NASHVILLE — When cybercriminals strike a small business, many owners assume law enforcement will help them recover their losses and bring the perpetrators to justice. Former FBI cybersecurity specialist Scott Augenbaum has sobering news: That rarely happens.
“Once the cyber criminals do their damage, law enforcement does not have a magic wand. We cannot fix the problem. There is no reset button,” Augenbaum says during a recent National Federation of Independent Business (NFIB) webinar.
In Part 1 of this series, we discovered the growing problem of cybercrime and the threat it can pose to all businesses, including dry cleaners. Today, we’ll continue by exploring why traditional law enforcement is often powerless to solve cybercrimes after the fact.
The Limits of Law Enforcement
This harsh reality became clear to Augenbaum during his FBI career.
“There’s nothing more that pains me, even to this day, almost seven years after retirement, when I have to speak to a small-business victim who lost all of their money in a business email compromise,” he says. “That money is gone. They are never getting their money back.”
The challenge of prosecuting cybercriminals has grown significantly more complex since Augenbaum’s early days with the FBI.
“If you ask me to define my role in ’95, I’m going to tell you it was so easy,” he says. “Bad people did bad things to good people. I worked with state and local cops and we put bad guys in jail.”
Today’s cybercriminals, however, often operate beyond the reach of U.S. law enforcement.
“A majority of the cybercriminals today are located in Eastern Europe, tied to Russia. They’re tied to Iran. They’re tied to West Africa, China and North Korea,” Augenbaum says. “Law enforcement is not going to arrest our way out of this problem. It’s just not happening.”
Even in the rare cases where criminals are caught and prosecuted, victims seldom recover their losses. Augenbaum shares a particularly devastating example of a small business that lost $70,000 when cybercriminals compromised its email system and tricked the CEO into paying a fraudulent invoice.
“I couldn’t get the victims’ money back. I couldn’t put the bad guys in jail,” he says. “I got really, really depressed because I joined the FBI to help people. I just couldn’t help people enough.”
Have You Been Pwned?
The primary weapon cybercriminals use isn’t sophisticated technology — it’s social engineering, or tricking people into doing something they normally wouldn’t do, Augenbaum says. While social engineering isn’t new, advancing technology has made it far more effective and harder to detect.
“We’re seeing things that are happening through ChatGPT where the bad guys are able to create very calculated email attacks,” he says. “They’re going out there scouring the websites. They’re knowing everything about it and then they’re just hoping that they can get into your email account because that’s really what they want to do.”
The threats come through multiple channels: “We have text messages that are going on. We have telephone calls, QR codes, social media hijacking or taking over social media accounts, pop-ups… and tech fraud against elders is such a big scam.”
The situation has become even more dangerous with the recent leak of passwords online.
“Recently, there are so many usernames and passwords on the dark web,” Augenbaum says. “I just did a piece for USA Today. We’re no longer dealing with RockYou2021 (password leak). We’re dealing with RockYou2024 — 10 billion usernames and passwords were leaked online.”
Augenbaum suggests using the website HaveIBeenPwned.com (the “P” in “Pwned” is correct) to check and see if an email address has been involved in a data breach.
These massive leaks are particularly dangerous because many people reuse passwords across multiple accounts.
“About 66% of the population is using the same password for multiple platforms,” Augenbaum says. “So, what happens today if the cybercriminals get access to this list? Now they are going to bank on the fact that the password that you may have used for your favorite social media platform is the same password for your bank account.”
Come back Tuesday for the conclusion of this series, where we’ll explore the specific steps dry cleaners and other small businesses can take to protect themselves from cybercrime.
For Part 1 of this series, click HERE.
Have a question or comment? E-mail our editor Dave Davis at [email protected].
