During cybersecurity awareness month, we are showcasing several podcasts on security and privacy issues. In this podcast, Protiviti Managing Director Michael Lyons shares a personal experience with, and an in-depth analysis of, a sophisticated phishing scam. How can companies protect themselves against increasingly elaborate phishing attempts and other malicious actions? Listen to the story at the link below. Full transcript follows.
Podcast Transcript – Cybersecurity Hits Home
October 7, 2020
Kevin Donahue: Hello, this is Kevin Donahue with Protviti, welcoming you to a new edition of Powerful Insights and our continuing series on cybersecurity awareness. This series is intended to highlight ways organizations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximizing value. In this series, I’m talking to our cybersecurity leaders who are in the market working with organizations addressing these challenges.
In this episode, I had the pleasure of speaking with Michael Lyons, a managing director with our Security and Privacy practice, based in Tampa, Florida. Michael not only shares great insights on the work he’s doing with retail and telecommunications companies, but he also shares his recent personal experience with what could’ve been a costly phishing scam. Michael, thanks for joining me today.
Michael Lyons: Thanks, Kevin.
Kevin Donahue: Let me ask you my first question here. How would your parents describe what you do for a living?
Michael Lyons: In talking to my parents, they probably would say, “He racks up Delta Sky miles and Marriott rewards points more than anyone else, but they have no clue what he does doing it,” but really, they understand I work in security, but they’re just not too tech-savvy. An episode of CSI might be appropriate for what they think I do, but the reality is definitely not there, but if they think my work is as exciting as a television show, I’ll let them go with that.
Kevin Donahue: That’s funny because, of course, this year, at least, those frequent-flyer miles and hotel points have not been really racking up the way they usually do, I’m sure.
Michael Lyons: It’s been challenging. I was really excited – I think the happiest email I received this year was when both Delta and Marriott said they would extend my status through next year, but I do miss it a little bit. However, when you normally spend 75% and 95% of time on the road, it’s been great being at home these last six to seven months trying to make the best of a difficult situation.
Kevin Donahue: For sure, and I’m sure that’s been an interesting change for you. Michael, you are focused on specializing in security privacy within the retail and telecommunications industry, helping them with security-related issues. How did you happen to develop expertise in those areas?
Michael Lyons: With the retail industry, it’s actually kind of a product of my career as it’s evolved. I began working in credit card and debit card processing for a company called WorldPay in 2003 or 2004 – somewhere around there. I spent eight to ten years gaining expertise in that, and as such, I migrated naturally into securing debit and credit card networks or the payment card industry network.
From there, you see a majority of retailers accepting credit cards, having to naturally secure consumer credit card payments, and it was a quick transition for me. Once I started working with a few retailers doing PCI work and doing security work there, they talked to their friends, acquisitions would occur, and such and such with now, I think, a majority of my portfolio and the clients that I work with are either in the retail industry or in the flip side, the telco side.
The telecommunication side had a very similar story about eight to ten years ago: I started looking at cellular networks and securing telephony and telephone transmission networks, and from there it’s grown – the telecommunications industry is a small industry. One person says something to another, and lo and behold, this experience that I have natively grew, and I now work primarily in retail and telecommunications, and I’ve enjoyed working in both industries.
Kevin Donahue: That’s great, Michael, because I would imagine, as in most industries, having specific knowledge of security issues in retail or in telecommunications is beneficial just because of the unique challenges in each of them.
Michael Lyons: Each one brings different perspectives that you need to factor. For example, when you work at the retail client, there is a sort of interaction with the consumer that they have – and not to say that telco doesn’t have this, but the interaction between online transaction versus a mobile transaction versus an in-person transaction, there are all kinds of different mechanisms, and retail has had a challenging couple of years. The consumer in-person experience tends to transition to more of an e-commerce experience – how do you engage, how do you retain, how do you maintain loyalty?
All along the way, as you collect data, and as you learn more and you try to interact more with the customers, and technology advances and allows you to do that, you have to secure all this data. You are gaining trust with your customers and building trust, and as such, they expect you to treat their data and their information with a sensitive nature – and, like any of us, would want all of our information that we provided, to be locked up so that others can’t get it.
Kevin Donahue: Now, Michael, I want to change gears here a little bit. You recently experienced a phishing scam.
Michael Lyons: Yes.
Kevin Donahue: So, why don’t you share a bit about what happened there?
Michael Lyons: Yes. So, it’s actually the first time I think I’ve ever been part of a serious phishing scam, and I’ve educated a lot of my clients over the years in security – both my family and friends – on awareness. In fact, my wife is the security-awareness manager for a technology company. You can imagine our dinner conversations are not the most exciting, but we do talk shop quite a bit.
We recently were purchasing a home, and two days before the purchase of our home, we received an email that we were what’s called cleared to close. Once we received this email, the next step is a wire transfer that is performed to the title company so that the funds are in the account; you can sign all the paperwork, and they can disperse to the relevant parties. Well, on this night that we received our clear to close, the next morning, I woke up, and at approximately eight o’clock in the morning, I had a follow-up email from the group, the title company, our realtor, all the folks that were on this clear to close, stating that it’s time to wire money.
Normally, you would do it a couple days later, but if we want to do it a little bit early, just let us know, and they’d be happy to provide this information. Thinking through this, and after dealing with buying a home for 30 days and just wanting everything to be over with, I replied with this email: “Sure, send over the instructions.” The instructions were sent over to me, and upon opening them up, it’s just a word document with no headers or footers or anything, just routing information, and it looks a little bit odd. Given my wife’s career and my career, we always said when it came to wiring this money, we would actually call our title company and confirm the wire instructions when we did this.
So, upon calling our title company, they informed us they never sent an email out at all. They would never email these wiring instructions, which we were not surprised to hear, and so we started digging in at that point and looking as to what had happened.
Kevin Donahue: That’s truly scary, Michael, considering that was something that you dreamed – essentially, a current transaction you were working on with your home. So, what essentially happened is, hackers accessed those communications, that information, as it was ongoing?
Michael Lyons: It’s perfect, you know. It’s such a great phishing. Great is not a good word – it was so well done, though. These attackers were targeted. They knew right when to interject themselves, so they are somewhere listening either on the title company’s network, the realtor’s network or my network, because they knew exactly when to insert their fake email.
As we go through what happened with this fake email that we received, and as you start comparing the emails, the night before – on, I think it was a Thursday night, the email had all the standard items you would expect from an email. If you actually click on the person’s name and look at the email, it looks like the title company’s email, it looks like my realtor’s email.
But the next morning, once we started digging in after calling them, the email itself, once you clicked on the name, which appeared to be our title company, behind that was a “closing@gmail.com” account – “closing.process@gmail.com.” Closing was spelled wrong. The signature – they changed one number for the title company person’s signature so that if I were to call that number, it would be them impersonating the title company, telling me and confirming the wire transfer information.
You know, one of the steps that we always tell people is, if someone sends you something and you’re a little bit concerned about it on an email or wiring instructions – in this instance, the title company – I didn’t call the number in the email, because all of that can be faked. I actually went out to the internet, or went to our title company paperwork, looked at the actual number, and then called from there. Had I not done that, I would’ve called a fake email number that they could’ve told me, “No, that’s us. Go ahead and send the information over.” It was a very well thought-out threat and attack that occurred, and they knew right when to inject themselves. They even actually copied the prior email language and dialogue moments that we’ve had to make it seem more real.
Kevin Donahue: So, Michael, you’ve touched on a lot of these already, but I did want to ask you, just to get a straightforward rundown from you, what are some things that people should look out for in terms of a potential scam or potential hacking? What are some of the red flags they need to look out for? I imagine a Gmail address is one of them.
Michael Lyons: Yes. If you get a Gmail address from a title company after working with an address, it’s kind of like our Protiviti.com – “Whatevertitlecompany.com.” If it is Gmail, that’s one. What’s interesting though, is, in this moment, you are hurrying – there’s so much that goes on, especially when you’re closing a home. I happened to look at it on my phone. I didn’t even open it up on a personal computer, where the screen is a little bit bigger and things can look a little bit more odd. Just hurrying through on your phone was a mistake that I didn’t quite make, but when I actually started looking at this – or, actually I did make a mistake, but when I started looking at it on my computer, there are things that jump out to you.
So, I would tell people, “As you go through, when you start getting aware of this, slow down. Take your time, watch out for how different and how compressed information can look on your phone,” because clearly, when you open up this email on a computer, there’s a lot more you could see. All of a sudden, you can tell things are out of alignment, the colors are different, the fonts are different, the logos look different, and those are ways that you can start making determinations.
Like I said, my wife and I, doing what we did, we knew were going to call our title company, so while we had to be vigilant for this, we always knew through our security-awareness trainings that we’ve gone through at our organizations in the industry, we were going to perform a task that required money but actually had us going out calling the numbers that we found from an independent source, such as the documents we’ve been collecting and things like that, not from this phishing email, to ensure that we were safe and secure and had the right process for doing this.
Kevin Donahue: It’s interesting, Michael. I was talking to my wife the other day and saying I seem to get a bogus, a scam, email purportedly from Amazon every one to two weeks. I’ve learned to disregard it because I don’t communicate with Amazon by email, and, like you said, usually don’t know significant companies/vendors who do that, but one of my tricks is, I look for typographical or grammatical errors. I’ve never found a scam email that is perfectly written.
Michael Lyons: Yes, that is perfect. You are 100% right. Once you dug into this email, it was very clear and very evident that this was a scam. Again, shame on me – as I said, you’re doing a million things and we’re coordinating the closing and we’ve got work that needs to get done, you got last-minute fixes and things like that. Checking it on your phone and quick-scanning through an email, it’s easy to miss that.
So, what they did was, the address, when it popped up in my email on my phone, it said from the girl’s name of the title company that we were working with. The subject line, it had the RE: and then the same subject line that we’ve been using – it was very well done and very well thought-out. I do understand and keep looking for those errors, and keep being vigilant, I think that’s a great thing that you’re doing, and I would tell you, read the emails very carefully when you’re not expecting it or when it comes to a big transaction to make sure that you’re doing what’s right.
Kevin Donahue: Yes. We talked about this recent experience, how it’s affected yourself, your family. How do you think it changes how you approach your working with clients?
Michael Lyons: Yes, that’s a great question, and throughout the process, we’ve talked about security awareness with our clients, but truly reinforcing that, there a couple of things that you need to do. One of the items in security that we talk about is defense in depth. There are multiple ways to secure a network. You level encryption out there to secure data, you only grant access to people to what they need to do to perform their jobs. You put firewalls that only allow traffic in and out, and I think the approach that I would take for this is much like everything else: being aware that there are multiple things you can do before performing a transaction or a function to ensure that it’s legitimate.
The biggest thing that we did was, the biggest moment in this transaction is the wiring, and we always said ahead of time, going back weeks, wire fraud could be prevalent. It’s something that could happen very easily. There are scams that have been going around for this particular fraud for a long time. We were aware – we knew about it – and we put a plan in place. Our plan was, no matter what, when I’m responding to whoever this is on the other end of this email, telling him, “Yes, send me the instructions,” none of that really matters, because I had a plan in place to go out to an independent area, get the number, talk to our title company people, confirm everything.
What I would put to our clients and everyone is, whatever the most important aspects – the most important data, the most important process, the most important areas – if you have a plan in place for securing them, you put multiple safeguards in place, you can thwart bad actors trying to perform bad things inside your network to your employees, to your friends, to your family. I would say, getting ahead of this – identifying what the most important thing is and having a plan in place – is what I would pass along at a high level to all of our clients.
Kevin Donahue: Michael, going back to the companies you work with, what’s the one question you think you’re asked most often by these companies regarding security awareness, and how do you answer that?
Michael Lyons: The question I get asked most often is, in the concept of security, you’re only as strong as the weakest link. When it comes to awareness, there are things like annual training that needs to occur. Well, I just need one person to potentially click on that link if we do simulated phishing or things like that. So, the question that I often get is, how do you stop that one person? In most phishing examples, there’s never 100% nobody clicked on the link. There’s always one person – especially in larger companies, you get 10,000 people doing that, you’ll have somebody who clicks, and it goes back to being vigilant about your awareness, continuing monitoring your program, seeing education and progress, knowing that this year, we had 5%, the next year, we had 3%, the next year, we had 1% – so, movement in that right direction, adding in all those defensive controls, those other things that you can do.
And continuing to, from the top down, reinforce our customers, our data, our security, is very important to this culture. We take it seriously. You should take it seriously – you should do this training, you should be aware, you should be vigilant. Don’t be afraid; don’t hold the door open for someone who’s trying to enter the building that doesn’t have a badge. All those things are ways that you can increase and promote awareness and answer that one question: “How do I keep that one person from clicking that link that could potentially expose my network?”
Kevin Donahue: This has been a great conversation, Michael. I just wanted to run a couple more questions by you. First, with respect to the broader field of security awareness and privacy and such, what are you most curious about right now?
Michael Lyons: I’m fascinated right now with the concept of California’s data protection laws and the GDPR and the consumer becoming more aware of how much data is being grabbed from them. You’re seeing a lot more discussions very casually among people when they mention some of the large social media sites, some of the large platforms, some of the large news sites, and the level of data that is being captured in your interactions with them.
I was laughing the other day because my wife and I we’re talking about something completely random – I can’t remember what it was. Let’s say it’s ski gear, and two days later, she was on her phone and an advertisement came up for some ski gear that she was talking about. We live in Florida. There should not be a lot of ski gear advertisements for people in Florida. She just made the comment about, “Huh, I wonder if this was just coincidental?” – which we both don’t think it is.
I think for me, when it comes to awareness, it’s the evolution of people, and as they become more aware of how much of their lives are online and how much is tracked online and how much awareness of what people are getting online and what you share online, too, through these social media areas, I think that, to me, is one of the most intriguing. It’s going to be what people overall do, and how they become more aware.
And you take someone like my grandmother, who is completely clueless as to what’s going on, you take someone like myself, who has worked in this field, who’s lived in the evolution, revolution, of technology, and then take someone like my two- or three-year-old niece – potentially, when she starts reaching an age where she’s working on a network, the awareness of all the data will be native to her. There’s no education. She knows this. So, that’s what I’m intrigued by – the consumer, and people, becoming more aware of their online profiles, their online data.
Kevin Donahue: Last question for you, and maybe it relates to what you just described: What do the next five to 10 years look like in your view? What do you see as changing, emerging, that organizations should be aware of?
Michael Lyons: For the organization, the attackers are just having more data to work with. They’re having more entry points to work with. For companies, I would tell them, while data right now, I think, is leading in terms of everybody wants data, they want to build these profiles, they want to be able to learn more about you and create a better experience, organizations just need to be really careful about all this data they’re capturing, and do you need it? What are your retention policies? How do you delete this data? How do you store? What is the consent?
All of that, to me, is what, over the next five to 10 years, I think is going to really ratchet up in all aspects, whether it’s a social media profile, whether it is a retail transaction, whether it is a contract or financial transaction, whether it’s real estate. However it’s being done, as we move toward these, organizations need to understand in the next five to 10 years, there is just going to be this amazing amount of data they have, and what is their social responsibility and obligation to their consumer and to the folks at the end of this data that they’ve grabbed in terms of securing it, leveraging it, using it and how long they actually need it. I think that’s going to continue to evolve over the next five to 10 years.
When it comes to people as we go through this, I do think you’re starting to see a little bit of this where, what is truly real news coming in from the internet? What is coming into my feed, that is mapped with data they have for something that I might click on versus something that I won’t click on? And it goes back to the comment I made earlier about that online profile and this data that we have about ourselves that companies are storing, and how we interact with these companies and organizations.
To wrap up, five to 10 years from now, data is going to continue to be just a massive resource to companies, to organizations and to attackers. Be aware of the data that’s out there. Be aware of how long you need this data. Be aware of why you’re keeping this data. Be aware of who’s keeping what data, and how you can secure and protect and harden this data.
Kevin Donahue: Great insights, Michael – a pleasure speaking with you today. Thanks for joining me.
Michael Lyons: Thanks. Appreciate you having me today.
Kevin Donahue: Thank you for listening today. For more insights from Protiviti on cybersecurity issues, challenges and best practices, please visit protiviti.com/security. I also encourage you to subscribe to our Powerful Insights podcast series wherever you find your podcast content.