On demand 1h 3m 50s Basic

Trickery, Deceit, & Cyber Scams


Cyber security is generally seen as a technological field, but criminal hackers often employ low-tech "social engineering" attacks against people using the networks they seek to target. These attacks are actually the initial cause of most data breaches and other security incidents. How do they work? And what can you do to protect your clients and your practice?

Transcript

Kara Wenzel - Hello, I'm Kara Wenzel. I'm program attorney here at Quimbee. And today I am talking with Scott Aurnou. Welcome, Scott.

Scott Aurnou - Howdy, great to be here.

Kara Wenzel - Thanks for joining us. Today Scott is going to tell us all about trickery, deceit, and cyber scams.

Scott Aurnou - Nothing but the upbeat news for you guys today.

Kara Wenzel - Yeah, I mean, honestly, I'm very excited. If you have not had the pleasure of catching a prior program of Scott's, you are in for a treat, and I'm sure you'll learn something exciting.

Real quickly about Scott, Scott is an attorney and founder of the Security Advocate, which assists organizations in addressing information security and data privacy issues. This includes privacy and security awareness training, security consulting, compliance with cybersecurity and privacy laws, and related legal concerns. Scott spent over a decade as a litigation attorney in the New York City area. He served as lead counsel for Private Client Services Group at Smith Barney. He uses his legal, security, and business background to make complex information security concepts easy to understand and even entertaining for non-technical audiences. Scott has published security-related articles in national publications, ranging from the New York Law Journal to SC Magazine. And he's also created and delivered numerous presentations on information security and data privacy-related issues for executives, managers, and professionals at a range of organizations, including the New York State Bar Association and NIST, the National Institute of Standards and Technology.

Scott is a Certified Information Systems Security Professional. He's admitted to practice law in New York, as well as the federal district courts for the Eastern and Southern Districts of New York and the US Court of Appeals for the Second Circuit. Scott is the author of the Introduction to Information Security LiveLessons video training series for Pearson publishing. So welcome again, thank you, Scott, for joining us.

Scott Aurnou - Pleasure's mine.

Kara Wenzel - So to kick us off, what can you tell us about cybersecurity? Is it fair to say that cybersecurity involves more than just technology?

Scott Aurnou - Very fair. Obviously by now, of course, it's fair to say that lawyers are prime targets for data theft. Hopefully if you're watching this, you're not surprised by this statement. Thing is though, information security is about more than just technology. Computer networks of course are created by and for people, and human behavior can have a huge effect on how secure a network will be. And, look, people are human, that's the whole point. We all make bad decisions sometimes. And decisions are often made by what you think at the moment. Your brain is working out like, okay, I'll regret this the least later. And this is where people do things like jump into the rapids to save a drowning child rather than stopping and calling for help first. And we've all read news stories where the inevitable result of that is, adult drowns trying to save child who swims to shore. And it's a terrible thing, but this is how these bad decisions can jump back. And certainly in terms of a network that can lead to costly errors, and attackers are all too happy to take advantage of these.

And from an attacker's perspective, why go through the trouble of breaking into a secure network or building, for that matter, using technical means if you can get the same thing just by tricking someone into giving it to you? Many of the larger data breaches that you'll see in the news, if you look back and you sort of tick back where it is, there's always a poor decision in there someplace. Someone's been tricked into giving something up, or accidentally leaving access open that they shouldn't have, and that sort of thing. And obviously these threats go beyond data breaches themselves. You have things you may have heard of like ransomware. Business email compromise scams. There's what's called wiper malware, it literally just wipes out data, it's not fun. And a host of other things. Like I say, all good news today.

Kara Wenzel - So if attackers are just effectively using people to get at technical systems, what are some of the technology basics that would be helpful for us lawyers, non-tech people usually, to understand?

Scott Aurnou - Well, it's funny, I always think a lot of the trick is understanding how all these systems sort of, why can one thing get to another, how does data go from place to place? And maybe the place to start with that is, how do you store data electronically?

There are three basic ways to do it. There's magnetic, optical, and what's called flash, also referred to as SSD or solid state drives. A magnetic drive is something you'd see in, like, a hard drive. This would be in a regular computer or server. Typically those look like a little stack of silvery platters, almost like pancakes, with a little spindle arm reading them. And what they're looking for are changes of magnetic polarity, that's how data is read. An optical drive will be something similar in terms of its shiny discs, usually not a stack of them, like a single one, like a DVD player or an old-school CD player. And what that's reading is depressions in the disc, which are read with basically a sensor. So in effect it's a little laser checking out those little depressions, and that's what tells you data that way. A solid state drive, or flash drive, is something you'd see in your phone. Newer computers have them, as well. They're a bit more expensive than a magnetic drive, so they're not in everything, but they tend to be a little faster, and they also don't have moving parts.

There are certain advantages to that. And every system has its advantages and disadvantages. The magnetic drives, like I say, it's the polarity switch. With the flash drives, it's little switches inside it. And in effect, what it all boils down to is they're all storing that data in different fashions. But since that data boils down to the same thing, that's why they can communicate with each other. And what it boils down to is what's called binary code. We've all seen representations of this, those ones and zeros disappearing into the horizon. Now, that is data. Crazy as it sounds, everything you're looking at, the screen you're watching right now, boils down to these ones and zeros, everything.

So what that basically is, every single one and zero is referred to as a bit. You can't read an individual bit because it's such a small thing. But they run in units of eight, is the smallest one. That's a byte, B-Y-T-E. And that's also still pretty tiny. That's like a number, maybe a word, depends on the program and what it's being used for. And they get effectively built up over different amounts into being more and more stuff. About a 1,000, 1,024 is the real number, not on the test later. There's no test later. That's a kilobyte. 1,024 of those is a megabyte. 1,024 is, probably heard of a gigabyte. Beyond that terabyte, petabyte. They keep going up and they're bigger and bigger by these factors of about 1,000. And what's on that will vary quite a bit, depending on what the program is. Like, if you're using it for a photo program, well, how high-definition is the shot? Is it a low-res shot? Then you're gonna have a lot more shots in the same amount of space versus a very high-definition shot. And just to give sort of a general benchmark, a conservative estimate, if you're talking just plain text, a single gigabyte will hold about 75,000 pages. So you think about that for something like, let's say a computer with a one terabyte hard drive, which is pretty normal-sized nowadays. That's in excess of 75,000 pages of data can be stored on that. And you can have little stick drives, the ones you sit in your pocket, you could have one of those, 256 gigabytes, that's gonna add up to around 17, 18 million pages of data. So it just, that adds up.

And of course, the way in which you're connecting with these various systems is a computer network. And the most basic system of that is called a client server model. Think of it like spokes in a wheel. The center part would be what are called servers. These are larger computers that handle centralized functions. Like in your firm, you might have an email server, you might have a web server, which serves everyone in the firm. And everyone's individual computers that are connected to this central repository effectively, are called clients. So if you're watching this on a work computer right now, you're watching this on a client computer. That's basically how that works. And the idea behind a network, of course, is it includes all devices intended to have access to your firm's data. And of course, attackers know this, and they'll often use a compromised laptop or desktop or a mobile device, for that matter, as a beachhead to gain entry into the larger network that's sort of, it's connected to. Now the internet itself is basically a massive decentralized network. And the way information goes back and forth is a process known as packet switching. Basically, if I were to send something to you, it'll get broken up into little pieces, sent to you, and then reassembled on the other side. And we sometimes tend to think of something like the web as the internet. It's a portion of the internet.

Typically speaking, you'll see, you have an address on top, like it might say, quimbee.com. That's the address you see. There's what's called an IP address, which is the numerical address, which is the real address on the internet. And that's both web pages and anything else that's actually connected to it, there'll be a number that corresponds to it. The real address, if you will. Think of it as the White House versus 1600 Pennsylvania Avenue. 1600 Penn is the real address. Some people will know the White House. They know where it goes, but if it's your house, you might actually need the individual address to get it there. So the numerical address is an important thing to realize, 'cause that's the real place it is on the web. Now, the reason to mention all this is because email is gonna come up in this presentation 'cause a lot of frauds come through it. And how does email actually work? Well, like I mentioned, it gets broken up into these little packets, and they contain source and destination information addresses, but those can be faked, that's called spoofing.

And then there's the body of the actual information in email and possible attachments. Now what happens when you hit send, it goes from your email, basically from your computer to your firm's email server, that centralized thing. And then it goes bouncing out around the internet, through any number of routers to the receiver's email server. Think of it like, remember when you're a little kid at the summer lake winging a flat stone over the pond and it's bounce, bounce, bounce, bounce? Think of it kind of like that. That's how the email's bouncing over the routers through the internet, to basically the destination address. Now, one thing to realize, if it's not encrypted, talk a little bit about encryption a little bit, but basically what that comes down to is that, if it's not scrambled, secured, anywhere along the way, if someone can get access to it, they can grab it and read what's in it, which is of course a bit of a bad thing. And there's a cliche in information security that, quote, "Basically an email is as secure as a postcard written in pencil."

Now, of course you don't want that for private communication. So this is where encryption comes in handy. So you should never hesitate to use encryption. But what is that? Encryption's basically done through what's called an algorithm. Probably heard the term before, what an algorithm is, is it's taking data and running it through basically a prescribed set of steps to manipulate that data. In the case of encryption, what it's doing is scrambling it. So someone who intercepts it, can't read it without the key, which is used to encrypt and decrypt data. There are different types where there's one to decrypt, one to encrypt. We don't need to get into that today, I promise. So basically what it comes down to is, that scrambles data, makes it more secure. Now for email, of course you want to use that because these days it's not hard to get encrypted email. Chances are your office is already using some sort of, like a security package or just even an email package, which has that as an option. So if possible it should always be enabled. And on the off chance you're not, there are free options available. The one I would point to is one called Proton Mail. Free, available, encrypted, and quote, "End-to-end encryption," meaning it encrypts on your side, doesn't decrypt till the other side. And at the end of the day, if you're doing anything which you feel might be of questionable security, as in, it's not as locked down as you can make it, make sure you have an express understanding with your clients. You can obviously put something like that in the retainer agreement, but surprises later tend to bounce back in a not so fun way to the attorney.

Kara Wenzel - Yes, definitely. I'm taking mad notes for my test at the end of this. Mental.

Scott Aurnou - If I ever do a test at the end of these, please reach into the screen and slap me.

Kara Wenzel - So where does the fun part come in? How do trickery and deceit fit into this?

Scott Aurnou - Ah, I see you already realized it's fun. I knew I liked you, okay. So, well, at the end of the day, attackers can use human nature to trick a target, i.e., you, into giving up valuable information, allowing access to a restricted area, transferring funds, you name it. And these attacks can come with threats or rewards. And often they'll seem urgent. The whole idea is you've gotta take action right now. And most people, they get that people are human. Most people do want to help. You see the little cat stuck in a doorway, you're gonna help the cat out. Most people are decent, and they get that. So they take advantage of it, of course. Lovely. Also, one thing they sometimes will engage in is what I would call pre-attack reconnaissance. Basically that's information gathering for the proper attack coming later. So for example, just because information doesn't seem especially sensitive in context doesn't mean that an attacker can't come up with it later.

But for example, if your staff or a colleague tells a caller that you had a conference in Atlanta this week, that caller may then contact you next week to, quote, "Follow up on your conversation at the conference." You never talked to this person, but now they've got, "Oh yeah, yeah, you were so and so, right, uh-huh." Now, why would you think that not having spoken to this? Well, at the end of the day, human memory's kind of malleable. There's an interesting book about this from a few years back called The Memory Illusion by a Dr. Julia Shaw. It's kind of cool. A couple of things it talks about there are results of a study that was done on people's memory using manipulated photography. Plain English, basically what they'd done is they talked to people. They connected with their friends and family, got photos of former events, things that they'd done and seen. And then they altered the photos, and when they were talking to them, showed them these altered photos without indicating that they were fake.

A couple of examples that jumped out at me I thought were great, one was talking to people about that time they played around with and met Bugs Bunny when they were at Disneyland. Now, if you're a fan of the old-time cartoons, that doesn't quite add up, 'cause Disneyland is Mickey, Goofy, Donald Duck. Whereas Bugs Bunny is a Warner Brothers cartoon, so that we're talking Foghorn Leghorn, Porky Pig, and Bugs Bunny. Bugs Bunny is never gonna be seen at Disneyland. But of course, since they were able to show people pictures of them playing with Bugs Bunny, after a little they'd be like, "Oh yeah, yeah, he was super great. He picked up my daughter, he couldn't have been nicer." It's astonishing, but people would buy into that. And they even went to some absurd lengths.

There was, part of the study involved talking people into believing that they'd gone on a picnic with the Royal Family while in England. And a lot of them went along with this because they had pictures. Like, "Oh yeah, she was the sweetest, the Queen, yeah." And it's astonishing. You think, wow, people really buy into this. But I mean, day to day nowadays you see a lot of examples of this sort of stuff, where people are presented with information, where I think if you step back going, wait, you bought that? But it's presented a lot of cases where you're shown something that seems like it ought to maybe sort of be believable, but it never actually happened. And attackers realize this and will take advantage of it, which is where, again, "Oh yeah, we were chatting at that conference in Atlanta. Pretty exciting stuff, wasn't it? I love that speech from Fred," you know. And you're going, "Yeah, Fred, he was kind of boring, but yeah, that was okay." The next thing you know, you've established a rapport with someone who's looking to steal stuff from you, which is never good. And again, from the attacker's perspective, why put in the time and effort to circumvent a system's defenses technologically, when you can just trick someone into giving up their login credentials or downloading software, basically malware, which is malicious software. And we're talking about this, I should clarify this type of attack has a name. It's called social engineering, and it comes in a number of flavors. And these are scams and attacks that you, your colleagues, or anyone you know can and will encounter on any given day.

Kara Wenzel - So can you take us behind the curtain and tell us a little bit about how some of these attacks work?

Scott Aurnou - Yes, the good news just keeps coming. Like I say, attackers use human nature to gain access, info or perpetrate financial fraud, you name it. Thing to realize is one, for example, with the social engineering, one of the most popular types, we'll give details in a second, it's called phishing. The most recent study from Verizon's Data Breach Investigations Report, which is a really well-regarded report in the industry, noted that phishing attacks, just phishing, not all social engineering across the board, were behind 36% of all the breaches that it studied for its 2021 report. That's crazy high. So basically, and just to indicate, 85%, that's 85, 8-5 percent, of all breaches involved some human element in the problem that allowed the bad guys to get in. So, I mean, at the end of the day, the idea here is to get you to click, respond, or take another action that an attacker can take advantage of. This could mean opening up an infected attachment to an email. This could mean clicking on an infected website link, something like that. Now, when that happens, what are the consequences?

Well, first, malware, like I say, short for malicious software, that can do a lot of different nasty things to your computer, stealing data, locking things up. There's something I mentioned earlier called ransomware. Ransomware is using encryption, we mentioned, which is normally a defensive technology, basically against you. The idea behind ransomware is it takes your own stuff and encrypts it from you. And then they charge a ransom for you to get it back. And then there's the question of will they actually release it? And then a lot of times, if you're ready and you're prepared and you can resist the ransomware, what they'll do instead is say, "Oh, well, we also stole some of your sensitive data, so you should definitely pay us." You know, really nice stuff. There's also spyware, which is where they're literally looking at what you're doing quietly in the background. And if you're working on confidential information, this can be a real problem because you have no idea while you're, say, developing your client's litigation defense, the other side's reading it and feeding it off to your opponents. Not good.

Also one of the most basic ones is credential theft, leading to account compromise. Plain English, they steal your or someone else's login information, which allows them to be in the network masquerading as you or someone else. Often they engage in something referred to as privilege escalation, which means once they're in the system, they want to get what's called a more privileged account. There are accounts known as administrator accounts, which are a big deal inside a network because, unlike a normal account, they can download data, they can delete, or, sorry, they can download programs, delete programs, and they can change things on the system, which a normal user, if a system is set up correctly, should not be able to do. So, obviously from an attacker's perspective, if they can get ahold of a program like that and get the login credentials, they can do a lot more damage to a system because they can have a lot more control over it. And obviously it's a big deal to try and lock those down properly. And then there's just straight up theft, meaning they'll get in, they'll steal data. If they get physically inside an office, they may steal things and just walk off with them.

Now, these particular attacks come in a few different forms. Via email, you've probably heard of phishing, we mentioned it earlier. There's also spear phishing, which is a variant on that. There's something called a business email compromise, or BEC scam, we mentioned at the start of this. Some of them come via phone calls. There are in-person attacks with this social engineering. There's one called baiting and a couple of others called pretexting and tailgating. We'll talk about those in a little detail.

And then there are web-based attacks. And the main thing to remember with all of these is that these attacks are always dynamic. What I mean by that is they're always going to change. So when you think, "Ah, I've seen this, I know what they're doing," it'll change. Sometimes they'll trend in different directions, but at the end of the day, they'll keep changing it until they can get in. From an attacker's perspective, if there are 100 attacks and they get turned down 99 times, they've won because they got into the system with the one attack. So it's always much trickier when you're defending rather than attacking.

Kara Wenzel - So you mentioned earlier email, and we all know to be at least a little bit suspicious when we get a strange-looking email. But what about when it's not strange? What about when email is used for social engineering? How does that work?

Scott Aurnou - Well, I mean, there are a few different kinds, of course. I mean, the base one is phishing, that we've mentioned, and those are mass email campaigns that typically try to trick users into opening an infected attachment, clicking on an infected website, and/or giving up some personal or organizational information. And as I mentioned before, a sender's address can often be faked, AKA spoofed. Frequently these are designed to look like an urgent message, something like a bank account that's about to be closed, a missed delivery, a follow-up on an invoice. The idea is to get you to take action by clicking on this infected link. And as you mentioned, not all of them are really obvious. Some of them are, you're looking going, "Wow, this person can't speak in full sentences. Hmm, this looks suspicious."

Other times they'll come in and they'll look so legit. I remember some years ago I had, it was bordering on an argument. The guy was almost shouting at me, he was an older attorney I was trying to tell, look, I know that thing had Verizon logos all over it. It wasn't from them. He was saying, "The pictures were there!" And it's like, okay. So I had to sort of walk him through. I mean, at the end of the day, anything you see inside an email pretty much can be fake, pictures, especially. I mean, that's all it is, it's a picture. It's not a seal of approval like it's purporting to be, it's a picture, and getting an illegal picture of someone's logo is pretty simple stuff. So at the end of the day, you can look at some things, but it can be really problematic, because sometimes they don't always reveal themselves. Sometimes you have to be just extra suspicious. And if you find nothing at all wrong, which is something that makes you go, hmm, that's when you pick up the phone and you call the sender up. Don't use anything in the email, of course, 'cause that'll be fake, too. But if let's say it's your bank, go look on the back of your bank card and call them up and have them go, "Yeah, no, we don't send that, mm-mm." In which case you've just saved yourself some heartache.

Now the thing to also realize with these is they sort of, I don't know if I'd say waves, exactly, but certain themes can become more popular at given times and then recede and then come back again and then recede. A few examples of this, in early 2017, W2 scams were a really big thing, where attackers were tricking companies into giving out lists of their employees' personal details. Not a good thing. And then let's see, there was a big trend in 2019, early 2020, for what we refer to as "sextortion" scams, in which someone would say, "Haha, we know what you're looking at. Here's your password for proof." Meantime, all it was was an old password which had been gotten in a data breach years earlier. Some people don't change their passwords. So they're looking, going, "Hey, wait a second. My God!" And you know, at the end of the day, it's nothing. It's just trying to scare you into reacting. And I had numerous calls from people going, "Hey, wait a second, I never--" I'm like, "Look, look, not judging you, just, it's a scam. It's a scam, don't let that scare you." And presently, we're recording this in early 2022, and one thing that's been trending lately, it's actually been Instagram scams. What those are is you get an email claiming to be from Instagram, which will claim there's some problem. Someone has complained about your conduct. You've allegedly violated an internal policy or there's a copyright issue. And if you just click here, that'll fix things. Uh-huh. You click there, you might even be taken to a legitimate-looking form, but that form will be infected and attack your computer while you're addressing the quote-unquote problem.

Now, basically at the end of the day, the best thing you can do is exactly what Kara's talking about: caution. Basically presuming that any unsolicited email from a bank, or anything else like that, anything even borderline sensitive, is fraudulent. And if you are at all concerned, like I say, contact the organization directly via the phone, the official website. You could even go on, if it's a bank, go visit an office branch. You can check that way. Just don't go through what's coming at you through the mail. Because you'll see sometimes everything looks legit, and then you go to click on it and it's like, hey, wait a second, that's not the bank. And one thing you can do that's really helpful is, they'll say, like, "Oh, click here to contact the bank." If you're on a computer, you can take your cursor and hover over it. And what'll happen is on the lower left portion of the screen, it'll actually list where it's going to. You see that with any link, actually, like a news story or anything like that. You can just hover over it, bottom left of the screen will indicate where it's going. And sometimes it'll say something like, "Click here for Chase Bank," and then you actually linger over it, and it says some gibberish thing at Gmail, and you're going, "Oh yeah, I don't think that's where I'm meant to go, nope." And also, one of the things that you can find in there is sometimes they'll want you to take steps to make it work so that you can read it. One thing that's kind of popular, has been for a few years, has been sending you a document that won't open correctly unless you enable what are called macros, which are little task automators in Microsoft programs. These are most popular in Word and Excel for the attacks. So you get an Excel document that you can't quite open, and they'll say, "Oh, no worries, just enable macros."

That's the attack. Really annoying, but that's just kind of the way it works. And if you run into something like this, like I say, you can try contacting the alleged sender directly. If you really are running into trouble with that, a plan B is, if you have a security department, have a quick chat with them. "Hey guys, here's what I saw." And nine times out of 10, "Yeah, don't open that. We'll come help." And one thing that used to show up a bit in the past, again, the trend is down again, but I'm sure it'll pop back up, fake software updates. One reason these haven't been as popular is because a lot of programs just automatically update in the background, and they should always be set that way. You shouldn't have to manually update your programs nowadays, that's just not a thing anymore. At least it shouldn't be. Now on a related note, phishing has a sort of nastier cousin called spear phishing. Spear phishing is somewhat like phishing, but it's personalized to the recipient. Often it appears to come from someone you know with details that make it look legitimate. Like, for example, one common tactic is an attacker masquerading as someone from your organization's help desk. And they'll ask for your network login information to perform some type of, like a security check or system upgrade or some other pretext to get you to go, "Ah, sure, here you go." Now of course that's fake. And again, you can directly contact your help desk separately. Now another thing you might see as a spear phishing attack might be an email that talks about a critical report, which they, oops, forgot to attach. But of course, you can just find it on Google, and then you wind up on an infected site. As soon as you try to download the report, you're downloading malware. Ouch. Like I say, never hesitate to call and check.

Now, these attacks also can easily come in via a text message, that's something called smishing, which comes from the proper name for text messages, SMS, or short message service, and then it can come in via an instant message, via a social network, any of them can work if you want. Now, another one to look at is this delightful business email compromise scam I mentioned. They're fun. Those are basically wire transfer fraud involving fake vendors and/or senior firm or company personnel trying to trick people into sending out money. Basically this is... Typically they'll target employees who handle financial transactions, or at least people who have supervision over them. Now, this is something that also, in the DBIR report, that Verizon report I mentioned earlier, has greatly increased in 2021. It jumped up 15-fold from 2020. Yes, you heard that correctly, that wasn't 15%. It went up 15 times. Because again, this is a great way to just have someone accidentally send you cash.

This can be basically like a direct request from a senior official in your organization asking you to wire out funds, or a vendor, quote-unquote, updating its wire transfer information. You update it, the next bill gets paid and it gets sent to the wrong place because that wasn't really your vendor updating the information. Now, one thing... Oh, there's a lawyer variant that I should probably mention. Showed up a few times, it's not constant, but just keep an eye on it. If you're dealing with real estate closings, sometimes what an attacker will do is insert themselves and update some of the wire transfer information. And the problem with this is, do you have a way to ensure that you can check this? 'Cause if you're just doing it by email back and forth, and the attacker is basically screwing around with it, you're not going to know. So you've got to make sure you have a way where you can call someone up legitimately and go, "Okay, was that you?" I mean, the best way you could honestly do it would be to meet in person over a coffee or something and literally just exchange it, 'cause then that's not gonna be intercepted. But if you do have to do it via message or email, first, encryption, and second, make sure there's a way to actually confirm any change like that being made as legitimate, because if it's not, that's really a problem.

Now I should mention this type of attack tends to look very, very legitimate. It's always gonna be well-researched. 'Cause that's the thing, if they're pretending they're someone you know, they're obviously gonna make it look good, otherwise it's a waste of time. And as with the other attacks, despite the name, business email compromises can also come via phone or instant message, et cetera. Now, they also can include a lot of the hallmarks you see in phishing, like email spoofing, fake websites, and even full online conversations with scammers impersonating senior personnel or vendors.

One thing that's popped up in recent years has been the use of what's referred to as deep fakes. Deep fake is primarily seen as a video thread in which basically pictures are used to sort of put someone else's face on a different subject. Where you might have seen this in popular media would be something like, at the end of the Star Wars movie Rogue One, Princess Leia appears, young Princess Leia, and obviously Carrie Fisher did not do that in 2014, but they had basically a facsimile of her using this type of technology. I mention this in context because we mostly think of that one as video. There's an audio component too which allows people to fake voices. And this was used, in 2019 there was an attack which cost close to I believe $250 million in which the CEO of a UK company focused on energy was, basically he received a call from the person he thought was the CEO of his parent company. And the voice sounded correct. As he put it, "The melody sounded correct." It sounded just like him. And he asked him to transfer this money out to the bank account of a Hungarian vendor, which was then done.

Now, they discovered it subsequently when this attacker called back to first confirm that, yes, you've been reimbursed, and then asked him to send a further one. And he realized something was up and they checked, and the phone call was coming from Austria, not Germany, and something was wrong. So that worked in that instance. But again, it appeared to be legit. So what I'm suggesting here is that you always have a process in place where if there's something necessitating some large transfer always have a way to independently verify it using another form of communication, also known as out-of-band communication. Now, attackers can also use other social engineering attacks, even your own website, news reports, and certainly social media to get the information needed to make the BEC messages look genuine. This can mean like, correct employee titles, relevant business news, et cetera. 'Cause if you're posting on something that just happened on social media, anybody can see that.

And it's also, like I say, it's critical to have these secure procedures for any financial transactions. Make sure if you've got anything, detailing anything going out, updating routing information, that there's a way to check that independent of the direct information. And one thing to keep in mind also, a lot of these tend to come with sort of a request for speed or secrecy or both. Any time you see that, regardless of the reason that's a red flag and a half. Yeah, they're gonna try and make it sound legitimate, but the mere fact that they're asking for something like that means that something's up. And at the end of the day, if this has happened, while it's no fun whatsoever, if you believe your organization may have been targeted, contact your financial institutions, they may be able to lock some of these funds down before they transfer or call some of them back, and certainly law enforcement as soon as possible. Now, with respect to law enforcement, you'll want to start with the FBI or probably the Secret Service.

Kara Wenzel - Go to the big guns right away.

Scott Aurnou - They're the ones who really deal with this. Occasionally there will be state-based organizations that are sharp, but generally the FBI and the Secret Service have the resources and the skills to, they're the ones you want to start with, basically.

Kara Wenzel - Yes, yes. I actually had to do that one time for a former employer in the government.

Scott Aurnou - Ouch.

Kara Wenzel - And yeah, it was unfortunate.

Scott Aurnou - Well, the thing you can do with the FBI in particular, and I'm thinking the Secret Service does this as well, it's great to actually develop a relationship with them before there's a problem, because they're happy, actually, and all set to come in and do presentations talking about different types of threats, what they see and what to watch out for, because to them, they're reducing the likelihood that they have to come in and deal with a problem if they help your organization get more secure.

Kara Wenzel - Oh yeah, for sure. They'd much rather do that.

Scott Aurnou - Absolutely.

Kara Wenzel - Yeah. So can we now rewind a little bit and talk about how phone-based attacks and scams work? I know that may seem old-school to some of us, but I'm guessing there are new techniques out there.

Scott Aurnou - Oh, yeah. Sometimes this type of attack is referred to as vishing, with a V. That's for what's called voice over internet protocol for internet-based phone calls. I honestly sometimes think they just want to throw kooky names onto things, but I digress. Again, these are often seeking access and/or information. Sometimes they're used as reconnaissance for subsequent attacks, so that they can learn more about your firm to then steal stuff. Also you'll see specific examples like the infamous tech support call. Those are scammers trying to trick you into paying to fix an imaginary problem, which they quote-unquote, discover. Just flat out, Microsoft, any company like that is never, ever gonna call you unsolicited. It's never gonna happen. Same, the IRS is never, ever gonna call you under alleged back taxes. These calls don't happen. But they're out there to scare you. And of course, I should mention, these attacks work equally well on both landlines or smartphones, which of course means that they're deliberately targeting the elderly, speaking of landlines. And to be short, that sucks. What I would recommend is if you have a chance, have a chat with your mom or dad if they're elderly, or your grandma and grandpa, it's helpful.

One thing that you can do which can help them, there's a program out there called Nomorobo. Cute little name, it's N-O-M-O-R-O-B-O. And it's free for landlines, so for elderly folks, you can just put this on. And what it does is, robo-calls tend to get automatically blocked. It'll ring once and stop. I think there's a fee to put it on a smartphone, which smartphones by themselves, the newer ones, tend to block it anyway. But for the landlines, it's a great thing and just an extra way to protect them because these scams are designed to fool them and take advantage of them, which is very frustrating. But back to a professional setting, the help desk is actually a major target for social engineers, because the workers who work at a help desk are typically trained to be helpful and resolve issues quickly. Often they're actually literally, they can get bonuses based on how many tickets they can resolve. And often what they'll be doing is verifying employees via name and/or employee number, and scammers can often acquire that sort of thing without too much trouble, say, with another phone call to figure that out earlier and then try it on the help desk and get into the system.

Kara Wenzel - Oh, actually, that sounds smart to me.

Scott Aurnou - Yeah, I'm nothing but good news today. Nothing but good news.

Kara Wenzel - Yeah, yeah. So you mentioned this briefly, but can you tell us some more about how these types of attacks would specifically target smartphones?

Scott Aurnou - Sure. Well, as we noted, the smishing attacks are the texting equivalent of the phishing or spear phishing attack. You also get this nasty one called the SIM swap. SIM swaps suck. Your SIM card is basically what identifies your phone as yours. It's this little card you plug into a phone. If you've switched phones, you sometimes have to pop it out of your old phone and pop it in your new phone, or they'll do it for you at the, like, the Verizon shop, something like that. And basically what the attacker's doing is targeting you through your mobile provider. So it's not a direct attack on you. What it is is, they try to call your mobile provider and convince them that you've gotten a new phone, so they should switch over your SIM card to this new phone. And that means that all calls, and let's say something like a two-factor authentication code, which we'll touch upon in a little bit, will then go to the new phone. So that's a great way to circumvent a well-defended network because like, oh gosh, why aren't I getting any calls? Hmm. Now of course the first step will be to get a little reconnaissance to gain information about you to impersonate you effectively to the phone company. But I mean, yeah, it's a nasty one, specifically for smartphones.

Kara Wenzel - Yeah, that sounds like a nightmare, oh.

Scott Aurnou - It stinks. I mean, they've gotten a little better at defending with them, but yeah, something to be careful of, for sure.

Kara Wenzel - Good, yeah, good to be aware of. How about social media? How is social media used in social engineering for these attacks?

Scott Aurnou - Well, any message-based attack, be it phishing or a BEC scam or something, can be delivered via social media messaging. And as we mentioned earlier, the Instagram-related phishing attacks have been on the rise in early 2022. Again, that'll fade back off, but it'll come back up, go back off. You know, sometimes they come through Facebook, you name it. One thing that used to be a big thing, and again, I'm sure it'll come back at some point was fake LinkedIn connections that would gather professional information to use against you in future spear phishing or phishing or pretexting attacks or whatever else it is. You can also see romance scams, which can run through like, let's say, OK Cupid, or Tinder, or even Ashley Madison. And those can lead to blackmail. And that can mean like illicit affairs and sexting and compromising photos and video and all the other things, which, look, I'm not judging anybody, but just, be a little careful when you're doing this, because sometimes people are not who they appear to be.

And that can be combined with something referred to as whaling. Whaling is a concept in which attackers specifically go after the whale or big fish in a company. Often attackers deliberately target senior-most personnel for a couple reasons. For one thing, often those people have as much access within a network as they want. All I have to do is say, "I want this," and no one's gonna say no to them, so they get everything. And I've seen instances where you have a combination of a senior partner who has a lot of access that he or she doesn't need and a very unsecured network because they wanted a four-letter password. "I want the word Fido, woof!" And no one's gonna say no to them. And that becomes a real problem because it places the entire organization at risk. The thing is attackers know this sort of thing exists, so they deliberately target people like that. One of the things just to mention in passing, you remember those old Facebook quizzes that were so popular? They were kind of fun, but realistically, they were just used to gather information about you by attackers. Sorry, I'm literally here with like a pin on everybody's balloon today, you know?

Kara Wenzel - Yeah, I mean, I was always suspicious of that. I didn't know they were developed by attackers specifically, but I figured like, where is this going?

Scott Aurnou - Exactly, exactly. I'm sure one or two of them might've been someone who was just unusually curious, but the most innocuous use of that might have been maybe marketing, but realistically, yeah, it was probably people attacking you.

Kara Wenzel - Great. Well.

Scott Aurnou - I feel like I should be taking lollipops away from little kids today. I'm like nothing but bad news. Ooh, sorry.

Kara Wenzel - Yeah. Yeah, and on that note. What are some of the snazziest attacks that we might encounter these days when we're just kind of browsing the web?

Scott Aurnou - Well, you know, it's funny, a lot of attacks... I mean, your good attacks are not gonna be obvious. It's like, in the movies, there's always alerts going off and bells are coming off. That doesn't happen. Effective attacks don't announce themselves. So typically what you might run across, for example, is something called a drive-by download, and what that is basically is you go to a website, the website's infected, and you have no idea. So you're going to do whatever you're doing, in the meantime the website is literally attacking your computer. And you just, why would you know? And there's a version of that called the watering hole attack, which is a little more specific. That's usually set up to attack a specific target, who is then led to the watering hole.

An example of that I can give you, some years ago, there was a company out in Texas, a large energy company. And basically they were a little too well-defended for the attacker in question to go after them, so rather than attacking them directly, they discovered that a nearby Chinese restaurant was pretty popular, so they infected the menu page at that restaurant, knowing that people would come to that watering hole to order dinner, and that's how they got into the network. It's a very clever attack. One of the things that's related is sometimes you'll see what's called SEO, or search engine optimization, poisoning. If something's a very popular search term, like in early 2022, there'll be a lot of searches related to say, Ukraine, and people might put up pictures that they think that, oh, wow, this is upsetting. Someone will click on this. Or maybe right after a hurricane in images like, oh, Hurricane Ed, click. And that way they'll put up something that specifically calls your attention to it. It might be famous celebrities. And then you click on it, and again, it's infected. There's also something called malvertising, which is basically infected advertisements. It used to be a big thing. It's still around somewhat. Luckily Google and the others have gotten a little better at it, but it doesn't mean it's gone away, it's just morphed a bit.

Kara Wenzel - So your advice is just don't ever click on anything?

Scott Aurnou - At the end of the day, a lot of what it comes down to is obviously, you do need to be careful on what you're clicking on. A lot of the really important thing's about making sure that your network is defended. The single most important thing you can do with any of these things is make sure that the software you're using is current and up to date. That means any updates or quote-unquote, patches have been put in and installed on the system. 'Cause generally when they patch something, they also put out a little notification of like, "Hey, here's what we fixed." Which for an attacker is sort of a how-to to go after people in the future. 'Cause most people, if they do put the patches in place, they're not gonna do it right away. So that tells attackers, okay, most people are vulnerable to X, and that's what they'll attack.

So if your computer, your server, your phone, whatever it is, is as up to date as possible, a lot of these attacks that come after you will just bounce off. 'Cause what they're looking for is flaws. At the end of the day, whatever type of system you're on has millions and millions and millions of lines of code. And you know, human beings at the end of the day are doing all this programming and mistakes will be made. The best programmers in the world will make a mistake about once every 2000 lines of code, a more normal person coding probably about one out of 180 or so. And again, if you're talking about a phone with, say, 6 million lines of code on it, there are gonna be a few mistakes in there, it happens. Some of them are harmless, but some of them not so much. And when they get discovered, typically they get fixed fairly quickly. Sometimes they're not discovered or sometimes that fix is put out, but people don't put it in place. Sorry, long-winded answer to a short question. Stay as updated as possible.

Kara Wenzel - That was more useful than my original option. So, thank you. Next, can you tell us about what in-person social engineering looks like? I know you mentioned it earlier.

Scott Aurnou - These ones are kind of fun, actually, 'cause you can point to movies. Well, first there's one, I think I mentioned baiting. Baiting is essentially getting an employee at an organization to pick up something that's pretty much booby-trapped and then connect it to the target network. This could be something like a stick drive labeled "Proposed Staff Reductions," or "Senior Partner Compensation in the Current Year," and that just happens to be lying around in a common area, a parking lot, somebody dropped it. And then you're curious, plus, look, we're humans, we're curious. We plug it in and then it attacks. A movie example, this I can give you, actually, so there was a James Bond movie a few years back, Skyfall, in which James Bond's fighting the villain and manages to get the villain's laptop. Brings it back to MI6, and for reasons that evade anyone who's familiar with this area, Q, the technical expert at MI6, wink, plugs it into MI6 computer network, and it immediately attacks. Let's stay away from all the weird animation they decided to throw in it 'cause they want to make it look interesting. Generally speaking, you don't want to put something you don't know connected to your system.

Now, another one you run into is something called tailgating, which is basically using common courtesy against you. Effectively, that's getting someone who does belong at a particular place, building, facility, what have you, to hold the door and let you in. This actually happened to me a few years back. I was going to visit my dad in a hospital, and I literally wasn't sure where to go in. I was walking around a back door and somebody saw me and says, "Oh, hey, hey, come on in." And I was like, "Oh, hey, thanks!" And I'm walking in going, wow. I mean, I'm here to see my dad, but what if I wasn't? That could have been a big problem. And generally speaking, it won't be someone who looks at all out of place. It could even be like a recently terminated ex-employee who pretends to have forgotten their ID. Someone who's, "Oh gosh, I don't know where my badge is." You know? We're nice people, you want to help somebody out. And especially nowadays right after COVID is starting to recede, you're gonna have people who were at the place of business who weren't there before. You don't remember them like, "Oh yeah, you just started. Hey, great to meet you finally," you know, that kind of thing. And that's how people walk in and then they get access directly.

Pretexting is one in which somebody pretends to be someone who belongs in a given place. I'm gonna come right back to films here because there are numerous examples. One I think most people might remember is Luke Skywalker and Han Solo in the Death Star dressed up as stormtroopers. They were pretexting. Luke and Han in their normal clothes would've been caught pretty quickly. It's like, "Hey, they don't belong here!" But dressed up as stormtroopers, they fit right in. So they were pretexting. And pretty much any Eddie Murphy movie you ever want to watch he's always dressing up as something cool and interesting. Beverly Hills Cop, he's sitting there in this one scene, holding flowers, going, "Floral delivery's my life. I've gotta bring these flowers up." And they're going, "Okay, sir, yeah, just go right up." And he tricked his way in. So that's what pretexting is, usually a little less comical in real life, though.

Kara Wenzel - Well, we'll always check out those flower delivery people from here on out. So Scott, tell us, please, what can we do to avoid falling for one of these scams?

Scott Aurnou - Well, first and foremost, as I've mentioned, remember, these attacks are always dynamic. I know it sounds like I'm doing the overkill with this thing, but that's the main thing to remember. They're always changing, and sometimes attacks, like I said, can become popular for a given time, but there are no rules. The biggest risk of all with these attacks comes from the assumption that you'll be able to spot them when they happen. And that includes any of us, myself included. So always assume that the call, the email, whatever it is, is fake until you're given a convincing reason to think otherwise. And even if an email comes from a company or person that you do know, don't hesitate to call the sender directly. And again don't use the number that's actually in the email. Or call to check with your security personnel, your IT department, a supervisor, whatever it is.

Also, if using email, a lot of newer email systems, most, really, now have a report phishing button. Don't hesitate to use that, 'cause you're protecting yourself, you're protecting others, and you're protecting your organization. 'Cause it sort of gives a little flag to the security department to know, okay, this email's fishy. They'll take a look at it and they'll see, okay, this is going somewhere it shouldn't go, and then they'll block access to it. So the next person who might have fallen for that won't. Next, there's security awareness training, which is hugely helpful. Detail that in just a moment. And then, like I said, don't hesitate to contact law enforcement if your firm has been victimized. And again, FBI, Secret Service.

Kara Wenzel - Great, got it. So on a larger scale, what can organizations do to mitigate these sorts of attacks?

Scott Aurnou - Well this is where what we call security controls come in. I guess this is where I'll give you more specific answers. So, I apologize for bringing up the suspense. Security controls break down into three basic categories. There's physical, technical, and administrative. Physical controls would be things like cameras, security guards, secure turnstiles. Now I mentioned a secure turnstile, what is that? That's a turnstile that only allows one person to pass through at a time, which is really helpful against those tailgating attacks, because then you can't let somebody in who doesn't belong there. Technical stuff is a little more things you may have heard of, but there's a lot more variation there. That might be something like antivirus software, but it's more than just that. In this case, you're looking at, again, we talked about patch management, how important it is to keep your software up to date. The vast, vast majority of attacks are on stuff that's already been fixed. All you have to do is put the fix in place.

Next you want to look at with respect to email in particular, what are called spam filters. Spam, by the way, is an acronym for Something Posing As Mail, that's what spam actually stands for. And the idea there is that a spam filter will filter out a lot of the stuff that's not coming from actual humans and being sent out as mass campaigns. So it makes it less likely that people will click on that. Any modern email system will have that included, and you can usually tweak it a bit to make it more effective. Also what you want to look at is the way your network is actually designed. I realize as an attorney, you're probably not gonna be setting up your own network architecture, but get a sense of what's there.

A key thing that should always be in any network in the modern day is what's called network segmentation. What I mean by that is breaking up the network into pieces. So if any one part has a problem it doesn't spread throughout the network. Think of it like a submarine. If something punctures the hull in one place, it has water-tight compartments, which means only that compartment floods and the rest of the boat is still seaworthy. If it didn't have water-tight compartments, the water would spread throughout the submarine and sink it. So think of it that way in terms of a network, same kind of thing. There are also tools within a network which can either guard information from going out or monitor what's happening inside it.

One, for example, is called data loss prevention systems. The idea with that is it tags certain types of data and restricts them from going outside a network. So for example, something like social security numbers, it'll keep that from going outside a network. If there's an attempt to do it, the system will block it. Of course, attackers who are clever will try to encrypt things because the DLP can't read that, but that's probably a little bit more than we need to touch upon in this course. At the end of the day, it's a helpful technology. What that's also really useful with is if someone's accidentally trying to send something sensitive out, the DLP or data loss prevention system will stop it.

There's also network monitoring, which is looking at those data packets, the traffic that's moving around inside a network. And there are different types of systems. Some are what are called signature based, which is looking for a type of malware that's been identified, catches a snippet of it and looks for it. Another one is behavioral based or what's called heuristics. Those are really helpful with social engineering in particular, because what they're looking for is just behavior that's sort of off the baseline. So if something looks a little weird, even if it's not using a specific prohibited program, it'll still flag it as something strange, and it'll either slow it up or stop it. So those can be really helpful.

There's also a cool thing inside a network you can set up called a honey pot. A honey pot is basically a deliberate target or trip wire within a network. The idea is it's something that looks super tempting, but it's fake. So it might be something like specific financial information from the last year, or like a database of highly sensitive information that an attacker would want to look at. But the thing is, since it's fake, someone who's legitimately using the system won't touch it. But an attacker fishing around trying to see what's what might touch it, and that basically sends out an alert to the security folks that, hey, someone's in here who shouldn't be. Also, I would mention just quickly, the idea of passwords can be really helpful in terms of dealing with this thing if someone gets ahold of your accounts. In particular, in addition to a password, you often want to have what's called two-factor authentication, we just mentioned that briefly earlier, also known as multifactor authentication. The idea is it's something in addition to a password. So let's say your password is something you know, the multifactor is something that you are or something that you have. Something that you are, for example, might be like a retinal scan or your fingerprint or hand print. Something that you have might be something like a security token, depending on the system. It could be something where it reads off a code that you have to enter in to get into your system. Or there's some, like one called a Yubikey, where you have to actually plug it in to your computer before you can log in. And as you can imagine, that's pretty hard for an attacker to fake because they have to physically steal the thing to be able to stop you. So that's really helpful.

One other thing related to passwords that are helpful is something called a password manager. Password managers basically save all of the various passwords for your different sites or generate new, really hard to break ones, and put them all in one place, and you have one single password you have to remember. Generally we want a nice long complex password for that, like a big long phrase, something like that. And the idea is that once you're with that password manager, it covers all of them. But there's one little side effect of password managers that's really, really helpful when it comes to this sort of thing. Password managers automatically log you in to sites that they know, but they do that via the IP address that we mentioned earlier, not by what a site looks like. So when you get a phishing attack, sometimes you'll go to click on it and it takes you to what looks just like your bank, but it's not. So when you go to try and log in, your password manager won't log you in because numerically it's the wrong address, even if it looks like the right address. So that's a really helpful little extra feature that comes with password managers as protection. And if you're with a decent-size company, you should have password managers in place. If not, definitely take a look at them. I believe it's PC Mag has a review on good password managers, commercial grade, which is always what I recommend. If you have it for home, there's also free ones. But PC Mag has reviews, which they update I think every six months on which ones are the best to use for password managers. There are a bunch of brands. A lot of them are very good at what they do.

And let's see, now we talked about technical and physical. The administrative controls are actually pretty key when it comes down to social engineering. First, we mentioned the procedures. Touched upon a few of them earlier, again, that out-of-band confirmation before sending wire transfers, altering routing information, or disclosing sensitive data. And also secure disclosure of sensitive information. Yeah, like, again, sending out the wire transfer info via unencrypted email and said to don't do that. And you also want to restrict disclosure of business or personal information regarding employees in general. You know, the classic, Julie's at the conference in Chicago this week, you don't want to say that. Someone's disclosing that, that could then be used against her. And again, be careful on what you're posting on social media 'cause this could very well be the same information. If it's posted there, be aware of it, that way, it won't jump back and bite you later. And then if something does happen, is there a defined procedure to either escalate or notify the personnel who need to basically deal with this? If there's a problem, what do you do? You've noticed something, now what, who do you talk to, who do you call? Make sure that's basically spelled out for your employees so they know what to do and can protect your organization.

Now, a key thing here is security awareness training. That's hugely, hugely important when it comes to social engineering. And it's increasingly required by statutes, regulations, and industry standards. Examples would be HIPAA, the Health Information Portability and Accountability Act; New York's Department of Financial Services Part 500 Cybersecurity Regulation; and PCI DSS, which is the payment card industry's data security standard. The thing to realize with training is, sometimes organizations will try to do one-size-fits-all, like everybody gets the same training. Try to steer clear of that. It should always be what's called role-based. The idea is that it should be tailored to individual users, to developers, to people in leadership, IT professionals, help desk personnel, et cetera, et cetera. And you know, it'll vary a bit depending on the nature of your organization. Not every company has the same type of personnel. But just generally speaking, employees, including attorneys, should know how to recognize signs of suspicious communications, should know how to identify people who should not be in the office space as well as what steps to take in response, should know what information should or should not be given to a caller, and also how the help desk might contact them and what information they might actually ask for, as well as what they will not ask for. Help desk employees, in particular, should know how to verify employee identities before giving out passwords or other business information, how to respond when someone tries to circumvent proper procedures, and also, on the other end of it, train employees, executives, et cetera, what to expect so they don't get frustrated if they can't get through easily enough. And then, at the end of the day, realize that compliance is not enough. I've mentioned to you specific statutes and what have you. That's great, you should certainly do everything in there. But the idea is not to create a compliant organization. It's to create a secure organization.

So look at what's actually needed for security. This is something called a risk assessment, which is a little bit beyond what we're covering today, but we've talked about it in other programs, so please come back and join me at Quimbee for those. And the long and short of it is, secure, repeatable procedures are critical. You gotta make sure everyone's acting in the same way. That way, if you need to tweak the behavior, you make sure everybody's behavior is tweaked in the same way. And perhaps what's more important, you can make sure that if there is an issue, you can figure out what it is, backtrack it, and fix it later. Now, security awareness training makes sure that everybody knows these processes and procedures and follows them. So a few typical methods. Classes, be they videotaped or in person. Generally videos of an hour or less can be effective, depending on how good the video is. You can have articles in newsletters. There are security posters. Some of them aren't half bad; it's just a question of how effective they'll be with some people, since some folks just don't look at that sort of stuff.

Also, you've probably seen in your organization anti-phishing and anti-social-engineering training. Those are particularly good. It depends on the organization how tough it is. I always think tougher is better. And at the end of the day, make sure your senior personnel don't skip out on that, 'cause that's sometimes a problem with that. They don't want to bother. And again, we mentioned the whaling issue earlier; they're prime targets, so if anybody should be taking that training, it's them. And at the end of the day, remember when you're doing this thing, you're teaching people, not robots. So it's a matter of not just getting the information across, but also putting people in a situation where they're actually finding it not painfully boring to learn it, because if they're tuned out, it's obviously no help. Now, there's no set standard for areas to cover, but a few basics I would mention: phishing and of course spear phishing, social engineering in general, malware, data breaches, passwords, mobile devices, properly using encryption, physical security, and proper disposal of data. Obviously I'm just mentioning these as titles. You want to explain what they are and how they work, et cetera. And of course, senior personnel should receive training in the areas covered in the regular employees' training, as well as a high-level view and information regarding the organization's security program. This means results of risk assessments, security policy violations, attempted attacks, et cetera, so they can get an idea of what's happening.

And finally, something to look at is testing and metrics. Testing could mean something like pen testing. That's short for penetration testing. That's where basically you're paying what's called a whitehat, or good-guy hacker, to break into your system. And the idea is they break in and then they show you how they did it, so you can fix the problem before a blackhat, or bad-guy hacker, comes and exploits that same problem and uses it against you. And of course that's not a one-and-done; you do that with some regularity, not every week or anything like that, but from time to time. And then I'd mention, of course, phishing simulations. Those are a test, and those are often required under regulations or contracts, sometimes including your cyber liability insurance. Metrics themselves can include the results of those phishing simulations. That gives you an idea of who gets it, who's improving, and who needs a little help. And of course you want to look at, related not just to those types of attacks but overall on your system, how many attacks have been against your system and what have the results been? Like a year-over-year comparison: is there more, are there less, where are they changing? And finally you want to look at compliance metrics. So that's, using it, how many users are actually completing your awareness training, and are they signing what you call an acceptable use policy, meaning they know and understand what they're supposed to be doing with data that is part of the organization.

Kara Wenzel - You've given us so much to think about, Scott.

Scott Aurnou - I hope you're still awake after all that.

Kara Wenzel - Yes, yes. Can you tell us, is there a particular, either type of scam or protection area that lawyers, law offices, tend to trip up with more often than others?

Scott Aurnou - Hmm. I don't know that I would say a specific one. I mean, a lot of it is just depending on what attackers target. Like I mentioned before, there's that one where real estate lawyers can often get hit with that scam of switching the wire transfer data. But a lot of it depends on what you deal with. Like, if you're dealing specifically with patents, there'll definitely be attempts to trick you into giving access to that information. Likewise, if, let's say for example, you're dealing with non-private information for an upcoming merger-acquisition, and they can trick you into sharing the latest version back and forth by sending you a, "Hey, here's the latest redline," and you respond to it. That would be the trick there. A lot of it just depends on what they can trick you into giving. And, on the one hand, there's the data; on the other hand, there's the ransomware, where they're trying to just basically extort money out of you. All good news. All good news.

Kara Wenzel - That's fascinating. Sadly, we are out of time. I would love to hear more of your stories, but we will just have to save it for our next program.

Scott Aurnou - Looking forward to it.

Kara Wenzel - Thank you, Scott. Though, can you real quickly give people an idea of where to find you if they want to ask a question, post a comment?

Scott Aurnou - Oh, just drop a line on LinkedIn. I'm right on there. If you have a mad urge to check out landscapes, I'm also on Instagram. So that'll do.

Kara Wenzel - Wonderful, thanks again, Scott.

Scott Aurnou - Pleasure was mine.

Presenter(s)

Scott Aurnou, JD
Founder and Cyber Security Attorney
The Security Advocate

Credit information

Jurisdiction      Credits                             Available until                   Status
Alabama           -                                   -                                 Not Offered
Alaska            1.0 voluntary                       -                                 Pending
Arizona           1.0 general                         -                                 Pending
Arkansas          1.0 general                         -                                 Pending
California        1.0 general                         -                                 Pending
Colorado          -                                   -                                 Not Offered
Connecticut       1.0 general                         -                                 Pending
Delaware          -                                   -                                 Not Offered
Florida           1.5 technology                      -                                 Pending
Georgia           1.0 general                         -                                 Pending
Guam              1.0 general                         -                                 Pending
Hawaii            1.0 general                         -                                 Pending
Idaho             -                                   -                                 Not Offered
Illinois          1.0 general                         -                                 Pending
Indiana           -                                   -                                 Not Offered
Iowa              -                                   -                                 Not Offered
Kansas            -                                   -                                 Not Offered
Kentucky          -                                   -                                 Not Offered
Louisiana         -                                   -                                 Not Offered
Maine             1.0 general                         December 31, 2026 at 11:59PM HST  Pending
Minnesota         1.0 general                         -                                 Pending
Mississippi       -                                   -                                 Not Offered
Missouri          1.0 general                         -                                 Pending
Montana           -                                   -                                 Not Offered
Nebraska          -                                   -                                 Not Offered
Nevada            -                                   -                                 Not Offered
New Hampshire     1.0 general                         -                                 Pending
New Jersey        1.3 general                         January 16, 2025 at 11:59PM HST   Approved
New Mexico        -                                   -                                 Not Offered
New York          1.0 areas of professional practice  -                                 Pending
North Carolina    1.0 general                         -                                 Unavailable
North Dakota      1.0 general                         -                                 Pending
Ohio              1.0 general                         -                                 Unavailable
Oklahoma          -                                   -                                 Not Offered
Oregon            -                                   -                                 Not Offered
Pennsylvania      1.0 general                         -                                 Pending
Puerto Rico       -                                   -                                 Not Offered
Rhode Island      -                                   -                                 Not Offered
South Carolina    -                                   -                                 Not Offered
Tennessee         1.05 general                        -                                 Pending
Texas             1.0 general                         -                                 Unavailable
Utah              -                                   -                                 Not Offered
Vermont           1.0 general                         -                                 Pending
Virginia          -                                   -                                 Not Offered
Virgin Islands    1.0 general                         -                                 Pending
Washington        -                                   -                                 Not Offered
West Virginia     -                                   -                                 Not Offered
Wisconsin         -                                   -                                 Not Offered
Wyoming           -                                   -                                 Not Offered