What is it like to be a world-renowned cybercriminal and what motivates them? Today’s guest referred to as the original internet Godfather shares his experience running a cybercriminal empire, going on the run, and ultimately turning his life around.
Brett Johnson was responsible for refining modern financial cybercrime as we know it today. After being placed on the United States’ Most Wanted list, captured and convicted of 39 felonies, Brett promptly escaped prison. Captured again, Brett served his time, accepted responsibility, and found redemption through his loved ones and the help of the FBI.
Today he is considered a leading authority on internet crime, identity theft, and cybersecurity. Brett speaks and consults around the world to help protect people and organizations from the type of person he used to be.
- [1:11] – Brett starts telling his story by summing up why he got the title, “The Original Internet Godfather.” What really got him the title was him building the first organized cybercrime community called ShadowCrew.
- [2:24] – Brett ran both ShadowCrew and CounterfeitLibrary. The other primary cybercrime site that he did not run was CarderPlanet.
- [3:14] – ShadowCrew and CounterfeitLibrary were run like forums and marketplaces to connect and network with other criminals.
- [4:37] – Brett was arrested in 2005 and was offered a job to work with the Secret Service, but chose to continue pursuing criminal activity and eventually made his way onto the United States Most Wanted List.
- [5:40] – The Secret Service used a Triggerfish, now called a Stingray, which locates targeted cell phones in a specific area. This device was used to find Brett at Disney World and to arrest him.
- [7:37] – Brett shares the experience of his car and house being searched and how his choices got him caught.
- [9:54] – Brett’s tendency to break the law started when he was 10 years old and his mom was also a criminal. He shares a lot of his childhood background in shoplifting.
- [12:13] – Although he started shoplifting as a child, Brett says that as an adult, he made the choice to continue criminal activity.
- [13:32] – Brett’s first cybercrime was on eBay: he posted a Beanie Baby for sale, required the buyer to send a money order that couldn’t be canceled, and sent her an item that did not match the post.
- [16:07] – Brett kept going and his eBay crimes led to pirated software, which led to modchips, which led to programming satellite DSS cards.
- [17:40] – After bringing in several thousand dollars per week under his real name, Brett got scared he would get caught, so he shares his story about getting a fake ID to open a bank account.
- [18:17] – Brett’s fear of being abandoned became a reality when his wife left him.
- [19:36] – Brett remarried a stripper who was an addict. Through all of his crimes, his second marriage caused his sister to disown him.
- [21:06] – It took several years of not speaking to his sister and justifying his actions for Brett to realize that he was in prison because he chose to break the law.
- [22:08] – For three years after being released from prison on probation in 2011, he couldn’t get a job because he wasn’t allowed to use a computer.
- [23:13] – Brett met his current wife during this time and moved in with her. He was able to find a job doing yard work.
- [24:00] – Although he was doing better, during the winter months when there was no yard work to do, he got online to find stolen credit card information and started making orders. He went back to prison for 10 months.
- [25:24] – After his 10 months, he got married, and started to turn his life around. He contacted an FBI agent for job advice and now he feels he is living a blessed life.
- [26:40] – Now Brett does a lot of consulting and hosts a few podcasts. He also works with AARP and other types of organizations.
- [28:19] – A big misconception people have about cybercriminals is that they are very educated and can hack into anything. But 98% of cybercriminals out there are really good social engineers and know how to manipulate someone using technology and psychology.
- [29:56] – The number 1 group for identity theft is children.
- [30:51] – Most people use the same password across multiple accounts. Brett says to always use a password manager.
- [32:38] – The reason a scam works is because the scammer and the victim are on opposite sides of the field. The scammer works to get the victim to his side by establishing trust through technology and social engineering.
- [34:36] – How good is the scammer at establishing trust with a victim using the technology they have?
- [37:09] – The scammer’s job is to make sure the victim is not thinking objectively.
- [37:50] – People like to trust. Generally, people like to see the best in people. Brett says to trust, but verify.
- [39:08] – In his experience as a consultant, Brett has found that most victims suspect something might be a scam but alienate themselves from telling anyone out of embarrassment as society tends to blame the victim.
- [42:16] – Chris asks Brett when a scammer stops caring about the victims and only cares about the money. Brett answers that it depends on whether or not the scammer is a sociopath. He says that most scammers are not and come to believe their own justifications.
- [44:18] – There’s no beneficial thing about being a criminal.
- [44:50] – Be proactive, not reactive, when it comes to security.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
You've been referred to as the original internet Godfather. I see you rolling your eyes already but there's got to be a great story behind that. Can you tell your story?
Sure, sure. I guess the best way to start with that is how did I get that title? That title comes from me being convicted of 39 felonies, I was placed on the United States' Most Wanted list, I escaped from prison. What really got me the title? I built the first organized cybercrime community; it was called ShadowCrew. It was a precursor to today's darknet and darknet markets that laid the foundation for the way modern cybercrime or financial cybercrime channels still operate today.
Of course, I went to prison. And rightfully so, if anyone ever needed a stint in prison, it's Brett Johnson. I'll tell you that one.
That sounds like a good promotion for prison.
Right, come on down. It'll help you out.
What was it that your organization was doing?
ShadowCrew. If you look at organized cybercrime, the way they were talking about credit card theft, phishing, account takeover, tax return identity theft, any number of things like that. Before ShadowCrew, there are actually three sites, there's ShadowCrew, CarderPlanet, and Counterfeit Library. I ran both Counterfeit Library and ShadowCrew.
Before the advent of those sites, the third site, CarderPlanet, was run by Dmitry Golubov. He was a Ukrainian and went by the screen name of Script. Now he's a member of parliament. I know he's running for mayor in Odessa this year, so I don't know whether he'll get it or not. Who knows?
But before the advent of those three sites, if you were looking at engaging in any type of cybercrime, the only avenue you really had was an IRC chat session. You'd go there, you'd have a rolling chat board, you don't have any idea who you're talking to, if you could trust them, if they were a criminal, if they were a cop, if they had an item or a service for sale, if it worked, or if they were just trying to steal your money.
What Counterfeit Library and ShadowCrew did, they provided a trust mechanism that criminals could use. Now you had a large communication channel that's a forum-type structure where someone at different time zones, they could reference conversations, days, weeks, months old. You knew by looking at someone's screen name what the skill level of that person was, if you could trust that person, if you could learn from that person, or if you could network with that person. Because if you look at the necessities of cybercrime, there are three things that have to work in conjunction for cybercrime to be successful: it's gathering data, committing the crime, and then cashing out, so all three things have to work together. If they don't, the crime fails. Why even try?
The problem with that is that one specific criminal cannot do all three things. He's good in one area, sometimes two, rarely all three. That's why, again, these forums, these marketplaces, exist today; they allow that one specific criminal who is not good in one area to network with other criminals who are good in those areas, and that's typically what we see time and time and time again. That's what Counterfeit Library did.
ShadowCrew makes the front cover of Forbes, August of 2004. October 26th, 2004, United States Secret Service arrests 33 people, six countries, six hours, and I am the only guy publicly at that point mentioned getting away. They pick me up on February 8th, 2005 and they gave me a job, Secret Service did, and I am that idiot that continued to break the law from inside Secret Service offices for the next 10 months until they finally found out about it. At which point, I go on a cross-country crime spree, steal $600,000 in about four months, wake up one morning—the night before I'd stolen $160,000 out of ATMs—wake up the next morning, signed on to cardersmarket.com, which was run by a friend of mine named Max Butler, there's my name US' Most Wanted beside of it.
Me, being the idiot that I am, what do you do, Brett? You've just made the United States' Most Wanted list. Let's go to Disney World, and that's exactly what I did.
That's challenging. How did they catch you at Disney World? Did they catch you on camera or at the airport?
Triggerfish. Nowadays, it's called Stingray. Back then, it was called Triggerfish. Stingray is actually the next generation of the Triggerfish device.
For the audience, can you explain what a Stingray device is?
Sure, it is a device which spoofs a cellphone tower. It can actually locate your cell phone—maybe closer now—but back then it could locate your cell phone within a seven-foot radius, and not only your cell phone but all the other cellphones in that area. They could do any number of things. The federal government likes to keep that so secret, they will dismiss charges against you if you start to try to bring it up in court. That's what happens.
An associate of mine, Daniel Rigmaiden, was arrested for tax return identity theft. I'm the guy that started that whole thing. Everyone's tax returns are delayed every single year, I am that son of a bitch that started that stuff. I taught Daniel Rigmaiden how to do it, set him up with the Secret Service so they could arrest him, he ended up spending, I think it was three or five years in county jail, defended himself, and filed over 1000 FOIA requests.
One of the requests happened to mention something about a device spoofing cell phone towers. At that point, he was like, “I want to know about this.” Prosecutor comes in and says, “Hey, just plead guilty, we'll let you go by with time served.” He was looking at 20 years, ended up serving I think six or something like that, so not bad for him.
There's a plane flying over Disney World with a Stingray device on it and what were you doing?
I was riding rides. Dude, I was an idiot. Give you an idea of what I used to do. When I was arrested—I had a 2005 Mini Cooper—in my car, I had I think $962 dollar bills, so they went from there and that's because that's what the strip club gave out as change. Had all those $2 bills and they went to the house to search the house. In the kitchen cabinets, instead of dishes, I had prepaid debit cards, so they didn't know about the tax fraud back then and they're sitting there going, “What is this?” I'm like, “I just like debit cards.” Then they searched the bathroom. In the guest bathroom, I had $10,000 in 20s in one of the bathroom drawers. That's this idiot here.
When I went to Disney World, they had confiscated or seized a DVD collection that I had. It was a $30,000 DVD collection, all the Criterion editions and all that, because I'm a big film buff. I went and bought the thing again, they seized it again. Not only that, but here I am, I went from Las Vegas to Orlando by the year as for both Universal and Disney World. Figured I needed to lay low at that point, figured I'd lay low for a year then I'd bug out to Brazil. So I rent a timeshare for nine months straight just paying cash, prepaid for it, go down to the furniture place, modern furniture, and I buy $30,000 worth of furniture, buy $30,000 worth of electronics, and I'm just set up. I'm like, “OK, I'll just play Xbox for a while.” Lasted about six weeks.
Of course, when I'm arrested, they're looking at the TVs and everything else like that. I remember to this day in my arraignment, the Secret Service agent, his name was Bobby Kirby, he and I are friends now, but he's up there testifying during the arraignment about everything that they seized. Bobby looks at me, he's like, “That's a really nice TV you got there, dude.” And I'm like, “Yeah, yeah, thank you, Bobby.” But I was a complete idiot. Just a worthless human being at that point, let's put it that way.
What made you change sides then? You said you went from being a criminal to working for the Secret Service. Was that just to get out of jail time that you went to the Secret Service?
Sure, I guess backtrack a little bit, Chris. My first crimes were when I was 10 years old. I'm from Eastern Kentucky and Eastern Kentucky's a very poor area. It's I guess 20%, 30% real-time unemployment. You're lucky to have a job. If you don't have one, you may be scamming, hustling, or on government assistance, something like that.
My mom was a criminal through and through. The first crime I committed, my dad wasn't like that, but my dad became the enabler of the family. He loved my mom so much, he was scared of losing her, so any idea she came up with, he would support.
She finally leaves him. Me and my sister, I was 10, my sister Denise was nine. We were in Panama City, Florida, moved back to Hazard, Kentucky, and she used to go out and party with men all the time, and she kept up doing that, and would leave me and Denise alone for days at a time.
I remember I was a kid that was always scared she wasn't going to come back and Denise was a kid who just got angry about it. We didn't have any food in the house, mom had been gone for a few days. Denise walked in, she's got some pork chops in her hand, and I'm like, “Where'd you get that?” She was like, “I stole them.” And I'm like, “Show me how you did that.” She shows me how she shoplifts and I'm like, “Shit, yeah, let's do that.”
We started stealing food and the shopping center had a Kmart there. We start taking clothes from Kmart, and then toys, and video games, and books, and music, and all that stuff. Mom starts to notice all the stolen loot. When you got a brand new television or Atari 2600 sitting there, she starts noticing that. “Where'd that come from,” she says. And I'm like, “Oh, I found it.” She's like, “No, you didn't find that, Denise.”
Denise never did lie. Denise stands up, and she's like, “We stole it.” And my mom looks at my sister, and she's like, “Show me how you did that.” She starts running me and Denise as these little shoplifters, and not only that, but she goes to get her mom as well. So it's grandmother, mom, me, and Denise taking road trips, and they'll go to JCPenney and steal clothes, and I'll go to the bookstore to steal books, because I'm a big reader. That's the first crime I committed.
I'm really big on this. I don't want you to think that my childhood resulted in my crimes, because as an adult, you're responsible for your actions, so I chose to victimize people. But my sister, other than shoplifting that one specific time, she doesn't break the law again. She goes off to be a great parent, teacher, just a great person overall. I was the guy who didn't stop.
In Eastern Kentucky, I guess it's the male mentality. You're expected to do whatever the family's doing, so I grew up committing crime, benefit fraud, charity fraud, insurance fraud, faking accidents, documents, everything else. Branched off on my own in the mid-90s, faked a car accident to get the money, be married, moved from Hazard to Lexington, Kentucky, to go to the UK for English and theater. That was my degree.
I'm the guy that's always scared. Even today, I'm scared that people who love me are going to leave me. I was married at that time, and I told my wife, I was like, “No, I'll do the job, you don't worry about getting work. I'll get a job, you just worry about going to school.”
Then it was, “I'll do the cooking and cleaning.” So here I am doing everything. Got a 50-hour-a-week job, 18-hour class load, all the cooking, cleaning. Something had to give. What gave was a job. I'm already a fraudster. So I got to make money, didn't know how. My first cybercrime was eBay.
Find eBay. Started trying to figure out how to make money on eBay, and then Bill O'Reilly was kind enough to have an episode on Beanie Babies. I'm watching that, he's profiling Peanut the Royal Blue Elephant, and they were selling for $1500. I was naïve, I didn't understand this kind of stuff, so I was like go run down, the Hallmark stores may have one.
I go run to all the shops the next day, they don't have one. I'm like, “Shit.” But they did have these gray Beanie Baby Elephants for $8, so I bought one of those. Stopped by Kroger on the way home, picked up a pack of blue Rit dye. I dyed the little guy.
I guess I failed home economics class at that point. Found out pretty quickly he's made out of polyester. Doesn’t hold dye very well. Get him out of the bath, look like he's got the mange, this little ragged animal. I'm like, “Gotta do something.” So I started researching mail fraud, and I was like, “As long as you send the person something, you can argue they received it.” It's your word against theirs.
I found a picture of the real one online, posted it on eBay, woman won the bid. She thought I had the real thing.
When I was a kid, I became a really good social engineer because I had to with the adults in my environment. You had to do it out of necessity to survive.
You see that time and time again with these online criminals, is as children, they're forced to be social engineers. And then as adults, they choose to use that tool to commit a crime, and that's what I did.
I sent her a message, I was like, “Hey, we've never done any business before, don't know if I could even trust you. What I need you to do is go out and get a US Postal Money Order.” “Why?” “Because it protects both of us; it's issued by the US government, send that to me, once I get that, I'll send the animal to you.”
I knew she couldn't cancel a US Postal Money Order, so she sent that to me. I sent her this little ragged creature. Got a call from her, and she's like, “This is not what I ordered.” My response was, “Lady, you ordered a blue elephant; I sent you a bluish elephant,” and I keep putting her off.
That's really the first lesson that I learned about online crime, is that if you keep putting the victim off, a lot of them, they get exasperated, they throw their hands in the air, walk away, you don't hear from them. None of them, even today, none of them complained to law enforcement about that.
It's unsophisticated. I did it under my name, but as I kept going—and I did keep going—I got better at the craft. Until finally it turns into pirated software, pirated software leads into installing modchips into systems, modchips lead into programming satellite DSS cards.
I started doing that. About the same time I started doing that, a Canadian judge ruled that it was legal for his citizens to pirate those satellite DSS signals. His thing was since RCA doesn't sell those 18-inch dishes up here, my citizens can pirate it. That, and leave it to the brilliance of legislators to open up a lot of crime.
That immediately in the United States, you go down to Best Buy, buy the system for $100, take it out in the parking lot, open the system up, take the card out, throw the system away, program the card, ship it to Canada, $500 a pop. Started doing that, making a lot of money, got to the point that I had so many orders, I couldn't fill all the orders. Thought to myself, “Why do I need to fill any of them? They're in Canada, I'm down here. Who the hell are they going to complain to?”
I didn't fill any of the orders, stole even more money, and got scared. I was making about $4000 a week at that point and got scared of the money that was coming in. I figured that someone was going to look at me for money laundering, figured the best thing that I could do is get a fake ID, open up a bank account under that, launder the money through that. No idea where to get one, so I got online. Idiot here gets online, looks around, thinks I find the guy, his name was Fake ID Man.
Very reliable source.
Oh, very reliable, very reliable. Had reviews and everything, his reviews. I sent him $200, sent him a picture, he rips me off, and man do I get pissed off. I don't like being a victim. The result was Counterfeit Library, and Counterfeit Library led into ShadowCrew. That's the backstory of that and then Secret Service. What turned me around.
Got married. I was married for nine years, lied to my wife the entire nine, took three years for her to find out that I was a criminal, which she should've known way before that, but the next six years were me telling her, “I've quit. I'm going to quit. Just a little while longer.”
Then finally—you know, you like spending the money, though—why don’t you keep quiet. And she found out I wasn't going to quit, so she leaves. That fear I had with being abandoned all the time, that was my fault, but it became real.
Here I am, I was in Charleston, South Carolina, and got depressed. I was just walking around the house in a stupor, and everything else, and getting suicidal, reached out, called a psychologist.
She took me in and she's trying to get me to stop breaking the law and she was trying to get me to go into real estate. I remember still, she's like, “Why don't you try real estate?” I'm like, “Is there a difference?” She was like, “What?” I was just saying but she did some good. I saw her for about four months, and what happened is one night, Brett Johnson, he gets lonely and horny.
I was 34, I had not been to a strip club in my life—I didn't start drinking till I was 34—walked into a strip club and I am that idiot that fell in love with the first stripper that he saw. Girl walks by, I'm like, “Whoo, that's the one for me.” Got engaged to her, got engaged to her, found out she's addicted to coke. Subconsciously, I figured if I could save her, I could save me. I tell you that because what turns me around, my sister disowns me, not because of the crime but because of the stripper. That was a line in the sand right there.
ShadowCrew made the front cover of Forbes, we got busted, the Secret Service hired me, and I worked for them for about a year, then went on a cross-country crime spree. Denise hadn't talked to me the entire year and that was the only family I had was Denise at the time.
I get arrested, get sent to prison, then escape. I got caught again, Denise still hasn't talked to me. After I got caught on the escape, my dad came to visit, I was in a county jail in Lexington, Kentucky. He came to visit. I got a 10-minute visitation. He's like, “Son, can I do anything for you?” I'm like, “Dad, you can tell my sister I said I love her.” He gets on the phone, calls Denise.
She's pregnant in Hickory, North Carolina. She gets in the damn car and drives 7 ½ hours to come see her dumbass brother for 10 minutes to tell me she loves me. I don't see her again for about five years. It took about two-and-a-half years behind the fence for me to really accept responsibility, for me to realize because I justified everything I've done. I said I did it for my wife, for my sister, for my stripper girlfriend, and took about two-and-a-half years for me to realize, “No, no, Brett, the reason you're in prison is because you chose to break the law. It's nobody's fault but yours.”
That's a tough pill to swallow, man, to realize that the reason your life is a wreck is nobody's fault but yours, mister, and not only that but you hurt people that you didn't even know. I stole and lied to people that I never met, that I didn't know, family, friends, everything else.
Got out in 2011, no taste for breaking the law, whatsoever. I was on probation, I was on three years' probation, could not touch a computer. Had job offers from Deloitte, from KnowBe4, from a couple payment processors, couldn't take them because I wasn't allowed to touch a computer.
It got to the point where I was applying for fast food. Probation officer, “No, that's a computer.” I'm like, “OK, what about a waiter's position?” He's like, “No, that's a computer and credit cards, idiot.” I couldn't get a job.
I couldn't get a job, I was bumming money from my dad and my sister. I had a roommate taking care of half the rent, I was on food stamps so I could eat, and they tell you when you leave prison. They tell you, “Hey, find something you care about and a job, and the chances of you recidivating are zero.”
What I found that I care about, I had a cat. I got to the point I had enough money to feed the cat, and I didn't have enough money to buy toilet paper. So went to the Dollar Store, bought the little guy some food, and on the way out, they had this kiosk that had toilet paper there. That right there was the first crime I committed when I got out. I didn't want to go back online to do it, so I ended up shoplifting toilet paper.
About the same time I did that, my wife now, Michelle, she met me. I was dating the same type of women I had been dating. She met me, we got together. I ended up moving in with her a couple of months later, finally got a job. The only job I could get was pushing a lawnmower—that’s the only people that would hire me. This guy was running a business out of his house.
My job was pushing the lawnmower 10 hours a day, $400 a week. And you can tell by looking at me right now, I'm not the manual labor type of guy. I'd come in, pass out, wake up the next morning, shower, go at it again, but I was doing something, dude. I was happy at that point, I was. It gets cold, the grass doesn't grow, so the job ends. Michelle's the only one working. I'm sitting there going, “Got to do something, got to do something, got to show I'm worth it.”
Figured I could bring food in the house, so I got on the dark web, bought some stolen credit card details, and started ordering food. The truth of the matter is you start ordering food and it's like back when you're shoplifting as a kid, food turns into clothes because I'm supplying food and I'm like, “Let me get the boy some clothes. I'll get Michelle some clothes when we got Christmas coming up.” I get arrested—of course I do. I get arrested on a food order. Michelle had no idea what I was doing, no idea, I'd lie to her the entire time.
I get arrested, go back to prison for 10 months on a violation, my sentencing on that violation. The only people that were there were the US Marshals, the judge, the prosecutor, probation officer, me, and Michelle. She stands up in front of the judge, she's telling the judge that I'm a better dad to her kids than their actual father is, and I'm crying like a baby. Still go back to prison for 10 months, and that's when I find out that all that damn time, Michelle didn't need me for what I could give her, she just needed me for me. I had that with my sister, in the relationships I never had with anybody else.
I got out of prison after 10 months. We got married shortly after that. They killed the probation. I started looking for any type of job, and they tell you, “Hey, at the very least, you could get a job at a car lot selling cars.” Not Brett Johnson. Turns out when you're a cybercriminal, hell no. I know I can't get a job, and I know what my triggers are. I know I'll go so far.
I look at Michelle and it's like, “Let me see what I can do.” Signed on to LinkedIn, reached out to a guy named Keith Mularski, FBI super cop. This guy, he's been on the news, he's been on documentaries, everything else. He was above some of the rest that I was associated with, reached out to him, sent him a message. I was like, “Hey, I respect everything you did. By the way, I'd like to be legal.”
The guy took me under his wing. To this day, he gives me references, advice, everything else. It started with that then it went to the head of the identity theft council, he took me in under his wing, Microsoft comes in and hires.
Today, I lead a completely blessed life. I don't think I deserve it, I really don't, but I work my ass off to try to justify the life that I have. I'm adamant about trying to not be remembered as the guy who stole everything, I'd like to be remembered as the guy who turned it around. That's it.
Got you. In turning it around, what are you doing now to—I don't want to say this—make amends, but what are you doing in your turning it around?
The catchphrase is, “I try to protect people against the type of person that I used to be.” But I do a lot of consulting. I consult with Fortune 50, Fortune 500 companies, financial institutions, and got a couple of podcasts. I've got The AnglerPhish Podcast, I had The Online Fraudcast, which was very successful. Getting ready to launch The Unethical Life. A couple other websites are getting ready to come up. I work with AARP—I’m basically their spokesperson right now. Work with AARP, work with consumer groups, with educational institutions, with law enforcement.
I get to talk at Quantico twice a year right now to the CISO Academy over there, and I work hard every day. I really am adamant about trying to make amends. I don't think there's anything I could ever do to make up for the damage that I caused but I do think that that is important that every choice from this point on is a good choice instead of a bad. I'm blessed. I'm blessed that I've been granted the opportunity to help people instead of harm people and, by God, I'm not going back to that.
Turns out that once you got a taste of doing things right and helping people, that's a pretty good taste.
That's awesome. What do you tell people in terms of, “I don't want you to become a victim of who I was”? What do you tell people to do or watch out for?
I do a lot of presentations, except for 2020 when COVID shuts down everything. I usually keynote 50, 70 conferences a year. I talk to a lot of consumers as well. The thing that people don't understand, people think that cybercriminals are these upper tier computer hackers able to break into anything like, “Got you.” That's not the truth.
On the criminal side, you have these computer geniuses, but their numbers are really, really small. The 98%, 99% of cybercriminals out there, they're just very good social engineers. They know how to manipulate someone using technology and psychology into giving up information, access, data, or cash.
You have to understand, first of all, that cybercrime is not rocket science, it's not complicated to defraud someone or a business. Once you understand that, you also have to understand that, “Hey, everyone's information is available.” This idea that some people have that, “What can we do to make sure our information isn't compromised?” That ship has sailed, that's done. What was it last year, 1500 breaches, 2.6 billion records compromised just last year. That ship sailed.
That we know about.
That we know about. That's just reported.
In the database.
There you go, exactly. The question then is, if all our information is available, what can we, as people, do to make sure if a criminal has it, that he or she can't use it? Typically it's a he. What can we do to make sure he can't use that information? It's protecting yourself. Again, it's not rocket science.
You freeze your credit. Not only your credit, but you freeze the credit of every single person in the house. Twenty-five percent kids, 25%, one in four children will be victims of identity theft, synthetic fraud, tax fraud, medical fraud. That's where it hits kids—25%—that’s the number one victim group of identity theft. Freeze the credit of every single person in the house—became free September 18th, 2018. That's number one.
Understand that a credit freeze only stops all new account frauds. All your existing credit cards, your bank accounts, everything else, a criminal can still access those and victimize you. What you have to do is you have to monitor those accounts and place alerts on the existing accounts. For example, Discover card has a $0 alert, meaning that if someone just buys your Discover card information, pings it, see if the card's still active, you get that SMS text message saying, “Hey, some idiot’s trying to hit you right now and you could do something about it.”
This is a trifecta of security. The final thing is 80% of every single person on the planet uses the exact same password and login across multiple websites. Man, oh, man. The answer is, “Can we get rid of passwords?” Evidently, the answer to that one is no. In the meantime, find yourself a password manager and start to use that thing because we, as human beings, we're never taught what a secure password is. We think that we can be random; human beings can never be random.
Find a password manager, let that take that job out of your hands, and go like that. The final thing that I say, I talk about scams a lot and things like that, but we have to understand what our place is in the criminal spectrum, because a criminal will victimize you depending on who you are and what you do.
If I'm looking to defraud someone, the way that I will hit you is different if you work payroll or if you're a CEO compared to if you're working food service for 20 years. I'll still victimize you, but the way that I'll do it differs. The same thing if you're a company or institution. Do you have data that can be stolen and resold on the black market, or do you have data that your company has to have in order to operate? That will determine whether I steal it, sell it, or lock it down with ransomware. Understand your place in the cybercrime spectrum, design security around that.
You talked so much about social engineering and as a kid, learning how to social engineer. What could people do to be on the lookout for social engineering techniques?
Sure, there's so much interesting stuff going on on that. Yet, I understand the way a scam works. The reason a scam works is you start with a scammer and you start with the potential victim, and they're on opposite sides of this field. The idea from a scamming point of view is to get that victim over on your side of things, because if that victim doesn't trust you, you're not going to get cash, or access, or information, or anything else like that.
What establishes trust these days? In a modern world, trust is established by tools, technology, and social engineering. Technology, we've got our cellphone, we tend to trust the information that comes across the cell phone. Scammers use spoofed phone calls, they use proxy addresses to spoof location, they use spoofed phone numbers to spoof who they are. That establishes base levels of trust.
For the audience, can you clarify what a spoofed telephone number is and caller ID? You don't have to share all the details of it, just the high level.
OK, so when I pick up the phone and I call you, it will say Brett Johnson coming through from Birmingham, Alabama. I can change that phone call, and actually, you don't even have to be technically proficient to do it. There are online services like SpoofCard or any number of services out there that will make the caller ID, instead of it's showing the number you're calling from, it can make it look like you're calling from the Social Security Administration, or the sheriff's office, or the IRS, or the hospital. Any number of things like that—that’s a spoofed phone call.
A proxy address, think of your computer as having a home phone number. That home phone number is the IP address. A proxy allows you to spoof that home phone number of the computer, the IP address. Instead of making it appear that it's in Birmingham like I am, I can use a proxy that makes it look like I'm in France, or South America, or California, or wherever I wanted to make it look like at that point.
That's the tools. And then finally, the tools and tech, that lays a base level of trust is the social engineering. How good of a liar or a conman is the scammer to get someone to trust them? Have a story.
There are different ways you could social engineer someone, but typically what it is it's establishing rapport, having some conflict in there because there's a problem, there's an issue, you're trying to scare the person, any number of things like that.
You see the phone calls with senior citizens come through and it'll come up saying Social Security Administration. They pick up. The way it works is the person looks at her phone, it says Social Security Administration, so they trust the tech, they trust the caller ID, it's correct. The scammer uses a tool, the spoofed phone number to say the Social Security Administration, so that's base level of trust on both of those.
Then the social engineering pops in. “Hi, this is James D. Lasky with the Social Security Administration. Look, we're going to shut down your number. Looks like there's been a lot of fraud committed on that. What we need you to do is go down there. We need you to pay a bond. Look, we don't take credit cards right now. We don't do that. No, don't hang up because if you hang up, we've got a warrant right now for your arrest. They’re en route to get you right now. If you hang up, you may get put in jail and may have to spend a few days there. You don't want to do that because you know how prisons are.”
“What I need you to do is go down to Walmart, buy a Green Dot card. Green Dot prepaid card. Load that up with $500. Stay on the phone with me while you're doing it. Once you get the information, just send me the card number, that way your bond will be covered at that point. Yes, it's completely legal. You see I am with the Social Security Administration. I want to tell you, you hang up, you get disconnected, right there you're going to jail and you don't want to do that.”
You try to scare the person, try to manipulate them. A lot of scams are the long cons, especially romance scams or something like that. It's about building rapport, befriending the person, then the fear of loss. I want to see you but I can't, I don't have the money or my son's about to die and I need the money for that. You try to manipulate the victim into giving cash because the victim is desperate. It all boils down to instilling some degree of desperation in the victim or the potential victim, getting the victim to act out of a degree of desperation.
What I say is that you need to approach everything with a degree of objectivity, because when you're a victim, being objective goes out the window all of a sudden. The scammer's job is to make sure you're not objectively thinking. You need to take a breath, step back, and consider what's being told to you. It becomes problematic so I'll also suggest that people try to find a buddy—I don't care if it's your worst enemy—but someone that you could run the stuff by. Does this sound right to you? That way you get that objective point-of-view. Also never respond to any type of unsolicited request for anything, information, access, data, or cash. If someone's calling you, emailing you, knocking on your door, or snail-mailing you, don't respond to that.
The problem is, Chris, people like to trust. We, as human beings, want to believe the best in everyone and a lot of people just don't realize that there are predators out there and they will victimize you.
I talk about Ronald Reagan a lot. Ronald Reagan said trust but verify. I want people to trust each other but I want you to verify every single thing that you possibly can. That's where a site like What Is My IP comes in a lot of the time. It's one of these tools that can be used for verification.
Man, that's the thing that I always tell people as soon as someone is trying to trigger you emotionally, that has to be the first and foremost, the biggest thing that you should worry about when someone is trying to get you upset, trying to scare you—“Something’s going to happen quickly if you don't do this.”
To get you to act out of emotion instead of just reason, that's always a trigger right there.
It's funny because I've talked to so many people, and even after the fact, that they're like, “Yeah, I should've known, but in the moment, I just didn't think I was being emotional. Somehow, in the moment, it seemed reasonable to pay with an iTunes gift card on my utility bill.”
I'll tell you an even worse one. I talked to a lot of victims over the past four years. Time and time again, victims of scams at some point, most of them, ones that I've actually talked to and interviewed, most of them really suspect that it's a scam but we—when I say we, we as a society and medium—we tend to blame the victim. Someone gets a phishing email and our response is, “Why would you be stupid enough to click on that link?” Or someone sends money in a romance scam: “I would never send money to someone I don't know; why are you that stupid?” We tend to blame the victim.
What happens is, is because we're blaming the victim, the victim, even though they think it might be a scam, they're scared of being judged, so they tend to alienate themselves from that support group they've had—family, friends, associates—they don't talk to those people because they're afraid those people are going to judge them. All of a sudden, they've alienated themselves from their support group and the only person they have to talk to is the scammer. The scammer's just going to continue to reinforce and then it becomes a point of, at some point, you start to realize it is a scam but you, as a person, you don't want to admit that and you start thinking just a little more, just a little more. If I just stick with it just a little bit more, everything will work out all right. I've already given this much, just a little bit more. The scammer, he's all about getting every single thing you've got.
I've talked to people who have lost their homes. I talked to a lady who gave $1.1 million to a romance scammer. She got to the point, she actually borrowed $200,000 from her father to pay the scammer. It's not just the high dollar stuff like that. I talked to a lady, her son that his mom was just on Social Security and she lost her house, lost her retirement, everything else because at the end of the day, a scammer doesn't give a damn whether he's taking the last drop of food out of your mouth or anything else, it's just about him putting money in pocket.
I think that's one of the hard things for people to understand is, I think sometimes people think about whether they've got bills to pay or they're just trying to make ends meet. I'm not convinced that it's always about that.
No, it's not that. I was a scammer, I was. And I will tell you that, OK, as a scammer, you may tell yourself, too, when you're starting out, “Oh, I'm just trying to pay the bills.” But when you get better, you're stealing all kinds of money and it's not about paying the bills, it's about not giving a damn about the victim and trying to justify that. You're trying to steal as much as you possibly can and you don't care about anybody else but yourself—that’s the fact of the matter.
Actually I have a question because you said earlier before we started recording, “Ask me any question.”
I'll ask the question. At what point, as a scammer, do you make that transition of just not caring about people or not caring about the victim? Not that you were like, “Oh, I really care about this person, but I’m gonna steal from them anyway.” But at what point does the person being a victim just water under the bridge?
The answer to that lies in whether the scammer is a sociopath or not. My answer to that is that most scammers are not. I'm fortunate enough that I've worked with the Certified Fraud Examiners Association. They’ve got this thing called the Fraud Triangle.
One of the legs of that triangle is justifying, and that's the same thing with cybercriminals. Unless you're a sociopath, you have to convince yourself that you're a good person, that you're doing it for some reason. I convinced myself I did it for my family, I did it for my sister, my wife, my stripper girlfriend. And you have to believe those justifications because if you don't, it's pretty damn hard to look at yourself in the mirror. It wasn't even when I was at the beginning stages of being a criminal.
At one point, there was a lady, she's selling a silver coin collection on eBay, a single parent, selling it to put a roof on her house for her and her children, and I stole that from her and justified it. I'm doing it because I have to survive on my end. No, I'm doing it because I'm an asshole, but a criminal has to justify that and believe the justification because it really is the point of not being able to look at yourself in the mirror.
What I did was I compartmentalized everything. I said that online, I'm a horrible person, and in the real world, I'm a good person. I would give to homeless people. I would do all this other stuff. You see this in the movies time and again. John Gotti giving out Christmas turkeys, Frank Lucas in American Gangster giving out cheer, that's bullshit. It's not because you're a good guy, it's because you're trying to justify your actions to convince yourself that you're a good guy.
There's no beneficial thing about being a criminal. It's not about being a Robin Hood or anything else, or Jesse James. Jesse James was scum. I was scum. Everyone that victimizes or hurt somebody is scum, but you have to justify that.
Got you. Any parting advice to the audience before we wrap up?
Sure, be vigilant, be proactive. Too many times people are reactive in security or in their own security at home. It's not a point. If you're waiting to be victimized, I promise you it's going to come. The only reason you've not been victimized right now is there's so much information out there that it's like the worst lottery in the world. There are just not enough criminals to take advantage of it right now, but it's coming.
Take a proactive response to security, even if you're signing on to one of these identity theft protection services or you've got all the anti-malware in the world and everything else. Be sure that you know exactly what's going on with your accounts and that you're proactive across the board. Don't wait for it, but be proactive because there are predators out there looking for you.
Do those three things that I mentioned: freezing credit, monitoring accounts, password manager. Be aware of the environment. Be aware of the sites you're going to. Oh, my God. If you got kids in the house, what's the possibility of them downloading movies or music? No, could happen. Be aware of that.
Other than that, just stay safe, stay vigilant. Don’t live a life being scared of things. I think we can't be scared in our lives.
Got you. If people want to find out more about you and follow you on social media, where can they find you?
Sure, you can find me on LinkedIn. That tends to be the channel for Brett Johnson. I raise a lot of hell, and I bitch a lot on Twitter. I've had a Twitter account for four years. Only found out recently that Twitter is a platform to complain about things. Who would've thought? I found my Twitter purpose: I complain a lot. But anglerphish.com is my main website. You guys are welcome to go there.
If you got any, and I mean this, anyone that's got any problems, I will help you as much as I possibly can. You can reach out to me, you can call me directly. The only reason I won't pick up is if I'm on stage, which during COVID, I'm not. You can call me directly, you can email me, I'll help you as much as I can to make sure you guys are safe. Chris, I appreciate you talking to me, I really do.