How Clicking a Single Link Can Cost Millions | Ryan Pullen | TED

00:04

I received a phone call from somebody who needed my help.

00:06

And they explained to me

00:08

that this organization had suffered a cyberattack,

00:11

more specifically a ransomware attack,

00:14

which is designed

00:16

to both steal your data and make it unusable.

00:21

It replicates itself throughout the business

00:24

and can drive you down to paper-based controls.

00:27

And this was an opportunity that I saw

00:29

where I could influence something positively.

00:33

And it was my job to investigate what had happened,

00:36

how it happened and why.

00:41

And I saw something that I hadn't experienced before firsthand.

00:45

In 2017, the NHS suffered something similar,

00:49

and it cost nearly 100 million pounds to recover.

00:54

This incident cost around five million pounds to recover

00:56

and took 14 months.

00:59

Yet what I saw was the human impact.

01:03

How this happened?

01:04

A single individual clicked a link,

01:06

and a single individual enabled this, unknowingly,

01:10

to happen to an organization.

01:12

Multiple people were signed off sick due to stress,

01:15

and multiple people were unable to go to work the next day

01:19

and carry out their job.

01:22

Now, for me,

01:23

cybersecurity is a very technological-focused term.

01:28

And yet IBM did a study in 2021.

01:32

and 95 percent of cyberattacks

01:36

used a human element.

01:39

Now that's all well and good,

01:42

but what does that actually mean?

01:44

It means people can be exploited, too.

01:47

There’s no lines of code, and there’s no fancy software.

01:51

Cybersecurity is, as far as the media is concerned,

01:55

maybe teenagers in their bedrooms causing trouble,

01:59

stealing things and learning how to use them.

02:02

Yet what people don't see is the impact and how his day-to-day life.

02:08

And this incident for me,

02:10

made me think slightly differently around cybersecurity.

02:14

And recently I had an opportunity

02:17

which presented this thought process.

02:21

I was commissioned to evade security controls

02:26

for a very well-known building in London.

02:29

That’s a snazzy way of saying “break in.”

02:32

And effectively, it was my job to see if I could get past the security controls

02:37

and get into the building.

02:39

And so for me, thinking kind of outside of the box,

02:44

this building has floor to ceiling doors,

02:46

24/7 security team,

02:47

endless budget for this kind of thing based on where they are.

02:51

And so, thinking slightly outside,

02:55

I needed to come up with a different plan.

02:58

And ...

03:00

What I did was I tried to go down the social engineering route,

03:03

which is the art of kind of deception

03:07

and making people believe something without the full information.

03:12

And what I did was I walked in the front door,

03:16

dressed quite similarly to this,

03:18

and I was greeted by eight people

03:20

and I thought, oh, that's a bit over the top.

03:23

And it's because every single person should have the right information

03:30

and should know where they're going,

03:31

It’s very rare for them to be visitors.

03:33

And this person asked me,

03:36

"Why are you here? Who are you here to see?"

03:38

And I explained, I didn't have an appointment,

03:40

but I was here to see a specific person.

03:42

And they said, "Yeah, there's no chance you're getting in."

03:45

And I thought, oh goodness, I traveled all this way.

03:48

And yet what I know is people are empathetic,

03:51

and people want to help each other, right?

03:53

And so I made up a story and I said I was here for a legal matter,

03:57

and I was only able to achieve what I needed to achieve

04:00

on these premises.

04:02

And they said, "Yeah, sorry, we're still ..."

04:04

And I explained the urgency, and I made them feel sorry for me.

04:09

And what I was thinking about giving this talk,

04:12

I was going to pause and I was going to pretend that I was struggling.

04:16

And that emotion that you would have felt

04:17

where you wanted to help me

04:19

or you wanted me to continue, is exactly how this person felt.

04:23

They felt they were stopping me from doing my job, which they were,

04:28

but not for how they expected it.

04:31

And then I pretended to be on the phone in the foyer, pacing up and down,

04:35

pretending to be aggravated.

04:38

And then the manager came across with a QR code for me and said,

04:41

"So sorry for the issues, no problem."

04:43

And they showed me around a side passage away from the two rounds of security.

04:49

So I had my laptop bag with me with “the evidence,”

04:54

and it wasn’t checked and I was able to go in,

04:56

and I was able to go to the floor that I needed to.

05:00

And I was paid as a cybersecurity expert to evade the controls of this building.

05:05

And all I did was ask for access and make someone feel sorry for me.

05:09

And so that's two very different perspectives.

05:14

One, the five-million-pound job and took 14 months to recover

05:17

where I was helping people,

05:18

but the second, I was the aggressor

05:20

or the person trying to get in.

05:22

Now this is all enabled through the way that humans exist

05:26

and human behavior.

05:28

And cybersecurity as a whole doesn't really represent that

05:31

in a way that is sufficient, I don't think.

05:35

And so I have one more narrative and different perspective to share.

05:40

And it's when I was a victim.

05:43

This happened only a few weeks ago.

05:46

And what happened was I received a phone call.

05:50

It was around 8pm.

05:51

I received a phone call from a phone number.

05:55

And they said, "Hello, is this Mr. Pullen?"

05:58

And I said yes.

06:00

And they said, "We've seen your bank cards be used

06:03

in a different part of the country."

06:05

And I thought, oh goodness.

06:07

And what they explained was,

06:09

they explained there's been three different transactions

06:12

and would I like them to block them for me?

06:14

I said, "Yes please.

06:15

That would be really helpful."

06:17

And I Googled the number out of instinct,

06:19

and it was the phone number from the fraud line in the bank.

06:25

And something didn't add up.

06:27

And I'm a bit of a pessimist.

06:30

I don't really trust people.

06:32

And so I was instantly on the back foot,

06:35

and they're saying all of these things,

06:37

they were confirming my identity.

06:38

They told me where I lived, my mother's maiden name,

06:41

and they told me a few other bits of information the bank would know.

06:44

And all of this is to build a perception of credibility.

06:48

Why shouldn't I trust you?

06:50

And why shouldn't you be phoning me to help me?

06:54

And we go back and forth for around an hour and a half,

06:58

and there was a few things that didn't sit right with me.

07:01

And so when I was on hold, when they were blocking my transactions,

07:06

I phoned the actual fraud line and I said,

07:08

is there a way that I can verify their identity?

07:11

The person on the phone said, "They sound very professional and legitimate"

07:15

and they were.

07:16

I asked for their name, and they had a fake LinkedIn profile.

07:19

They had a fake crime reference number for me.

07:22

And ...

07:24

Me experiencing this firsthand,

07:27

having investigated things like this on a regular basis for mortgages

07:30

and transactions ending up in the wrong place,

07:33

I knew something wasn’t sitting quite right,

07:36

and the true person put a note on my account

07:40

and I explained to the person,

07:42

"Can you tell me what the note says, please?"

07:44

And that was the first time they got a little bit flustered.

07:48

And it took them five minutes and they said,

07:50

"We'll go and check with accounts team.

07:52

But in the meantime, can you tell me the code that it says in your mobile app?"

07:56

At which point I hung up, got my cards replaced, and I was OK.

07:59

But these three narratives

08:02

of cybercrime or scams or criminal behavior

08:07

are all technology-focused with the end goal

08:10

but are human-led.

08:12

And you may ask, "How is this possible?"

08:15

"Why can this be so easy?"

08:18

I've literally just walked into a building

08:21

and asked someone to let me in with a fake story.

08:24

And someone's phoned me up with a small piece of information

08:27

and built this incredible picture around, OK, yes, I should trust you.

08:31

And it's because data has a value in different pockets,

08:37

and with small bits of information you can build quite a narrative,

08:43

as you can see.

08:45

And so today,

08:47

what you would be able to do

08:49

on the kind of criminal underground, if you like,

08:52

would be buy 1,000 email addresses and passwords

08:55

for around six US dollars

08:57

a cup of coffee in some places, right?

08:59

That's 1,000 people's account details that you may be able to log into

09:03

or have tangible information to create a case,

09:07

and that might be pretending to be Amazon for a password reset.

09:10

It might be what location you went on holiday,

09:13

and we're going to do a bit more of a targeted attack that way.

09:17

And this information is available

09:21

because of vulnerabilities from a technical standpoint.

09:24

Yet this is to exploit human behaviors.

09:27

Take my parents, for example.

09:29

I think I’m in cybersecurity because my parents give me a balance.

09:32

My mom is 100 percent, 110 percent optimist.

09:35

Nothing's going to go wrong, everything's OK,

09:37

no one's going to hurt my little boy and all of this sort of stuff.

09:41

And my dad's much more on the pessimistic end where,

09:44

“Why do you want to know me?

09:45

Why do you want this information?”

09:48

And so that balance for me brings kind of both sides of the story.

09:54

And my mom is the sort of person that would have shared

09:57

the traditional WhatsApp messages,

10:00

250 pounds at Christmas and oh, how lovely that would be,

10:03

pay for your Christmas lunch and all those sorts of things.

10:07

And that then becomes a whole different attack vector,

10:10

because it's coming from someone you trust,

10:12

and they're sharing you a link

10:14

and they're sharing something you might want to click,

10:16

and you begin to trust it even more.

10:18

And so my talk is around really focusing on the ways

10:22

in which human behavior is exploited

10:25

and how we can benefit and protect each other.

10:28

And it's OK to call these things out.

10:30

And so there's some basic things you can do,

10:32

such as resetting passwords

10:34

and making sure you're not using the same password for all your accounts.

10:37

Because if one of your passwords did get leaked,

10:39

you would like to know, OK, it's just this one account,

10:42

and I understand that's the one I need to look after.

10:45

When many people will use the same profile for Facebook,

10:48

their bank -- their online banking, sorry,

10:51

and sites that you can purchase things.

10:54

So you might be able to go on Amazon

10:56

and buy an iPhone with someone's username and password, right?

10:59

Bank account details are stored.

11:01

And that creates a whole different perspective of risk and cybercrime.

11:07

And so for me,

11:09

I don't believe any generation can avoid this anymore.

11:14

Children are being raised with iPads,

11:16

and older generations are online shopping

11:18

because of convenience and accessibility to services they may not have had before.

11:23

And so I believe that understanding how these things may happen

11:28

and putting some light on them

11:31

can really impact the way in which people conduct themselves

11:36

and challenge when things may not feel quite right.

11:40

And so for me,

11:42

going through this journey and those three different perspectives,

11:45

the one where I was the person helping, five million pounds,

11:48

and seeing people really suffer.

11:50

The second one where I was putting people potentially in that position,

11:54

however fully ethically, and I was meant to be there for my job.

11:58

And the third where I was the victim,

12:00

it shows that it can take many different shapes based on information.

12:05

And information can come from social media.

12:09

And so if you're going on holiday to Mexico,

12:11

say, for your honeymoon,

12:13

you've saved up all of this money.

12:15

Wonderful, have a lovely time.

12:17

Yet someone you know or an acquaintance

12:21

or you have public visibility of your arrangements.

12:27

If someone knows that information

12:29

and they know the bank you may work with,

12:31

they could phone you whilst you land and say,

12:35

"We've seen your card be used in this location."

12:39

Now, how are you going to feel

12:41

if someone's saying your card is being used and it's you?

12:44

You're going to feel OK, cool, yeah, this is me, no problem.

12:48

And they say, "OK, can you just confirm your identity?

12:51

Because we want to make sure this is you.

12:54

Can you just tell me your card number?"

12:56

So you do, and then you're asked why you're there.

12:59

"I'm on my honeymoon."

13:00

"Have a lovely time."

13:01

All of these social engineering, empathetic side of behaviors.

13:06

And then you get down into the more conversational elements.

13:10

"OK, can you just confirm your card isn't going to expire?

13:13

When does it expire, please?"

13:14

There's many different ways you can pose questions to make people feel acceptance.

13:19

And then lastly, "Can you just check the security pin

13:21

so I know which card I'm going to disable?"

13:24

And by that time what you've done is

13:27

you've told someone you've got money in your bank

13:29

because you've been saving for this wonderful occasion,

13:32

and also you're not going to be in the country to do anything about it.

13:35

And so from a cybersecurity perspective,

13:38

exploitation can happen in many different ways,

13:41

and I don't think it's publicized around the human elements enough.

13:45

And so if you take one thing from today,

13:48

I ask that you see this as your opportunity

13:53

to make sure that you protect your own information and your loved ones

13:56

and your identity online.

13:58

There's no problem with using social media.

14:00

All I ask is you consider who you're sharing that information with.

14:04

The reason being that information is valuable, even if it's not to you.

14:08

It could build a picture,

14:11

and it could cause you some trouble.

14:14

Consider who you share your information with.

14:16

Thank you.

14:17

(Applause)