How industry and individuals can protect themselves online

Cybersecurity experts and IT departments warn us about it, but how seriously do we really take our online security? More time online means more time at risk…or does it? Host Maria Vinca speaks with Derek Manky, Chief of Security Insights & Global Threat Alliances for Fortinet, about the dangers of doing business in our hyper-connected world and the ways in which industry is fighting back against cybercrime and fraud. Maria also explores a personal story of fraud firsthand with Digital Cyber Crimes Investigator Steve Wilson, who shares tips on how to protect ourselves online.
“When we think about the impact of victims, we talk about cyber fraud, I mean, it can be everything from as minor as not getting the product you ordered and in other cases, it can be much more substantial.”
– Steve Wilson, Digital Cyber Crimes Investigator


Highlights
11:07- Societal Impact
11:45- Cyber Attacks
Transcript – Episode 3
SARAH
My husband passed away 11 years ago. And after two years, I wanted to go back to date someone, and I was ready to find love again. And so that’s why I went on match.com.
MARIA VINCA
It’s a common story, looking for love online. But this woman we’re calling Sarah (that’s not her real name) got more than she bargained for when she tried online dating. These past couple of years, more than ever, we’ve been living our lives from behind a screen; it’s literally become a lifeline for some of us. All of this increased time online, though, has unfortunately meant that we’re also at an increased risk of cyber fraud. This is a problem for us, and not just as individuals: businesses, institutions, healthcare providers, and basically any entity or person with an online presence needs to be wary of cybercrime. Still, the online world is here to stay. So, what really matters is how we adapt to it, or make it adapt to us.
Hi, I’m Maria Vinca and this is Fireweed, a podcast from the British Columbia Institute of Technology. Now, as some of you may know, fireweed is the very first plant to grow back after a forest fire. Bright pink and incredibly resilient, it carpets the hills and mountains of the whole Cascadian region, where I’m lucky enough to live. Inspired by the resilience of this small flower, on this show we explore stories of human resilience and meet people who’ve adapted their lives, either by choice or as a means of survival.
Let’s get back to Sarah. Can you describe the person that you met on Match?
SARAH
He had a military uniform on [and] his profile had just [the] same things that I was interested to, like walking, dancing, reading. He was also a widow. So that too, he has one son and I have two girls. So, we both have the same similar situation. And he was stationed in Afghanistan, but was from Ghana. And he just catch my eyes.
MARIA VINCA
He wasn’t any of these things. He was actually a group of 10 or 15 men in Ghana, working out of an internet cafe, operating a sophisticated scam on Sarah. In hindsight, the signs of fraud were there. But at the time, Sarah believed she was falling in love. So, what was he like?
SARAH
He said I’m beautiful, he said also, that he sees the future with me together that he would like to come to Canada and with his son, and we have a family together. And he was so romantic. And after a few weeks, I felt the connection and I was falling in love with him.
MARIA VINCA
Can you tell me about the first time that he asked you for money?
SARAH
In the beginning [it] was a normal conversation, what we are doing, what he’s doing in Afghanistan, and we went on from there. After a few times he started, you know, [saying] that he missed me. And then suddenly he comes and said, his son needs a computer, but he cannot send money from Afghanistan. In the end, I did send him the money for the computer.
MARIA VINCA
Mmhmm, so did that seem strange to you at the time?
SARAH
I was thinking no, that’s not right that I sent him money. But in the end, I did it anyway. So I went on away with my head than my gut feelings, and because I was in love with him.
MARIA VINCA
That was the beginning. What followed was six months of him making promises, canceling plans, and Sarah sending him money. You were pretty private about your relationship with him. Did you tell anyone that you were sending him money?
SARAH
I think I was ashamed to tell anybody or if they judge me about that I did send money and maybe too that I didn’t want to lose him. That’s why I did send him money. In total, it was $600,000.
MARIA VINCA
That’s right. $600,000 over just a few months. It may sound unbelievable, but it happens. It happens to smart people and web savvy people. It happens because let’s face it, we’re all vulnerable when we trust someone, and what’s life without trust?
Steve Wilson is the Director of the Center for Digital Transformation at BCIT. And he happens to study fraud and financial crimes. So I asked him, just how common is something like what happened to Sarah?
STEVE WILSON
Oh, you know, it’s very common. In fact, if you look at recently, the stats with the Canadian Anti-Fraud Centre, I think in February of this year, they said that they were seeing a large increase in romance scams. And they said that at that point that it was about $18.5 million over the past year that they’ve seen Canadians losing. But in reality, we know that from experience that typically only about 5% of people actually report the fact that they’ve been scammed or victim. So that dollar amount that loss is much higher than that probably $370 to $500 million, is probably a more realistic figure. It used to be traditionally we would see older people won’t say, you know, 40 plus, they were victims of online dating scams. And basically, because they are at that point in their life where maybe they were looking to settle down, or they’re looking to get into a new relationship. But now because of COVID. And there’s so much more many more people online right now. We’re seeing the scams are right across. There’s no defined group of people as from younger generation, all the way up into seniors.
MARIA VINCA
And these are sophisticated operations, we’re talking about really tailored attacks. In Sarah’s case, they created a fake profile of her dream partner based on her profile, her preferences and various other online sources. The scammers were organized, technically savvy, and highly motivated. Steve, it seems like we’re hearing about this stuff more and more. So why is that?
STEVE WILSON
I think the big reason that we’re hearing more about is the fact that everybody’s online, COVID. Now we’ve got remote working, we’ve got you know, people that used to go to nightclubs are now having to do pretty much everything about their lives online at this point. So we’re hearing more about it. So, you when you think about online, particularly when you think about different types of scams or even dating sites, for example, you have to remember that when you think about scammers, they’re tying into people’s emotional reactions, emotional ties. So there’s less of a tendency for people to do the due diligence, and a lot of people will just jump right into it. If you think about a general scam, where they’re purchasing products online, not doing a lot of background check and reading reviews. Whereas if it’s online dating and they could be an absolute perfect match and decide just to kind of fall right in headfirst, and the scammers take advantage of that, particularly with COVID. Now with everybody being online, understanding more how you’re interacting with being online, how that’s affecting you, as far as like you think about purchasing products through Amazon, for example, the one click purchase, it’s so quick to do that. We think about online dating for example. Do you know how to do a proper background check on some the due diligence are you doing that? So it’s really really important to be aware of that and then obviously it’s a trust issue as well. We want to make sure that it’s really important not to trust everybody online, or to give out a lot of personal information. Traditionally, with any type of scam we always say if it sounds too good to be true, it probably is.
MARIA VINCA
So clearly, as we adapt our lives to be online more, we also have to adapt our online behavior to be more guarded. How unromantic. And the truth is, even if you are careful online, the things around you aren’t. Most of your devices, like your home assistant, your phone, and even your car, are connected to the Internet, and therefore vulnerable to attack. And that can make you vulnerable. It’s not all bad news though. Cybersecurity is a growing industry, both here in BC and schools up and down the Cascadia corridor. People are working hard on this problem. Yoshi Kohno is the professor who teaches the students about the potential security risks associated with the Internet of Things. Essentially, he’s teaching them how to stay ahead of the bad guys.
YOSHI KOHNO
With my students at the University of Washington, what we try to do is we try to understand the risks with future technologies. And we can proactively figure out ways of defending against those risks.
MARIA VINCA
Yoshi and his students have become well known for testing and exposing the vulnerabilities in cars and other everyday objects.
YOSHI KOHNO
In the first phase of our experiments we focused on what might an unauthorized party be able to do if they could somehow connect their own computer to the car’s internal computer networks. They could forcibly engage the brakes, they can disengage the brakes, they can turn on the lights, they can turn off all the lights, they could change the information that was being displayed on the dash. And these are just some examples. The second phase of that work, we asked the question, how might an unauthorized party gain the ability to communicate over the car’s internal computer network? Our car actually had in it a built-in cell phone. We developed the ability to call our car’s phone number, play the appropriate tone to switch to the inbound modem, play additional modem tones to bypass an authentication vulnerability, play additional modem tones to compromise a security vulnerability on the car software to basically load our own software onto the car remotely. And this is without ever physically touching the car.
MARIA VINCA
This meant that Yoshi and his students were able to take control of the car from a totally separate location. Creepy right?
You’re listening to Fireweed, a podcast from BCIT, exploring adaptation and resilience in a world that frankly demands it. Got a story to share with us? Email us at fireweed@bcit.ca.
So, quick recap: on an individual level, you have to be careful with what you do online, just as Sarah. Plus, as Yoshi’s students showed, you also need to think about those things around you. And if they are vulnerable to hackers, and where possible, adjust your security settings. But what about the vulnerability of the organizations and systems around us that keep us safe and allow us to thrive? Cybercrime doesn’t just impact us as individuals. Companies, institutions, cities, transit networks, and healthcare systems have all been subject to cyber attacks. And in the past couple of years, the frequency of these attacks has gone way up. Meet Derek Manky, Chief of Security Insights and Global Threat Analysis at Fortinet. I asked him to talk about some of the ways companies and larger organizations get attacked.
DEREK MANKY
Ransomware is by far the most common type of malware that we see out there. Big payments that are happening right now in the industry targeted ransom attacks, it’s a big issue. Originally, it was just a broad attack, trying to encrypt data on systems and asking for $500 to $2,000 back to restore access to that data. Nowadays, it’s changed especially over the last two years, instead of going after a high-volume attack. So a lot of targets, they’re going after deep pockets targeted big companies actually crippling their revenue streams. So taking operations offline, they know they’re bleeding more than the ransom demand that they have in place. You know, we’ve seen ransom demands that up to $5 to $10 million US, as an example. And unfortunately, some organizations are forced hand and they’re paying these ransoms.
MARIA VINCA
So Derek, what are the impacts of these attacks?
DEREK MANKY
Oh, the impact is massive when it comes to these attacks. I mean, we’re talking about, especially in the public sector, services that are going down. So it has a direct impact to society, you know, at the organization level, literally digital systems that are taken offline. We’ve literally seen companies go back to the Stone Age, in a sense, right? Going back to phone calls and paper-based systems and forms, because you know, their online systems are just not operating. And that obviously leads to what we call a denial of service. It leads to millions of dollars of revenue being bled. In worst cases we see these attacks going after hospitals and health care, and that actually puts human lives directly in impact.
MARIA VINCA
It seems like we hear about these kinds of attacks all the time in the news. So why aren’t we able to stay ahead of them?
DEREK MANKY
We’re seeing over 100 billion attacks a day that are happening, that’s not million, but billion attacks. That is huge volume, literally is information overload and it comes down to that proverbial, ‘how do you find the needle in the haystack?’ when it comes to trying to find the big players here and trace cybercrime. And so it really is a compound problem. We are trying to address this of course by collaborating different industry initiatives that we’re doing, but also leveraging technologies on the good side, like machine learning and artificial intelligence. These are a critical part in our way to trace and fight cybercrime.
MARIA VINCA
Derek told me that while it’s great we have things like AI and machine learning on our side, when it comes to fighting cybercrime, it still really boils down to people and their habits.
DEREK MANKY
I like to start with the humans first, they’re always the weakest link in the chain. So education is key when it comes to preparing ourselves for these attacks. Earn trust model, right? If someone is contacting you unsolicited. Just make sure that they are who they say they are. If it’s a friend, or if it’s even your boss or another employee, give them a call. Use things like multifactor authentication as an example. It’s very important to keep your software patched and up to date. That’s the way that you can close those attack holes that cyber criminals are using. And then of course, it’s also very important to put security technology things like antivirus scanning and having proper security inspection on your machines to look for these attacks. Again, there’s no silver bullet, but it’s a multi-pronged approach.
MARIA VINCA
The impacts of cybercrime and fraud can be devastating for businesses and individuals.
STEVE WILSON
When we think about the impact of victims, we talk about cyber fraud. I mean it can be everything from as minor as not getting the product you’ve ordered. So in other cases, it can be much more substantial. When we think about romance scams, for example, you could be hundreds of hundreds of dollars of losses, you’ll never ever see any of that recovered. But there are victims who become suicidal, because they just feel that they could have gone through something life altering, trying to get into a new relationship, for example, now they’ve lost all this money that they’re never going to recover. And now they’re destitute. You know, when I talk to a lot of people that have been victims of various types of scams online, particularly recently, after the fact, they always come back to say, you know what, I thought something didn’t seem right, or all that was just too good of a deal. Or, you know, it’s my gut was telling me that, that I shouldn’t have done it. Listen to that a little bit.
MARIA VINCA
Sarah lost her life savings, but somehow managed to keep her house and pay her bills. She knows she’s one of the lucky ones, she’s become a lot more careful online with everything she does. And she encourages anyone who thinks they might be in a similar situation to her to reach out for help.
SARAH
Just be careful. Please reach out to a good friend or the police and get advice, please don’t send money in any way. I mean, I know what I have to look for now. I went back to dating site and I have to say 60% were real. I just hope if my story I could help someone who is at the moment in the same boat that I was. Make the right decision and get help.
STEVE WILSON
Sarah has been absolutely phenomenal. When we think about the fact that what she’s been through over the past couple of years, moving beyond that. And now coming to a point where she’s willing to talk about her story. It’s so important to talk about what’s happened. And that’s one of the reasons we continue to hear these types of victimization is because no one talks about it. And it’s really, really important to get out there and share your story. And I know it’s not easy, and there are people out there that don’t understand how this could possibly happen to you. But there are an awful lot of people that continue to be victims of online or cyber frauds and romance scams. So it’s really, really important to get out there and talk about it and like I’ve said to Sarah, even if it prevents one person from becoming a victim, or if there’s numerous people that had that gut feeling that something’s not right. And finally reach out to a family member or friend and say, this is what I’ve been up to online. And what do you think just to kind of get that additional piece of advice.
MARIA VINCA
You’ve been listening to Fireweed, a podcast from the British Columbia Institute of Technology. I’m Maria Vinca. We’re unearthing stories of modern day resilience and how groups and individuals are adapting to our current context. Got a great story of adaptation to share with us? Reach out at fireweed@bcit.ca or send us a DM on Instagram @lifeatbcit. Thanks for listening.