Posts

Security Keynote Speaker on Rachael Ray, 60 Minutes…

 

Cyber Security Keynote Speaker National TV Montage

The average security keynote speaker is technical in nature (Zzz), which sometimes means they can be dry and boring. Death by PowerPoint! This is not good for your event. In fact, it can be disastrous for a meeting planner’s career or an organization’s entire conference. You want a keynote speaker who will interact with your audience, make them laugh, help them to understand where the worlds of human behavior, technology and the Internet converge, so that they walk out of the presentation with greater insight into securing the information that defines them.

Ideally, the perfect cyber security keynote speaker for your event will blend content, laughter, entertainment and cutting-edge data with the specific outcome necessary to change your audience’s behavior. That won’t just make you the hero, it will make the event a home run for the attendees, which is what it’s all about anyway. Take a quick look at this video to see what an engaging security keynote looks like (on stage).

Cyber Security Keynote Speaker John Sileo on Stage

 

John Sileo is an award-winning author and security keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it sticks. In addition to national media coverage on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business, John has appeared as a security keynote speaker for the Pentagon, Visa, Homeland Security, Pfizer and more than a thousand organizations of all sizes. Interested in bringing John in to shake up your security conference? Contact The Sileo Group directly on 800.258.8076.

Security Keynote Speaker John Sileo

Twitter privacy expert John Sileo talking with 9News on the AP hack


This Tweet disrupted the stock market as well as gold and oil prices: “Two explosions in the White House and Barack Obama is injured”.

Identity Thieves Score Billions from the IRS and Taxpayers


Every dollar counts, now more than ever, as the government searches for ways to wisely spend our money. It’s dismaying to learn that an audit report from the Treasury Inspector General for Tax Administration (TIGTA) has found that the impact of identity theft on tax administration is significantly greater than the amount the IRS detects and prevents. Even worse, the “IRS uses little of the data from identity theft cases…to detect and prevent future tax refund fraud” according to Mike Godfrey, Tax-News.

  • The IRS is detecting far fewer fake tax returns than are actually falsely filed. 938,700 were detected in 2011. On the other hand, TIGTA identified 1.5M additional undetected tax returns in 2011 with potentially fraudulent tax refunds totaling in excess of $5.2B.
  • The study predicted that the IRS stands to lose $21B in revenue over the next 5 years with new fraud controls, or $26B without the new controls.
  • Key victims include the deceased, children, or someone who would not normally file a return such as lower income individuals that are not legally required to file.
  • A Postal Inspector in Florida uncovered a tax refund scheme whereby refunds were going into debit-card accounts via thieves using the social security numbers (SSN) of dead people. Direct deposit is preferred as it doesn’t require a mailing address, photo ID, name or a trip to the bank.
  • The IRS allows multiple direct deposits to the same bank account. A key finding in the report showed hundreds of tax returns were filed from a single address. In one case, 2,137 returns resulted in $3.3M in refunds to a home in Lansing, Michigan, and 518 returns resulted in $1.8M in refunds to a home in Tampa, Florida.
  • The IRS lacks access to 3rd party information to verify returns and root out fraud. It is issuing refunds in January before it can verify data from employers and financial institutions in March. This gap provides a huge window of opportunity for thieves.
  • The IRS is not gathering enough information to prevent fraud; i.e., how the return is filed, income information on the W-2, the amount of the refund and where the refund is sent.
  • New screening filters that can identify false tax returns before they are processed have the potential to diminish the number of fraud cases as well as other ongoing anti-fraud procedures employed by the IRS. It is placing a unique identity theft indicator on the accounts of the deceased. As of March, 2012, 164,000 accounts were locked, possibly preventing $1.8M in fraud.

Charles Boustany, the US House of Representatives Oversight Subcommittee Chairman, who sent a letter to the IRS demanding a full accounting for the agency’s continued inability to stop tax fraud related to identity theft, declared that “this report raises serious questions regarding the IRS’s ability to detect tax fraud…”. The lost federal money is extremely troubling but there’s another loss to consider – the potential to erode taxpayer confidence in our system of tax administration.


John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Identity Theft & Fraud Keynote Speaker John Sileo


America’s top Privacy & Identity Theft Speaker John Sileo has appeared on 60 Minutes, Anderson Cooper, Fox & in front of audiences including the Department of Defense, Pfizer, Homeland Security and hundreds of corporations and associations of all sizes. His high-content, humorous, audience-interactive style delivers all of the expertise with lots of entertainment. Come ready to laugh and learn about this mission-critical, bottom-line enhancing topic.

John Sileo is an award-winning author and keynote speaker on the dark art of deception (identity theft, fraud training, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust.

Are Mobile Banking Apps Safe and Secure? Not Yet | Sileo Group

A study produced by The Ponemon Institute and ThreatMetrix (Mobile Payments & Online Shopping – October 2011) states that only 29% of consumers use mobile banking apps on their smart phones and tablets. Of those that don’t participate, 51% cite security reasons for their lack of participation. In other words, consumers like you and me are not yet comfortable with the safety of mobile banking apps. And our instincts are correct! Why shouldn’t you be comfortable with mobile banking apps quite yet?

Top 7 Reasons Why Mobile Banking Apps Aren’t Safe (Yet)

  1. Because most app stores (e.g., Android Marketplace) don’t review apps for security, it is very easy for criminals to post malicious apps that steal information from your mobile device (like your bank account numbers).
  2. The average smartphone or tablet user has installed no security software on their mini-computer (that’s what smartphones and tablets are), meaning that they have only a fraction of the security of a laptop or desktop.
  3. Detected malware developed for the Android platform alone has increased by 400% in the past year.
  4. The technology that keeps apps separate on your smartphone or tablet doesn’t separate them out into private sandboxes, meaning that one app can read the juicy details stored in the other without much difficulty.
  5. Most smartphone and tablet users don’t even have a basic passcode set up on their device, giving anyone with access to it potential access to your bank account.
  6. The temptation to use free WiFi hotspots at cafes, airports and hotels lures people into banking over insecure networks (it’s easy to sniff, or spy on, what you send over these free, unprotected networks).
  7. There is no clear legislation (that I have seen) governing your rights to receive a refund if your bank account is fraudulently emptied due to mobile bank app insecurity. Is the burden of proof on the user to protect their handset and software, or on the bank? Only precedent and real live court cases will answer this question over time.

Will mobile banking apps one day provide a secure, viable form of online banking? Absolutely. Are banking apps secure today? No way. Find out more about cyber data security from The Sileo Group.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

U.S. is Dumb About Smart Cards


The typical US consumer still swipes their card, credit or debit, with those same old black magnetic stripes. And, we hold our breath and hope they work, and don’t lead to erroneous (fraudulent) charges we have to defend. The rest of the world has switched to Smart cards, according to Peter Svensson, The Associated Press, in The Denver Post. “The problem with that black magnetic stripe on the back of your card is that it’s about as secure as writing your account information on a post-card”.

Svensson comments “Smart-cards (chip-based cards) can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe:  They can hide information so it can be unlocked only with the right key”.

This begs the question, why is the US lagging in this technology? How do we re-vamp our system to promote smart-card transactions? Some experts maintain that it is a lack of demand by everyone from consumers and issuing banks to retail establishments. In essence, we don’t want the added security. This, of course, is just a smoke screen to obscure the underlying issue: no one wants to pay for it. Consumers don’t feel like they should pay for the technology (through higher card fees) even if it makes them safer (Haven’t we always been pretty safe?). Banks don’t want to pay to issue higher-cost cards with chip technology (they probably think it is cheaper to weather the costs of fraud – it is not). And retailers don’t want the added expense of new, more sophisticated equipment.

For the sake of a short term buck, all three groups are willing to sacrifice long-term safety, viability and profits. Does anyone else out there feel like America can be embarrassingly short sighted at times?

Smart cards are recognizable by the fingernail-size gold contacts embedded on one side of the plastic. In Europe, rather than turning your card over to a waiter, the waiter presents a wireless payment terminal, has you swipe your card and enter your PIN without ever losing sight of the transaction. The window for fraud drops nearly to zero since you are actively involved in the transaction.

What can you do to help? Let your financial institution know that you value the security of smart-card technology. According to Richard Sullivan, senior economist at the Federal Reserve Bank of Kansas City, in 2006, 9 cents out of every $100 paid by card in the US ended up in the pockets of criminals (and not on the bottom line of the credit card company or retailer). The comparable figure for Spain was 2 cents. Let your bank know that they can save approximately 7% of every dollar they earn (a high ROI for a bank) by catching up with the times.

__________________________________________

John Sileo is America’s leading financial keynote speaker on identity theft and non-technical data security (the human element). His clients include the Department of Defense, Pfizer, Homeland Security and the Federal Reserve Bank. Contact him directly on 800.258.8076 and reference smart cards for more information.

Sileo on 9News: Aurora City Council Identity Theft


By Kevin Torres, 9News

AURORA – Five of Aurora’s most powerful politicians found out how vulnerable they truly are. They’ve joined a long list of people who have fallen victim to identity theft.

The city councilors thought they were alone, until they heard from their colleagues at a council meeting.

“It was kind of a relief when I found it was a council thing and not me personally,” said Councilor Molly Markert.

Markert and four other councilors received bills for items they never even purchased, including electronic devices.

If there was ever an expert on identity theft, John Sileo would certainly be high on the list.

He’s written a few books on the issue and even does work for the Department of Defense and Homeland Security.

Sileo says the thief or thieves likely cracked the councilors’ codes by one of two ways.

“It’s either an inside job which is someone got paid to funnel information out, or, the second way is their systems were hacked in to, it’s also very common,” Sileo said.

Read the full Aurora City Council Identity Theft Story.

 

John Sileo is America’s leading keynote speaker on identity theft, social media privacy and trust building. His clients include the Department of Defense, Homeland Security, the FDIC, Pfizer and organizations of all sizes. Learn more at ThinkLikeASpy.com.

7 Steps to Stem Facebook Privacy Bleeding


Why You Should Share Facebook Privacy Settings with Friends

A true friend does more than just post updates about their conquests on your wall. They share information with you that makes your life better, even if it isn’t exactly what you want to hear. And you do the same for them. But are your friends unwittingly sharing too much information about you with others (strangers, advertisers, app developers, scammers)? Probably. For example, if they (or you) haven’t customized your privacy settings lately, you are giving Facebook permission to:

  • Publish your name, photo, birth date, hometown and friend list to everyone?
  • Indirectly share your restricted data with outsiders through your friends?
  • Let your friends check you in to embarrassing locations where you aren’t?
  • Post your Likes as advertisements on friends’ walls using your name?
  • Authorize Google to index, access and share your information on the web?

Taking simple steps will make a significant difference. Start with the 7 Facebook Privacy Settings below and ask your friends to do the same. It benefits their privacy and yours. The video to the left quickly walks you through how to get to each level of privacy setting. If the video is too small for you to see the pointer, simply click on the four arrows in the bottom right-hand corner of the video viewer (to the right of the YouTube logo) to view in full-screen mode. For better resolution, use the drop down menu to switch to 720 HD.

7 Facebook Privacy Settings to Share with Your Friends

  1. Hide Your Hometown, Friends & Interests from Strangers. You may want every last soul on Facebook to know who your friends are, but your friends might not appreciate being part of your popularity contest. And believe me, you don’t want outsiders knowing where you live, where you were born and what interests you. To block people other than your friends from seeing these items, in the upper right hand corner of your home Facebook screen once you are logged in, click Account>>Privacy Settings. Then go to View Settings (under Connecting on Facebook). Set See your friend list, See your current city and hometown, See your education & work and See your likes, activities and other connections to Friends Only. You can even block everyone, including friends, from seeing these personal tidbits by clicking on the Everyone button, selecting Customize and choosing Only Me.
  2. Restrict (or alter) Your Personally Identifying Information (PII). Facebook PII includes your Birthday, Address, Email, IM Screen Name and Phone Numbers. With just your name, birthdate and hometown, a scammer can easily recreate your Social Security number, steal your identity, or rob your home while you’re on vacation. My recommendation is to leave these fields blank in the first place (where possible) or fill them with partial or inaccurate information (make up a birthdate that is close to yours but not exact. Please note this may be in violation of Facebook’s user policy.). Either way, you should also limit others from accessing your PII. Click on Account>>Privacy Settings and then Customize Settings (towards the bottom of the sharing grid – look for the tiny pencil). Each drop down box to the right allows you to Customize your setting for that item. Using the Customize option, set Birthday (under Things I share) and Address, IM Screen Name, Email, Phone Numbers (under Contact information) to Only Me. Consider setting Religious and political views and Interested in to Only Me or Friends Only as well. The primary way a social engineer (information con artist) exploits you is by understanding what interests you. 
  3. Stop Broadcasting Your Whereabouts in Places. Like the popular application Foursquare, Facebook Places allows you to check in to real-world locations and share your whereabouts with friends (so that burglars know exactly when to rob you). There are two relevant settings regarding Places. First of all, you should limit which users can see which places you can check in to. Click on Account>>Privacy Settings and then Customize Settings (see the first video for direction). Set Places you check in to (under Things I share) to Only Me (using the Customize feature) if you want to disable Places or to Friends Only if you want your friends to know your location. In a very strange default setting, Facebook allows your friends to check you in to places (e.g., a friend checks you in to a strip club while you are at the library). To turn this off, on the same screen, click on Edit Settings next to Friends can check me in to Places (under Things others share). In the drop down menu, choose Disabled and click Okay.
  4. Limit How Your Photos & Videos are Shared. If you allow everyone to see photos or videos in which you are tagged (the default), anyone can post a compromising photo of you (friend or otherwise) and then share it with the world by tagging you in the photo. This can lead to some very embarrassing situations (you’d never post the pictures taken at the bachelorette party, but the scorned bridesmaid just might). There are two settings you need to change to fix this. First, click on Account>>Privacy Settings and then Customize Settings (find the pencil). Click on Edit Settings next to Photos and videos you are tagged in (under Things others share). Change the drop down menu to Customize and change the setting to Only Me if you don’t want others to see your tagged photos or to Friends Only if you want your friends to see the tagged photos. Click Save Settings. Then, in respect for your friends, make sure you aren’t accidentally allowing their friends to see photos in which you tag them. To do this, go to Account>>Privacy Settings. Towards the bottom of the page (above the pencil) is a check box that says Let friends of people tagged in my photos and posts see them. Uncheck this box. 
  5. Restrict Google and Apps from Mining Your Identity. By default, Facebook allows search engines like Google and applications (apps) like Farmville access to certain personal information. After all, Facebook is in the business of inventorying your identity and then selling it to vendors and advertisers. To regulate how much is shared, click Account>>Privacy Settings and then Edit your settings (under Apps and Websites in the bottom left-hand corner). First, go to Public search and Edit Settings. Unclick the Enable public search check box to keep the search engines out of your profile. If you use your Facebook profile for business and want to be searchable, leave public search enabled. Next, go to Apps you use and click Edit Settings. Review and Edit every app that has access to your private information or delete the access entirely. Having all of your social networking profiles connected and using Facebook as a centralized login for convenience is a recipe for privacy disaster.
  6. Limit What’s Accessible Through Your Friends. No matter how tightly you lock your privacy down in Facebook, if you don’t restrict what strangers, vendors, advertisers and Friends of Friends can see through your friends, you have done very little to actually protect yourself. Here’s how to limit what your friends can share (knowingly or unknowingly). First, click Account>>Privacy Settings and then Edit your settings (under Apps and Websites in the bottom left-hand corner). Next to Info accessible through your friends, click Edit Settings. You will see an entire list of data that can be accessed through your friends Facebook page, EVEN IF THE SAME INFORMATION ISN’T ACCESSIBLE THROUGH YOUR PAGE (because you customized your privacy settings in steps 1-5). This is quite possibly the most devious aspect of Facebook. I only have two or three items checked here – those pieces of information that I wouldn’t mind seeing on the front cover of USA Today. That is how public these bits of data become if you allow your friends to share them. 
  7. Turn On Your Account Security Features. Facebook has several built-in security features (turned off by default) that make your social networking a safer virtual world. Click on Account>>Account Settings and then Security (left column). First, under Secure Browsing (https), check the box next to Browse Facebook on a secure connection (https) whenever possible. This gives you bank-like security when accessing your Facebook pages. Under Login Notifications: When an unrecognized computer or device tries to access my account, check the box next to Send me an email. That way, if someone gains unauthorized access to your Facebook account on a non-registered computer (your computers and phones will be registered), Facebook automatically locks the user out. If you don’t mind sharing your mobile phone number with Facebook (I don’t share my # with them), you can implement a third security feature. Under Login Approvals: When an unrecognized computer or device tries to access my account, check the box next to Require me to enter a security code sent to my phone.

If you just took these first 7 Steps to protect your Facebook privacy – congratulations – your profile and data are more secure than 99% of the Facebook population. Now it’s your turn to be a good friend – pass this on to someone you care about, and ask them to spend a few minutes protecting themselves. It’s a win-win for everyone.

John Sileo is the award-winning author of Privacy Means Profit and a keynote speaker on social media privacy, identity theft prevention and manipulation jujitsu. His clients include the Department of Defense, Blue Cross, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com or contact him directly on 800.258.8076.

7 Steps to Secure Profitable Business Data (Part II)


In the first part of this article series, we discussed why it is so important to protect your business data, including the first two steps in the protection process. Once you have resolved the underlying human issues behind data theft, the remaining five steps will help you begin protecting the technological weaknesses common to many businesses.

  1. Start with the humans.
  2. Immunize against social engineering.
  3. Stop broadcasting your digital data. There are two main sources of wireless data leakage: the weakly encrypted wireless router in your office and the unprotected wireless connection you use to access the Internet in an airport, hotel or café. Both connections are constantly sniffed for unencrypted data being sent from your computer to the web. Strategy: Have a security professional configure the wireless router in your office to utilize WPA-2 encryption or better. If possible, implement MAC-specific addressing and mask your SSID. Don’t try to do this yourself. Instead, invest your money in proportion to the value of the asset you are protecting and hire a professional. While the technician is there, have him do a thorough security audit of your network. You will never be sorry for investing the additional money in cyber security. To protect your data while surfing on the road, set up wireless tethering with your mobile phone provider (Verizon, Sprint, AT&T, T-Mobile) and stop using other people’s free or fee hot spots. Using a simple program called Firesheep, data criminals can “sniff” the data you send across these free connections. Unlike most hot-spot transmissions, your mobile phone communications are encrypted and will give you Internet access from anywhere you can make a call.
  4. Eliminate the inside spy. Most businesses don’t perform a serious background check before hiring a new employee. That is short sighted, as much of the worst data theft ends up being an “inside job” where a dishonest employee siphons information out the back door when no one is looking. In the consulting work we have done with breached companies, we have discovered the number one predictor of future theft by an employee – past theft. Most employees who are dishonest now were also dishonest in the past, which is why they no longer work for their former employer. Strategy: Invest in a comprehensive background check before you hire rather than wasting multiples cleaning up after a thief steals valuable data assets. Follow up on the prospect’s references and ask for some that aren’t on the application. Investigating someone’s background will give you the knowledge necessary to let your gut-level instinct go to work. More importantly, letting your prospective hire know in advance that you will be performing a comprehensive background check will discourage dishonest applicants from going further in the process (watch the video for further details). I personally recommend CSIdentity’s SAFE product, which is a technologically superior service to other background screen services.
  5. Don’t let your mobile data walk away. In the most trusted research studies, 36-50% of all major data breaches originate with the loss of a laptop or mobile computing device (smart phone, etc.). Mobility, consequently, is a double-edged sword (convenience and confidentiality); but it’s a sword that we’re probably not going to give up easily. Strategy: Utilize the security professional mentioned above to implement strong passwords, whole disk encryption and remote data-wiping capabilities. Set your screen saver to engage after 5 minutes of inactivity and check the box that requires you to enter your password upon re-entry. This will help keep unwanted users out of your system. Finally, lock this goldmine of data down when you aren’t using it. Either carry the computer on your person (making sure not to set it down in airports, cafes, conferences, etc.), store it in the hotel room safe, or lock it in an office or private room when not using it. Physical security is the most overlooked, most effective form of protection.
  6. Spend a day in your dumpster. You have probably already purchased at least one shredder to destroy sensitive documents before they are thrown out. The problem tends to be that no one in the business uses it consistently. Strategy: Take a day to pretend that you are your fiercest competitor and sort through all of the trash going out your door for sensitive documents. Do you find old invoices, credit card receipts, bank statements, customer lists, trade secrets, employee records or otherwise compromising information? It’s not uncommon to find these sources of data theft, and parading them before your staff is a great way to drive the importance of privacy home. If your employees know that you conduct occasional “dumpster audits” to see what company intelligence they are unsafely throwing away, they will think twice about failing to shred the next document. In addition to properly disposing of new documents, make sure that you hire a reputable on-site shredding company to dispose of the banker’s boxes full of document archives you house in a back room somewhere within your offices.
  7. Anticipate the clouds. Cloud computing (when you store your data on other people’s servers) is quickly becoming a major threat to the security of organizational data. Whether an employee is posting sensitive corporate info on their Facebook page (which Facebook has the right to distribute as they see fit) or you are storing customer data in a poorly protected, noncompliant server farm, you will ultimately be held responsible when that data is breached. Strategy: Spend a few minutes evaluating your business’s use of cloud computing by asking these questions: Do you understand the cloud service provider’s privacy policy (e.g. that the government reserves the right to subpoena your Gmails for use in a court of law)? Do you agree to transfer ownership or control of rights in any way when you accept the provider’s terms of service (which you do every time you log into the service)? What happens if the cloud provider (Salesforce.com, Google Apps) goes out of business or is bought out? Is your data stored locally, or in another country that would be interested in stealing your secrets (China, Iran, Russia)? Are you violating any compliance laws by hosting customer data on servers that you don’t own, and ultimately, don’t control? If you are bound by HIPAA, SOX, GLB, Red Flags or other forms of legislation, you might be pushing the edges of compliance.

By taking these simple steps, you will begin starving data thieves of the information they literally take to the bank. This is a cost-effective, incremental process of making your business a less attractive target. But it doesn’t start working until you do.

John Sileo, the award-winning author of Privacy Means Profit, delivers keynote speeches on identity theft, data security, social media exposure and weapons of influence. His clients include the Department of Defense, Pfizer, Homeland Security, Blue Cross, the FDIC and hundreds of corporations, organizations and associations of all sizes. Learn more at www.ThinkLikeASpy.com.

 

Fun Fraud Detection Training


Businesses often make social engineering (or fraud) training boring! And that’s bad for your bottom line, because no one ends up remembering how to protect your organization against threats like data theft, corporate espionage or social networking exposure.

Too often, fraud and social engineering workshops cover just the concepts that define fraud rather than the feelings that signal it’s actually in process at the moment. The key to training your executives, employees and even customers on fraud is to let them experience what it feels like to be conned. In other words, they need to actually be socially engineered (manipulated into giving away their own private information) several times throughout the training so that they begin to reflexively sense fraud as it is happening. Like learning to throw a ball, there is no substitute for doing it for yourself. Fraud detection is similar; it takes actually doing it (or having it done to you) to fully understand the warning signs. Anything less will leave your audience yawning and uneducated.

This social engineering video was recorded at a fraud training I did recently and it demonstrates how fun it can be to train someone on detecting fraud, and how profitable. As silly as it might seem, the skills necessary to detect fraud can be taught in very entertaining and engaging ways. After watching the video, take a minute to understand the basic skills your employees and executives will need to Stop Fraud:

Fraud Training Step 1: The Trigger

The trigger, or what causes you to be on high alert, is actually very simple—it is the appearance of private information in any form (your identity, customer information, employee records, intellectual capital, etc.). Anytime someone requests or has access to any of the names, numbers or attributes that make up identity, or to the paper, plastic, digital or human data where identity lives (whether it is yours or your organization’s), the trigger should trip and sound an alarm in your head.

There are hundreds of examples of fraud triggers in the workplace. Here are a few of the more common:

  • When someone is requesting information about you on Facebook, LinkedIn, etc.
  • When someone requests information about your company, computer login or co-workers in person or by phone
  • When you are clicking on a link in an email
  • When you are entering data into a website

When your identity is being requested in any way, slow down and ask yourself: Is the risk of giving this piece of identity away in this specific situation worth the benefit?

Fraud Training Step 2: Hogwash!

Your team should be trained such that anytime their reflex is triggered, a phrase or picture automatically pops into their head, whether they actively think about it or not. If the word (also called a trigger) is a bit out-of-the-ordinary and the picture is humorous, you almost can’t help but notice when it appears. The trigger that I use when I train is the word HOGWASH! Here is my definition of Hogwash:

Hog’wash |hôg’wô sh | n. 1. A gut reaction that someone is manipulating you for their own gain, or feeding you a line of bull in order to deceive you (e.g., I’ll just borrow your password for a short time); 2. Healthy skepticism that persists until the person requesting information from you proves they are worthy of your trust.

When the word Hogwash pops into your head, picture a pig feeding at a trough. Better yet, picture the person (who is requesting your information) feeding at a trough (the image is what makes it fun and memorable – don’t be afraid of the silliness – it works). As they provide legitimate reasons for needing the information and adequate reassurance that your data will be handled securely, they begin to rise from the trough. But don’t let them off the hook yet, because social engineers are masters at using your natural biases against you.

Fraud Training Step 3: Vigilance

When an outsider has access to your identity or critical business data, your trigger should automatically activate without thinking about it (Hogwash!). Your first response should be to heighten your level of observation, to become more vigilant. View the situation as a child would—with curious eyes. You can even borrow what we teach our children to be more aware in dangerous situations—Stop, Look and Listen:

Listen to your instincts. Ask yourself if your identity is safe. Is there a change in the environment that makes you uneasy or uncertain? What is your gut saying? Would a spy give away this information? Is the benefit you are receiving worth the data you are sharing? Be a healthy skeptic (i.e., not paranoid, but vigilant) of anyone who is requesting sensitive information. The final and most important step is to follow up with the right questions, or interrogate the enemy.

Don’t make privacy a policy, make it part of your culture. Start by engaging your troops, not putting them to sleep.

If you are interested in having John Sileo conduct fraud training or social engineering keynotes for your organization, contact him directly on 1.800.258.8076. His satisfied clients include the Department of Defense, the FDIC, Pfizer and the Federal Trade Commission.