How to combat cyber-crime during EOFY

Shanna: All right, so thanks to everybody for joining. My name is Shanna. I’m the content specialist here at Eftsure and we’re joined today by Peter Price. He’s the CEO of Crimestoppers New South Wales. He’s twice been awarded the Order of Australia. So obviously he has deep expertise in this area and we’re really keen to explore what he understands. Find out some good tips to take back to your team and, figure out what’s going on during this time of year, because it is a riskier time of year for reasons we’ll get into. And let me just go ahead and explain what the structure of our discussion will look like. First we’ll be getting into a snapshot of the threat landscape, as well as some more background on Peter and where he’s coming from and where his expertise comes from. We’ll also be getting into the economics of crime, we’ll be looking at organised cybercrime and Peter will also be explaining some of the practical things that leaders can do to protect themselves and protect their organisations. So thank you again for watching. We know that it is a busy time of year during the financial year, but we think that half of defence is awareness.

So it’s really great that everybody’s taking the time to listen to Peter’s expertise in this area. So just really fast, we just wanted to share what we’ve seen here at Eftsure with our own customer base. We’ve seen a three and a half times increase in fraud attempts over the past nine weeks. So that spike could be due to a number of different reasons. The first is, of course, end of financial year. Historically, this is a time where scammers are trying to take advantage of the additional deadlines reporting admin as well as historically, anytime there is economic volatility or headwinds, we do see scammers ramping up their efforts.

And then lastly, if you joined our webinar in April, you’ll know that data breaches and stolen data, like those that happened with Medibank, Latitude Financial Optus, those can sometimes fuel additional scams because there’s simply more stolen data floating around the dark web. So, now that we’ve given you a picture of what things look like currently and why things are a little bit risky right now, let’s talk a little bit more about who is Peter Price. So, Peter, I understand that you are at the highest levels of law enforcement, but you are not a cop. So can you tell us how that works and what that looks like?

Peter: Thanks, Shanna. And good morning. Good afternoon, good evening. Wherever you’re joining us from, it’s very nice to have you with us and it’s my absolute pleasure to be here to assist with providing you some insights here. Look, my background is a bit unusual. My background is in advertising. I come from a creative background and, as I said, working for eight agencies in Johannesburg, London and Sydney. And then some time ago, the agency I was with was doing some work for asked to do some work for New South Wales police in the area of crime prevention. And that campaign led to a 72% drop in car park crime, and that was in the late 90s, early 2000s. As a result of that, I was invited to attend the meeting of the Board of Crime Stoppers here in New South Wales and was approached to join that board. Shortly thereafter, took over as their Chair and then took over the Chairman of Crimestoppers Australia and then the Vice President of Crimestoppers International. So my job in terms of working with Crimestoppers has been to work very closely with the affiliated law enforcement agencies and the affiliated agencies.

For example, at Crimestoppers International, its affiliated police agency is Interpol. For Crimestoppers. Australia, it’s the Australian Federal Police. And for New South Wales. It’s obviously New South Wales police. Crime Stoppers itself is actually the largest single-policing brand in Australia. And one of the things that I created in Australia was to sort of create the national brand of Crimestoppers in Australia. In terms of working with Interpol, the FBI, and the United Nations. I have given talks at the UN. I’ve worked very closely with the FBI out of Washington DC, on fugitive apprehension campaigns.
And probably the largest fugitive campaign we worked with was with Interpol called Operation Infrared. So when you watch a movie and you see that someone is given, they’ve issued a red notice, it means that they’re a wanted person by Interpol. So Interpol has different coloured notices and a red notice is a wanted notice. So I spearheaded the public relations campaign, public engagement campaign for Operation Infrared. We had 150 global fugitives. These are hardcore criminals, not terrorists. And out of that 150, Crimestoppers had a remit to basically try and apprehend 25 of them. And so I did all of the public-facing engagement.

Shanna: Okay, amazing. So clearly you’ve mentioned that creative background, and this is clearly a non-traditional kind of approach. So you’re kind of coming at things from a different angle, it sounds like. So on that note, I think that’s a good transition into looking at an area that I think will be really relevant for primarily a financial audience who’s probably tuning in, just understanding the economics of crime. What have you observed about those coming from that very different perspective? What have you seen about the economics of crime? What should we know?

Peter: Look, I think it’s fair to say that other than things like rape and assault, basically, crime is very much financially motivated. And in that respect, it’s all about basically moving money from the haves to the haves not. This is basically like a Robin Hood scenario. You should not be under any illusion. We are at war. We are at war. We are at war with organised crime. And they have ways of working around us. And the reason why they can be so effective in working around us is because law enforcement and government agencies work in a typical, what I call command and control environment. So it’s very much a vertical structure. Somebody at the top basically makes a decision and everybody below their hierarchy. Their role is to essentially deliver that activity. When it comes to organised crime, they don’t have that kind of command-and-control environment. They don’t work like that at all. In fact, they are forced to work in a very creative environment where they have to basically find new ideas and new ways to perpetrate their crime and basically stay one step ahead of law enforcement every day.

When it comes to financial crimes, at the end of the day, this is about manipulating behaviour because holding on to some dollars is a person, either a consumer or someone in an accounts payable department, who basically has access to holding on to those funds and then letting those funds go. Their primary objective is to essentially manipulate that behaviour. From a crime prevention perspective, what we have to do is we also have to manipulate behaviour, but in a positive effect. We have to manipulate behaviour so that the people on our side of the fence don’t get manipulated by the people on the other side of the fence. It’s fair to say that the people who are perpetrating these crimes are not 14-year-old kids sitting in a hoodie in the back of someone’s garage. This is organised crime. These guys are running a business, turns over hundreds of millions, if not billions of dollars a year. As you can imagine, managing that kind of money is a huge undertaking.

What they do is they basically play a game of cat and mouse with us. For example, let’s say Procter and Gamble or Kellogg’s wanted to introduce a new product into the market, they would create the product and then they would market test that product. They would test the advertising, they would test the product, they would test the efficacy of the product and eventually they basically have a formula which works. And when they’ve got their formula that works, then they launch it to the market. And organised crime does exactly the same thing. They will test messages whether by SMS or email and they will test them until they get a result.
Of course, when they do that, they are securing huge sums of money, huge, hundreds of millions of dollars. And that kind of money needs to be laundered. You can’t just put in a suitcase. And so organised crime is traditionally involved in a number of different businesses to launder that money. Most businesses that are cash intensive, things like bakeries, laundromats, things like that, coffee shops. The interesting thing is that just the other day Europol basically managed to completely disrupt organised crime networks in Italy and Spain with significant risks and all they were doing is basically laundering money. But these people are sophisticated people. These are business bankers, accountants, and lawyers. These are people who understand how transnational crime needs to be undertaken and how money is moved across borders.

Shanna: Wow, that’s frustrating because it sounds like they have all of the advantages of a large organisation but without any of the restraints. They are operating with scale of resources but then they don’t have a lot of the same red tape or barriers that I’m sure a lot of people listening are very familiar with. If they’ve ever worked in a complex organisation or an organisation with geographically dispersed teams or different markets, I guess focusing a little bit more on that transnational element that you mentioned. Can you talk a little bit more about that? I think it’s interesting to understand how and why they operate and how they kind of overcome those silos and those barriers. I’d really like to hear more about that international element. How does that work?

Peter: Well, I think what we’re talking about here is we’re talking about the transfer of money. You need to understand the banking system. But when you look at the macro environment that we’re operating in so here you can see on the slide you’ve got you and your company. And if you look at the top left-hand side, say 11:00 O’clock, you can see here you’ve got organised crime groups who are basically perpetrating various crimes and then taking that money and reinvesting it in other investments in order to clean that money. And they work in that cycle where they basically attack your company, they get the money and they reinvest it, they clean it and then they keep moving on. This is their lifecycle, their daily lifecycle. If you then look further down at 07:00 O’clock on the slide, you’ve got large corporates and banks and basically their job is to help protect your company from being attacked as well as intervene in what they call unusual behaviour. They’re using technology to look at how they look at predictive analytics, for example. This company normally pays these suppliers, all of a sudden there’s something new in there. How do they analyse and pick up on that unpredictable behaviour?

If you turn your eye to 05:00 O’clock on the screen, you’ve got the state and federal government agencies and of course, their job is to continue to reinvest in the environment and the infrastructure to protect the landscape. And within that, you’ve basically got the police and border force and AFP, and the FBI and they’re all involved there and they’re all trying to basically disrupt these criminal networks.

And then at 02:00 O’clock you’ve got the individual criminal there. And here we’re talking about people who are perpetrating crimes literally out of someone’s garage or out of their house. And what’s happening is, every time that they are successful, we are basically reinforcing their success. Every time that they basically make an attack, and they get a customer who’s basically been extorted, that encourages other people to basically participate on online attacks. And so, what we’ve got to do is we’ve got to try and shut these people down, we got to try our best to not make them successful. As that explains it.

Shanna: Yeah, definitely. I think though, that a lot of this, the complexity, the different ways that they’re operating, it does seem disconcerting simply because technology and how dependent we are on digital ways of working seems like it adds a whole other element to this that can be a real challenge for legitimate organisations. So on that note, it would be really good to maybe get into organised crime, cybercrime, the relationship that those have and what that means for all of this.

Peter: Sure, look, I think, as I mentioned before, so we talk about it as serious organised crime in our circles. It’s also known as S.O.C. And the thing to remember is, as I mentioned earlier, we’re talking about huge amounts of money and so these organisations are set up like conventional businesses, so they run like conventional businesses, they recruit like conventional businesses, people take leave just like any other business, except the business they are dealing in is in crime. Crime is their business. But make no mistake, it’s a business. And so from that level, they actually have a hierarchy, they have management, they have incentives and things like that. What they’re doing is undertaking crime, but they’re using the Internet as a facilitator of organised crime and the Internet is actually the enabler. So they are getting in drugs, weapons, human trafficking, organs, and financial crimes. All of these things are basically conducted over the Internet. And this is an environment where basically there are no guardrails. So we entered into the world of the Internet, web one, web two and there were no guardrails. There are no policies or procedures. Everything’s done retrospectively. And I think it’s important to understand that in government agencies who create policies like the Attorney General’s Department, DOJ in America, policy is generally retrospective in nature.

You can’t create a policy for something that doesn’t exist. So normally something exists, and you see the way that it operates and you go, okay, so what we need is this tech is now available. We need a policy or a guideline or regulation to help basically civil society find their way around that. And we’re trying to do this through Web 3.0, which is going to be the metaverse, Crimestoppers and the police are working very closely with an organisation called the Responsible Metaverse Alliance. And feel free to look them up online. They’re not-for-profit. The founder of RMA is one of the leading people in AI in the world. And what we’re trying to do here is we’re trying to understand this landscape before it becomes everyday usage. And that if this is going to be a landscape where civil society is going to conduct business and engage, we want to make sure that there are guardrails there. The only issue that we have is that this environment is online, which means it doesn’t have a physical jurisdiction, which means that the police themselves don’t have jurisdiction. They can only have jurisdiction in a physical jurisdiction, but in an Internet, which is basically worldwide, that basically transcends jurisdictions, the cops basically don’t have a jurisdiction. So we’re looking at basically installing guardrails in that environment and hopefully, that’ll be a more safe place for people to conduct their online business.

Shanna: That sounds comforting because it feels promising to hear that guardrails are being designed into part of the web rather than this wild west kind of structure that we’ve had for so long. And I think that that really paints a strong picture of the macro circumstances and the actual overall landscape. But I’m sure one thing that leaders are probably asking themselves, hearing about the challenges of having to build those guardrails from the ground up and for policymakers and law enforcement to kind of always be trying to stay ahead of technological advancements that change how crime can even be committed. I think leaders might be asking themselves, how does this affect their team? What can they do to kind of protect themselves from these circumstances? And that kind of, I think, maybe takes us into some of the practical defence that I think it would be really good to get into. So, Peter, what should leaders be thinking about? What should they be taking back to their own organisations? What should they be taking away from today?

Peter: This is a good question and I think you mentioned the word team. At the end of the day, this is about people. At the end of the day, it’s people who are trying to steal from other people. And when we look at cybersecurity and whether it’s transacted online or it’s actually a crime that’s basically perpetrated in the real world, it’s basically all by people. And so what we need to do is we need to make sure that our people are well armed and well prepared and not easily manipulated, because a lot of this is around manipulating the crooks, basically manipulating their target audience. And in this particular area, end of financial year, you’ve got people working long hours, they’re getting reports out, there’s a staff in accounts payable environment, there’s a routine that they work in and the routine is part of the guardrails that actually keeps that department on the straight and narrow. The routine is what actually keeps it going. However, sometimes that routine can create some level of monotony and can get people to actually lose concentration. I think what we need to do is when they lose concentration, it’s easy to fall prey to a cybercrime predator.

And so what we need to do is we need to interrupt that routine. When we say interrupt the routine, it’s not only at the end of the financial year, it’s throughout the year. So how can you keep a place sort of on the straight and narrow, but still continue to freshen it up every day? I think what happens is we need to understand that the scams and the methodologies used by organised crime to basically remove money out of your companies to a large degree, is based on tried and tested scams. So they have fine-tuned their skills quite significantly. We need to keep accounts payable staff trained. And the interesting thing is that we come from a civil society, we’re used to being polite. Yes, no, thank you, please, etc. We’re not used to hanging the phone up on people. That’s considered rude in our culture. Right? We kind of need to change the way that our staff operate within those AP environments, and we need to shift their attitude to understanding that they can quite easily become essentially victims of these perpetrators. What we need to do is, if I use an example, when you get into the car, we all learn how to drive a car.

We also know that we need to use and wear a seatbelt. When you’re sitting behind your desk in an AP environment. Your seatbelt is actually the delete key on your computer. So that is your first line of defence. Literally press the button, okay? Because if you just delete the email, then you’ve got no problem. And if you accidentally delete an email, that’s a genuine email, I promise you, they’ll call you or they’ll email you again. The other thing is the phone. Now, the phone is very easy to basically get manipulated on the phone. A lot of the time, basically, the phone rings and you go, Hi, it’s Peter speaking. And what they do is the first thing they try and do is they’re going to try and create empathy with you. Now, you’ve just opened the door because you’ve just told them your first name. So they go, oh, hi, Peter, this is Jane and I’m from XYZ. And they try to create empathy with you. Your job, be rude and hang up the phone.

I know it’s a hard pill to swallow, but it definitely helps. These are things, what I call sort of cyber hygiene tips. And I think that what we have to do is we have to basically interrupt the monotony by doing these two simple things. Press the delete key, hang up the phone.

Shanna: Amazing. That’s really good, simple, practical advice. And my understanding is that Crimestoppers New South Wales created the first-ever cyber awareness campaign. You had a cyber education campaign that you ran nationally. Since a lot of this is about awareness and training staff, and feel free to reiterate some of the themes from before, but what would you say were some of the big lessons that you took from that Crimestoppers Cyber educational campaign?

Peter: I think what we need to do is we need to sort of dumb down the language, okay? So, the jargon, we need to make it simple. I don’t like to refer to sort of cybercrime as such because cybercrime is a crime, basically facilitated over the internet, but it’s basically fraud and theft, bottom line, right? When we’re talking about disrupting the routine and the monotony within the environment, this is about accounts payable department talking to marketing, talking to the IT department and going, look, what we need to do is we need to change up our environment here. Let’s introduce on a regular basis some new screen savers onto the system, right? So maybe every other Monday morning a different screen saver comes on. And this is about creatively getting people to be aware about become a victim of a cyberattack, maybe looking at putting up posters around the office, putting up posters on the back of the toilet cubicle doors. These are simple messages that are it’s all basically internal marketing to help protect the people within that company and then importantly, to empower the staff to actually ask questions.

Shanna: Awesome. Kind of on that note, a lot of this is relevant to frontline staff being targeted by scammers and cybercriminals, but my understanding is that there are some financial leaders who are targeted as well. It’s not just the frontline staff. What should they be aware of there?

Peter: When we’re talking about significant sums of money basically being moved transnationally or internationally, there’s a lot of skills and knowledge and know-how that’s required. Sometimes what happens is CFOs, senior people within accounting firms, etc, become unwitting accomplices within the organised crime environment. And I’ll explain how that works. Let’s just say someone from an outdoor motorbike gang, motorcycle gang comes in one day, asks for an appointment, walks in and says, listen, I need to move $50,000 from Sydney to Bangkok. Can you help me do it? Sure, I can help you do it. We can move the 50 grand. And so you move the 50 grand and a couple of weeks later he comes back and goes, look, I’ve actually got $500,000 I need to move now. And by the way, here’s an envelope. And in the envelope is $5,000 in cash. Why don’t you take yourself and your family away for a weekend? Or in the envelope is two first class around the world aeroplane tickets. And you’re going, okay, fine, no problem. All you did was basically push some buttons on a computer and the money left, right? So what harm was created there?

Well, a lot of harm was created, but what happens is you go from becoming an unworking accomplice to becoming a regular accomplice. And the problem here is that now you’re basically trapped. You’re trapped in the system, and you can’t really get out. And this is where an organisation like Crimestoppers can basically help you to get out of that routine. Because when you report to Crimestoppers, you do not need to give your details. You can report information about a financial crime or any crime. It doesn’t matter how big or small it is. If you’re an unwitting encompass and you want to get out of it, and you basically want to share the information with law enforcement, you can only do that in complete confidence with Crimestoppers. This is the phone number. You can go to the website. The phone number is completely we don’t have caller ID. We can’t trace the number. It’s confidential reporting in perpetuity. If you go online and report online, it’s completely encrypted. So that way, if you know something about a criminal organisation and you want to refer them to law enforcement without actually putting yourself in harm’s way, then this is a way that you can do it.

Shanna: Amazing. That’s some really great that’s some great resources, some great advice that I think audiences can take back to their organisations. And on that note, we do have further resources on the Eftsure blog. If you go to Eftsure.com/blog, we do have, for instance, an article right there at the front about end-of-financial-year scams and other ways to keep your team safe. But I think these are the big pieces of advice and especially the big strategic things that leaders can be thinking about in order to stay safe during this really busy period. And we do have a few questions for Peter to answer. These are questions that the audience wanted to know. Thank you again to Peter for taking the time to share all of this with us and we’ll just keep you a little bit longer to talk through some of the questions that the audience wanted to know. One of the first questions was, from someone in an accounting firm. They regularly get inquiries online; they get email inquiries and they’re never sure what is legitimate and what’s not. They do end up deleting inquiries that might actually be genuine. How can they know what’s genuine and what’s not?

Peter: That’s a good question and look, it’s not really related to cybercrime as such, but it’s just getting, I guess, inquiries through the internet. You do need to be cautious, but like any business, you need to do your own due diligence. Looking up the company, look them up online, looking up on social media, see what activities they’re up to. You just sort of do a little bit of mystery shopping as such. I think at the end of the day, it’s like no different to if you were working in a retail environment. Not every single person who walks through the door is a genuine customer. Some are just looking for knowledge or they are tire kickers, or they are just window shopping as such, and maybe they just got a lot of time on their hands. So, I think you just need to do your due diligence there.

Shanna: Right, and I think this is kind of a related question because there is a lot of concern about understanding who’s genuine, who’s not, what’s a genuine inquiry, and what can you trust when you’re operating in a primarily digital environment? And so the next question is how can businesses address or protect themselves from tactics such as Deepfakes and other AI-generated impersonations, video, audio, etc, that have been created through AI to impersonate someone they do trust? What can they do about that?

Peter: That’s a big question. I don’t know that the answers even exist right now, other than due diligence is obviously important. I think that Deepfakes and AI are becoming more and more sophisticated, even to the point where some of these organised crime networks that run these contact centres, currently employ, let’s call it hundreds of actual people. We might find that five years from now, which is not a long time away, those contact centres actually don’t employ any people. All of those scams, whether done by email, but particularly by phone, are done through robots and through AI. The bottom line is to remember to hang up the phone. Don’t forget the delete key. That’s your seatbelt. It’s there to keep you safe.

Shanna: Awesome. Great. Our next question is going back to one of those broader pieces of the landscape, which is about money laundering and what happens to that money. Essentially, I think the audience member would like to know, once they’ve successfully scammed or redirected a payment away from the legitimate recipient, where does the money go? What does that journey look like?

Peter: It’s a really good question. And the money gets laundered in basically cash-intensive businesses. These are businesses like brothels, coffee shops, laundromats, and landscaping companies where they pay maybe wages in cash and things like that, as well as human trafficking. A large lot of it goes through the prostitution channels. So what you normally find is that organised criminal networks who are laundering large sums of money have vested interests in a number of vertically integrated businesses and they basically wash that money through those businesses.

Shanna: Yeah, that is quite a journey. So, going back to some of the more specific kinds of threats that I guess AP and finance teams are facing, are you aware of any particular scams that are especially popular right now? Are there any that have picked up steam in this most recent period that you’ve seen?

Peter: There’s no question and it shouldn’t be news to anybody, but business email compromise continues to be a significant issue. I mean, for businesses, this is still the fastest-growing area of financial crime facing businesses. It’s hugely sophisticated and it’s easy to get caught out. So easy to get caught out. Now, I know that Eftsure basically has solutions in this area, but that’s part and parcel. That’s a service that your company provides, and that’s great. But at the end of the day, we’ll support any initiatives that can basically reduce the risk of business email compromise. I think again. Check and check and check again.

Shanna: Since you did mention it yeah, I think that overall, there are probably some technological ways that leaders can be looking to update some of those financial controls, to kind of create some guardrails towards the end of a payment process to make sure that details are correct. And we will send out some further information and resources about, for instance, the cybersecurity guide to help leaders align their security practises with their financial controls. There are some things that leaders can do, but it is a tough one because, Peter, as you said, business email compromise is constantly afoot and always taking different forms. I think that’s something that people should definitely be aware of. And our next question is a little bit more straightforward, probably just good advice for anybody, whether professionally or personally. Is it safe to give out phone contact details or mobile details online? What do you think about that, Peter?

Peter: I think phone numbers giving out your contact details online, it’s not necessarily unsafe. You know what I mean? There are millions of mobile phone numbers on the Internet. People can find mobile numbers. I don’t think that’s a big issue. I think the issue more around is if you get an unsolicited phone call and they ask you to give your date of birth and verify your details and you don’t know where they are calling from, and even though they say they’re from the tax office, you don’t really know that. And so that’s one of those instances where just hang up the phone. But I think you don’t want to be giving out any information but phone numbers. To be honest with you, they’re a dime a dozen. They’re everywhere. I wouldn’t worry about that too much.

Shanna: Okay. Amazing. I think that’s probably a relief to all the different businesses that depend on potentially genuine customers getting in touch with them. I think that’s very a reasonable approach. And our very last question is about Crimestoppers. Is Crimestoppers in New Zealand? Is there an equivalent organisation? And also, should people be reporting scams or attempted scams to the Crimestoppers? Should they be reporting them to you?

Peter: The short answer is Crimestoppers is in New Zealand. Crimestoppers operates in 27 countries around the world. The principle of Crimestoppers, which is basically anonymous tip reporting, is universal. The same principles apply in all of those countries. We are interested in any crime. It doesn’t no matter how big or small it is, it doesn’t matter whether it’s tech or non-tech, but we don’t take information if you’re a victim of a crime. If you’re a victim of a crime, you need to go to the police and report that to the police. And I would suggest the local police station is probably a good idea if you’ve been scammed in your personal capacity, whether it be by phone or online in Australia, definitely report it to Scamwatch.

Shanna: Okay. Super practical, helpful information. Thank you, Peter. And I think that about wraps it up for us. So, yes, we will be in touch with everybody from the audience with further resources. And don’t forget that the Crimestoppers number will include that as well. And Peter, just thank you again so much for taking the time to do this.

Peter: You’re most welcome. And thank you. Thanks, everybody.