Bee Cyber Fit: Simplifying Cybersecurity for Everyone
Cybersecurity Awareness: Leadership Impersonation & Business Email Compromise - How It Works and How You Can Avoid Getting Scammed
Are you familiar with Business Email Compromise (BEC) and the threat that it poses to the Yale community?
BEC is a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organization or institution.
A simple example is receiving an email that looks like it's coming from your boss, asking you to purchase gift cards. (You should be suspicious if that's not part of your typical job responsibilities.)
But with BEC, it's not coming from your boss, it's actually coming from a cybercriminal.
Sometimes thieves are so convincing that they can motivate us to take action - clicking on a link, revealing personal information or even going to Walmart to buy gift cards.
We want to help the Yale community steer clear of these cyber traps.
Listen to this episode and you'll learn:
▶️ Why universities like Yale are vulnerable to Business Email Compromise
▶️ Why it's so important to be good stewards of Yale data
▶️ How BEC works and how you can steer clear of it
▶️ Our Information Security intern's story of impersonation
▶️ How to respond to a suspicious email with the appropriate behavior
*********
Calls to Action:
Ready to build your cyber muscles?
Here are simple things you can do:
- Review the FUDGE model for tips on steering clear of scammers
- Read the February awareness tip, "Steer clear of gift card scams and messages impersonating Yale officials"
- Watch the Lunch & Learn, Looking for Love in All the Wrong Places Part 1 with Kerry Tomlinson
- Watch the Lunch and Learn, Looking for Love in All the Wrong Places Part 2 with Max Henderson and Will Gadzinski
- Review the Know Your Risk and Click with Caution toolkits
Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness
Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.
[Bee Cyber Fit theme]
Wendy Battles: Welcome to the Bee Cyber Fit podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyberspeak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.
James Tucciarone: And I'm James Tucciarone. Together, we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning and scholarly research.
Wendy Battles: Ready to get cyber fit with us?
Hey, everyone. Welcome to the Bee Cyber Fit podcast. We are so psyched you're here. If you're a new listener, we're really pleased to welcome you. This is the place to come for information and inspiration about how to stay safe online. This is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students build their cyber muscles. So, whether you're a part of our Yale community or you found our podcast in some other way, we love that you're listening.
I remember when we started talking about this podcast, and then we recorded Season 1. And now I can't believe we are launching Season 2, that actually really blows my mind. We had eight great episodes in Season 1. We've actually included the link in the show notes, so if you haven't had a chance to check it out, I encourage you to do so. James, my amazing cohost, welcome back. How are you?
James Tucciarone: Hey, Wendy. Welcome back. I'm doing well. And how about you?
Wendy Battles: I'm really doing well also, and I'm glad we're back in our hosting role. I think we're going to have a great Season 2, and I'm excited to kick things off. You know that at the end of the year, we do our New Year, New You campaign in our awareness program for the Yale community, which is like a fresh start to the New Year with our cyber habits. And I feel this fits right into that. So, James, we were on hiatus for a little bit between Seasons 1 and 2. What's something that you've been up to?
James Tucciarone: Well, Wendy, we've been doing a lot of work here at the Cybersecurity Awareness Program within Yale, and I'd say what I was most excited about while we were on break was a lunch and learn that you and I hosted on catfishing. For those that may not know the term, catfishing is when a scammer creates a fake persona or a fake identity, typically on a social networking site, to perpetrate their scams. And often these scams are some type of romance scam. So, our lunch and learn featured Cyber News Reporter Kerry Tomlinson, who some of you may remember from Season 1, where we did an interview with her. And this time around, she shared a story about a four-month undercover investigative report on catfishing a catfisher. She masqueraded as a love-struck victim and was even able to uncover and report details about other victims to the authorities. It was fantastic, as Kerry typically is.
Wendy Battles: Yeah. It was so cool. Honestly, I didn't know a lot about what happens behind the scenes. I didn't know a lot about catfishers and their tactics, and some of the things that they do. It was really eye-opening to have her go through it. Like step by step, how it unfolded and escalated, and as you said what she did, so interesting. I think it was really helpful for our Yale community to really understand how things actually happen because I think there's so much mystery around a lot of this. We know there are scams out there, we know that there are bad people that do bad things, but we don't always know exactly how they do it. I think that building awareness like that is helpful to hopefully change our behavior. To make us more aware so that we think about our online behavior and maybe take a pause before we act on something.
James Tucciarone: Absolutely. I think that's what makes this topic great and allows us to have this podcast. There's always so much to know, even though we can keep it simple and make it easy to digest. Wendy, I want to ask you as well, did you do anything exciting over the break?
Wendy Battles: Did I do anything? Well, I did go to Jamaica, so that part was exciting [laughs] to just be away and have a little relaxation time. But in terms of work stuff that I'm excited about, I will say, James, that as part of our New Year, New You campaign, we initiated a survey to our Yale community. A cybersecurity awareness survey, really, to help us in planning and thinking about our program for 2023. And just looking at the initial results, it's been really interesting to see what's on people's minds, what are they interested in, what do they want to know more about, where do they feel like there's a gap in their knowledge? Very, very interesting, and I think that will definitely help us as we work on our strategy.
Honestly, as you know we have this program that's been around for about a year and a half officially, our awareness program, but we're continuing to build it. It's really helpful information as we go from the initial launch to a more operational awareness program for the community. So, I think it's going to lend itself well to helping us broaden the future as we think about the growth of the program. So, that's something that's really exciting to me.
On that note, James, we both have some cool things that we're excited about and hopefully our audience is too. I do want to talk about our Season 2 kickoff episode. And this episode we are featuring two stories. One is about what we call business email compromise, and the second one is about impersonation. If you don't know, business email compromise, which is often called BEC, is a form of social engineering that is designed to trick victims into thinking they have received a legitimate email from an organization, or an institution. You might get an email from your boss asking you to do something, but it's not really your boss. So, we're going to talk about that and impersonation is one of the tactics that's used in BEC. We're going to talk all about that.
It really should give us pause because it helps us think about how can I be proactive and click with caution. We're each going to share a story that's about that. We've got our buzzword for the day, and then we'll have some calls to action at the end.
[Bee Cyber Fit theme music]
James Tucciarone: This request is critical and needs to be done right away. The big boss really needs a favor. You have to comply or you're going to be fired. These are all examples of how fraudsters use psychology and our emotions to manipulate us. There's a simple way to remember some of cybercriminals' most common angles. Stay tuned to find out how we can use fudge to do more than just satisfy our sweet tooth.
Wendy Battles: I'm going to get us started in talking about a couple of stories by sharing a story that appeared in helpnetsecurity.com. Based on information that was gathered by Proofpoint, which is one of the leading companies in the cybersecurity space. And it's about the increasing risks in higher education for institutions like Yale when it comes to cybersecurity. I want to start by sharing this short but impactful quote from the article that says, "Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare. This, unfortunately, makes these institutions a highly attractive target for cybercriminals."
James Tucciarone: Wendy, I'm actually going to jump in right there because I think you're absolutely correct. This is such an impactful statement, and especially for our community here at Yale, because colleges and universities do hold large amounts of data, like student grades, donor information, and then if you're a research institution like Yale, you have even more high-risk data. And then in terms of Yale, once again, we also deal in healthcare. So, it really just speaks to how critical it is that we're all being good stewards of the data that we work with or that we have access to. And the first step to that is knowing the risk of our data.
Wendy Battles: Yeah, knowing the risk of our data is something that all of us can do at the university, whether you're faculty, student, or staff. We have a toolkit that actually mentions that. We have a Know Your Risk Toolkit. We have a series of toolkits, and that's one of them, one of our four foundational topics. We're going to link to that in the show notes. As we're beginning to talk about this, I just want to mention that it's a helpful resource because it's always about how we can build our awareness and how we can develop tools that will help us make better decisions when it comes to cybersecurity and protecting our data and our information. I will just say that that's our Yale data, the data we interact with every day when we are doing our work or we're learning. But that applies to our personal lives too.
We should always understand the kind of data we're sharing in our personal life. I think sometimes we can be a little casual about that, even if we're on it with our work data. Sometimes we're a little more lax when it comes to our personal data, but just as important that we protect that. So, I think that's just important.
James, what's interesting is that email remains the most common variable for security compromises across really all industries; people use email to perpetrate these scams. Regardless of whether you're in higher education or some other industry, that's still the main way. As I'm sure you know, in recent years the frequency, the sophistication, and the cost of cyberattacks against universities have increased. It's the combination of these factors that makes it especially concerning that premier universities like Yale are currently the most vulnerable to attack.
James Tucciarone: Wendy, I think that's why a cybersecurity awareness program is so important, because as we're always saying in our program, these cyberattacks, they continue to be commonplace, and cybercriminals and their tactics continue to evolve in sophistication. And it makes it increasingly important for people to recognize and know how to respond to these attacks.
Wendy Battles: James, to add even one more element to this equation, there's the pandemic, there's the shift to remote learning and working that has made it an increased challenge for higher education institutions. You can't train people in the same way; you can't get them all in the same room. It just makes it much harder to manage, so there are lots of different factors that really contribute to this increasing risk for higher education institutions.
James Tucciarone: I will say, Wendy, I think that we are lucky here at Yale because our information security team is blocking millions of potentially fraudulent emails every single month. But in Season 1, we talked about the human factor and how humans, us, we're the weakest link. And in 2021, 84% of attacks were actually caused by human error. So, I really like that this article agrees with that and suggests that people remain a critical line of defense against the attempts that do slip through the blocking tools.
Wendy Battles: Yeah, absolutely. It really does make a difference that we have a robust response to the ever changing, evolving attacks, especially via email, that anyone in our community could fall victim to. I mean, that has certainly happened in the past, so that does make a big difference.
James Tucciarone: So, Wendy, my story is actually a great example of how people are really the first line of defense and a critical line of defense when it comes to these scams. Our story comes from one of our information security office interns. During their high school experience, they were the president of the Connecticut chapter of the Technology Student Association. It's a national organization where middle and high school students compete in technology-related challenges.
In this case, our intern and their fellow officers oversaw the chapters located at schools all across the state. A key piece of information here is that the officers' names and email addresses were available on the organization's website. Now, that might have given away where this story is going, but someone made an email address using our intern's first and last name and emailed each of the officers, ultimately requesting that they buy eBay gift cards.
Luckily, in this case, one of the officers reached out to confirm whether the request was legitimate, and the other officers were alerted to the scam. Unfortunately, the scammer was able to fool one of the officers, who provided $600 in gift cards. So, a couple of reasons I really like this story and wanted to share it with our listeners today: first, it really shows how even smaller groups and organizations can also be targeted by these cybercriminals. The size of your organization doesn't matter. Secondly, I really love the officer who reached out to confirm the legitimacy of the request, because it's a perfect example of what we should be doing - the right behavior when these types of emails do make it to our inbox. So, Wendy, I wanted to know, though, what stood out for you with that story?
Wendy Battles: Well, first I'm going to agree with you about the young person who said, "Hmm. I'm not sure about this, let me ask." Because that is always what we want our community to do. We want the Yale community, when in doubt, to call the help desk, or to ask your boss if you get an email from them that doesn't quite seem right and you're thinking, "Would they really be asking me to buy gift cards? They've never asked me to do that." So, helping people form that behavior is really the key to all of this because, as you mentioned, humans are that link between this. It's human error that often causes some of these things, so I think that that's really key.
I did find it really interesting though, [chuckles] that this one person bought $600 worth of gift cards because I'm thinking when I was in high school and college, I had no money. So I didn't have a credit card. I don't know, I just thought, "Wow, maybe these young people have a lot more money than I ever did." I thought that was really interesting or maybe it's lack of life experience. They just are going along thinking, "Well, it says I should get these gift cards, so I'm just going to get these gift cards." And perhaps they didn't have the experience to stop and think, "Huh. Something about this doesn't seem right," because I will tell you, when I was younger, I probably made some poor decisions that [laughs] wisdom and age would prevent me from making these days.
James Tucciarone: Well, Wendy, it's like you always say, "We don't know what we don't know." And that's why I think it's so great that we're able to help people with these tips, these red flags, providing resources that can potentially help them think about things that maybe they never had cause to think about before.
Wendy Battles: Yeah. It's very, very true. It also reminds me that we all can be scammed. It doesn't matter what our education level is or how young or old we are. Any of us can fall victim to this if we aren't aware and we don't have our radar on, thinking about, "Hmm. What about this feels not quite right, and what can I do about it?" So, the more we can educate people, the more we can help people be cautious and think about clicking with caution, the more we can see some of that behavior change that prevents some of these things from happening. And since we've seen impersonation attempts leading to fraudulent gift card purchases, something that might help is our buzzword of the day, the FUDGE model.
[music]
James Tucciarone: Here's the buzz on the FUDGE model, a tool that can be used to help identify phishing attacks. FUDGE is an acronym representing the most common red flags in terms of the emotional and psychological manipulations employed by cybercriminals. Let's start with the letter F, which is for fear. In these cases, the cybercriminal attempts to scare us into giving information or taking action. For example, we have to provide the information or the organization will be fined. The U in the FUDGE model is for urgency. We must take immediate action. This is a key tactic because cybercriminals know we may be more likely to react if we don't have time to really think about the request. For instance, we need this for the board of directors right now. Now, D is for the desire to please. With this approach, a request appears to come from someone we want to please or impress, like a boss or executive. They'll make us feel like we're doing the right thing, even if it doesn't seem normal. Consider an example like, "The VP really needs your help."
The letter G brings us to greed. When it comes to this manipulation, bad actors offer the promise of something we might want to trick us into reacting. Maybe you've been told you're a winner, or offered a free trip, or even advised of unknown lottery winnings, or an inheritance from a very distant relative. Remember, if something seems too good to be true, it probably is. E is our last tactic, and this one is emotions. Cybercriminals know our emotions can override our logical thinking. Maybe you have a soft spot for animals. Maybe you're looking for love and connections or maybe the love of your life is football. There's no shortage of topics that might elicit some response from each and every one of us.
Being aware and staying alert are two powerful ways to stay ahead of cybercriminals and these insidious tactics. You can find out more about phishing and the FUDGE model by visiting cybersecurity.yale.edu. And keep listening to Bee Cyber Fit Podcast, where we help you to be informed and to be cyber safe.
Wendy Battles: Now, it's our call-to-action time to get you focused on simple things that you can do. Let's start with the FUDGE model you just heard about. Think about how you can put that into action to help you stay safe online. Our February tip is about impersonation, and it's got some great ideas for simple things you can do. Finally, we have two video recordings from recent lunch and learns that we held with some of our favorite industry experts about how to steer clear of scams, both catfishing and romance scams. All of those tools are designed to keep you and your colleagues, and your friends, and your families safe. We hope you will check those out.
[music]
James Tucciarone: Thanks, Wendy. And that's all the time that we have for our first episode of Season 2. Until next time, I'm here with Wendy Battles, and I'm James Tucciarone. As always, we'd like to thank everyone who helps make this podcast possible. We'd like to thank Yale University, where this podcast is produced and recorded.
Wendy Battles: James, I'm excited to kick off this season with you, our first episode. Thank you, everyone, for listening. And remember, it only takes simple steps to be cyber fit.
[Transcript provided by SpeechDocs Podcast Transcription]