them all. I said, “Thank you.” And then I had to inform the others, “Hey, this is not me.” There were a few minor tells that were in the email.
It was nice to see that our resellers—again, they’re in the world of cybersecurity, too. They’re pretty savvy. They said, “This doesn’t look like you because boom boom boom.” I said, “Thank you. You understand it, you got it, you weren’t duped, and you weren’t fooled.” There was a percentage of them that did respond to them and asked a few more questions. “When do you need the money?” I’m like, “Oh.” It really helps you appreciate it. You can’t be too trusting with anyone. Question everything, and don’t use the means of communication.
If it’s email, get outside the world of email and text, or phone call. Do something, go old school, send a fax, do something that will kind of validate, “Yes, this is me, and yes, I want this money transfer for this amount.” If you question the process, usually, you’ll prevent it from taking it to fruition.
I have looked at a number of those types of high-profile cases where if the person had just verified outside of the method of the usual communication, they would have found out it was the original email coming in was from a misspelling of the email address, the text message that came in really wasn’t from the boss. Asking him to go out and buy gift cards for all the staff because they’ve done such a great job.
Billy and I are laughing. He came up to me one day and said, “Are you buying the gift cards?” We had that scam here as well. Really, they’re targeting everyone and that’s the interesting thing. I always approach it and say it’s kind of like spam. Spam just goes out there. Every day, billions of emails go out there. They don’t really know they’re victims. And then there’s more focused phishing attacks or whaling attacks, where they’re going after CEOs and wire transfer.
You almost have to look at the spectrum of where the attack is, break it down and analyze it, and I know the average person hearing this is going, “I don’t have time for this.” Unfortunately, you have to take a few minutes, and not be too quick to click on anything, or be too quick to transfer that money, because once it happens…
I’ll share an example of that with some of the credit card fraud when we shipped something to Indonesia in my book, and a lot of it has to do with timing and at what point do you question things.
It’s important for everyone that’s listening and watching, take a few minutes to question everything, even if it’s your spouse or whatever. It may appear to be them, but it could be somebody spoofing their email, or their text, or their phone calls, so use caution.
One of my first online ventures, I was selling books competing against Amazon…
I think they won.
Yeah, they won. I was really excited one December. I got the biggest order I’ve ever received. I was doing maybe $10,000 in sales a month across all my orders and this one order came in for a couple of thousand dollars. I’m like, “Wow, my business is really growing,” and stuff like that. I processed the credit card, shipped it under their FedEx account number, and like, this was the easiest thing, and then, later on, the credit card charge got reversed. Find out because it was a stolen credit card, the FedEx account was a stolen FedEx account number.
Anything that seems to be outside of your norm, you really have to hold the enthusiasm, hold the excitement and go, “Is this legitimate? Is this our biggest customer ever?”
Yeah, question everything. I had one, I was doing some international travel. While I was out of the office, a check came in for $82,000 for an order. Everyone looked at it and said, “What the heck is this for? Scott must’ve quoted it. He didn’t give me a copy of the quote.” We always try to align it to the quote, to the purchase order, or the salesman. Qualify everything before we do anything. They didn’t want to do it and they said, “We’ll just put it in the bank and we’ll explain it when he gets home.”
I come back a week later, and I’m looking at my desk and said, “What is this for?” I go ask them, they said, “We thought you initiated this, and quoted it, and sold it.” I don’t know who it’s for and sure enough, it was a complete scam. It was a fake check, and then I looked at my email and I said, we paid to the wrong amount, could you just pay back this little bit. They routed through the Canadian Bank, which takes about five days until it actually settles, so it’s a big giant scam.
They’re looking to pay the delta difference. They keep that money and the big stuff just disappears and of course, the money came back out of our account, so complete traditional scam, but it looked really convincing. When I analyzed the envelope, you saw the check and the whole email. Somebody took a lot of time to analyze the way we do business. Look at the size of the transaction, the way things were written—it will fool just about everyone.
I always encourage people, it’s not just you, but really your entire staff that handles any of the funds, the wire, the credit cards, checks that are coming, that everybody is disciplined to communicate and question everything.
Anytime there’s a new account or something happens outside the normal procedure, you’ve got to question. That was one of the things that I’ve started to talk about. If you’re a small business, then you need to have established procedures for how you set up new vendors. That there’s something well beyond just an email saying, “Hey, create an account and pay this vendor.”
There needs to be, again, that out of channel, out of communication, secondary piece of information. A piece of paper dropped on the accountant’s desk from the person signed saying “Yes, I’m authorizing this account to be created. Here’s how to pay them, here’s what the average order is, or the average dollar amount. If it ever gets above this amount, it needs a verbal authorization,” or things like that.
Yeah. That makes a lot of sense. A simple thing I did recently after our account was compromised and money was taken out was I met with the bank, and I made sure I set up a new account and security protocols. I said, “I never want to have money that could be allowed to be wired out of my account without me signing a document and being here in person.” They established that if I do a wire transfer out of my account, I have to go to the physical bank. Here’s my ID, I have to sign the document and approve it. Otherwise, money can’t come out.
It’s a pain. Again, it’s that convenience for security. But guess what, no money’s ever come out of my account again that I haven’t authorized. It works. If you put those discipline steps in there, and it works for $50 or $50,000. That’s what I think people need to realize. It’s your money. When you have to go through the process of fighting to get it back, you realize how much time, effort, and cost. Your time is worth something. When you’re spending months trying to chase money down to get it back on your credit card and prove things with invoices and paper trail. Unless you’re a really, really good bookkeeper and keep accurate notes, sometimes it’s hard to do. That money doesn’t come back in your account overnight as people sometimes think it is. It’s better to spend the time and effort upfront securing things than pay for it later.
Is that the premise of your second book, Cybersecurity Is Everybody’s Business, that everybody needs to be involved?
Yeah. I think it’s bringing it to more of a conversation now that when things first happened to me and I would share information. Two-factor authentication, or what’s a DDoS attack, a secure password, it was kind of deer in the headlights—the conversation a few years ago. But things have changed greatly. You go post Target and Home Depot breach. It’s now affected everybody. It affects small business owners. It affects consumers.
Everybody I talk to says, “Yeah, I have my credit card compromised. Yeah, I had this happen. I had my identity compromised.” It’s now become literally everybody’s business to take security and responsibility themselves, so they’re not the next victim.
I think it resonates well, but especially small business owners. I’ve noticed that niche—there’s a lot of small business owners. They don’t have the money to spend as JP Morgan does—$500 million to secure their computer networks and train everybody. A small business owner can do practical things so they could stay much safer, though. That’s where I think it resonates well with them. The spillover is most of that information you use in your personal life as well as a consumer. It helps a lot of people with it.
The third book, Senior Cyber, the book is now completed. I’m going through the editing. I noticed again and again and again that there’s this population of the elderly that cybercriminals just don’t care. They’re just targeting them, just like the crazy cybercriminals targeting people with the stimulus, and the COVID, and anything else they can steal. They don’t care. They just want the money.
The same thing they’re doing is targeting seniors and the elderly. I’m trying to help with that book. Empower them, feel comfortable using the phone, comfortable on the internet, comfortable with the computer, and not falling victim to as much of the scams and being fooled out of their money that they worked so hard for.
Yes. In the golden years of your life when you enjoy the fruits of your labor, you don’t want to spend your time and effort trying to recover stolen money. You want to travel and live the high life.
Wrapping up here, is there any way that people can learn more about you and what your company does?
Yeah, absolutely. My company is simply www.bvsystems.com. There, we’ve got all kinds of wireless tools, bug-sniffing tools that we’re selling, again, law enforcement. We’re selling to colleges and universities, DOD agencies, pretty broad spectrum there. Then my personal website is simply my name. It’s scottschober.com, and I’ve got free information on there, tips you can download, excerpts from the book, a bazillion videos, and lots of practical information. It doesn’t cost you any money, but it’ll help you benefit so you can stay safe.
Great. We’ll also make sure that we link to Hacked Again and Cybersecurity Is Everybody’s Business in the show notes. If anyone wants to get those books, they can jump onto Amazon and go ahead and download them.