The psychology behind scams – why cybersecurity is about people, not tech
Episode Summary:
Most cyber breaches are not technology failures. They are psychological successes. In this episode, cybersecurity psychology takes centre stage as Dr James Carlopio explains how scammers exploit human instinct, habit and urgency, and what lawyers can do to build safer cyber cultures.
Guest:
- Dr James Carlopio, psychologist and co-founder, Cultural Cyber Security
- PhD in organisational psychology
- Expert in cyber psychology, social engineering and cultural approaches to cyber risk
- https://au.linkedin.com/in/jamescarlopio
- https://www.culturalcybersecurity.com/james-carlopio-ccs
Host:
- Jayne Gurton, Law Institute of Victoria
- podcasts@liv.asn.au | https://www.linkedin.com/company/law-institute-of-victoria
Episode Overview:
Cybersecurity psychology explains why most breaches occur even in organisations with strong technical controls. In this episode, Dr James Carlopio explores how social engineering, phishing scams and AI-driven deepfakes exploit hardwired human instincts rather than technical weaknesses.
Drawing on real-world examples, James explains why awareness alone is not enough, and why behaviour change requires skills, repetition and cultural leadership. Legal practitioners will gain practical insights into reducing cyber risk through everyday habits, verification practices and leadership role modelling, with a focus on making cybersecurity personal, relevant and embedded in day-to-day legal practice.
Topics & Timestamps:
- 00:04 Why cybersecurity failures are mostly human, not technical
- 01:47 Why law firms are attractive targets for scammers
- 03:31 Common scam tactics targeting lawyers and legal staff
- 05:25 Psychological principles criminals exploit
- 06:44 Deepfakes, voice cloning and verification strategies
- 09:09 Why old confidence scams still work
- 10:24 Practical, low-cost cyber prevention strategies
- 13:36 Emerging threats and AI-driven scam campaigns
- 16:20 Simple actions listeners can take immediately
Key Takeaways:
- Most cyber breaches succeed by exploiting human behaviour rather than technical gaps
- Law firms are high-value targets because of money movement and sensitive data
- Social engineering relies on urgency, habit and trust
- Awareness alone does not build cyber resilience
- Practical skills and regular practice reduce risk more than one-off training
- Leadership behaviour and culture drive cybersecurity outcomes
Resources & Links:
- LIV Cybersecurity Hub – Practical guidance and resources for Victorian legal practitioners | https://www.liv.asn.au/cybersecurityhub
- Law Institute Journal: Cybersecurity and phishing risks – Analysis and guidance for legal practices | https://www.liv.asn.au/lij
- Office of the Australian Information Commissioner – Notifiable Data Breaches reports | https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cultural Cyber Security – Insights on cyber psychology and behaviour change | https://www.culturalcybersecurity.com
About This Podcast:
Cross-Examined is a new podcast from the Law Institute of Victoria. Tune in to hear experts discuss hot topics in the law and the changes shaping the legal profession. Regular episodes will cover everything from AI and cyber threats to ethical dilemmas, workplace taboos and practice management insights.
This podcast is recorded on the traditional lands of the Wurundjeri people of the Kulin Nation. The Law Institute of Victoria acknowledges the Traditional Custodians of Country across Australia. We pay our respects to Elders past and present.
Disclaimer:
This podcast is for informational purposes only and is not intended to replace professional legal advice. The views expressed in this podcast do not necessarily reflect the views of the Law Institute of Victoria (LIV). The LIV is not responsible for any losses, damages or liabilities that may arise from the use of this podcast. Listeners should seek independent legal advice for their matters.
Production Information:
- Produced by: The Law Institute of Victoria
- Producer and audio editor: Garreth Hanley
- Music: Garreth Hanley
- Copy and show notes: Louise Surette
Connect With Us:
- Email: podcasts@liv.asn.au
- Website: https://liv.asn.au
- LinkedIn: https://www.linkedin.com/company/law-institute-of-victoria
- Apple Podcasts: https://podcasts.apple.com/au/podcast/cross-examined/id1858765728
- Spotify: https://open.spotify.com/show/0zvyk5xia4wYv9YWcXphgV
Mentioned in this episode:
2026 Legal Forum advert
Legal Forum 2026: Discover the forum where lawyers come to connect, be inspired and stay ahead. The Law Institute of Victoria’s flagship, full-day conference brings ideas, leading experts and the profession together to learn, connect and shape the future of legal practice. Wednesday 10 June | Pullman Melbourne on the Park | https://www.liv.asn.au/legalforum
Transcript
Welcome to Cross-Examined, a podcast by the Law Institute of Victoria.
Jayne Gurton: Law firms are custodians of a lot of sensitive personal data, and that makes them an attractive target for cybercriminals. Robust cybersecurity measures are a must for any law practice, but actually only about 5 per cent of hacks are caused by failure of technology.
So, if hackers aren’t hacking computers, what are they hacking? The answer is, they are hacking us. Overwhelmingly, hackers are using time-tested psychological trickery to manipulate their way past the most secure IT systems. It is hardwired human responses and instincts that make us the weakest link in the chain of cyberdefence. So, how do you safeguard against your own instincts?
Welcome to Cross-Examined. I’m Jayne Gurton. To answer this question, today I’m joined by Dr James Carlopio, psychologist and co-founder of Cultural Cyber Security. James has worked with organisations including the United Nations, the Australian Federal Police, ANZ, Commonwealth Bank, Westpac, Rio Tinto, Deloitte and Mallesons Stephen Jaques.
Welcome to Cross-Examined, James.
James Carlopio: Thank you, Jayne. Very happy to be here.
Jayne Gurton: So, James, the data tells us that 95 per cent of cyber breaches happen because of people, not technology. What does this mean? And are lawyers perceived as high-value targets because of the confidential data they hold and the perception that they aren’t very cybersafe? Or are lawyers just as vulnerable as the general population?
James Carlopio: 95 per cent of breaches, as you said, are attributed to people, not technology. The Office of the Australian Information Commissioner (the OAIC) reports – well, they used to report quarterly, now they report six-monthly, and they are very slow getting the reports out – but the most recent data has actually the percentage of breaches attributed to technical and systems failure at 2 per cent. So, that means 98 per cent were caused by people.
It’s a huge business. As you mentioned in the introduction, it’s all about grabbing that sensitive information, using psychology against us. And last year, it was estimated at a $10.5 trillion industry – that’s the cybercrime industry. So, an average cybercriminal last year made more money in one month than the average yearly full-time wage earner earned in Australia. So, it’s huge business, absolutely.
And great second part to the question – are lawyers particularly susceptible? I think you already answered that. Yes, because criminals want money. Lawyers have money, their own money, their clients’ money, and they move it around. They want information that they could turn into money. Lawyers have their own information and their clients’ information.
Lawyers use a lot of email, which is still the number one threat vector. Lawyers use software and social media that criminals have access to. So, yeah, it’s a one-stop shop. Everything that the crims want, you folks have.
Jayne Gurton: Can you walk us through some examples of the tactics you’ve seen scammers use? And I’m wondering if there’s any specific tricks that are used on lawyers and law firms. What’s actually happening out there?
James Carlopio: Emails are still the number one threat vector in terms of being either directly responsible for credential stealing. So, you go to a website that you think is legitimate because you’ve gotten an email, and you put in your credentials, your passwords, your credit card details, etc, etc. Or you click on a DocuSign, or you click on a PDF in a download that looks like it’s coming from somebody you trust. All of these ways criminals can get malicious software, malware, installed into your systems or they will steal your passwords and credentials that you put in there.
Other methods that have been used, I’m sure you are all aware of, intercept funds transfer, you know, with home purchases. I mean, this is real. We’ve spoken to people who transferred $70,000 to their lawyer, and it wasn’t their lawyer, because the law firm had been compromised.
There’s another one called “business email compromise” (BEC). It used to be called “spear phishing” or “whaling”, when they were coming after the big fish. And they’ll target the CEOs, the practice managers, they’ll target finance people – people who are responsible for transferring money.
And some of the other things are voice scams, which we’ll probably talk about again later. And they can either be personal, because they can clone, you know, your mother or your daughter or your father or your uncle or your grandfather or whatever. And they can also clone the voice of your CEO or you or I, and there have been known cases where finance people have transferred $35 million in one case and $40 million in another case because they thought they were talking to their bank manager or their CEO or something. So, those are real.
Jayne Gurton: So, James, what are the psychological principles that attackers exploit when they are doing the things you just mentioned? And is there anything unique when they are targeting law practices?
James Carlopio: The habit and the hurry – because law firms are down to the 5-, 10-, 15-minute blocks. So, people don’t want to be sitting around, and they are moving and hustling and transferring information and don’t dillydally or take their time. They exploit that.
They exploit generic instinct, because humans are driven by instinct and habit much more than we either believe or would like to believe. Because we are all so intelligent and independent, and of course I know enough not to do this. But some of these scams are so beautifully crafted. And no one is to blame.
I was scammed while I was doing my PhD in psychology. The kid came out of the back of a store and looked the part, had the name tag, was intelligent, was knowledgeable. I gave him the money – I was trying to buy a stereo. I gave him the money and he went into the back into the employee area, and I never saw him again. I mean, it’s just so easy to be scammed.
Jayne Gurton: AI-generated phone calls and deepfakes are becoming more sophisticated. When criminals can now clone voices and create realistic video calls, how can we distinguish between legitimate and fraudulent communications?
James Carlopio: It is difficult. The first thing you need to remember is one of my favourite sayings. You can also tell how old I am when I say, “It’s not 1970 anymore”. I grew up, as you might tell from my accent, in the States. I grew up in Brooklyn, New York. And in 1970, I was a young teenager and I was able, and I did on many occasions, get on the subway alone and take a subway car from Brooklyn into downtown Manhattan, get off in Soho and Greenwich Village and walk around and listen to music and go into coffee shops, and then take the subway all the way home again. I was totally safe. I wouldn’t do that now, as an adult.
When your parents used to get phone calls and they said, “Hi, I’m from Telstra” or “I’m from Qantas,” it was Telstra and Qantas calling. You can’t trust anymore. That’s the first thing you can do, right, to help you, is assume that all communications are potentially fakes. I know that’s a disgusting statement, but you have to actually assume until you verify. Look for what’s unsolicited. Be suspicious of it. Look for what’s odd, unexpected.
We saw some images recently. They were just stupid images. You know that this is not possibly the truth. It looked beautifully crafted. There was nothing wrong that I could see in the image, but there is no way that this particular individual would be doing that. So, you know, you just have to use that intelligence, but have a little credulity, if that’s the right word.
And then, finally, set family passphrases. So, if someone calls you and it sounds like your daughter or your son or your grandmother or your grandfather, you can ask for the family passphrase that nobody in the world knows except for you and your family, to verify that’s you. And we actually know some organisations now that are doing something similar for sensitive information and financial interactions – either having two-factor approval, multi-factor authentication or passphrases that they set for a day or a week or certain kinds of transactions, because it’s just almost impossible to tell. These fakes are so good now, Jayne.
Jayne Gurton: You mentioned that some of the oldest confidence schemes are still the most effective.
James Carlopio: Correct.
Jayne Gurton: Why is that? What makes something like a grandparent scam or fake wire transfer request so psychologically powerful?
James Carlopio: The three Ps – provision, protection and procreation. That’s our silly way of talking about some of the most powerful instincts in the human being.
You want to provide and protect for those that are in your family. It’s not just your children, but it’s your family, your friends, your loved ones. That’s why the grandparent scam is so powerful.
We had a lady on one of these calls that we do with our clients. She had us all in tears, telling us about the time when she got a phone call from the voice of her daughter who was being beaten after being kidnapped. How do you describe that, right? I mean, you would do anything.
And that’s why they are powerful, Jayne, because people are emotional. People are driven by instincts, and the crims know this, and they ruthlessly, disgustingly will use it against your 14-year-old daughter or your 84-year-old grandparent.
Jayne Gurton: From a practical standpoint, what are the most effective prevention strategies a law firm can implement without a significant financial investment? What’s the day-to-day practice? And should lawyers be talking to their clients about cybersecurity?
James Carlopio: Gotcha, good, great questions. It will take some investment of at least time and energy, if not a little bit of money, because some of the best things you can do is constantly educate, train and develop people’s, what we call, cyber life skills.
It’s not just about awareness. Awareness is great. I’m aware that this happens, but it doesn’t mean I have the skill to do anything about it.
So, we constantly have to keep people up-to-date on what is happening, but then how do you recognise a phishing email? Well, that’s doable. What are the cues to look at when you hear a deepfake audio or a deepfake video? What are some of the specific things we know about creating good passwords, for example?
There are certain skills that we need that we are just not given. You know, we are taught how to drive a car, we are taught how to make toast or rice, but we are not given the basic cyber life skills we need. So, remember that awareness does not equal skill.
So, some investment could be small, but it needs to be at least of time and education on skills development. In terms of day-to-day practice, Jayne, everybody’s going to hate me when I say this, but use strong, long passphrases wherever possible. And I know that’s horrible, right, because I never remember them.
So, that’s why we suggest people using appropriate password management software. If you don’t know how to use it or you are worried about using it, talk to your IT people. There are really good ones out there that are usable.
Some of the other things you need to do as a firm – especially a law firm – now is run phishing simulations. So, you get somebody, or your IT team sends out monthly fake phishing simulations. So, they are phishes, but they are sent internally, so they are not real. They are not going to catch anybody in terms of having them go to a potentially horrible site. It’s going to take them to a fake horrible site.
So, when they do go to the wrong place, they then get educated about that, and they learn the skills they needed to stay safe. And then they get better and better at it. And then you measure that, and you reward that, and you report that. And, you know, you get what you measure and reward in organisations. So that’s really, really important.
A couple of other things, Jayne – link it to occupational health and safety. We found a couple of organisations doing that and having it really work, because it’s just part of occupational health and safety now, right? Keeping people safe at work.
And the last thing, and my fave is, there’s an old psych saying that if you want to make something important to somebody, make sure it’s personal to them and relevant to them. So, make cybersecurity important to staff, yes, but to their family, to their children, to their parents, to their grandparents, to their friends. Then it’s of personal importance to them. The byproduct is, it helps keep the law firm safe. And the byproduct is, it gets people’s attention and they don’t feel like they are being done-to so much.
Jayne Gurton: Looking ahead, what emerging threats should the legal community be preparing for? And, I’m wondering, how can firms build a culture where people actually care about cybersecurity and not just ticking the box with annual compliance training?
James Carlopio: Gotcha, good – looking ahead, emerging threats. Unfortunately, AI is helping the criminals as much, if not more, than some of us in our normal work lives. AI is making the phishing, for example, more frequent, faster, more customised, more effective.
Let me explain. Somewhere between 70 and 80 per cent of Australians’ personal and private data is sitting in a database called a data lake now, on the dark web. It’s already there. So, we’ve already been compromised, because of the big three from ’23, you know – Optus, Medibank and Latitude Financial, because of Qantas, because of the 40 or 50 that have happened since then. It’s already out there.
So, what they are using AI for is to query that database and say, give me the information we have on law firms. They targeted law firms for about a three-month period last year. They then moved on and targeted hospitals and healthcare for a while. They are kind of running thematic campaigns now.
So, they find the information from this huge database using AI. Then they customise the campaign using AI. Psych studies vary, but it’s staggering how much more successful the AI-driven campaigns are. Because the crims are getting better, and we are not keeping our skills.
So, your second part of your question was about the culture, which of course we care about a lot at Cultural Cyber Security, which is the company that I work for, because culture is what drives behaviour at work. Yes, rules and regulations and policies and procedures are important too, but it’s role modelling from the top down, and it’s what you measure and reward.
So, as we mentioned earlier, Jayne, link it to family, not just work. Make it important and relevant to people, but the senior group has to role model it, and they have to communicate top-down. That drives the culture.
Your board has to be measuring this, and your senior practice management group has to be getting reports on how well do we do on the phishing simulation campaign this month? How many people clicked? How many people reported? How many people that clicked actually went and entered their credentials? And how are we going to get better at this and continuously improve? And then link that to people’s performance management, and it won’t be rocket science. You will see people paying attention, and they will get better.
Jayne Gurton: From what you are saying, it sounds like cybersecurity really is a whole of person, whole of family, whole of world responsibility.
James Carlopio: Got that right.
Jayne Gurton: What’s the one thing, or maybe two or three things, you’d want our listeners to do after hearing this podcast to improve their cybersecurity or scam awareness?
James Carlopio: Good final action question, Jayne. As we mentioned earlier, no more ever, not once in the history of the OAIC data have they attributed breaches more than 2 per cent to 5 per cent to technologies.
The first thing is, use all the technology you possibly can. Get a VPN, a virtual private network. You can get them – they are very inexpensive and easy. Even if you don’t work in a law firm, if you are an individual, you can use any one of the big cybersecurity software companies. I don’t want to name one, because I’ve got no particular interest in any of them, but any one of them that will sell you a virus protection software will also sell you a VPN. It’s a very easy download. You put it on your phone, you put it on your tablet, you put it on your computer. I use it on every single device. So, use a VPN.
Use virus protection as well. Use a password manager. Look, everybody wants to know what’s the best password manager. If you have an IT team or an IT guru you can talk to, great. If not, the best way is to do your own search, and the thing that we suggest for Cultural Cyber Security is, if you can, use one that you pay for, because all VPNs and all password managers, you get what you pay for. So, if you go to a reputable company and you pay $50 a year or $150 a year, whatever it is, you can get the whole suite and they are very easy to use.
I’m a non-technical person, and I can use them. I’m a psychologist. If I could use these, the average person listening to this will be able to use it as well.
Last couple of things, Jayne, and everybody’s going to hate me when I say this – please reduce your social media exposure. We give away much too much personal and private information via social media. Example, a young couple we know of didn’t turn off location services, so the cybercriminals had been watching them and a lot of other people. When you don’t turn off your location services, when you post a picture, cybercriminals can look at the metadata and find out where the picture was taken.
So, they knew where this young couple lived. And of course, they posted, “Hi, here we are. First day of our three-week holiday in Germany”, and bingo, the next day, criminals moving from the cyber world to the real world rented two vans, backed it up to their house and emptied out their house. So, we give away so much information.
I was talking to a bunch of young kids, Jayne, about who they think they are posting to on social media when they post. And they have their two or three friends in mind. But there’s, everybody can see it, unless you go through all sorts of privacy settings and set up. So please, please, please – I know no one on the planet is going to stop using social media but be careful. You want to post your pictures from your holiday? Post when you get home.
Jayne Gurton: This has been a fascinating discussion, James. I will definitely be putting some of your tips into practice and passing them on to my colleagues.
James Carlopio: Good.
Jayne Gurton: Unfortunately, we are all out of time today, but we really appreciate you taking the time to talk to us.
James Carlopio: My pleasure. As you can tell, I love talking about this any time, Jayne.
Jayne Gurton: And thank you to everyone listening to Cross-Examined today. You’ll find links to the Law Institute’s cybersecurity hub and everything else mentioned today in the episode show notes.
If you found this episode useful, please share it with your colleagues and make sure you subscribe, so you don’t miss out on future episodes. Until next time, thanks for listening to Cross-Examined.
