Just as any legitimate enterprise today requires tech expertise to keep computers and networks running, so do fraud enterprises. The difference, if you believe the movies, is that the person in charge of tech at a criminal operation would be a young, slightly crazy computer genius, able to type 200 words a minute and penetrate the Pentagon’s most secure computers in seconds, simply for fun.
As a former cybercriminal and current FBI consultant, I can attest that a few people like that do exist. Take Jonathan, a bright young man I got to know who actually broke into Pentagon computers before he was old enough to vote. He got in trouble for shutting down NASA computers for three weeks. After that, he joined a crew that went hard into credit card theft. Three years into it, he was arrested. Later he died by suicide.
But most cybercriminals aren’t tech geniuses like Jonathan was; they’re good at basic skills and willing to learn.
- Kim, for example, was a middle-aged bookseller from Denver who must have read too many crime thrillers and “how-to” computer manuals. Relying solely on what he learned from books, he became a successful cybercriminal — until the law caught up with him. He spent four years in federal prison.
- Thomas had retired from a career as a mortgage officer before he decided there was easier money to be had from stealing over the web. He, too, ended up in prison.
- David was a career criminal — check-kiting was his bread and butter until he discovered it was easier to steal as a cybercrook.
- Albert was a kid from Miami with computer skills who became very rich before he was caught and given a 20-year prison sentence.
- Ray was a retired Army officer who didn’t begin his cybercrime career until he was 64.
- Shawn was an aspiring actor who was a natural at identity theft.
These are just some of the people I know who got caught. Most high-tech scammers don’t. But what we can learn from them is that there is no single profile of a cybercriminal — other than that they are motivated by what they believe will be easy money.
What you can also take away from their stories is that the tech tools of criminality are relatively easy to find, buy and use. Order some computers and headsets, get top-grade internet service, buy and install the right software, teach your workers to use it and other online tools, and your boiler room can be up and running quickly.
The dark web
This underground part of the internet began as a project developed by the U.S. Navy to allow intelligence operatives to communicate with each other anonymously. Over time, the Navy made its Tor browser “open source,” meaning anyone could use the dark web, including you and me — and for free. That has proven to be a jackpot for criminals. Because of its ability to keep users anonymous, tech specialists train scam artists to use it to communicate, share information, buy stolen goods and services, and plot criminal activities.
Telegram
That’s the name of a secure, encrypted, private messaging app owned by Pavel Durov, a Russian billionaire. Telegram is notoriously unfriendly to law enforcement, and so it has become the new favorite meeting place of online crooks and scammers.
PII — Personally identifiable information
Every form of financial cybercrime has an element of identity theft. It takes sophisticated technology to create a storefront for this info that law enforcement can’t easily penetrate. Criminal websites such as Robo-check — which lists the Social Security numbers and dates of birth of millions of Americans — are well known to law enforcement, but they are hard to shut down. But cybercriminals also use many legal websites to obtain public information about you, including AnnualCreditReport.com, Delvepoint, TLO, Intelius and BeenVerified.
Your internet-browsing “fingerprints”
Sophisticated business websites collect dozens of unique attributes about the device you use when you visit. Those characteristics are individual enough to identify you out of potentially millions of other users. Today’s criminal tech gurus often try to steal your browser fingerprint. Those fingerprints are then sold to other criminals on the black market for as little as $3 each. That can allow crooks to convince online retailers like Amazon and Walmart that they are logging in with your smartphone.
Sometimes, scammers need to provide a phone number to a business to complete a scam (say, set up a new bank account in your name). While certain digital approaches can work, often a criminal simply uses a physical prepaid cellphone. The cost for one of these burner phones? Around $40.
Websites such as Phone-Gangsta and Spoofmycalls enable cybercriminals to spoof various phone numbers on a caller ID. They can appear to be the IRS, law enforcement, your financial institution — or even you. Cost: 10 cents per minute of a phone conversation.
Proxies
This technology allows criminals to hide their physical location online. They might be in Ghana, Nigeria or the U.K., but they can make it look like they’re in Florida, California, New York or anywhere else they choose. The cost is about 30 cents for access to the proxy.
Fake driver’s licenses and documents
Successful online crime often requires the crook to provide proof of identity or address. So, like in the movies, illegal businesses exist that can deliver on these needs. Counterfeit driver’s licenses can sell for $40. Fake documents proving address (billing statement) often sell for $25.
Remote desktop protocols (RDPs)
A hacker gains access to and control of a target’s computer. He or she can then grant that access to other criminals to use to commit crime. RDPs are used to provide a clean, untraceable connection for criminal use. The cost is typically $5 for each session in which the hacker logs in remotely.
Bitcoin, Monero and Zcash are among the rising number of online currencies used by criminals to launder money, to pay for criminal goods and services, and as a form of payment for ransom. Using them effectively can require tech expertise.
How to protect yourself
- Change the passwords on important accounts (credit cards, banks, frequently used retailers, and so on) every three months. Make them “passphrases” — a random combination of words, plus numbers and symbols, to make them impossible to guess.
- Record your passwords in a highly secure password manager system or write them in a book you hide in your home. Never keep passwords in a list on your computer.
- Take alerts about potential data breaches from online organizations seriously. If you get a message that a breach involving your information has occurred, immediately review your account and change the password.
- Purge your social media accounts of any personal info you wouldn’t want a stranger or thief to have. Such information could range from your home or email addresses to photos of vacations and birthday celebrations.