Experts Nick Mullen and Nick Oles discuss artificial intelligence and the impact of ai on business cyber risk. They share their personal stories of how they got into the field and highlight the importance of understanding the analogies between physical and cybersecurity controls.
Nick Oles is author of How to Catch a Phish nick@thenetdefender.com https://thenetdefender.com/
Nick Mullen is a CISSP, CCSP, PMP and Principal, at Sanguine Security Solutions.
Chapters
Key Topics: impact of ai on business cyber risk, how ai powered social engineering affects you, social impact of artificial intelligence, social engineering risks from new ai, how ai is changing cyber crime tactics, how ai is changing phishing tactics, how to measure new ai cyber risk, how ai increases cyber risk, h
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Click the link above or text 904-867-4468, 2014652: and leave your message!
You can now text our Podcast Studio direct. Ask questions, suggest guests and stories.
We Look Forward To Hearing From You!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
Custom handmade Women's Clothing, Plushies & Accessories at Blushingintrovert.com. Portions of your purchase go to Mental Health Awareness efforts.
Experts Nick Mullen and Nick Oles discuss artificial intelligence and the impact of ai on business cyber risk. They share their personal stories of how they got into the field and highlight the importance of understanding the analogies between physical and cybersecurity controls.
Nick Oles is author of How to Catch a Phish nick@thenetdefender.com https://thenetdefender.com/
Nick Mullen is a CISSP, CCSP, PMP and Principal, at Sanguine Security Solutions.
Chapters
Key Topics: impact of ai on business cyber risk, how ai powered social engineering affects you, social impact of artificial intelligence, social engineering risks from new ai, how ai is changing cyber crime tactics, how ai is changing phishing tactics, how to measure new ai cyber risk, how ai increases cyber risk, h
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Click the link above or text 904-867-4468, 2014652: and leave your message!
You can now text our Podcast Studio direct. Ask questions, suggest guests and stories.
We Look Forward To Hearing From You!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
Custom handmade Women's Clothing, Plushies & Accessories at Blushingintrovert.com. Portions of your purchase go to Mental Health Awareness efforts.
D. Mauro
AI-Artificial Intelligence. Part of buzzword bingo everyone plays these days Have you considered the Impact of AI on Business Cyber Risk?
Have you integrated AI risk into your IR planning, or created new policies yet for employees or 3-parties?
Have you integrated it into your social engineering education training for employees?
Many haven’t and the clock is ticking…
Today’s episode addresses this. We brought in expert practitioners Nick OLES AND NICK MULLEN to discuss how ai increases cyber risk and how things like deep fake are raising eyebrows in board rooms across the globe.
We even threw in some shocking true cyber crime stories for good measure….and you wont believe them until you hear them.
SO join us. This is the story of Nick and Nick and the Impact of AI on Business Cyber Risk
Impact Of AI on Business Cyber Risk
Experts Nick Mullen and Nick Oles discuss artificial intelligence and the impact of ai on business cyber risk. They share their personal stories of how they got into the field and highlight the importance of understanding the analogies between physical and cybersecurity controls.
Nick Oles is author of How to Catch a Phish
Nick Mullen is a CISSP, CCSP, PMP and Principal, at Sanguine Security Solutions.
Key Takeaways:
Key Topics: impact of ai on business cyber risk, how ai powered social engineering affects you, social impact of artificial intelligence, social engineering risks from new ai, how ai is changing cyber crime tactics, how ai is changing phishing tactics, how to measure new ai cyber risk, how ai increases cyber risk, how to measure new ai increased cyber risk, risks from ai deep fake explained, ai deep fake risks explained, dangers of synthetic media, Artificial Intelligence And Risk In Cyber Security, new dangers of synthetic media, artificial intelligence risks in cyber security, new ways to reduce risk from deep fakes, new ways to reduce risk of deep fakes, how are deep fakes made, how are deep fake videos made, how are audio deep fakes made, how is ai making it harder to detect deep fakes, how ai is making it harder to detect deep fakes,
Chapters
D. Mauro (00:02.19)
Well, welcome everybody to Cybercrime Junkies. I am your host, David Mauro And in the studio today are two cybersecurity experts, Nick and Nick. So I just, I did a poll for guys named Nick who are experts in this and they both wanted to join. It was great. So we have, we have Nick Mullin, CISSP, CCSP, PMP, lots of acronyms.
He's a principal at Sanguine Security Solutions, which I'm very familiar with. They're security governance and project management professional. Nick's been in the industry over 15 years in technology and leadership and focusing primarily in the financial services industry and supporting financial institutions. Over the last decade and all of the changes that have happened, he's been planning and delivering technology compliance solutions.
of all shapes and sizes, working with organizations all the way from the Fortune 50 down to SMBs, small to mid -sized businesses and everything in between. We're also joined by Nick Ohls, a cybersecurity expert at the netdefender .com who also has about a decade and a half, if not more of operational experience and cybersecurity experience. Nick was served over a decade in the US military.
and has consulted with Fortune 50 organizations, small businesses as well, as well as the U .S. Department of Defense. Gentlemen, welcome to the studio.
Nick Mullen (01:43.075)
Great to be here.
Nick Oles (01:43.473)
Yep, yeah, really excited for today. Thanks for having us, David.
D. Mauro (01:46.478)
Yeah, so we're going to talk about artificial intelligence and risk in cybersecurity. It's a broad conversation, but we have a lot of real, actual, true kind of cybercrime stories, stories that I think a lot of people will be able to resonate with. First, let's talk a little bit about your origination stories, both of you. So let me start with Nick, just kidding.
Let me start with Nick Mullin. So Nick, how did you first, I always like to ask this and I apologize, but how did you first figure out that cybersecurity was where your passion was, where your livelihood was gonna take you?
Nick Mullen (02:35.555)
Yeah, I, uh, so I started my career, uh, my security career as a bouncer. I was doing physical security at a, at a concert hall. Uh, not, not the sexiest job in the world. Um,
D. Mauro (02:44.238)
Excellent.
D. Mauro (02:48.75)
No, that's great. We had Phil Wiley on who was a professional wrestler. So I mean, the bouncer thing fits right into the security realm. Yeah.
Nick Mullen (02:51.619)
Yeah. Yeah.
Nick Oles (02:55.313)
Mm -hmm. Yeah, similar.
Nick Mullen (02:56.355)
Yeah, I, so I was, you know, throwing drunk people out of this this music venue and.
D. Mauro (03:01.71)
Ha ha.
Nick Mullen (03:04.291)
I was also doing some project management consulting and I was in like cloud data and then I started working on some security projects and I had a security architect that I worked with that he recognized that I didn't know what was going on. Which I mean, I was really kind of, you never expect the project manager to know what's going on. So I was at least filling that role very well, but.
D. Mauro (03:07.726)
Mm -hmm.
Nick Oles (03:22.065)
Hehehehehe
Nick Mullen (03:32.995)
He sat down with me and spent a couple hours and said, you know, hey, all these things you're doing from a physical security standpoint, all these controls, we're doing the same types of things over here. It's just our controls are more technical controls. You know, it's if you want to keep somebody from coming in your house, you put a lock on the door. If you don't want them on the property, you put a fence around your yard.
D. Mauro (03:43.854)
Right.
Nick Mullen (03:53.059)
You know, if you want to see whether they've climbed the fence, you put up motion detectors and cameras. I mean, these are all your, you know, preventative controls, detective controls, administrative controls. Oh, it was. Yeah.
D. Mauro (04:01.134)
Great analogies to for cybersecurity, right? Because when you think of all the different security layers that organizations need, right? And I find in the industry, a lot of people, a lot of organizations, a lot of vendors struggle to explain them. They talk about the features in the right, right? Like they talk about the features and the benefits and how they're so good. And this one's, you know, it's all the tech speak that doesn't, it just falls flat on business owners.
Nick Mullen (04:08.259)
Mm -hmm.
Nick Mullen (04:16.547)
Oh, 100%.
D. Mauro (04:31.022)
Right? Because they're like, I don't care. OK. Well, motion detectors. Would you care if you had one in your house? Well, yeah, we all have them. OK. Why is that? And then you explain the context in a network. You need to spot anomalies. You need to see people moving around your network that otherwise would be undetectable. Right. It's identical.
Nick Mullen (04:31.075)
It does. Yeah.
Nick Mullen (04:37.667)
Mm -hmm.
Nick Oles (04:37.841)
Mm -hmm.
Nick Mullen (04:49.635)
Yep. Yeah, it's spot on. When he put it that way, it was like all the gears just finally clicked into place for me and everything changed. And I'd spent a lot of time in all sorts of weird jobs. And it always just felt like I was doing something to make somebody else a bunch of money, which is fine. I mean, we all like money, but...
D. Mauro (04:58.03)
Yeah.
D. Mauro (05:11.438)
Mm -hmm.
Nick Oles (05:11.601)
Thank you.
Nick Mullen (05:12.707)
Security actually felt like a little bit of a noble cause. Like I knew I was on the right side of things. I felt good about the work that I was doing. You know, we're really protecting critical assets and infrastructure and people and their finances. And I never went to sleep worrying whether I was on the right side of things. And so once that all kind of happened, I decided I'm going to make a career out of this. I went back to school, I got a security degree, and I've been off to the races ever since.
D. Mauro (05:35.758)
That's great.
D. Mauro (05:40.142)
That's fantastic. That's fantastic. And how did you find the ability to break in? I mean, a lot of people really struggle because, you know, I mean, some of it has to do with the job postings out there that are, you know, like a entry level cybersecurity five years managing a sock. You're like, well, that's not an entry level job at all. Right. So how did you find it? What was your experience?
Nick Oles (06:04.145)
Mm -hmm. No.
Nick Mullen (06:04.931)
All right.
Nick Mullen (06:10.051)
It was because I had the project management background and I had experience there. So I Yeah
D. Mauro (06:12.974)
Oh, OK. Really great segue, right? That's a great way of breaking into cybersecurity, right? Yeah, it's really good.
Nick Mullen (06:21.155)
It was huge. And the great thing about project management, you're going to get so much experience doing so many different things and working with so many different tools and technologies so fast. So I mean, I, every project's different. Yep.
D. Mauro (06:33.838)
Mm -hmm. Because every project's different, right? Yeah, different tool sets, different problem that you're solving, everything.
Nick Mullen (06:41.859)
Yep.
Yeah, so I mean, I over the course of two or three years managing security projects, I probably gained as much experience as, you know, an actual hands -on practitioner might get in a decade. Now it may not have been all that, you know, nuts and bolts experience, but I at least got a pretty good understanding of what we were doing, why we were doing it, how things work, you know, and, and who the players were, you know, who you needed to get involved to make something successful. So, you know, it was a, it was a great opportunity, great experience for me, you know, in retrospect.
D. Mauro (06:52.622)
Yep.
D. Mauro (07:04.11)
Yeah.
Nick Mullen (07:12.421)
You know everybody thinks like I wish I could go back in time and change the way things happen You know it sure it would be great to do that but in retrospect everything kind of happened the way that it was supposed to and I I feel very fortunate to have you know had the experiences that I had
D. Mauro (07:29.134)
Excellent. Excellent. And Mr. Oles, so you served for over a decade with the U .S. military.
Nick Oles (07:37.457)
Yeah, yeah. So other Nick here, not to be confused. So I started off really at a young age, really enjoying technology, but using technology to solve problems. And kind of what that stemmed for when I reflect back is, I had a bunch of brothers and sisters and my family was the typical Midwestern family. And we would get a new gadget or a new car and no one really knew how to set up the VCR. I'm dating myself a little bit, but VCRs were these cool technologies back in the day that you could.
D. Mauro (07:40.206)
Mm -hmm.
D. Mauro (08:07.086)
No, I was that kid. I was the one who always got called down to like fix. You were like the AV guy all of a sudden and you were a kid. Right. Yeah. Why is it blinking 12 all the time?
Nick Oles (08:11.441)
Yeah, yeah, like, hey, turn this VCR on or let's do this record at this time. So like, I would, I love that. I loved like learning that new stuff and just the zeros and ones, like reading the manual so I could solve the problem when, you know, someone asks like, hey, can I pause this and then start it back up on live TV or something like that. We're sitting with a car. Can I program this audio button for that? And I just, I really liked that aspect of it. And I kind of...
D. Mauro (08:22.158)
Mm -hmm.
D. Mauro (08:32.302)
Hmm?
Nick Oles (08:39.761)
started out college almost a similar path to the other NICHIRS. I wasn't really sure where I was going at first. And I had a buddy recommend to go on the help desk for our college university, just as like an easy work study job that needed people. And it was just by happen chance. I happen to need a job and have a lot of time and they had a lot of work and the job opening. So they kind of just got together.
There I got an exposure to a lot of different things and really my first taste of security. So I was seeing, you know, viruses on people's computers. I was having people call in because they had been locked out of their account. They needed their password reset or, you know, the projector wasn't working at that ideal time in the middle of a presentation like it always does. And I was helping them solve all those problems and I really enjoyed it. And that kind of curtailed into my military career as well. You know, I had an opportunity to...
D. Mauro (09:15.278)
Right.
Nick Oles (09:33.969)
to work with technology to help enable people to do great things and solve hard problems. And I started out generally in the military just doing regular IT work, transitioned over into the cybersecurity work, because that was kind of my calling to continue helping people out to secure things, to stop these people that are using this technology for bad and hopefully use it for good. And I've had a number of positions throughout, but they all kind of stemmed from that.
that entry level help desk that got me some networking experience, that got me some security experience and kind of let me figure out, you know, where I wanted to go, what I wanted to focus on. Um, and, and that's kind of brought me, brought me here today. And that's kind of where I, I five. And that's, that's what I've been working with Nick here on is, you know, helping some of these smaller organizations, you know, identify malicious attacks, detect, defend things like that. You know, the ones that don't have these massive budgets and these huge robust security teams, because.
You know, they have businesses too, they have lives and they have important data and things to be lost. And it's a really rewarding, fun job because you get exposure to a lot of different things, both on the offense and defensive side.
D. Mauro (10:45.486)
That's fantastic. Which, if you don't mind me asking, which branch of the military were you in?
Nick Oles (10:48.945)
Army, yeah, so I'm still a still a reserve guy. Love it. Been really fortunate. Had a great time. Interacted with some really good people and yeah, can't say enough good things about it.
D. Mauro (10:52.078)
Excellent.
D. Mauro (11:01.486)
We have had we have had every single branch on this show, as well as several branches from from other countries. So that's fantastic. Well, thank you for your service. And I mean that like that is it's it's it's a remarkable type of person when there's danger and everybody's running away. The guys that run toward it. Right. Like they're just drawn and that's their job. It's their duty. But it's also they're there for a reason. And so.
Nick Oles (11:23.985)
Yeah.
Nick Oles (11:30.193)
Thank you. Thanks for the support. Absolutely.
D. Mauro (11:31.982)
You know, no, it's fantastic. So let's talk a little cyber crime. Can we guys? Let's talk a little cyber crime, a little synthetic media. We were just talking. We had Paul Eklof on that's going live later this week. And Paul played around with various, you know, generative AI and synthetic deep fake.
Nick Mullen (11:35.011)
You're out.
Yeah.
D. Mauro (12:01.486)
video and audio and was what shocked me was this at the end of the day. And that is I've tried things like that. I've seen things like that years ago, even a year and a half ago. And it's all pretty detectable to the human eye. Right. It was pretty, it was okay. It was kind of funny. It's more for parlor games. I didn't really see it as a real threat. Now then July 22,
Nick Oles (12:19.825)
Mm -hmm.
D. Mauro (12:30.254)
The FBI issued an alert because there were a whole host, like several hundred examples of people applying and being accepted for remote work here in the United States, interviewing by Zoom or by Teams or by Google video, whatever it is. And then they get jobs and it wasn't even them, right? They were operating under stolen credentials and then they were using deepfake. So they issued a deepfake alert. That was July of 2022.
Nick Oles (12:39.185)
Mm -hmm.
Nick Oles (12:51.921)
care.
D. Mauro (12:59.662)
And then generative AI came out. And I will tell you in the last three to six months, the level of commercial grade, I'm talking 20 bucks a month, 30 bucks a month, the level of commercial grade available to the public of these deep fake where you can take yourself an avatar of yourself and get yourself to say anything in a host of 45 different languages. It's undetectable by the human eye.
Nick Oles (13:24.625)
Mm -hmm.
D. Mauro (13:30.094)
It's it's shocking how far advanced it's got. And it just has it raises so many alarms. Right. And there's so much risk there that I want to explore it with you guys.
Nick Mullen (13:41.411)
Mm -hmm.
I mean, you're spot on. It is, even if you're trained to spot it, it's still extremely difficult. And I think different platforms are better than others. Typically, you can see things like eye movement and the way people blink their eyes.
D. Mauro (13:51.438)
Mm -hmm.
Nick Oles (13:52.529)
Mm -hmm.
D. Mauro (13:58.83)
Mm -hmm.
D. Mauro (14:03.886)
Right.
Nick Mullen (14:07.395)
You know, a lot of times that's not quite as natural and deep fakes. And I've read that a lot of the reason behind that is because the focal point isn't, it's not in the eyes. A lot of times you watch people's mouths when they speak. And so, you know, the mouths are very good. The eye is not as good. Sometimes you'll see, you know, uh, like blurring when people are moving their head quite a bit, but it's really easy to mistake that for just bad video quality.
Nick Oles (14:17.425)
Mm -hmm.
D. Mauro (14:29.582)
Right.
Nick Oles (14:31.985)
Yeah.
D. Mauro (14:33.71)
Yeah, or your own personal bandwidth. If you're watching it, if you're on that Zoom meeting or whatever meeting, that video conference from home, let's say, you might think, oh, I must be glitching, right? Or there's a lag on my end because of my crack, whatever, Comcast, whatever you've got, right? So like that could be it, right? And so you don't necessarily know. The other concern that we talked about before,
Nick Mullen (14:36.643)
Yeah.
Nick Oles (14:44.209)
Mm -hmm.
Nick Mullen (14:45.667)
Mm -hmm.
Nick Mullen (14:51.235)
Mm -hmm.
D. Mauro (15:02.51)
we started recording here was it's, you know, we're going to get into a true example of what happened over in Hong Kong and then talk about some other social engineering true stories that we all have. But what shocks me is it's not really on the radar yet. I mean, you guys are in the industry. Is it like what's concerning me is it's not at the top, let alone.
Nick Oles (15:23.569)
Yeah.
D. Mauro (15:31.246)
on a lot of whiteboards right now of CISOs, maybe on the CISOs, but maybe not at the board level or small to mid -sized businesses, which is the vast majority in the United States of businesses. It's really not on their plan. Like, I don't, I don't know that they have a deep fake detection plan in place, right?
Nick Oles (15:52.017)
No, and that's absolutely spot on. We're adopting these technologies faster than we can secure them, write policies around them, stuff like that. A lot of these organizations, they don't have any AI policies. That's just not a thing because their policies...
D. Mauro (16:08.846)
Right. Period. Let alone like all right. And that's even like acceptable use policies. Right. Like a lot of organizations don't even have those.
Nick Oles (16:12.721)
Mm.
No, they don't have the baseline policies. And then we have these very specific niche, you know, deep fake or voice AI or social engineering AI driven attacks. You know, that's not even covered yet because that's way down the road or how they can even handle or use AI, you know, because once you upload data to it, theoretically, you know, if you have a controlled environment that you're paying for on your own, you know, that data hopefully stays with you.
D. Mauro (16:25.486)
Mm -hmm.
Nick Oles (16:40.465)
But if you're using a free version of like, I don't know, chat GPT and you upload all of your company's intellectual property or a very sensitive spreadsheet, that goes wherever it goes with chat GPT. And that could be a major risk to the organization if it's not mitigated, identified, controlled beforehand. And that's absolutely things that we're talking to people about and hearing through. And I think one of the reasons why you're asking this isn't at the board level is,
I don't think it's been around long enough for organizations to feel the impacts yet. I don't think the, there have been attacks and I'm sure there's a lot of successful attacks, but it hasn't made it, you know, to, you haven't heard a lot of mainstream media losses or reports of organizations losing large sums of money or data through some of these social engineering attacks. I think they're coming. And I think that will, if I had to predict, you know, the rest of 24 and 25, that's probably what I would hear more of in the news and the media, but.
D. Mauro (17:14.381)
Ugh.
Nick Oles (17:35.953)
Right now, it hasn't happened yet, so everyone kind of thinks, well, that can never happen to us, or that's not really a risk to us yet.
D. Mauro (17:44.302)
Right.
Nick Mullen (17:45.859)
That's a lot of a lot of organizations are still stuck in the mentality of, you know, this isn't going to happen to me when it comes to security incidents, period, let alone when it comes to AI. And, you know, it's I think back to, you know, back in the 40s when, you know, people were first starting to develop nuclear nuclear technology. You know, like, yeah, you can embed these nuclear power plants and it's great.
D. Mauro (17:56.174)
Mm -hmm.
Nick Mullen (18:14.883)
But like, there's also this nuclear bomb over here and people seem to be romanticizing these nuclear power plants and all these things that you can do with AI and how powerful it is and it can transform your business. If you're anything like me, I get probably.
D. Mauro (18:17.518)
Right.
Nick Oles (18:27.217)
He he he he.
D. Mauro (18:27.598)
It can help you write Instagram posts. It can help you write. Right.
Nick Mullen (18:29.827)
Oh yeah, I get a dozen messages every day telling me I can use AI to revolutionize, you know, lead, Jen and everything else. But they forget about this bomb that's sitting over here because that's the other side of the coin for this. And the bad actors have not forgotten about that. They're already using it.
Nick Oles (18:34.961)
Mm -hmm.
D. Mauro (18:36.782)
Right.
D. Mauro (18:48.046)
No, no, absolutely. Yeah, I mean, I recently saw Simon Sinek on stage and he was talking about AI and its effect on brands. And, you know, he's the author of, you know, Start With Why and several other books. Leaders Eat Alone or Never Eat Alone or whatever. No, Leaders Eat Last. Sorry, it's on my bookshelf. I just haven't.
Nick Oles (19:01.905)
Mm -hmm.
Nick Oles (19:13.393)
Mm -hmm. I was a little confused by those. I was like, interesting.
Nick Mullen (19:13.891)
It lasts.
D. Mauro (19:18.03)
I read it like three years ago when it first came out. Great book. Great book. Yeah. I'll have to edit that out later. Don't write a note to self. Edit that out. No, but it was really interesting because he was talking about in response to a question about is AI going to take jobs? And he was like, that's not the concern because he said it's a generational technological change. Very similar to the automobile. Yes, the automobile may have put out.
Nick Oles (19:38.929)
Yeah.
D. Mauro (19:48.078)
some carriage workers, some horse and carriage mechanics, right? But it burdened it, it blossomed into an entire industry of the automobile industry, right? Like it created so yes, there might be a little bit of like some pain, of course, right? Will people lose their jobs? Some will certainly, right? But there's going to be skill training and a lot.
Nick Oles (19:50.353)
Mm -hmm.
Nick Mullen (20:00.771)
Mm -hmm.
Nick Oles (20:07.953)
Mm -hmm.
D. Mauro (20:16.11)
exponentially more opportunity from it. But more importantly, he said, that's not my concern. He said, my concern is societal. My concern is about authenticity and truth and how we define that. And he said, my biggest concern is deep fakes. And when I heard Simon Sinek talk about that, he's a brilliant mind, somebody that I follow, not a cybersecurity guy.
Nick Oles (20:40.913)
Mm -mm. Yeah.
D. Mauro (20:44.078)
Right. Like he's in the he is in the leadership motivational category, you know, strategy category, not in the cybersecurity category. And his number one concern now in light of generative A .I. is deep fake. So it's it's beyond just the security folks talking.
Nick Oles (20:56.817)
Mm -hmm.
D. Mauro (21:07.342)
Yeah.
Nick Mullen (21:07.715)
Yeah, for sure. And there, you know, this is, this has been happening now for a few years. Um, there have been, you know, it, it started with a voice and that, that wasn't something that a lot of people knew about, but there have been deep fake voice scams that have been going on for a couple of years now. You know, the, the compute power to, to mimic, mimic someone's voice isn't nearly what's required for, uh, for video. And, um,
D. Mauro (21:14.862)
Uh huh.
D. Mauro (21:18.638)
Mm -hmm.
D. Mauro (21:32.942)
Great point.
Nick Mullen (21:36.291)
You know, there was an instance here, I don't know, probably two or three years ago. So there was a company in the UK. They had a parent company somewhere else in Europe. The CEO of the parent company called the CEO of the subsidiary and said, hey, I need you to wire us. You know, we've got like some new vendor relationship. I need you to wire us quarter million dollars.
There's a little bit of back and forth, but I mean, it was the CEO of the parent company. So the CEO of the subsidiary sent him and it was $243 ,000 US Senate to him. Money transferred. And then, you know, because of course, criminals are criminals. They're a little bit greedy. Sometimes he came back and tried to get more. They couldn't get more. But, you know, they also lost a quarter million dollars and it was an audio deep fake. And it.
Nick Oles (22:15.089)
Mm -hmm.
D. Mauro (22:16.974)
Ready to get more.
D. Mauro (22:24.557)
Unbelievable.
Nick Mullen (22:26.211)
And like these are two individuals that knew each other well. And it was good enough to trick him into authorizing a wire transfer of a quarter million dollars. And then the same thing happened here. Well, actually something even more advanced happened here in Hong Kong a few weeks ago.
D. Mauro (22:44.014)
Yeah, so that was, there's a lot of articles on this. Paul and I talked about it briefly, but let's go into this. So I know our technical, I'll have a link to it in the show notes, but they talked about a deepfake scammer walks off with 25 million, the equivalent of 25 million US. And so there was initial, what, phishing email that was sent, right? Purporting to be from a CFO located in the United Kingdom.
Nick Mullen (23:08.003)
Mm -hmm. Yeah.
D. Mauro (23:13.742)
sends it to a representative in Hong Kong and says, we have a confidential transaction. It's going to be an acquisition. You're, you know, it's something to be excited about. Please, please help us. We need this amount transferred over here, this other amount transferred over here. And the person kind of pushed back, didn't they?
Nick Mullen (23:37.635)
Mm hmm. Yeah, they they didn't buy it immediately. You know, they didn't follow the usual channels, you know, and that's typically with these social engineering attacks. You know, you've got to create some sort of sense of urgency to get people to break from norms and not follow, you know, a normal process. And so the the the scammer, you know, or the criminal, however you want to refer to them, then they up the ante and they said, well, let's get on a on a phone call.
D. Mauro (24:01.806)
Hmm?
Yeah, let's talk about that. I don't mean to interrupt you, but let's talk about that. I see people's eyes glaze over when people call them scammers, right? Because it seems less, it seems, well, scammers are more obvious, they're easier to detect, and they're less sophisticated. Okay, let's call them cyber criminals. Because when you think of cyber criminals, you think of pretty sophisticated, emotionally intelligent,
devoid of empathy, right? People that are devoid of empathy and sympathy and they are very good at their jobs. So that's what this was, right? So even though this article called them scammers, this was not some hack. This was not some random, you know, group just doing it. This was calculated with a lot of research.
Nick Mullen (24:42.371)
Mm -hmm.
Yeah.
Nick Mullen (24:57.059)
Oh yeah, I mean, this is organized crime. I mean, for these are these are not, you know, just like one off people, you know, in mom's basement that are that are scamming folks. This is organized crime. It's typically nation state backed, you know, so you know, it or sponsored. Yeah.
D. Mauro (24:59.534)
Mm -hmm. That's exactly right.
Nick Oles (25:10.609)
Yeah. Yep.
D. Mauro (25:12.974)
Mm hmm. Or sponsored or somehow it's funded like they're they're either allowed to do their legal things and therefore it's backed. Right. Or it's because acquiescence is the crime. Right. As well. Right. Or or it's or it's directly sponsored.
Nick Mullen (25:26.339)
Correct.
Nick Mullen (25:30.787)
Well, you look at the countries that are on the OFAC list and they can't do business with us legitimately. And so instead they sponsor these criminal groups and they're able to get money from us through those means. So they're still getting the US dollar. It's just the way that they went about it is a little bit different.
D. Mauro (25:33.742)
Mm -hmm.
D. Mauro (25:48.27)
Yep.
D. Mauro (25:53.806)
So for listeners that may not know what you're talking about, what's the OFAC list?
Nick Mullen (25:57.763)
Yeah, so I wish I could remember. Nick, do you remember what the acronym is?
D. Mauro (26:01.262)
Yeah, I'll look it up and like edit this video and like insert it with like an image or something. But but it's basically the ones that are like we have we have like trade embargoes with them or they're right. They're banned countries. Correct. Yeah. Yeah.
Nick Oles (26:01.905)
Off it's...
Nick Mullen (26:04.899)
Okay.
Nick Oles (26:12.657)
Yeah, it's Office of Foreign Asset Control is what OFAC stands for.
Nick Mullen (26:14.211)
Embargoes, yeah. Yep. Yep.
Nick Mullen (26:20.483)
Yep. So we can restart here. So the OFAC list is the Office of Foreign Asset Control. And basically what they're going to do is they identify different companies or countries throughout the world where...
D. Mauro (26:26.766)
There we go. Great.
Nick Mullen (26:36.835)
It's typically known terrorists that are operating out of those countries and they don't want you to do business with them. So if you're a US company, you're not allowed to do business with companies that are on the OFAC list or countries that are on the OFAC list because they feel like the money is probably going to find itself in the hands of some sort of terrorist organization.
D. Mauro (26:39.598)
Mm -hmm.
Right.
D. Mauro (26:56.782)
Makes perfect sense. It's quite logical.
Nick Mullen (26:59.427)
Yeah, so I mean, they you have a country that's on the OFAC list and you know, they're not able to legitimately do business with us. So instead they they get money out of the US through things like cybercrime. You know.
D. Mauro (27:10.35)
Yeah. And that's who's really backing this. So now let's segue back to where I interrupted you. And you were telling us about this cybercrime that occurred using deep fake at this Hong Kong bank. So they sent a phishing email. The person pushes back. And then what happens?
Nick Mullen (27:20.867)
Yeah.
Nick Mullen (27:28.579)
Yeah. So then, um, they ended up getting the, you know, the, you know, accounting manager, whatever role he was in, they got him on a phone call and on the phone call was the CFO of the company, who he knew along with, I believe seven other or six other individuals. There were eight people total on the call out of the eight people on the call. The only one who was real was the victim, you know, and everyone else, it was all real time, deep fake video. So there were,
D. Mauro (27:46.478)
Unbelievable.
D. Mauro (27:56.11)
So think about, so let's break that down. So that is something that is really shocking to people because a lot of people think of deep fake as mostly audio only or pre -recorded video. But what it has evolved in the last few months and is accessible everywhere is now it's real time. So you can respond, get a live question.
Nick Mullen (28:21.475)
Mm -hmm.
D. Mauro (28:25.55)
type in the answer and have that person say it. Have that avatar say it. Right. And the avatar is based on a real person. That's the scary thing.
Nick Oles (28:26.769)
Yep.
Nick Mullen (28:29.443)
Correct. And it's, yeah, it's an avatar. That's exactly.
Nick Oles (28:33.297)
Yes.
Nick Mullen (28:37.283)
And the more picture and video there is of you, you know, on platforms like TikTok or Instagram or YouTube, the better that deep is going to be. You know, yeah. Yeah. Yeah, yeah.
Nick Oles (28:46.769)
Hehehehe.
D. Mauro (28:48.782)
I've already warned my family. Like, I'm like, if you get something, I want to verify that I said it. Right. I mean, all of us, all three of us, like whenever you are speaking or you're out there in public, then you're going to be like you're ripe for this. Right.
Nick Oles (28:51.121)
Yeah, yeah.
Nick Mullen (29:05.155)
You know, and like Nick and I have done research into it.
D. Mauro (29:07.182)
So there was out of the eight people on the call, seven of them were live deep fakes. Seven different ones. Wow.
Nick Oles (29:09.489)
Yes.
Nick Mullen (29:13.379)
Correct. So, and it was convincing enough that they got this gentleman to wire transfer the equivalent of a $25 million US into 15 different accounts over the course of 15 transactions.
Nick Oles (29:24.209)
Yeah.
D. Mauro (29:25.518)
So 15 different transactions. Think of how convinced the person was because that's a lot of work. That's a lot of, well, I don't know that this is accurate. I don't know if I should be doing this. 15 times. He thought it was accurate. Like it worked right. 100 percent.
Nick Oles (29:27.921)
That's a lot of work. Yeah.
Nick Mullen (29:33.283)
lot of work.
Nick Oles (29:33.937)
Yeah.
Nick Oles (29:40.529)
Mm -hmm. Yeah.
Nick Mullen (29:43.523)
100%. Oh yeah. I mean, so social engineering, that's, um, I mean, that's the, you know, people say it's like the oldest trick in the book. Social engineering is the oldest trick in the book. I mean, it goes all the way back to the Trojan horse. Like that, that w that was a social engineering attack. You know, they, they, they con the, you know, the city of Troy to open the gates so they could come on in.
D. Mauro (29:56.59)
Yeah. Mm -hmm.
Nick Mullen (30:07.843)
It's the same type of thing that people do now. It works. So that's why they keep doing it.
D. Mauro (30:13.838)
And for those that don't know the Trojan Horse story, we will have a history lesson linked in the show notes. But, you know, you can you can look it up. But it's it's I mean, that is really that's a really good analogy as well as the the motion detector. Nick, I like both of those.
Nick Oles (30:14.481)
Heheheheh
Nick Mullen (30:18.627)
Yeah, there we go.
Nick Mullen (30:31.427)
So Nick and I have done some research here over, you know, just trying to understand what tools and technologies are out there, you know, to help kind of prevent this. And, you know, there are companies out there that have deep fake detection platforms and tools. So Intel has a tool that they say is 90, I think 96 % effective. It detects the changes in like blood vessel.
Nick Oles (30:44.561)
Yes.
D. Mauro (30:47.95)
Correct. Yep.
Nick Mullen (30:57.603)
coloration in your face. Uh, there's another company called Sentinel, uh, Microsoft has a tool. There's another cool one called a duck, duck goose, not affiliated with any of these companies. But as far as I know, none of them can analyze video on something like a teams call or a zoom call in real time. Now they can, they can scan an image or you can upload a video or I think a duck, duck goose even has like a, an API plugin into your browser. So like you could, you could look at a YouTube video.
D. Mauro (30:57.966)
Mmm.
D. Mauro (31:07.406)
Yeah.
Nick Oles (31:11.825)
Yeah.
D. Mauro (31:14.382)
Right live.
Nick Oles (31:27.121)
Hmm.
Nick Mullen (31:27.557)
And it can give you a...
D. Mauro (31:28.142)
Oh, so they can do it post facto. So they could do it after the fact, but they can't do it live.
Nick Oles (31:31.569)
Yeah.
Nick Mullen (31:32.931)
But as usual, the technology lags behind the criminals.
Nick Oles (31:35.121)
Mm -hmm.
D. Mauro (31:36.846)
Yeah, that's a great point.
Nick Oles (31:38.961)
Yep, it's a cat and mouse game. Absolutely. Yeah. Yeah, so Dave, you kind of alluded to one of the tips and recommendations that Nick and I have kind of talked through and what we found in our research. So you mentioned like if you've warned your family about this, having like a code word with your family or a code question that you can ask this person, something like, I don't know, what's my favorite coffee or what's my favorite coffee cup or something like that. Yeah.
Nick Mullen (31:39.651)
Yeah. You know, we're always chasing. We're always chasing behind the criminal 100 percent.
D. Mauro (31:45.422)
Yeah... Holy cow...
D. Mauro (32:01.998)
Mm -hmm.
D. Mauro (32:07.214)
My family and I do it all the time. We actually do things like that. Like if some like just in social situations, like we don't want to say we have to go right now. We'll be like, hey, do you want an orange or whatever the phrase is? Like as soon as they said that, like I would love one. And then when you meet at the car or whatever, like a code word is really good. Yeah.
Nick Oles (32:15.473)
Yeah, yeah.
Nick Oles (32:20.337)
Yeah, yeah. So that's sometimes like old school technologies or practices are the best to new school attacks and techniques and things like that. So having something like that ahead of time, discussing that with your family, like Nick was saying, some of these software technologies, they'll scan images and things like that, but just paying attention to normal breathing patterns, senses of urgency, like just your standard phishing email detection.
D. Mauro (32:33.774)
Yeah.
D. Mauro (32:49.038)
Right.
Nick Oles (32:49.713)
or social engineering detection rules. Like if someone's trying to get me to do something very fast with very grave consequences, whether that be positive or negative. Like I'm gonna win the lottery if I give you this lottery ticket that I never bought. That's kind of odd, but there's a sense of urgency. There's outcomes, there's circumstances, there's repercussions if you don't do that. Being aware of that and then paying attention to things like background images. Does that make sense? Are they in the right area that they're supposed to be? Does this make sense?
D. Mauro (33:07.374)
Right. Yep.
Nick Oles (33:19.377)
based off your interactions with a person in the past, you know, and kind of just using that as like a totalitary analysis of what's going on with the situation.
D. Mauro (33:33.486)
Yeah. Can you guys elaborate the difference between phishing and business email compromise? And I apologize for defining terms, but again, a portion of our audience isn't necessarily technical. They're more business owners or brand people. So can you guys, somebody want to take a stab at that?
Nick Oles (33:48.177)
Absolutely. So I'll have a shameless plug here because I actually wrote a book on phishing right here. So I'll give you, I will get you a link for that too. So I love, I love phishing. That's kind of what I cut my teeth on in the information security world, just seeing these complex attacks all over. So phishing is really just in the cyber world, you know, it's using email messages to entice some action on a user. And whether that's click a link, download something,
D. Mauro (33:58.254)
There we go. We will have links to that in the show notes. Please.
Nick Oles (34:15.633)
provide information, sometimes even just open the email. You're trying to get as an attacker, a victim to take on some action. Business email compromise, this is a step within phishing. It's an emerging attack. The FBI is tracking this very closely because it's really wreaking havoc on these medium and small businesses. It's very effective. I cover this in my book, just the basic outline of it and some tips and tricks to catch this. But it's where...
D. Mauro (34:16.622)
Mm -hmm.
D. Mauro (34:23.694)
Right.
D. Mauro (34:39.726)
very effective.
Nick Oles (34:44.497)
An email account is compromised and then you are leveraging a trusted reputation or brand or communication that previously occurred from that compromised account to then leverage that in your attack to gain additional information or most of them are finance based. So for example, like if Nick owns a small gas station, he has a vendor that delivers gas to him every single week. I might as an attacker, compromise Nick's email account.
D. Mauro (35:08.142)
Mm -hmm.
Nick Oles (35:14.193)
then impersonating Nick, contact that gas station vendor saying, hey, I know you just delivered this or you have a gas delivery next week. I accidentally changed my bank information to a country in the Middle East or pick your country, wherever. I'm traveling for business. Can you please route this payment over here? The vendor, they see this email from Nick. It's his actual email address. So like, hey, I just talked to Nick last week.
D. Mauro (35:34.798)
I'm traveling for business or something, right?
Nick Oles (35:42.353)
I'm going to do what he says. I'm going to change this PO or this invoice and I'm going to send him the money. And then days, weeks, hours, whatever goes by, Nick tries to balance his books because he's a really good accountant and he never misses anything. He finds out, hey, I did, yeah, project management bouncer. He's not going to miss a beat. So he goes through and he sees, hey, I never got this invoice from September 1st from this gas company. I reach out to them.
D. Mauro (36:00.59)
the project management background that he's got. Keeps it all organized. All right.
Nick Oles (36:10.833)
the gas company is like, oh yeah, I paid you actually, like three months ago. And then you start to do this research, you call hopefully some consultants or some IR firm, they come in and take a look and say, actually, they routed the money to the wrong place. And oh, by the way, you probably still owe them money for that good that you received that gas. So it's an emerging, yeah.
D. Mauro (36:12.878)
Yeah.
D. Mauro (36:19.278)
Right.
D. Mauro (36:33.358)
Yeah.
Yeah, that's a great example. Yeah, it's a great example. There's one that I'm familiar with where somebody in leadership at an organization, it was an SMB, maybe two, 300 employees, but somebody from the C -suite was presenting at one of the trade shows. Right. And that was all over social media because they're proud of it. Their marketing group put that out. And then while they're gone, there was an email sent. It wasn't even from the person. They hadn't compromised the
Nick Oles (36:49.905)
Mm -hmm.
D. Mauro (37:05.134)
email account. They actually just changed like the R and the instead of an M in the name, it was an R and an N, which on the phone on somebody's phone, or even on a laptop, it looks almost identical, right? And they and they do that a lot with certain letters. So it looks almost the same. L and I, right? L and I and things like that. And they said, Hey, I'm over at this event just got here. It's going great. I'm about to go on.
Nick Oles (37:09.585)
Mm -hmm.
Nick Oles (37:20.529)
Absolutely.
D. Mauro (37:33.614)
I forgot to get this vendor paid. And it was a vendor that they used, which was also in the public domain, right? Because they were able to see, oh, they work with this pretty common vendor, right? For either whatever their service was, right? And just the only thing that was different was the wiring instructions. It had the logo on it on the invoice, everything else. And they came back and there was like 160 grand wired wrong. I mean, it's pretty...
It's pretty powerful.
Nick Mullen (38:04.195)
I saw a similar situation happen firsthand. Organization I was working with several years ago, they managed retirement plans for businesses. And so this guy, I don't remember his own name, we'll call him Jack. So Jack, he owns this construction and landscaping company, been in business for several years, has a few crews running jobs all over the county. Well, Jack got hacked.
D. Mauro (38:13.998)
Mm -hmm.
Nick Mullen (38:30.307)
Now, I don't know all the details of how or when I've got some suspicions, but basically the route that would be my guess. Yeah. So like at the root of this, though, was business email compromise, probably a little bit more. But the guy, he owned Jack's email. He got his calendar. He had a pretty good amount of his personal information. Well, one week, Jack went on vacation. And so this guy who hacked Jack.
Nick Oles (38:34.193)
Or click the link, yeah?
D. Mauro (38:35.278)
Probably you've reused a password or something, right? Like in something like that. Yep. Yep.
Nick Mullen (38:57.731)
He knew Jack was on vacation because he had access to Jack's calendar. And so Jack's, you know, he's not checking his email. He's not answering phone calls. And this guy, this criminal goes into Jack's 401k account and did a hardship withdrawal. Now his retirement plan rules said you could take out 50 % of the account's value as long as the company approved it. Well, Jack owns the company. So guess who they emailed to approve the transaction? Jack.
D. Mauro (38:59.502)
Mm -hmm. Yep.
D. Mauro (39:14.222)
I don't know.
Nick Oles (39:20.209)
Yeah.
D. Mauro (39:26.414)
Jack and he and his email was compromised so they just responded as Jack impersonating Jack and said sure yeah I approve it.
Nick Oles (39:27.921)
Mm -hmm.
Nick Mullen (39:32.611)
Yep. They responded as Jack approved. Yep. And $400 ,000 out of his personal 401k gone. Now here's the thing, say what you will about criminals. Um, but the good ones, they're not stupid. Like you, you had, you have Brett Johnson on here. Uh,
D. Mauro (39:40.078)
Oh my gosh.
D. Mauro (39:47.95)
Mm -hmm.
Nick Mullen (39:51.395)
You know, you've had them on a couple of times and Brett will tell you exactly like this is, this is all planned out in advance. And so this guy, he wasn't stupid either. Um, he didn't have them send the money into some account overseas. He had them account. He had them ACH transfer the money to an account in Wisconsin. That account.
D. Mauro (39:57.23)
Yes.
D. Mauro (40:08.558)
So it looks legit. So it looks legit.
Nick Mullen (40:11.395)
It looked legit. It was a real person because this guy also had a romance scam going on with some older woman in Wisconsin. And so he wired the money to her account. It does. Wired the money to her. She turned around and wired it to this guy overseas.
Nick Oles (40:11.697)
Hmm.
Nick Oles (40:17.393)
Heheheheh
D. Mauro (40:20.718)
It sounds like a Brett Johnson episode. It really does.
Nick Mullen (40:28.867)
Jack comes back from vacation, opens his mailbox and finds a physical confirmation notice and they're notifying him that $400 ,000 out of his retirement account. You know, he's livid. He thinks the investment company got hacked. No, Jack, you got hacked. You know, and now you're out almost half a million dollars and this type of thing happens all the time. Now,
D. Mauro (40:28.942)
Oh my gosh.
Nick Oles (40:39.441)
Mm -hmm.
D. Mauro (40:45.198)
Unbelievable.
D. Mauro (40:51.086)
Well, yeah, that's unbelievable. That's a good story. You know, the. Yeah, good.
Nick Mullen (40:54.915)
My guess was I was gonna say my guess is what happened here is, and this is what we usually see. Jack had data leaked in some breach. You know, who knows what breach, but it was probably something where he was using the same email and same password.
D. Mauro (41:01.422)
Yeah.
D. Mauro (41:05.134)
Mm -hmm.
D. Mauro (41:11.598)
Right.
Nick Mullen (41:11.811)
that he used for a lot of different things and it was enough for this criminal to get access to his email account and then the person just sat around and waited you know they waited for an email to come in about his retirement and they waited for him to go on vacation and that's what hundreds yeah
Nick Oles (41:18.641)
Mm -hmm.
Nick Oles (41:23.793)
Yep, yep, they've got a pool. Yeah.
D. Mauro (41:26.542)
because they may be targeting hundreds or thousands of potential targets and they're waiting for something to pop up that could wait for them. Yeah, unbelievable, right.
Nick Oles (41:34.545)
Mm -hmm.
Nick Mullen (41:34.659)
That's exactly it. They want to find a loose thread. And when they find it, they start pulling. And if things start coming loose, they're going to keep pulling and see what unravels. And that's, like, you see that on the dark web a lot. Nick and I have been trying to get more proactive about helping people identify those loose threads when they pop up on the dark web, you know, and you actively monitoring individuals in your organization, like,
people in your C -suite, anybody with elevated or administrative privileges to certain data or systems, or anybody that can grant those privileges, people that have access to financial control systems, and just knowing that, hey, all your data was just exposed in this breach, basically letting them know that blood's in the water.
Nick Oles (42:21.521)
Mm -hmm.
Nick Mullen (42:26.595)
because you know if you can give them that notification that hey you you just had a lot of information about you leaked on the dark web which is where these criminals search to find their victims yeah you can at least react yeah
Nick Oles (42:31.857)
Mm -hmm.
Nick Oles (42:36.593)
Yeah.
D. Mauro (42:37.454)
Well, then you can head it off at the pass, so to speak. You can get there beforehand and bolster those their defenses, their awareness ahead of time.
Nick Oles (42:40.337)
Mm -hmm.
Nick Mullen (42:46.339)
You know, and it's crazy. Like everybody I talk to, they're like, oh yeah, I've got dark web monitoring through my bank. Well, how many people use it?
Nick Oles (42:50.001)
Yeah.
Mm -hmm. Yeah, exactly. Yeah.
D. Mauro (42:55.566)
Yeah, and how many people decipher what it really means? And what are they monitoring too? Like, right? I mean, the dark web, I mean, a lot of what's happening is in the forums, it's in the talks chatter. It's not where the dark web tools are, right?
Nick Mullen (42:58.819)
Yeah, you don't know what it means. Right, you have no idea.
Nick Oles (43:07.792)
Mm -hmm.
Nick Mullen (43:14.018)
I just uncovered something a couple of weeks ago where, and I'm sure Nick knows what I'm talking about here, there was a guy who was on one of the breach forms and leaked a very large file full of clear text, usernames and passwords, a few million of them. And I went in and looked at the file and I mean, it's legit. I was able to validate it with a couple of folks that I know who run some of those organizations and it...
D. Mauro (43:24.494)
Hmm.
Nick Oles (43:26.065)
Mm -hmm.
Nick Oles (43:41.105)
Yeah, and I'm sorry, go ahead, Dave. So I wanted to add a little bit because Nick, you were kind of like teasing this out in your story. So I've had, you know, I've responded to a lot of business email compromise and, you know, I've got a few things that I look for when I'm starting one of these cases. But one of the interesting things that I always ask for is a list of outlook rules on the compromised account. And I had.
Nick Mullen (43:42.531)
It was real. Very scary.
D. Mauro (43:47.118)
Well, no, no, go ahead. I mean.
Nick Oles (44:05.585)
Yeah, so I'll tell the story about the rules and then I've got some tips to catch this. So we had this individual, one of those people that is very adamant, very meticulous about their mailbox. Like every message goes into a folder. They don't have any, there's two kinds of people, they keep everything in the inbox and then there's a person that keeps nothing in the inbox, that filters everything out and thinks everyone else is crazy that does the other way. But anyway, we had this person that did that, very meticulous, never miss an email, file it away in the right way.
D. Mauro (44:07.15)
Excellent. That's what I wanted to get into. Like what can organizations do? This is a great point.
D. Mauro (44:30.83)
Right.
Nick Oles (44:33.425)
And their email account got compromised. It was a business email compromise. We had a vendor that they wired money and were looking at it. So we took a look at their email rules and we saw that she had three rules. The first rule was for anything invoice related. The second rule was anything payment related. And the third rule was to forward it to this external Gmail account. So she, her email box, any time...
that a message had the subject, let me reiterate that the subject, had invoice or payment, it would immediately send that to an external email account and delete the message from her inbox. So if someone contacted this individual and said, hey, I'm at this gas station company, I need to send you this invoice for processing, here you go, they never saw it. It went straight to this external account, the attacker was monitoring this external account, that way they don't have to log in to 50, 100,
D. Mauro (45:36.686)
I was going to ask the obvious question for listeners and that or viewers and that is, is that a good practice or a bad practice, generally speaking? Oh, that was the attackers. Okay.
Nick Oles (45:38.065)
Well, that was the attackers. That was the attackers practice. So yeah, so instead of the attacker logging in and monitoring this mailbox every single day, they just had to monitor this. Yes, they created this rule. They had to monitor this external email account that the user had no idea about. And then the user of this external email account would just get emails here and there from all their different compromised accounts because they would create this rule on all of the accounts that they had.
D. Mauro (45:52.91)
Oh, they created the rules. Oh.
Nick Oles (46:06.417)
they had owned. And then they would see, oh, OK, Nick's gas station, they just got an email about an invoice. Let me hop back into their account, take a look at what's going on, look through all their messages. Who do I need to impersonate? Who do I need to attack? Stuff like that. And the user had no idea. So the two things that I think are the biggest, the first place I look on these is external logins. So I would take a look at what IP addresses are you logging in from to access your email account.
D. Mauro (46:26.958)
Unbelievable. So what are what are business owners supposed to do? What are people supposed to do? Like.
Nick Oles (46:35.825)
Sometimes that's super easy. You know, if the people, I'll just say Wisconsin, cause that was brought up earlier or Indiana. Like if they always work out of Indiana and I see a login from Saudi Arabia or, you know, New Mexico or somewhere out in the world, I'm like, Hey, that doesn't make sense. This person's always in the Midwest. Maybe they traveled, maybe they got a VPN. I don't know, but that doesn't make sense. Does it line up with their business hours? Do they work eight to five and someone's logging in at 2 a .m.
D. Mauro (46:59.982)
Right.
Nick Oles (47:01.937)
because oh, by the way, that's a time zone in this other country that this person's not in. So that's the first thing I look at. If you can, I would restrict logins to a geographic location that you can control or that makes sense for you. And I get it, that's hard. If you're an international company, you can't do that. But some small businesses, you're not international. So you don't have to worry about that. So you can restrict where people can log in from. You can also generate alerts if people log in from abnormal places. The other biggest indicator, and you touched a little bit on this, David,
is external tagging. So you talked a little bit about some domain impersonation or manipulation to get someone to view the domain and think it's the trusted domain. Well, if you can do email tagging, external email tagging in almost all the major platforms, it will say, hey, I work at Nick's gas station. It's nickscastation .com. Anything that doesn't come from nickscastation .com is going to be tagged external. And it's going to have an ext in the subject or in the body message.
D. Mauro (47:44.334)
Mm -hmm.
Nick Oles (48:00.945)
And if right off the bat, so if it's Nick's gas station with two S's or something like that, but it says EXT, you know, that's going to raise a flag. Cause I'm like, wait a second, Nick's right down the hall. Why is he, why is this email external? This doesn't make sense. And you know, they're not foolproof, but it's going to help you. It's going to give you indicators that help you identify suspicious activity. And yeah, both of those solutions are, are free. Absolutely.
D. Mauro (48:04.622)
Right. We see that a lot. And I think that's good. It alerts the recipient.
Nick Mullen (48:29.987)
and it's free.
D. Mauro (48:32.718)
Yep.
Nick Oles (48:34.161)
Yeah.
D. Mauro (48:35.662)
Well, so is creating an AI policy. I mean, you can even have AI write the first draft, right? Like, I mean, there's almost no reason not to do these things for an organization. Well, what do you think the hesitation is, like in people kind of addressing some of these, you know, concepts of deepfake? Is it still, I think, Nick Mullen, I think you said it right off the bat, and that they still don't think it's going to apply to them.
Nick Mullen (49:06.243)
Yeah, I mean, everybody thinks that somebody else is the target until they become the target. And then it's, you know, but it's a lot of, well, you know, maybe I should have done this, maybe I should have done that. You know, it's it's easy to see all these other things that are happening out in the wild. And.
D. Mauro (49:10.094)
Right. Yeah.
Nick Mullen (49:22.755)
and assume, particularly if you're a small business or even like a mid market that people aren't gonna come after me, they're gonna come after Bank of America. Well, Bank of America has hundreds or thousands of people on their security team, like their security budget is in the hundreds of millions.
D. Mauro (49:26.094)
Mm -hmm.
D. Mauro (49:33.358)
Right.
Nick Mullen (49:43.331)
Why would they go after Bank of America when they can come after you? So it's really, people have the exact wrong idea about the way that criminals target their victims. You're not looking for the toughest victim. Yeah.
D. Mauro (49:47.598)
Right.
D. Mauro (49:55.79)
Absolutely. There's a lot of value, right? There's a lot of value. A small mid -sized business has customer list data invoicing information on the employees. It could have it could be you could be used to log or launch from your systems to a larger target. Right. If you're a distributor for Toyota, they could use you to get in there and meanwhile destroy you. There's a whole bunch of reasons.
Nick Oles (49:58.833)
Mm -hmm.
Nick Mullen (50:23.235)
100%. And think about how much easier it is to go in and, you know, send a fraudulent invoice or, you know, or, or send some sort of, you know, scam email and, and socially engineer somebody into paying you. Think about how much easier that is than ransomware. Yeah. Night and day, you know,
D. Mauro (50:30.702)
Mm -hmm.
Nick Oles (50:34.897)
Mm -hmm.
D. Mauro (50:40.878)
Oh yeah, absolutely. Right. There's also thread jacking as we wrap up. I know we're coming up by the hour, but thread jacking is has gotten a lot of press lately and it's not anything new, but it's it's one of those components that appeals to people's curiosity. Can one of you guys want to explain what that is?
Nick Mullen (51:02.691)
Yeah, so I can talk a little bit about that. So it's basically, you'll insert yourself into an existing ongoing email. And so like, let's say that, you know, David, you and I are emailing back and forth. All of a sudden, you know, Nick pops up on this email.
And he maybe drops a link in the middle of that email to say, hey, click here. And so it's an existing email or existing thread. And you just pop in and then add in a link or drop in an attachment. And all of a sudden, 100%. And now all of a sudden, the person clicks on that. And that's how they launch the attack. So you can get people to install malware that way. Yeah.
D. Mauro (51:27.214)
Mm -hmm.
Nick Oles (51:29.808)
Mm -hmm.
D. Mauro (51:34.862)
that's relevant to what we're talking about, right? Yeah.
D. Mauro (51:42.99)
That's how they launch it. Yeah, yeah. And it appeals like if yeah, like if you're in management or if you're a a line employee somewhere, right. And all of a sudden you start to see the CFO and the CEO talking about something or maybe I heard of one instance where somebody was seeing like the CFO and the CEO communicating by email.
they were BCC'd or they were CC'd on the email along with several other people and they just thought, oh, they mistakenly put me on here, but I'm going to keep reading because they're talking about potential layoffs. And then at one point they sent the list. What they said was the list of who they're laying off. Guess what? Like people were clicking on that and downloading and opening up and it was malware, remote access, Trojan, whatever it was. Right.
Nick Oles (52:17.233)
Mm -hmm.
Nick Mullen (52:20.515)
Yeah.
Nick Mullen (52:24.355)
Yep.
Nick Mullen (52:29.955)
Mm -hmm.
Nick Mullen (52:33.891)
Yeah.
Nick Oles (52:37.713)
Mm -hmm. Yeah.
Nick Mullen (52:39.971)
And like everybody's got that email that they were copying on by mistake. And then, you know, and then five minutes later, this, yeah, the sender sends this frantic email, delete this, don't read it. Like everybody reads it, you know, because we're curious. And so they're playing to your curiosity, trying to get you to click the link, open the attachment.
Nick Oles (52:43.409)
Yep, yep.
D. Mauro (52:44.782)
Yep, we can all relate to it.
D. Mauro (52:50.574)
Right.
Yeah. Yeah.
D. Mauro (53:00.462)
Isn't that like digital baiting, right? Like back in the old day, like I say back in the old days, but like there's always the stories where people would litter USB drives in like the common area, in the kitchen area with like a label on there that says like, oh, Q4 whatever, or like, you know, pick bonuses, right? Or something like that. And someone's like, I want to check that out. But it's really just a social engineering attempt.
Nick Oles (53:03.025)
Yeah.
Nick Oles (53:10.993)
bonuses. Yep. Yep.
Nick Mullen (53:26.211)
Yeah, there was a.
D. Mauro (53:26.958)
And this is like the digital form of it. It's like, well, now that we're working remotely, let's just do it by email and then we'll drop the link in there and get somebody to click.
Nick Mullen (53:36.739)
You know, one thing before we close up here, though, like that still happens because it.
D. Mauro (53:41.998)
Oh yeah.
Nick Mullen (53:43.363)
People, I think that in this digital age, like we've forgotten that, you know, there's only a certain percentage of our users in our organization, but their primary means of communicating with, you know, the outside world is email. There are a lot of people that, you know, that basically the way that they communicate with clients or customers or whoever, it's via phone or it's via person. You know, so if you're a healthcare system, you know, or a hospital, you may only have 10 % of the people in that hospital that they're
D. Mauro (53:56.558)
Right.
D. Mauro (54:04.846)
All right.
Yep.
Nick Mullen (54:13.317)
means of communication is via email. There's a lot of people picking up the phone. There's a lot of people seeing people in person. There was the baiting example you gave here a second ago. There was a police department.
D. Mauro (54:17.806)
Right.
Nick Mullen (54:27.043)
that got owned here within the last couple of years because some police sergeant was walking through the parking lot. And like, how bold is that? You're going to you're going to USB bait a police department. Well, this guy picked it up and plugged it right into his work laptop. And all of a sudden, now they had the police department. They shut down emergency services and held the police department ransom because of that exact scenario. You know, as long as these tactics keep working, people are still do it.
D. Mauro (54:27.31)
Mm.
Nick Oles (54:45.777)
Mm -hmm.
D. Mauro (54:47.534)
Unbelievable.
D. Mauro (54:53.358)
Unbelievable. So best practices, what do we recommend? Top five best practices. Nick Oles. What should, talking to the SMBs, because the enterprise groups have teams that are responsible for that, but most organizations that are struggling.
Nick Oles (55:04.785)
Yeah. So, so my first thing out the gate is patching. So work on, on patching. So I know it's difficult, the larger organization gets, but, but have a solid patching process or policy or just game plan, you know, just come up with what, what are your critical assets? What are going to have the biggest impact to your business? What are the, you know, the most stable assets or the least stable assets and factor that into how you're going to, you're going to patch things because they shouldn't, it's not a, you know, one patch fixes everything and that, that never works for anyone.
D. Mauro (55:16.11)
Hmm.
Nick Oles (55:34.353)
So if I was going to focus on one thing out the gate, it would be patching. The second thing would be asset inventory, just knowing what you have in your environment.
D. Mauro (55:48.302)
Yeah, so many struggle with that, right? Because they're always getting new things. Different people are bringing BYOD devices, Internet of Things devices, all this stuff.
Nick Oles (55:50.257)
Yeah, so just understanding where it is, you know, what operating system you have so that way you know, you know, when there's a new heartbleed or there's a new vulnerability that's going wild, do I even have that in my environment? Can I take it off the environment? Can I protect myself? What not. The next biggest thing, I'm a fishing guy, so I got to cover fishing. So training your employees the right way. So, you know, identifying.
D. Mauro (56:16.782)
Yep.
Nick Oles (56:17.777)
And it has been, you know, that's one thing, you know, if you went back in time 20 years ago, people were phishing and they were getting into organizations through phishing messages, through emails and links. And here we are in 2024. People are still getting into organizations through phishing links and attachments. So training your users, you know, like I learned a lot of things on videos, but I'm not a great learner through videos of how to detect phishing emails. What I would learn really good from is someone standing up in front of the organization, taking phishing messages that have been sent to our organization.
D. Mauro (56:19.662)
Everybody thinks they can spot one, yet it's the number one tactic. Right? Yeah.
Nick Oles (56:47.505)
breaking them down or teaching me what made this suspicious based off attacks that I've actually seen in my organization. So I'm a big component of actually identifying risks associated with phishing and mitigating that. The fourth thing is using your tools wisely. I think a lot of people dive into some of these commercial off -the -shelf tools to fix problems that they haven't really identified all their problems for.
D. Mauro (57:01.838)
Mm -hmm.
Nick Oles (57:14.641)
when they could maybe have gotten a solution with an open source tool. So identify what your problems are, start with an open source tool, use that to its capacity, and then look at a commercial tool, which we do the exact opposite. Most people are like, I got to solve this problem, kind of, or I need this new XDR, MDR, SOAR cloud security product because everyone else has it, or I read an article about it. Let's buy it, set it up. And then you realize, oh, you could have mitigated this by something else, or something in -house, or something free, or you had a...
D. Mauro (57:32.526)
Excellent.
Nick Oles (57:43.345)
you know, a side project for a.
Absolutely. And then my last thing, you know, leveraging my incident response background is just setting up good logging and verifying your logging. So when you have an incident, you know, that's the worst time to verify that your log records are accurate and working and you're getting data from all the right sources. So look at, you know, all the devices in your environment. You know, I can, I can almost guarantee you've got a router, you've got a firewall. Hopefully you've got some sort of endpoint device, whether that's like a Windows system or a Unix system, like that's all generating log information.
D. Mauro (57:48.878)
Right.
There's a lot of really good open source tools out there.
Nick Oles (58:15.825)
Where are you putting that? How are you collecting that? How long are you storing it for? And then how often are you verifying that? Are you logging in and taking a look at your, if you've got a log management server or a SIM or not, maybe you're just logging into some devices and saying, hey, I've got 30 days on this device. I don't have a budget. Maybe that's good enough. Everyone varies, but during an incident, when things are going on, that's the worst time to check that.
D. Mauro (58:32.558)
All right.
D. Mauro (58:44.43)
That's fantastic. Yeah.
Yeah, that's really good. Nick Mullen, give us your top five or maybe top three if they differ in priority or list than Mr. Oles.
Nick Oles (58:58.417)
That's a good one. Yeah.
Nick Mullen (58:59.171)
All right, so no specific priority here, but the easiest one, MFA. If you don't, MFA is not expensive. Yeah.
D. Mauro (59:01.998)
Okay, good. That's fair.
Nick Oles (59:02.161)
Hahaha!
D. Mauro (59:05.934)
Ah, yeah. Well, there's like 20. So that's why I'm, I'm, I've kind of decided I want to ask because sometimes we forget we get to the top of the hour and then we rush off. And I'm like, I want to, I want people to hear kind of what you guys in the field are seeing what you see, you know, as, as a best practice. So MFA absolutely critical.
Nick Mullen (59:27.267)
Yeah, and I like authenticator apps. UB keys work well, but yeah, authenticator apps work really well. And along with MFA, I would say kind of a close second there is use a password manager. Like don't just write all your passwords on a sheet of paper. Don't keep them all on a spreadsheet. Don't use the same one for everything. Password managers are cheap.
D. Mauro (59:30.158)
Yeah, me too. Yep.
D. Mauro (59:41.614)
Mm -hmm.
D. Mauro (59:51.022)
browsers? How about keeping them in like the Google password manager? I get asked that a lot.
Nick Mullen (59:54.947)
It's not a not a great practice, in my opinion. The same thing with our credit card numbers.
D. Mauro (01:00:01.422)
Why is, I understand not keeping your credit card numbers in your browser. That please, if listeners are doing that, please don't do that. So if they're not using any type of password manager, is it bad for them to do it? And what's the risk generally?
Nick Mullen (01:00:17.219)
It's better than nothing. But I mean, if let's say that this actually happened a couple of years ago when when open AI first came out, there were a lot of fake open AI plugins that people were downloading for their browsers. And so they thought they were getting this open AI plugin. What they were actually getting was malware and your. It capture everything. 100 percent. So so if you've got all those passwords saved in your browser.
D. Mauro (01:00:30.67)
Right.
D. Mauro (01:00:35.118)
Right, that would go and capture all of that because it's all in the same system. Yeah.
Nick Mullen (01:00:45.027)
then you're opening yourself up to that type of attack and you're making yourself vulnerable where you otherwise wouldn't need to be.
D. Mauro (01:00:47.886)
Right. You may be OK if so long as you don't make other mistakes. But if you do, then that is a harvest land for for criminals to to attack. And there's a lot of really good password managers out there. Yeah. Yep.
Nick Mullen (01:00:56.963)
correct.
Nick Oles (01:00:59.793)
Mm -hmm.
Nick Mullen (01:01:03.267)
Yeah, yeah, for sure. And most of them are free, or at least they have a free version. I guess I would say incident response, like have an IR plan and have some sort of business continuity in place.
D. Mauro (01:01:09.806)
great advice.
Nick Oles (01:01:13.393)
Yeah.
D. Mauro (01:01:18.062)
I'm a big fan of that and doing tabletop exercises. I mean, in school, we all did it. We all had fire drills. Like, why would you not do it for your brand? Like everything, you know, like.
Nick Oles (01:01:18.865)
Yeah.
Nick Mullen (01:01:22.403)
Yeah.
Yep, 100%.
The worst time to be figuring out what to do is in the heat of the moment. You should have a plan in place. I'll give a plug for my friend, Maria Christina Hayden. She runs a company called OutFoxum. You should have her on, she's phenomenal. And she runs tabletop exercises for big companies and teaches them, here's what this looks like, here's how you should respond.
D. Mauro (01:01:33.838)
Yeah.
D. Mauro (01:01:49.838)
Oh, that's great.
Nick Mullen (01:01:56.515)
I highly recommend that anyone who, you know, if you've got an organization where you make a pretty decent amount of money, you should definitely have an IR plan. Even if you don't make a lot of money, you should at least have a, you know, a business continuity or disaster recovery plan that way you know what you're going to do when things hit the fan. Last two here, good policy and process. So,
D. Mauro (01:02:12.974)
Right.
D. Mauro (01:02:18.798)
Mm.
Nick Mullen (01:02:20.035)
Security policy and security process should be easy to understand and easy to follow. If you make your security policy hard to understand and hard to follow, then people are going to do the wrong things. Like you should always make always make doing the right thing the easy thing.
D. Mauro (01:02:30.99)
Great that is great advice. That's great advice, right? Yeah, what I like about you two guys Can I just say this from because I interview a lot of people and in my day job I interview a lot of people but I will tell you like you guys really make it relatable and you're not like you're like look There's open source things and you really are good at explaining it. I mean, that's kind of the whole Magic to it right is really understanding the business impact of it
Nick Oles (01:02:32.273)
Thank you.
Nick Oles (01:02:51.601)
Yeah, thanks. Thank you, David.
Heheheheh
Nick Mullen (01:03:00.771)
I appreciate that. I mean, it's the perk of being a dummy is that, you know, you got to figure it out for yourself. So, yeah.
Nick Oles (01:03:01.329)
Yeah.
D. Mauro (01:03:02.126)
That's really good.
D. Mauro (01:03:06.542)
That's the way I look at it. I'm like, I'm just too dumb to be afraid. So I just like, let's just learn about this.
Nick Mullen (01:03:12.867)
So my last one, this actually, this is going to go right back to what we were just talking about. My last tip, understand what your human attack surface really is. So it...
D. Mauro (01:03:22.158)
Oh, the human attack service. Oh, very good.
Nick Mullen (01:03:25.219)
Yeah, like understand like how the people that work at your company, how do they interact with the outside world? Because that's where they're going to be vulnerable is, you know, is when they're dealing with people outside of the wire. So if you're somebody that operates, you know, if you're a call center company and you know, out of the thousand people that work for you, 950 of them are on the phone all day, then your attack surface is mostly voice.
D. Mauro (01:03:33.006)
Oh, that's really good.
D. Mauro (01:03:40.462)
Mm -hmm.
Nick Mullen (01:03:49.603)
You know, that's how people are coming in. And so you should implement controls and tools and technologies to protect people where they are. And the same thing goes back to, you know, awareness training and education. If if the same security training that you give everyone every year is focused around phishing, you know, which is great. But if 95 percent of your company doesn't do a lot of business over email, then.
D. Mauro (01:04:01.71)
Really?
Nick Oles (01:04:12.081)
Mm -hmm.
Yeah.
D. Mauro (01:04:15.47)
Right.
Nick Mullen (01:04:16.067)
It's not really applicable to most of them. So like you need to like meet people where they are and understand the roles that they have. 100. Yeah.
D. Mauro (01:04:20.878)
Right. Maybe baiting is more maybe physical baiting, right? Or maybe social engineering voice. Like maybe just have a like so many times I find like if they just had a policy in place where I can't wire things or I can't email confidential information or all of the employees W2 information without verifying a layer or two above me. Like if you just have the policy in place and let everybody know this is clear, this is.
Nick Oles (01:04:36.593)
Mm -hmm.
D. Mauro (01:04:49.87)
we have to follow this, a lot of the stuff could be completely avoided.
Nick Mullen (01:04:53.859)
And there are tools out there for voice.
D. Mauro (01:04:57.582)
Mm -hmm.
Nick Mullen (01:04:58.051)
There's one called color verify that integrates with Okta and whatever your ticketing system is. So if I call in, like let's say I'm the, it's the MGM attack. If I, if I call into the help desk and say, you know, I'm Joe Schmo, I'm, you know, the whatever admin here, they click a, an authenticate button and it's going to kick me off a one -time pen to the Okta verify app. And if you're an Okta user, you know, the, the pain comes right up in the app. I give them the number and they have to input that right number before they can ever open up the rest of that console.
D. Mauro (01:05:01.55)
Hmm.
D. Mauro (01:05:07.374)
Right.
D. Mauro (01:05:24.174)
All right.
Nick Mullen (01:05:28.005)
to work the ticket with me. There are other tools, it's super slick. There's another tool that I've demoed recently and basically what they do is they'll detect a spoofed call and so that's another really common tactic is people will call and they'll say, you know, hey, I'm David and they'll call from a spoofed phone number that looks like yours.
D. Mauro (01:05:31.054)
That's really good. Yeah.
Nick Oles (01:05:40.241)
Yeah. Yep.
D. Mauro (01:05:48.27)
Right. The email will like the phone number will come up as a co -worker or as your boss, even though it's not. It's just a spoof. You can do that easily.
Nick Mullen (01:05:52.675)
As you. Yeah.
And so basically what they'll do is, you know, on the voice over IP, you can detect where the IP originated from. And so we'll say, hey, this is a.
The phone number is Indianapolis, Indiana, and this originated from Iran. This is a spoof phone number and you can set up rules on how you want to deal with that. Either you can just send the call into the abyss where nobody ever picks it up, you know, or you can send it to a special team that handles suspicious, you know, or suspected fraud calls. And so, you know, you basically, you're, you're setting up those tools again, to meet your employees where they are and help them with the deal with the problems that they're really going to face on a day -to -day basis. So.
D. Mauro (01:06:25.934)
Right.
Nick Mullen (01:06:35.685)
Yeah, mapping that human attack surface and implementing controls in kind.
Nick Oles (01:06:41.073)
Hahaha.
D. Mauro (01:06:41.166)
That's fantastic. Really good insight, guys. That was really, really good. This will not be the last time we have you guys on. Just letting you know ahead of time. Like that was really good because I have a feeling that cybercrime is going to continue to be a big thing. So I have a feeling like there's going to be more stories for us to talk about in the weeks and months to follow. So thank you both so much. We'll have links to both of your causes, companies.
Nick Oles (01:06:49.937)
Yeah.
Nick Mullen (01:07:03.427)
for sure.
D. Mauro (01:07:10.734)
your social media, your book, all of that in the show notes. We encourage everybody to check this out. You will get great insight in a very relatable way. So, excellent discussion, guys. I appreciate you being here.
Nick Oles (01:07:16.849)
Yeah. Yeah, thanks for having us.
Nick Mullen (01:07:25.411)
Yeah, thanks so much for having us.
D. Mauro (01:07:27.214)
Thanks guys.