How clicking a single link can cost millions | Ryan Pullen
TED Tech | April 19, 2024 | 16:59 | 15.55 MB


Is cybercrime getting easier? Cybersecurity expert Ryan Pullen dives into his work investigating massive digital breaches and testing security blindspots — which led to him gaining access to the software controls of a well-known building in London. Learn more about how cybercriminals exploit human vulnerabilities and hear the latest on how to recognize and protect yourself from scams.



Hosted on Acast. See acast.com/privacy for more information.



[00:00:15] The first time I fell for a scam, it was 8 o'clock at night. I was tired. I had just made it home to my New Jersey apartment after a late class and long train ride out of New York City.

[00:00:27] My phone rang as I was unloading my laptop from my book bag and rummaging through the fridge for a quick dinner. An 800 number glared at me from the screen.

[00:00:36] It looked like it may have been important, especially a call from a corporation after regular business hours.

[00:00:42] The guy on the other end of the phone said he was calling from my bank and needed to verify some information to upgrade my credit card.

[00:00:49] I told him I wasn't interested in another card, but he insisted it was a special promotion. And since the bank was phasing out my existing card, he just needed to verify my birthday.

[00:00:58] Besides, this new card had more perks. After a few minutes of back and forth and a bit of confusion, I relented and verified, confirming my address, age, and the last few charges.

[00:01:11] The guy was polite and friendly, but something still felt off.

[00:01:16] Afterward, I called the bank and they told me they would never call me after hours or pitch me a credit card in that way.

[00:01:23] I asked them to block it immediately, but the damage was done.

[00:01:30] I'm Sherrell Dorsey and this is TED Tech.

[00:01:33] The talk we're going to listen to today is from cybersecurity expert Ryan Pullen, who shares with us that even as the technology behind scams grows more sophisticated,

[00:01:43] it's still human-led behavior that causes us to let down our defenses.

[00:01:48] He goes on to share some simple principles on how we can all stay diligent so that the scammers don't win.

[00:02:07] This show is brought to you by Schwab.

[00:02:10] You're here because you like to keep a pulse on trends in technology.

[00:02:14] Well, now you can invest in what's trending – in artificial intelligence, big data, robotic revolution, and more – with Schwab investing themes.

[00:02:24] It's an easy way to invest in ideas you believe in.

[00:02:28] Schwab's research process uncovers emerging trends, then their technology curates relevant stocks into themes.

[00:02:36] Choose from over 40 themes, buy all the stocks in a theme as-is or customize to better fit your investing goals – all in a few clicks.

[00:02:46] Schwab investing themes is not intended to be investment advice or a recommendation of any stock or investment strategy.

[00:02:55] Learn more at schwab.com slash thematic investing.

[00:03:02] This episode is brought to you by Progressive.

[00:03:04] Most of you aren't just listening right now. You're driving, cleaning and even exercising.

[00:03:09] But what if you could be saving money by switching to Progressive?

[00:03:12] Drivers who save by switching save nearly $750 on average, and auto customers qualify for an average of 7 discounts.

[00:03:20] Multitask right now. Quote today at progressive.com.

[00:03:24] Progressive Casualty Insurance Company and Affiliates.

[00:03:26] National average 12-month savings of $744 by new customers surveyed who saved with Progressive between June 2022 and May 2023.

[00:03:35] Potential savings will vary. Discounts not available in all states and situations.

[00:03:41] Hey listeners, before we kick off today's episode, I want to give a shout out to one of our favorite podcasts, Masters of Scale.

[00:03:48] Every week on Masters of Scale, Reid Hoffman, co-founder of LinkedIn, meets with some of the world's most successful entrepreneurs discussing the strategies that got them to where they are.

[00:03:57] You'll hear from entrepreneurs like former Burberry CEO Angela Arendt, Imagine Entertainment's Ron Howard and Brian Grazer, Airbnb's Brian Chesky and many other iconic founders.

[00:04:08] Be sure to search for Masters of Scale wherever you get your podcasts.

[00:04:12] I received a phone call from somebody who needed my help.

[00:04:16] And they explained to me that this organization had suffered a cyber attack, more specifically a ransomware attack which is designed to both steal your data and make it unusable.

[00:04:29] It replicates itself throughout the business and can drive you down to paper-based controls.

[00:04:36] And this was an opportunity that I saw where I could influence something positively.

[00:04:42] And it was my job to investigate what had happened, how it happened and why.

[00:04:50] And I saw something that I hadn't experienced before firsthand.

[00:04:55] In 2017 the NHS suffered something similar and it cost nearly 100 million pounds to recover.

[00:05:03] This incident cost around five million pounds to recover and took 14 months.

[00:05:08] Yet what I saw was the human impact.

[00:05:12] How this happened, a single individual clicked a link and a single individual enabled this unknowingly to happen to an organization.

[00:05:21] Multiple people were signed off sick due to stress and multiple people weren't able to go to work the next day and carry out their job.

[00:05:31] Now for me cyber security is a very technology-focused term.

[00:05:37] And yet IBM did a study in 2021 and 95% of cyber attacks used the human element.

[00:05:48] Now that's all well and good, but what does that actually mean?

[00:05:53] It means people can be exploited too.

[00:05:57] There's no lines of code and there's no fancy software.

[00:06:00] Cyber security is, as far as the media is concerned, maybe teenagers in their bedrooms causing trouble, stealing things and learning how to use them.

[00:06:11] Yet what people don't see is the impact and how is day-to-day life.

[00:06:17] And this incident for me made me think slightly differently around cyber security.

[00:06:23] And recently I had an opportunity which presented this thought process.

[00:06:30] I was commissioned to evade security controls for a very well-known building in London.

[00:06:38] That's a snazzy way of saying break in.

[00:06:41] And effectively it was my job to see if I could get past the security controls and get into the building.

[00:06:48] And so for me thinking kind of outside of the box, this building has floor to ceiling doors, 24-7 security team, endless budget for this kind of thing based on where they are.

[00:06:59] And so thinking slightly outside I needed to come up with a different plan.

[00:07:06] And what I did was I tried to go down the social engineering route, which is the art of kind of deception and making people believe something without the full information.

[00:07:19] And what I did was I walked in the front door dressed quite similarly to this and I was greeted by eight people.

[00:07:29] I thought, oh, it's a bit over the top.

[00:07:33] And it's because every single person should have the right information and should know where they're going.

[00:07:41] It's very rare for them to be visitors.

[00:07:43] And this person asked me, why are you here? Who are you here to see?

[00:07:48] And I explained I didn't have an appointment but I was here to see a specific person.

[00:07:52] And they said, yeah, there's no chance of getting in.

[00:07:54] And I thought, oh, goodness, I'll travel this way.

[00:07:58] And yet what I know is people are empathetic and people want to help each other.

[00:08:03] And so I made up a story and I said I was here for a legal matter and I was only able to achieve what I needed to achieve on these premises.

[00:08:11] And they said, yeah, sorry, we're still...

[00:08:14] And I explained the urgency and I made them feel sorry for me.

[00:08:19] And when I was thinking about giving this talk I was going to pause and I was going to pretend that I was struggling.

[00:08:25] And that motion that you would have felt where you wanted to help me or you wanted me to continue is exactly how this person felt.

[00:08:33] They felt they were stopping me from doing my job, which they were, but not for how they expected it.

[00:08:41] And so I pretended to be on the phone in the foyer, pacing up and down, pretending to be aggravated.

[00:08:47] And then the manager came across with a QR code for me and said, so sorry, so sorry for the issues, no problem.

[00:08:53] And they showed me around a side passage away from the two rounds of security.

[00:08:58] So I had my laptop bag with me with the evidence and it wasn't checked and I was able to go in and I was able to go to the floor that I needed to.

[00:09:09] And I was paid as a cyber security expert to evade the controls of this building and all I did was ask for access and make someone feel sorry for me.

[00:09:19] And so that's two very different perspectives.

[00:09:23] One, the five million pound job and took 14 months to recover where I was helping people, but the second I was the aggressor or the person trying to get in.

[00:09:32] Now this is all enabled through the way that humans exist and human behavior.

[00:09:38] And cyber security as a whole doesn't really represent that in a way that is sufficient, I don't think.

[00:09:45] And so I have one more narrative and different perspective to share and it's when I was a victim.

[00:09:52] This happened only a few weeks ago.

[00:09:56] And what happened was I received a phone call.

[00:09:59] It was around 8 p.m. I received a phone call from a phone number.

[00:10:05] And they said, hello is this Mr. Pullen?

[00:10:07] And I said yes.

[00:10:09] And they said, we've seen your bank cards be used in a different part of the country.

[00:10:14] And I thought, oh goodness.

[00:10:17] And what they explained was they explained there's been three different transactions and would they like to block them for me?

[00:10:22] I said, yes, please. That would be really helpful.

[00:10:26] And I Googled the number out of instinct and it was the phone number from the fraud line in the bank.

[00:10:34] And something didn't add up.

[00:10:37] I'm a bit of a pessimist. I don't really trust people.

[00:10:41] And so I was instantly on the back foot and they're saying all of these things and they were confirming my identity.

[00:10:47] They told me where I lived.

[00:10:48] They told me my mother's maiden name.

[00:10:50] And they told me a few other bits of information that a bank would know.

[00:10:54] And all of this is to build a perception of credibility.

[00:10:58] Why shouldn't I trust you?

[00:11:00] And why shouldn't you be phoning me to help me?

[00:11:04] And we go back and forth for around an hour and a half.

[00:11:08] And there was a few things that didn't sit right with me.

[00:11:11] And so when I was on hold while they were blocking my transactions,

[00:11:16] I phoned the actual fraud line and I said, is there a way that I can verify their identity?

[00:11:20] The person on the phone said they sound very professional and legitimate.

[00:11:24] And they were. I asked for their name and they had a fake LinkedIn profile.

[00:11:28] They had a fake crime reference number for me.

[00:11:32] And me experiencing this firsthand, having investigated things like this on a regular basis for mortgages and transactions ending up in the wrong place,

[00:11:43] I knew something wasn't sitting quite right.

[00:11:45] And this true person put a note on my account and I explained to the person, can you tell me what the note says, please?

[00:11:54] That was the first time they got a little bit flustered.

[00:11:57] And it took them five minutes and they said, yeah, we'll go and check with the accounts team.

[00:12:00] But in the meantime, can you tell me the code that it says in your mobile app?

[00:12:04] At which point I hung up, got my cards replaced and I was okay.

[00:12:08] But these three narratives of cyber crime or scams or criminal behavior are all technology focused with the end goal but are human led.

[00:12:21] And you may ask, how is this possible?

[00:12:25] Why can this be so easy?

[00:12:27] I've literally just walked into a building and asked someone to let me in with a fake story.

[00:12:33] And someone's phoned me up with a small piece of information and built this incredible picture around.

[00:12:38] Okay, yes, I should trust you.

[00:12:41] And it's because data has a value in different pockets.

[00:12:47] And with small bits of information, you can build quite a narrative, as you can see.

[00:12:54] And so today what you would be able to do on the kind of criminal underground, if you like, would be buy a thousand email addresses and passwords for around six US dollars.

[00:13:06] A cup of coffee in some places, right?

[00:13:09] That's a thousand people's account details that you may be able to log into or have tangible information to create a case.

[00:13:17] And that might be pretending to be Amazon for a password reset.

[00:13:20] It might be what location you went on holiday and we're going to do a bit more of a targeted attack that way.

[00:13:27] And this information is available because of vulnerabilities from a technical standpoint, yet this is to exploit the human behaviors.

[00:13:37] Take my parents, for example. I think I'm in cybersecurity because my parents give me a balance.

[00:13:42] My mom is 110 percent optimist. Nothing's going to go wrong.

[00:13:46] Everything's okay. No one's going to hurt my little boy and all of this sort of stuff.

[00:13:50] And my dad's much more on the pessimistic end where why do you want to know me? Why do you want this information?

[00:13:57] And so that balance for me brings kind of both sides of the story.

[00:14:04] And my mom is the sort of person that would have shared the traditional WhatsApp messages, 250 pounds at Christmas,

[00:14:11] how lovely that would be, pay for your Christmas lunch and all those sorts of things.

[00:14:16] And that then becomes a whole different attack vector because it's coming from someone you trust and they're sharing your link

[00:14:23] and they're sharing something you might want to click and you begin to trust even more.

[00:14:28] So my talk is around really focusing on the ways in which human behavior is exploited and how we can benefit and protect each other.

[00:14:38] And it's okay to call these things out.

[00:14:40] And so there's some basic things you can do, such as resetting passwords and making sure you're not using the same password for your accounts.

[00:14:47] Because if one of your passwords did get leaked, you would like to know, okay, it's just this one account.

[00:14:51] And I understand that's the one I need to look after when many people will use the same profile Facebook, their bank, their online banking, sorry,

[00:15:00] and sites that you can purchase things.

[00:15:03] So you might be able to go on Amazon and buy an iPhone with someone's username and password, right?

[00:15:08] Bank account details are stored.

[00:15:11] And that creates a whole different perspective of risk and cybercrime.

[00:15:16] And so for me, I don't believe any generation can avoid this anymore.

[00:15:23] Children are being raised with iPads and older generations are online shopping because of convenience and accessibility to services they may not have had before.

[00:15:32] And so I believe that understanding how these things may happen and putting some light on them

[00:15:40] can really impact the way in which people conduct themselves and challenge when things may not feel quite right.

[00:15:49] And so for me, going through this journey, and there's three different perspectives.

[00:15:54] The one where I was the person helping five million pounds and seeing people really suffer.

[00:16:00] The second one where I was putting people potentially in that position, however, fully ethically, and I was meant to be there for my job.

[00:16:07] And the third where I was the victim.

[00:16:10] It shows that it can take many different shapes based on information and information can come from social media.

[00:16:18] And so if you're going on holidays in Mexico, say for your honeymoon, you've saved up all of this money.

[00:16:24] Wonderful. Have a lovely time.

[00:16:27] Yet someone you know or an acquaintance or you have public visibility of your arrangements

[00:16:36] if someone knows that information and they know the bank you may work with,

[00:16:41] they could phone you whilst you land and say we've seen your card be used in this location.

[00:16:48] Now, how are you going to feel if someone's saying your card's being used and it's you?

[00:16:53] You're going to feel, OK, cool. Yeah, this is me. No problem.

[00:16:57] And they say, OK, can you just confirm your identity because we want to make sure this is you.

[00:17:04] Can you just tell me your card number?

[00:17:06] So you do. And then you ask why you're there. I'm on my honeymoon.

[00:17:09] Have a lovely time. All of these social engineering empathetic side of behaviors.

[00:17:16] And then you get down into the more conversational elements.

[00:17:19] OK, can you just confirm your card isn't going to expire? When does it expire, please?

[00:17:23] There's many different ways you can pose questions to make people feel acceptance.

[00:17:28] And then lastly, can you just check the security pin so I know which card I'm going to disable?

[00:17:34] And by that time what you've done is you've told someone you've got money in your bank

[00:17:38] because you've been saving for this wonderful occasion.

[00:17:41] And also you're not going to be in the country to do anything about it.

[00:17:45] And so from a cybersecurity perspective, exploitation can happen in many different ways

[00:17:50] and I don't think it's publicized around the human elements enough.

[00:17:54] And so if you take one thing from today, I ask that you see this as your opportunity

[00:18:00] to make sure that you protect your own information and your loved ones and your identity online.

[00:18:08] There's no problem with using social media.

[00:18:10] All I ask is you consider who you're sharing that information with.

[00:18:14] The reason being that information is valuable even if it's not to you.

[00:18:18] It could build a picture and it could cause you some trouble.

[00:18:23] Consider who you share your information with. Thank you.

[00:18:31] This podcast is supported by Tools and Weapons, the podcast hosted by Microsoft Vice Chair and President Brad Smith.

[00:18:38] Each episode features insight you won't find anywhere else from the center of the conversation surrounding emerging technologies like AI.

[00:18:45] Right now on the podcast you can hear a special episode where Brad Smith lays out Microsoft's vision

[00:18:50] for a vibrant marketplace driving the new AI economy.

[00:18:54] To hear more, follow or subscribe to Tools and Weapons with Brad Smith wherever you get your podcasts.

[00:19:02] You're growing a business and you can't afford to slow down.

[00:19:05] If anything, you could probably use a few more hours in the day.

[00:19:08] That's why the most successful growing businesses are working together in Slack.

[00:19:13] Slack is where work happens with all your people, data, and information in one AI-powered place.

[00:19:19] Start a call instantly in huddles and ditch cumbersome calendar invites.

[00:19:24] Or build an automation with Workflow Builder to take routine tasks off your plate, no coding required.

[00:19:30] Grow your business in Slack. Visit slack.com to get started.

[00:19:43] TED Tech is part of the TED Audio Collective.

[00:19:46] This episode was produced by Nina Lawrence, edited by Alejandro Salazar, and fact-checked by Julia Dickerson.

[00:19:53] Special thanks to Maria Ladias, Ferre de Grange, Corey Hajime, Daniela Valerezo, and Michelle Quint.

[00:20:01] I'm Sherrell Dorsey. Thanks for listening and talk to you again next week.
