After being scammed, embarrassment can prevent people from getting the help they need, but in order to destigmatize the painful mistake, more people need to report incidents and understand that it happens to even the most technically savvy.
Today’s guest is Rory Innes. Rory has spent his entire career in cybersecurity and has worked for leading global cybersecurity companies in a range of senior management positions. Rory spotted the huge gap in support for victims of cybercrime and online harm and created the Cyber Helpline to mobilize the cybersecurity community to step in and fill the gap. As CEO, Rory is responsible for the strategic, direction, performance, and operational effectiveness of the Cyber Helpline. Rory often provides comment and opinion for the press and has appeared on live TV and documentaries providing his expert opinion on cybercrime.“We have these real themes of hacked accounts, frauds, and scams, but also these really complex human issues and then the seasonality of cybercriminals being good at marketing and taking advantage.” - Rory Innes Click To Tweet
- [1:10] – Rory shares what Cyber Helpline is and his motivation to start it up.
- [3:26] – There are different types of cybersecurity such as commercial issues and personal concerns.
- [4:31] – Now, Cyber Helpline sees an average of 2,000 reports a month.
- [5:53] – Cyber Helpline began as a UK only organization, but they are now looking to help globally.
- [7:11] – Rory shares the types of things reported and the things that have been surprising over the last five years.
- [8:35] – In many places across the world, Covid-19 had a huge impact on the economy and the rise of scams.
- [10:46] – Hacked social media accounts are really common and can be really detrimental to the people in your network.
- [12:00] – Investment scams are also very commonly seen and you may not see the problem for a while.
- [14:43] – Hypervigilance from the threat of cyberstalking makes things mentally draining, scary, and creates difficulty for them to be believed.
- [16:36] – Rory describes the process of investigating and helping a victim through a cyberstalking case.
- [19:50] – Misconceptions are created and then spread wide through crime stories, social media, and crime shows or movies.
- [22:46] – Does changing your password and wiping your devices really help?
- [24:24] – When it comes to cyberstalking, it is important to remember that stalkers are obsessed. If you remove the access, you don’t remove the obsession.
- [26:51] – The Cyber Helpline also helps educate the victim in how to spot signs of scams.
- [28:00] – The Cyber Helpline uses the Assistance Self-Help model.
- [31:30] – Service users are asked how this experience is impacting them.
- [32:59] – Mental health is the highest reported impact on victims, even more so than money.
- [35:31] – Mental health support is getting better, but is still not effective for many people who experience this.
- [37:32] – The demographics of the victims can tell a lot about the likelihood of them reporting something.
- [40:27] – Rory himself has been a victim of cybercrime and admits that he was very embarrassed by it at the time it happened.
- [43:41] – The hardest thing is when targeted children and teens don’t feel comfortable talking about it with their parents.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- The Cyber Helpline
Rory, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me. Excited to be here.
I'm glad to have you here as well. Can you tell myself and the audience a little bit of background about who you are and why you do what you do?
I'm Rory Innes. I am the founder and CEO of The Cyber Helpline. We are a charity that provides free expert help to victims of cyber crime and online harms in families who have fallen victim online. I do that because I saw firsthand the huge gap in support for victims, how hard it is when you don't understand IT and cybersecurity, and how devastating the impact is. I really realized that it was the cybersecurity profession that had a real opportunity to step in and fill that gap. I really had that concept of a movement profession to try and help.
When you started The Cyber Helpline, was this just a labor of love or did you have funding friends? How did it start up?
It was definitely a labor of love at the start. I've been in cybersecurity since university, essentially. I had been in the industry for a long time. I ended up in the cybersecurity gym that was part of an investment portfolio of our merchant bank. One of the other things they had was a private office. They were working with a lot of ultra-high net worth individuals, the rich and famous, essentially, providing a whole range of services from where to park your super yacht, how to get the tickets for events, that kind of thing. They also had lots of businesses and another part of the business.
I was there to help the consultancy for the small, medium businesses. These […] individuals kept coming to us and saying, “I've got this […].” At first, I was a bit dismissive. “If you just go to the police, that will be fine. You’ll get sorted.” They kept coming back, kept coming back, and say, “We haven't heard anything. Nobody’s helping us.”
We started looking into this area of how do you help individuals? Why aren't they being helped somewhere else? And what does it take to actually deal with some of these issues because they're different? There are corporate cybersecurity issues and then there are the types of issues individuals might face, which include cyber stalking, revenge porn, these more human issues.
At that point, I took a step back and said, “Somebody needs to do something here. The gap in support is just too big.” I had this crazy moment of, “Why don't we just put up a website, offer help. I'll go and get some meat in the industry, and we'll see if we can help some people?” That was five years ago. It's been a really busy, interesting five years since then.
How many people or cases have you worked on since then?
Since we took our first case around five years ago, we've now probably opened over 28,000-30,000 individual cases. We're currently opening around 2000 cases a month. I think our biggest ever month in terms of cases opened was around 2500. We've gone from putting up that website in the first case coming through the online form to having built all sorts of maturity and ability to scale. We're continuing to see lots of demand growing pretty quickly.
Is this worldwide or just the UK?
We started in the UK. For the first four-and-a-half years, we've been in the UK only. We have a range of ways people can get help. They can use our helpline, which is our volunteer cybersecurity experts. We also have lots of online guidance for each type of attack somebody might face and a chatbot that can help them walk through that process. We've always made the chatbot and the website available to anyone because people across the globe are suffering from very similar types of attacks.
We've limited the actual helpline itself to the UK because of how much funding we have, but also because of the local knowledge needed to get really good outcomes for victims. Over the last couple of months, we've actually just started a pilot in the US. We are working out right now how we localize our advice and our help for the US market.
We're starting to take some cases there. The plan is as we get deeper into that pilot, we will start offering the service in the US, essentially. Right from day one, five years ago, we put the website up. We had lots of people from all over the world asking for help because globally, that gap and support exists.
Has there been a trend in the most common scams or cybersecurity issues that you work with?
Yeah, definitely. There's definitely some seasonality and changes, but there's also some real constants in what we see. When we started designing the service, we thought, “OK, this is probably going to be fraud and scams, probably going to be malicious software, and maybe some hacks that we'll have to deal with.” We went off and thought, “What's our advice here? What's the playbook we're going to use?”
Essentially, in the first 10, 20, 50 cases that came in, these really complex technology meets the human world type attacks. They were cyberstalking, online harassment, revenge porn, sextortion, or bullying. What's been really interesting over the last five years is getting a real understanding of, how do individuals actually fall victim to these? We've seen in the press one million accounts hacked over here. People have lost $400 million or £400 million. But actually, that's not the story of cybercrime.
The true story of cybercrime and online harm is ex-partners stalking previous partners. This image is being shared. It's a real impact on mental health. I would say that about a third of what we do is cyberstalking, online harassment. I'd say the big other areas, we see a lot of hacked accounts, we see a lot of fraud and scams, but it's really either professional criminal gangs running sextortion scams, or it's other people harassing or stalking each other.
We see this real seasonality and attack types, where in the UK—and I'm sure in the US too—the impact of COVID has had quite a big impact in terms of the economy, inflation is really high, wages are really low. There's a real crisis here. What we've seen for the last three or six months is a huge rise in loan scams, getting people to pay fees to take out loans. We've seen a huge rise in job fraud, pretending people are getting jobs, getting them to pay for visas or for vetting, and then there's obviously no job.We've seen a huge rise in job fraud, pretending people are getting jobs, getting them to pay for visas or for vetting, and then there's obviously no job. -Rory Innes Click To Tweet
Also around government support for energy bills and other areas, because they're sending out these things by text. Obviously, the criminal sent a text a couple of days before and millions of people got scammed. We have these real themes of the hacked accounts, the fraud or scams, but also these really complex human issues, and then the seasonality of cyber criminals being good at marketing and taking advantage.
Whatever the government program is or a marketing program, they will definitely seize on that and leverage that to their own abilities.I like to say that cyber criminals aren't particularly good at cyber, but they're excellent at marketing. You don't have to be technical as a cyber criminal targeting the general public because the bar of protection is relatively… Click To Tweet
I like to say that cyber criminals aren't particularly good at cyber, but they're excellent at marketing. You don't have to be technical as a cyber criminal targeting the general public because the bar of protection is relatively low. What you have to be really good at is understanding what is going to make that individual act to do what you want them to do—click a link, share some money. That used to be the sob story by email, nervously tricking somebody into sparing a naked photo. Whatever it is that will make that person act and part with their money, they're very good at understanding those human behaviors.What you have to be really good at is understanding what is going to make that individual act to do what you want them to do—click a link, share some money. -Rory Innes Click To Tweet
Are there certain things that they're using or methodologies that they're using to get people to take action, regardless of whether it's faking a government program or faking a package?
Yeah, absolutely. I think what we've seen a lot is hacked social media accounts and email accounts being used to then scam the people in their network. When you hack someone's social media account, you can contact all of the people in their DMs. When you talk about an investment opportunity, you ask for money. You've broken that barrier of suspicion if you can mimic how they communicate and make it look roughly legitimate.
We've seen a lot of that. Or using that social media account to do some research. If I can find that person's mother's name and their phone number, then I can text them and say, “Hey, I've lost my phone. This is a new number. I'm in trouble. I need £300 sent to this account.” You break that barrier by having that connection and extra research.
What we're also seeing in terms of investment scams, particularly virtual currency investment. It's not just, “Hey, buy some virtual currency,” and the money goes missing. It's to buy some virtual currency on this platform that the criminal has created. It looks like an investment platform. You can see your investment, you can see the value of your investment, you've got an account manager who sometimes texts you, usually on WhatsApp, which is, I guess, a red flag, but you think you've got an investment.
You think it's going well, you get really excited, they ask you for more money, you put more money in. The problem comes when you try to take money out. That's when there are interesting taxes or you have to pay to release that money. At some point, that poor platform goes offline and your money has gone missing.
There's definitely more investment in the tools that people are engaging with, whether it's fake websites, whether it's fake investment platforms. But generally, what we're seeing is non-technical people using everyday technology. It's an ex-partner who's got access to the […] and can see location and photos. It's people using social media accounts to stalk someone. It's very rare we see something super high tech, but our technical ability allows us to troubleshoot and understand what actually is happening and what action we can take.
With regards to the troubleshooting, I know I definitely get a lot of people contacting me about it. “I think my ex has control over my phone and is cyberstalking beyond my phone,” and then they'll send me screenshots of open source licenses and things like that. My general view is I think they're misunderstanding the technology, seeing things that they don't understand, and they just automatically assume that that must be the cyberstalking.
What are some of the things that you look at as, yes, this is cyberstalking versus someone not—they may be cyberstalking, but what they're seeing is just, no, that's just the underlying technology of your phone and you're misunderstanding what you're seeing.
Yeah, it's a really good question because there's a couple of things at play here. When you feel like you are being cyberstalked, then you feel that there is a threat actor out there monitoring you who may be there to harm you. You can develop what's called hyper-vigilance. You are just always switched on. You are constantly aware that the stalker might be there. When you don't have technical understanding, anything that happens becomes part of the stalking. The printer reboots or the kettle makes a funny noise.
It can be bizarre things. If you look out the window and the lamppost flickers. All of a sudden, the hyper-vigilance leads to that individual thinking that that must be part of the stalking. The stalker must be high tech; they've got access to the lamppost somehow. That makes it really tricky (1) for the individual because they're exhausted, because they feel everything around them is hacked, compromised, and they can't escape the technology. (2) It makes it hard for them to get believed. If a police officer comes to the door and they say, “Hey, I think the stalker got access to the lamppost.” They immediately think, “OK, this person's struggling with their mental health,” so they don't get that immediate access to help, that issue.
Technical understanding, I think, is the biggest hole that we fill for people. The other factor here is that what you read in the news and what you see in terms of this cybercrime that is covered is usually nation-state. There are these big things. People don't understand why all that is possible. It's highly, highly improbable that your ex-boyfriend, who's a plumber, is using a nation-state malware to stalk you.
Often, what we are doing is saying, “OK, let's look at the facts and let's find the facts.” Often, we are saying, “What does your online footprint look like? What devices do you have? What accounts do you have? What other technology is involved in your life?” And we get a history of what that stalker has been doing or what they perceive that a stalker has been doing.
We basically go through a process of elimination. “OK, if you've got a Gmail account, let's look at this Gmail account,” and go and follow a checklist of indicators or compromises that we will look for. Through that process, we can identify what is actually compromised. We can also go through a process of elimination. “How did that person get that information? Where does that information exist? Who else have you told?” It's often the simplest explanation that's true.
We usually have to take them down from a high-tech, hyper-vigilant place. Down to, “Look, it's not malicious software, it's that they've got access to your iCloud account because it's your ex-partner and they know the password.” Or, “You've shared it online here, but you didn't realize you were sharing it.” You can prove that timeline. That obviously helps them a lot because it puts their mind at rest. It gives them something they can focus on and control because it's that unknown which is the horrible bit. We need to know who it is, how they're doing it, and what they're doing. It's just terrorizing, essentially. It's really tough.
It doesn't help that every crime television show has a cybercrime angle. The lone individual has the nation-state hacker tools and in three seconds can compromise the doorbell that isn't Wi-Fi connected, and all these other things.
Yeah, and that's the narrative, isn't it? The narrative that you see in the news on TV is this really exciting, interesting lone wolf or professional outfit who can change or shift directions in a second, then cause an international incident. Actually, what we've got to understand really quickly in our case is, who do we think the threat actor may be? And what is their capability?
If this person works in cybersecurity, then we're going to look at that in a different way. But if they're not in the IT world, immediately, it doesn't remove it, but it lowers the chance of highly technical going on. There's usually a more simple explanation. Just trying to take them away.
The other chance that we often see too is, remember that the police aren't technical either. They're not IT experts. They're reading the same things in the press. Sometimes when they're talking to a victim who's reporting a crime or an issue, a cyber crime, the police officer may say, “Oh, yeah. I read an article about a nation-state attack on Apple devices. Maybe it's that, and it fuels this. It proves this.” Getting people in front of the right people at the right time who will understand what's happening can make such a difference.
I suppose there's also an impact on the opposite side in terms of, with those crime shows, you see that the crime scene investigators were able to, in three seconds, go, “Oh, that IP address was assigned to Rory, and he's currently driving his car southbound on this freeway. Let's send someone out right now.”
I don't know if you've got any experience with the evidence collection process in the US. But in the UK, they might take your mobile phone and have it for eight months before they even look at it because there's such a backlog in demand. You'd have to be on a very, very long, far journey to get caught in the act at that moment.
That's another challenge too because if a police officer does want to seize your mobile phone, you are 16, and they say, (1) “We're going to look through your phone.” I don't know about you, but if I was 16 and the police said, “I want to look through everything on your phone,” I'm probably pretty unhappy about it. (2) If the police officer also says to you, “You might not get this phone back for eight months,” that's also going to be pretty unappealing to a 16-year-old, or pretty much anyone. Part of the challenge we have is (1) how long it takes, but (2) how appealing that is for victims who just want it solved and want to move on.
They're not interested in cybersecurity. Cybersecurity is boring for the general public, but it gets really exciting when something goes wrong. They just want to move out the other side and get back to their life again. We just don't have the services, the capability, the resources, law enforcement, and the wider community to do that. It's what makes the problem worse.
It's also what brings rise to things like recovery scams. The scammer phoned you up three days later, pretended to be the police, and scammed you again because they know the police will not have been in touch in that timeframe. There are lots of areas for us to work on to get better.
Because I don't have the time to dedicate four hours to helping a specific individual and being on the phone with him the entire time, myself and other people often will simplify the advice in order to…”Let me give you something that will most likely help you.” But because I haven't been able to do the work to identify, yes, this really is a hack versus a stalker, you're just seeing things that aren't there because you're worried about some history that's happened with this individual. Does things like telling the person, “Just wipe the phone, reinstall the OS, change all your passwords, install password manager, two-factor authentication, the bare bones, simplified device,” actually work for a lot of people on the technical side and then on the perception side?
Yeah. This is really, really interesting because cyberstalking is a great example of this. While I was talking, there's probably a third of what we do, and we do lots of other stuff. It's one of the most complex types of cases that we take because it's ongoing; there's lots of risk. There's an active threat actor. You've got all these elements to it, which is really tricky.
The advice that most commonly victims will get when they go to a stalking service, who are not technical but awesome at dealing with stalking, or the police says, “Hey, just don't put your passwords, block them, factory reset your device, and see what happens.” They're actually some of the worst advice you can give because you factory reset that device, there isn't any evidence that you've got on it. If the police do come for that device and want to do that investigation, that can make it really tricky. It can also make it really tricky for the victim to tell their story because the timeline, the events, and the content of messages, documents, whatever, will be lost.
Also, you've got to remember that stalking is about obsession. The person on the other side is obsessed with this individual. They might only have one access online to that person. They might have access to their email account. They might be friends on their Facebook page. If you remove those things, the danger is that you don't remove the obsession, you just remove the access.
What if the stalker changes their behavior and that behavior becomes more risky? Instead of now they can't see you on Facebook and they can't read your emails, they turn up at your office and follow you home.
What's been really interesting is that nobody teaches you in a computer science degree or in a corporate office on how to deal with cyberstalking if you're in the IT security team. We've had to really sit down and understand, to work with some stalking charity, work with some academics in the space, work with some other people in the area, and actually define not just how do we help people with cyberstalking in terms of looking for online compromise and dealing with that, but how do we keep them safe while we're doing it?
If the stalker knows where they are, we don't want them to escalate their behavior and feel like they're running out of time. You can move the stalker into this mode of what's called finality thinking—“I've got to do this now or I'm never going to be able to do it again”—which increases the danger. All of this is about how do we help them understand the compromise? How do we keep them safe and stop it getting any worse? That safeguarding element becomes really important, but then it's how do you help them recover?
The police's job isn't to help you get your device secure again; it’s to look for evidence and try and prosecute someone for doing something. But remember, the impact of cybercrime isn't just technical. It's mental health. It's online confidence. It's feeling safe at home. This is financial because often they've bought lots of devices and done lots of things. Part of our job is to get them to a point where they feel safe online again. They have some security. They have some privacy, but also they build some confidence on being online again.Part of our job is to get them to a point where they feel safe online again. They have some security. They have some privacy, but also they build some confidence on being online again. -Rory Innes Click To Tweet
How do we empower them through the process to be able to spot compromise, to know what to do when it happens so they at least feel they will know what to look out for in future? It's really interesting because it started off as a bunch of techies trying to do technical things. Very quickly, it moved into a bunch of people of all sorts of backgrounds trying to deal with this really large problem.
From a big picture perspective, what are some of the things that you and your team do to help people regain that confidence of being able to be online and feel secure in that?
I think this is the biggest benefit that we give people. The other is probably helping them collect evidence, have some credibility with the police, and push for investigations. I think, actually, the big benefit is empowering those individuals to feel safe and secure online. I think that starts right at the beginning of our service.
Our model is what we call an assisted self-help model. We don't remote desktop into your machine. We don't sign into your Google account and play around. What we do is take you through a process where we empower you to take those actions with our guidance. You may tell us what your accounts and devices are, what your online footprint looks like, and we may highlight some areas that we want to go and investigate, but we will give you the instructions. We'll be sitting over your shoulder listening, watching, helping you make decisions, and understand what you're looking at.
Because they're taking the action, they're the proactive person looking and putting the protections in place, it gives them that skill set of, “OK, well, now I realize in my email account, there's a section where I can see recent logins and failed logins. Now I know I don't have to just worry about it; I can check.” They realize because they've set up a stronger password, they've turned on two-factor, they've done these other things we've put in place, they have the knowledge of how to do those things.
I think the other bit to that is it comes back to what we were talking about earlier, which is that lack of technical understanding and hyper-vigilance. Sometimes, just going through that process and understanding what is possible, what is incredibly unlikely, and what's not possible, can help them go through that triage process themselves. “He probably did not hack the lamppost outside my house. It's probably just a coincidence.” Or, “If my printer does this, that it's a normal thing for my printer to do.” That also helps as they go through the process.
The other flip side to that is that's also really hard. If you are being stalked, you are scared of the stalker, and they've been stalking you through technology. Someone like us is saying, “Hey, can you look at all your devices and check for these compromises?” It can be really daunting and really scary. Helping that individual by going at their own pace, by giving them the right support, and by trying to really minimize the actions they have to take each step also really helps.
One of the big challenges we have right now with law enforcement and other places is that we're asking people who are being targeted online to report online, find all the evidence online, and then report it online again. That person really doesn't want to be online at that point in time. They're terrified of being online. The user engagement model will probably have to change for the whole fraud. Just to sum up on that question, I think really empowering the user and making them part of the solution really leads to that confidence coming back.I think really empowering the user and making them part of the solution really leads to that confidence coming back. -Rory Innes Click To Tweet
You're talking about the mental health impacts of cybercrime, stalking scams, and whatnot. Do you provide services in that space also or is that something that you more frequently refer out to?
We mostly refer. I do a bunch of things in our service to make us aware of what we're hearing and what we should do next. We ask all of our victims when they come to us or service users when they come to us, “How is this issue impacting you?” We look at areas like financial, mental health, physical health, online confidence, personal safety, impact on family members, and others. We have all these areas that we've identified—our key impact areas.
We ask them to score them out of 10 and then we ask them to create a statement around that number. “Why have you scored this 10?” What's really interesting is that having been in the industry for a long time, you always see it through a financial lens of how much someone lost, and that's what gets reported. It's what the police report. “These many victims have lost this much money.” It was really interesting for us when we looked at 26,000 people who filled that out.
Financial loss is almost always bottom out of their categories. Even if they've lost significant money, it's often not the top area. It's mental health and online confidence. They are the two big things.Financial loss is almost always bottom out of their categories. Even if they've lost significant money, it's often not the top area. It's mental health and online confidence. They are the two big things. -Rory Innes Click To Tweet
We understood that really early when we started talking to victims and realize that while we're not a mental health service and we don't plan to be, we have to understand how to listen and speak with vulnerable users. We have to understand what the red flags are that we should be watching out for, and we need to have really good safeguarding procedures in place so that if we do think that individual is a danger to themselves or others, we know what to do with it. We have the right partners where we can refer and write procedures.
That was hard too because again, a bunch of techies wanted to have the technical things. It's just not your space. Part of that is also in our recruitment. Some of our volunteers are on the front line who have some of those skills, and we can train some of those skills. Others are the second, third lines. They're a specialist in ransomware. They can be contacted on the help desk and come into a case to provide technical expertise but not do the front line bit working with the victims. We've had to build that knowledge, intelligence, and procedure into the service as we've gone forward, essentially.
It's really interesting because when you talk about the mental health aspects, the financial, the number lost is less important to people. It's interesting because there isn't a quantifiable mental health impact metric that you can report. You can report on the number of incidents, the accounts compromised, the number of dollars lost, pounds lost, or currency, but you can't really count, “How many friends did you lose over this? How have your relationships degraded because of this?”
Think about this. If somebody steals your phone, which maybe cost you $1000, but on that phone was a video of you naked, and that is now on social media being shared, that £1000, $1000 phone loss is pretty insignificant compared to this video of you online, and somebody's asking you for $5000 to take that video down. You're right.
Luckily, the issue of mental health and the impact of mental health is something that just, as a society, we are getting better at a little or not there, I think. I think that in the UK, in particular, mental health services are extremely busy and extremely underfunded. That can be a challenge too, and those people are accessing the help they need when they need it. I think that even something as simple as an individual clicking on a phishing link and losing £200—£200 is a lot of money to almost everyone, to a lot of people.
It's the feelings of shame, being tricked, and being stupid. “I've done something wrong; it's my fault.” The isolation of that, which can make it really tricky, or it's a 15-year-old boy who's being targeted online. He doesn't want to tell his school. He doesn't want to tell his parents and certainly doesn't want to walk into a police station and talk about it. It's that isolation and challenge.
We need to change the way people feel about these things, how easy it is to report, how we support them when they report instead of saying, “Hey, cool. Here's a credit reference number. You'll never hear from us again. Good luck.” There's lots of work to do there, I think.
Do you think some of it is some of the issues around the shame of being a victim of cybercrime is that they don't feel, “If I was a cybersecurity expert, this wouldn't have happened to me, and because I don't hear cybersecurity experts talking about them being victims of cybercrime, then it's about me, not about the crime itself”?
You see the reasons differ by demographics, I think. These are massive generalizations, but for the older population, they don't understand technology; it’s their faults. They're being stupid, they've been tricked, they're embarrassed about it, but they blame themselves because of their technical acumen, actually, and their nervousness just generally about being online.
I think as you get to the problems that exist in the younger generations, that feeling of embarrassment and shame is much more tied to friendships, relationships, sex, because a lot of what we're seeing is revenge porn, sextortion, harassment, shaming people online. That obviously is embarrassing, it's bullying, and it's harassment.
I'm 40 years old, so I didn't grow up with the internet and technology. It was relatively early in my life—probably 18—when I was online and had an email account. Younger kids today, their online identity is inseparable from their offline identity. If you taint that online world, their online friendships, and there is information out there about them online, it's easy for the older generation to say, “Hey, don't worry about it. It’s just social media. Everyone forgets about it.” It just doesn't work like that.
The impact on mental health, isolation, or just ability to go about their day-to-day lives, completely changes. I do think that as we help different segments of the population and sometimes also different religions, beliefs, and things with our sensitivities about what people have been doing online, whether it's gambling and whatever, we have to be really mindful of where they are, what the online world means to them, and what the impact is in the offline world. That's what's so challenging about it.
As you see, there's no metric that I'm aware of for impact on mental health. It's a tough area to really deeply understand for a helpline like us, but it's undoubtedly the big forgotten impact of cybercrime.There's no metric that I'm aware of for impact on mental health. It's a tough area to really deeply understand for a helpline like us, but it's undoubtedly the big forgotten impact of cybercrime. -Rory Innes Click To Tweet
In the hopes of working towards destigmatizing those that have been a victim of cybercrime, I'll ask you the question: Have you been a victim of cybercrime?
Yeah, absolutely. More than once. I think that any of us who are online will have been targeted, whether it's social engineering, whether it's malicious software, whether it's online bullying or whatever. But I remember being really embarrassed about mine at the time, not because it was particularly embarrassing, just because of this scenario.
I was a university student placement in a cybersecurity firm. They were a cybersecurity consultancy that had just started to manage security services, running a security operation center for our companies. I wasn't particularly technical. I was doing a marketing degree. I was trying to catch up on all the cybersecurity stuff and the terminology. I'm pretty new to technology myself, so you want to put your best foot forward and look like you know what you're talking about.
I had just moved to London. This company was based in Edinburgh. I just moved to London and I was flat hunting. I was on our site called Gumtree, which I think is very similar to Craigslist, maybe, in the US. I'm just clicking through adverts for rooms to rent, flats to rent, and I clicked on one advert. Whatever they loaded onto my machine was obviously malware, but it just absolutely melted the machine. There was just nothing I could do.
I realized really quickly, (1) there was nothing I could do, (2) that this device was probably not going to be usable very quickly, and (3) I was going to have to phone work and say, “I'm really sorry. I know I work for a cybersecurity firm, but I've clicked on a malicious link online. My laptop doesn't work.”
It reinforces cyber criminals being good at marketing. Where are people clicking? Where are they going? Where do they feel safe clicking? Go there and that's where you'll have your success. There are lots of other instances.
I think over the last 30 years of being online, something has popped up. Now that I have young children, I'm constantly thinking about, “Hey, do I keep them safe online, less from cybercrime, but more from harmful content?” I'm sure there'll be more instances in my life as we go forward.
Yes. It's definitely a new world for parenting. Although maybe every generation can say that, it seems to me like there are so many fundamental shifts in parenting.
Yeah, we get asked all of the time, “What advice would you give to parents?” It's really interesting because the answer is completely non-technical. Talk to them about the dangers online. Make it really, really clear that if something bad happens online, or something scary, they see something scary online that makes them upset, then they can come to you and not get in trouble. It's the saddest thing we deal with, I think.
On top of all the big, sad things like cyberstalking and the devastation of people's lives is young children who've been targeted, who just feel they cannot talk to their parents because they'll get in trouble. Actually, if you can almost guarantee them an open door, you will get in trouble, let's chat about it. I will make some pointers on how to do better in future, but we will be in trouble. If we just make life so much easier, so it's just education and making sure they feel comfortable coming to you if something goes wrong.
Yeah, I'm sure. If people specifically in the UK are looking for help, where can they go?
The website is thecyberhelpline.com. On the website, you will see two things that will be really useful. We have web guides. The approach we go through for each of our 40, 50 different types of attacks, we have those methodologies on the website. We literally say, “If you're suffering from this, here's step one, here's step two, here's step three.” If you want to do that yourself without coming to talk to us, then you can use those online.
We also have an interesting technology on the site where you can describe what's happened to you in your own language, and it will identify it, and then walk you through the process. Because a lot of people do want to remain anonymous when they need help from us, there's a lot of the reasons we've talked about. But also, that's the way, using our website, you'll get access to one of our volunteers. If you end up on thecyberhelpline.com, then you'll be able to access any of our help, essentially.
For those outside of the UK, they can still use all the guides. You're just not going to be able to provide them personal support.
Yeah, exactly. You'll get access to the chatbot, you'll get access to the guys who will be able to self-help—what we call a self-help service. If you're in the US, then it's probably relatively soon that we'll start accepting cases and helping people locally.
What you'll also see in the coming months is those web guides and chatbots being localized to the US. The attacks are very similar about how you get help, how you interface with law enforcement, and the laws in the various states. All of those things just be taken into account when we think about the advice that we give. That will also help until we get those US volunteers up and running.
Got you. If anyone wants to connect with you specifically, is there a way for them to do that through LinkedIn or something?
Yeah, I'm on LinkedIn. You can also come through the website. It has that Contact Us form, which will end up with me at some point if you're asking to connect with me. Those are probably the two best ways to get in touch.
We're really open to collaboration because this isn't a space we're going to solve on our own. The partnerships are really important. Volunteers are important. Donors are even more important. All those people can come forward and talk to us about how they might support the mission.
That's great. Rory, thank you so much for coming on the Easy Prey Podcast today.
Thank you. It's been really good to chat.