PhD Candidate in Computer Science at the University of Tulsa. Area of research is Identifying Malicious Domain names. My research falls into the domain of Security Economics, which looks at the economics around cyber crime, both from the attacker and defender points of view.
Business Email Compromise: Everybody is at risk | Loop Holes in Email Compromises: How do you protect your business? / CyberSecurity Economics: How to know you’re at risk? – Geoffrey Simpson | CYBER EDITION
I’m bringing on an expert in cyber. We are going to be educated. We are going to be schooled. Why? This dude is currently serving as a Founder and CEO of both Breach Management LLC and Spiked Mace Software LLC. He is the first alumnus to be appointed to the OSSM Board of Trustees. Now, he serves on the Academic Committee as Chairperson and is a member of the executive board. He’s a candidate for a PhD. Geoffrey Simpson, welcome.
I’m pumped because we are going to talk about some pretty amazing things but first, let’s humanize you a little bit. I’m reading now and it’s a stained glass artist. This wasn’t in the original information that I’ve got.
It’s one of those things that grabbed onto you, at least for me, as a child, seeing those stained glass windows in those churches. That love of glass interacting with light has stuck with me. The arts always fit with STEM. My creative outlet for a long time has been stained glass. I love making stained glass lamps and specific pieces that bring in art and glass. That’s one of my muses there.
I like your statement that the arts always fit in with STEM because they are separated in a lot of conversations. I have never seen it that way either. I have always seen myself as the freak of the unicorn that has the bridge between the left and the right brain. I have been in cyber. I can throw amazing complex enterprise systems together, at least that’s what I have done. I’m also a musician. I’m an accomplished guitarist and drummer.
There’s a beautiful art to laying out those enterprise systems too. I partially fault the education, where they may have graded it up too much and made it too boring. Mathematics, engineering, software, cyber, and security are a beauty in and of themselves. There is so much creativity involved, even in those things like you said, laying out an enterprise network. That flows right into playing guitar. Other musicians are the same way as well.
Plus, it was a good outlet because I don’t feel that you should ever shut a part of your brain off. That’s something that has always been central to me too, like stained glass with you, I would assume. If we can dive into some cyber stuff, I was told that you gave a lecture to the FBI. Did you give them a lecture or did you lecture them?
I gave them a lecture. The reason why I’m here is because of my PhD research. I temporarily retired. I was able to go out and work in the industry, start companies and do start-ups. I’m a lucky person. Being able to go back to school and get a PhD has been awesome for me. I’m in a PhD program in Computer Science. I’m researching the area of Security Economics. Specifically, what I’m looking at is potentially malicious domain registrations by people that are registering these domains, trying to trick people into clicking these links, trying to attack them in Business Email Compromise attacks. There are so many parts to cybersecurity.
A Business Email Compromise is one of the largest components of that financially. We have seen a lot of data from the FBI and their Internet Crime Complaint Center, IC3. If you are in the United States and you have some cybercrimes occur, that’s who you report it to. You go to the FBI in their Internet Crime Complaint Center. They gave us data that we were able to parse through and look at the actual data from some of these actual fraud cases from Business Email Compromise. That spurred on some further research down the line on what I’m looking at.
It’s interesting to me that you are a candidate for your PhD in the economics of cybercrime.
It’s a Computer Science degree but my professor, Dr. Tyler Moore, is one of the computer scientists that testified before Congress in the Equifax breach. This area and this realm of computer science and cybersecurity are looking at the economics, what motivates these malicious actors, and then what is the cost to the companies to protect themselves. How much do you spend as an organization on cybersecurity and security in general? There is a point at which you have diminishing returns. You could spend another dollar but you only get that small incremental point.
Some mathematical models can show you these points. One of them is called the Gordon-Loeb model that models out the implementation-wise, the spend and how much you need but what you need is your estimated losses or potential losses. When we look at Business Email Compromise, we look at these cases from the FBI so we can get a good estimate of your potential losses from Business Email Compromise. We can then plug that back into a number to say, “This is how much you should spend on security.”
Is there a general ratio that you see with that?
It comes down when you start looking at the numbers. A lot of common sense comes into it because it’s different when you have to look at who you are talking about because when you are looking at a small, midsize company, you might be able to easily describe the security infrastructure that needs to go on there as far as network security and physical security. Maybe you have a website as most people do and I will give this website from a company that’s local to me, Williams.com. Williams is a gas pipeline company so they are big on physical security and cybersecurity and looking at the IoT security because they have lots of devices out in the field communicating. There is a big focus on that.
From the critical infrastructure side, the domain aspect and the BEC side, somebody could go register VVilliams.com. That VV looks an awful lot like a W. They have a domain that they can start trying to sneak into emails and start trying to infiltrate Williams for some reason. They are trying to get them to pay a purchase order that suddenly shows up or requests a check. This is important because of state actors like Russia. This is the exact attack that they used in the Burisma case, where they were trying to infiltrate Burisma. They were using these types of malicious domain registrations to trick people inside of the Burisma organization into clicking these things and giving them the credentials.
It’s interesting because there are different threat actor profiles. That’s what I was in the White House advising the previous administration on in 2020 when they were looking at inter-agency cooperation for these types of things too because that’s a mess as you know. CISA was the way that they tried to start this up. It’s getting better but the motivations behind the different types of threat actor profiles are very different.
At the University of Tulsa where I’m getting my PhD at, we are one of the cyber core universities where they bring in undergraduates and train them in the ways of cyberattacks and defense. At one point in time, we had an office of the Secret Service on campus because they were working so closely with the Secret Service and the government. They train these students to do that defense and attack for the United States. They go into the CIA and other organizations and do that. Those threat profiles, that’s a big aspect of what I do and what the other components in our computer science college do.
Different motivations exist. There are economic motivations for some but when you are talking about state actors, it could be that geopolitical destabilization is their motivation. When you look across the different types of profiles, some of the methods, exactly what you are talking about, Business Email Compromise, are still the same methods used across all profiles and all motivations.
Some of the data that we received from the FBI had geolocation on it. We were able to tell where the attackers were located, or at least where the recipient banks were that they were transferring the money to, and also where the victims were located. We were able to compare that to different things in the United States trying to pinpoint what’s the main motivator for being a victim of Business Email Compromise. Some of the thoughts that ran through my head were, “Let’s get a list of the public companies in the United States.”
That’s where all the Business Email Compromise is going to be because they are attacking the big companies. I was like, “It’s going to be the banks. Do you know where the banks are located?” We did all this analysis and ran it through the R scripts and looked at everything. What it turns out is the main indicator of being a victim of Business Email Compromise is population density. No factor changes your percentage of chance of being a victim of Business Email Compromise. The answer is it happens to everybody.
When you say population density, it was the biggest determining factor that you saw as far as the number of attacks?
That was where the victims were. Is there a place that is more popular for being a victim, or is there a worse place to live in the United States or a safer place to live in the context of Business Email Compromise? There wasn’t. One of the super interesting things we saw is that in most of the Business Email Compromise attacks, they tried to steal between $10,000 and $100,000. Those are the majority of attacks but there were quite a few attacks in that $100,000 to $1 million range. What happens when you look at those numbers is, statistically, these malicious actors and these attacks were most successful at around $600,000.
Those attackers who were asking for or trying to steal $600,000 were statistically more successful than the ones trying to steal $20,000. There is a lot of psychology that can go into those numbers but it’s astounding that the more you try to steal, the more successful you are. Those types of economics, when you look at them from a security context, are important to your business. As you know, cyber is not just a box that you buy. There is so much training and so many people involved. Cybersecurity is people. In this case, it’s things like training your employees to have a double verification on wire transfers. Even though that may not sound like cybersecurity, that sure is cybersecurity from my perspective and the FBI’s.
No doubt, because measures that we recommended one of our clients put in place for the double-check on wire transfers are what saved them from a $258,000 fraudulent transfer. It was so intriguing because it’s exactly what you are talking about. It was the IDN and it was the same thing: instead of Williams with a W, the W turned into two Vs. The word I’s was in their name and an L was substituted for the I. It was incredible to see this transpire. The human aspect of it too is something that I preach all the time with this.
I’m glad you are on that track. That was $258,000. I’m stuck on the $600,000 a little bit in my head, on why that was the case. I know we could go into the psychology of that. Do you feel that it’s because of the small ones? We have been accustomed to the small ones for so long. Back several years ago, it was like Prince Abu Dhabi is stuck in some crazy country, “Will you help me get the money across to my dear old grandmother?” We have seen that forever. Those were $1,000, maybe $5,000. I’m in this industry. If I would see something of $600,000 that could be fraudulent, I would double-check to see if it’s for real like, “Is this something I need to pay?” I don’t know why. As I’m thinking about it when you said it, it’s like, “Why does that seem more legitimate?” Even when I think of it, it seems more legitimate to me at that time.
I have a specific case. My wife is a Chief Accounting Officer and Treasurer of a publicly-traded company. She gets to see a lot and do a lot. She’s very talented and smart. Being a Chief Accounting Officer, she gets to see these things. She had a controller that received an email. The name in the email was Gary Fields, which happened to be the CEO of the company. It was requesting a wire transfer for about $170,000. It said it was for an acquisition. It was not public knowledge but they were pursuing an acquisition. If they had not had that voice verification on the wire transfers, their company would have transferred that $170,000.
If you are a president or a CEO asking a controller of your company, and if you are a medium to large size organization, $600,000 is not that much money. It does not look different and out of place. That’s why some of those succeeded. On the lower end, there is probably a lot of embarrassment too because the data that we are seeing got filtered through the FBI. You can imagine, if you are a business, let’s say you lose $10,000, $15,000, maybe that’s not that big of a deal. You are too embarrassed to report it. You don’t want the negative PR associated with it.
Reputation damage is huge.
We are going to see a lot of those not even reported to the Internet Crime Complaint Center. There’s ignorance too. Maybe you don’t even know to report it, even though there’s a potential for recovery. That’s part of the education too, to know that if something like that happens to you, you should contact your local police but also contact the FBI because if you contact them fast enough and it’s the case of a wire transfer, they do have a success percentage with recovering some of these wire transfers even at the smaller levels.
I’m sure there’s relativity involved too because, like you were saying, $600,000 to a large public corporation would not be that much money, but then there’s probably a threshold when you are talking about small and medium enterprises. If you are doing $10 million a year, maybe even $1 million a year, that $600,000 might look more like $60,000. That might be something that could tank you.
You see a little breakdown in the smaller companies. Maybe you have a better grip on things. Your personnel have been there longer or they know the system better. In the bigger companies with more moving parts, it’s easier to slip something into the cogs there. Maybe the psychology in a larger organization, even though they should have the processes in place, sometimes those processes break down. We are not just looking at these types of things as being the threat. We have seen, as you have probably understood, this Outlook vulnerability where people have been hacking into enterprise Outlook servers. We have seen cases from the security economics side when we are looking at this, these cases of malicious actors intercepting emails on the Outlook server and rewriting, changing, routing numbers inside of emails in the middle of the email transfer. It’s impressive, the extent they go to with these links, but the economics justify their actions. That threat actor does this and they do have success, or they have a high enough success rate, and that’s why it works. That’s why they keep doing it. That’s why it’s still a threat, because we haven’t fixed it.
I saw that you stated that there are different viewpoints between both the attacker and the defender for cybercrime economics. What do you mean by that?
For the defender in these cases, it’s even hard to nail it down to say it’s cyber in a lot of these cases. The attacker may be purely economically motivated. That’s what we see a lot with these BEC attacks. I know with the Burisma attack that it was my primary motivation in doing that. That was a state-level attack looking at trying to get. I want to stay out of politics on that one but that was a state-run attack. They had different motivations. From the defender’s standpoint, when we look at things like this V IDN, the negative externalities may not be worth it for Williams to go out and buy up all these domain names just because there’s a chance that somebody may register VViliams.com.
The attack may not even be attacking Williams themselves. The attack may be attacking Williams’ customers because they may try to attack the customers depending on the business situation. When you look at even protections against this visual impersonation of domain names, not to demean the IT guy or the person in charge of maintaining your domain registrations, do you want them doing all this? In the case that you have copyright protection in place, is it your brand protection agency that goes out and says, “This may infringe on our copyright”?
If somebody is registering something like Williams.com, maybe that infringes on copyright and maybe not, because there are a lot of people on the internet and a lot of people named Williams and it’s very difficult. Microsoft can make a better case when people start using things like SharePoint and Outlook or Microsoft or Office 365 because that maybe falls under brand protection, but maybe it is a cybersecurity issue. There’s still not a clear answer on how to protect against this or who even does the protection.
That’s a huge gap too. As I’m thinking about even large organizations or even down to the small and medium enterprise level, who’s the one that ends up taking the responsibility for this? Back in the days when the IT support and consulting thing started maybe several years ago, it was all a one-man shop. That one person did everything. They specialized in nothing when it came to technology. If they grew up in enterprise systems, it was, “I can take care of your servers.” “You need phones too. I have never done that but I can figure it out. I will put that underneath my umbrella.” For even larger corporations, I can see this being a conundrum because it’s not like compliance with HIPAA to where you have to designate a compliance officer within your organization. Do we have a cyber awareness officer that comes up? How does this conundrum get fixed?
It doesn’t even stop there. We mentioned this one type of malicious domain registration, replacing characters, but there are also other types. In the Burisma attack they used multiple kinds of Business Email Compromise attacks. One of the ways is they leveraged the use of their SharePoint. As we know, SharePoint is a Microsoft-hosted email platform but when you sign up for SharePoint as a company, you get a domain name like MyCompany.Sharepoint.com. This Burisma subsidiary had one of those. The subsidiary was Cub Energy but they registered CubEnergy-My-SharePoint.com. That is one of the successful attacks that got into Burisma.
That type of attack plays off this third-level domain name. When we talk about the third-level name, it’s the first part of the domain name that we sometimes use, like www.DomainName.com or Mail.DomainName.com. That www or mail, that’s the third-level domain name. What we are also looking into is what happens when these malicious attackers start registering things like www.Williams.com. That is another way that they could potentially trick people to click on these links. Somebody has MailWilliams.com. There are so many aspects of this that it keeps going. As you know with cyber, it’s that fractal landscape. It’s so wide. You can drill down on any specific piece of cyber. That’s why it’s so interesting to me and you and there is so much to learn about it. I learn new things every day. That’s why I love what I do in research, probably the same with you.
For me anyway, the interesting part is more so the economics and the psychology of it than the actual technology of itself because the tech is just the mode. Everybody uses tech now. Across all the different threat actor profiles and all their unique motivators, the methods of attack are pretty much the same. It’s like the toolbox is the same toolbox across the board, the economics of those different actor profiles too. Do you see different financial motivators for each of those?
We see some differentiation between the state-level actors and what we maybe even call script kiddies to a certain degree. From some of our other research, we have seen some of these malicious actors algorithmically generate some of these malicious domain name registrations. We can see some indication that this may be part of a hacking package or a BEC package that a malicious actor would obtain off the internet. There are some motivations where we would see some economic differentiation there. What is super interesting though is this type of attack, the V IDN stuff, started gaining popularity; maybe we saw some evidence in 2005, 2006. There wasn’t much there but it started picking up in later years, 2015, 2016.
It spiked. In the data that we were looking at, where we were looking at all these potentially malicious domain registrations, we had the name server information as well and where they were registered. It turns out that a large portion of those were registered through Vistaprint. I don’t know if you are familiar with Vistaprint but they offer ten free business cards with a domain. They were doing a promotion where they were providing a free domain name when you signed up with them for free business cards. They were not charging your credit card until 30 days after you signed up.
The hackers, these malicious actors, figured out that they could get these free registrations. That’s what caused a big spike in this type of attack. What we saw was that competitors to Vistaprint saw how Vistaprint was growing, even though a portion of it was malicious. They started offering the same deal as well. We saw the malicious actors move their registrations from Vistaprint out to these other competitors. Vistaprint started fixing that problem, fixing that hole. Very quickly, Vistaprint was no longer hosting these types of malicious domains but it did disperse to these other name servers and other registrars until it finally weeded out a few years later. It was so interesting to see the economics of Vistaprint offering a free domain but not charging a credit card until 30 days after causing this increase in BEC attacks, therefore causing larger theft and cyber insurance premiums to increase. There’s that butterfly effect of chaos showing its wings, where this little change over here affects how much you are paying on your cyber insurance premium.
I didn’t know about the Vistaprint scenario. Were they even authorizing $1 or anything to make sure they were valid cards?
I can’t go back in time and look at that. Going back as a historian now, or a researcher with the data, we can go back and read news articles and see what the industry thought of what they were doing at the time. They were not doing at least enough validation, or they were using debit cards. I’m not sure what the loophole was on why they were doing that.
That was several years ago now at this point. Where are we at now? What’s taking place now to register these domain names en masse?
Business Email Compromise is still on the rise. The FBI’s Internet Crime Complaint Center releases an annual report. The attacks are growing. As a researcher, my ultimate goal is to be able to say, “Somebody has registered a malicious domain name. You should do something about it.” The internet is too broad. There are too many things to look out for.
Business email compromise, when you said it took off in 2015, you and I know that it has been around for so long, so what’s your opinion? I’m phrasing it that way intentionally because with any client base that I’m part of, it’s always education. That’s everything we push. Even now we are coming to an email scenario where we are utilizing vendors that don’t straight up block email anymore. I have determined with my team that it’s more important for the person who is receiving the email to understand and notice some of the discrepancies that might exist with it, because it’s like the teaching a man how to fish principle rather than fishing for them. Rather than blocking it, there is more that’s coming through.
Through integrations and inside Outlook or G-Suite, it will say, “This email looks like it has something a little funky to it. Would you report this? Here’s specifically what we see. Maybe you can analyze it on your own. Click here to contact your support team.” It’s very educational-based now, rather than technologically-based to where we are slamming down the gauntlet and saying, “This is not going through.” We have one person that can filter through these at some point like a quarantine report. That’s just another layer.
That’s the challenge though because as a researcher, I would love to be able to say, “Here’s an algorithm. Here’s an artificial intelligence machine learning model that tells you this is bad. Don’t click on this.” I would love to be able to write that. I would be rich if I did that but it’s not that easy because, as I have explained, there are so many different ways to do this. You asked what my opinion is. It is that multi-layered approach because when you look at network security, you have a whitelist or you could have a blacklist and start blocking things out. You could start blocking any clickable URLs in an email.
It all comes down to training. A lot of companies are moving to more secure communication methods between the vendors where it matters. When I say secure, I mean something that has an additional layer of authentication, or at least any authentication whatsoever, because as we know, email is a completely unsecure platform. If you are communicating things that are important to communicate, wire transfer IDs, account IDs, look at secure communication platforms. If that is a Slack channel, that’s a Slack channel, or that’s Microsoft Teams. We are seeing more communication between companies like this.
Large organizations, and I’m talking about the largest companies like Walmart, have their own communication platforms that they already have their vendors on. They are utilizing those types of platforms to perform all their communication between their vendors and suppliers. That’s a model that I could see moving from those big companies down into the small company because I feel like there’s an opportunity to guarantee a secure communication channel between companies doing business with each other. After all, email is way too unreliable and unsecure.
I see the same trends myself, that those types of systems are making their way downstream. They have been used by a lot of the big corporations for a while now. Still, the inverse of that is email is not going away anytime soon. Talk about the economics, that’s how you market. If you still buy coffee as I do at Big Shoulders in Chicago, which is one of my favorite roasteries here in Chicago, I order 5 pounds at a time from them. I love getting their 15% off coupons to place my next order. That’s also economics but the threat actors know this.
Is it economically feasible or advantageous for them to try and insert themselves into those types of scenarios? We have already seen that a little bit with text messaging. I know I’m veering away from some of my research area here but in a past life in some of my startups, we did text message a waitlist for restaurants sending out text messages when your table is ready. I’m heavily involved with text message marketing. The good thing in the United States is the FCC cracked down on those types of things in the beginning.
When we see things like this data loss from Facebook that has names and telephone numbers, which are probably cell phone numbers, there is a lot of data online now. That means people can start sending you text messages that may release another wave of getting somewhere that is immediately viewable by the people. Text messaging has a 98% read rate within the first hour. That’s a concern of mine. Bringing that back to Business Email Compromise and enterprises and security, we have mentioned multifactor authentication. You have to have multi-factor authentication. When it matters, it needs to not be a text message. It needs to be an authenticator app that generates codes or another secure means of communication.
When I was on stage, I said, “If nothing else, at least use a text, but please, stop using texts if you have something else available to you.”
Most of us, myself included, have a lot of security by anonymity because nobody cares enough about me to steal my stuff. That’s what it comes down to. As a security researcher, I understand that any data that’s in electronic form can be stolen. That’s what I want people to know and understand. I still have data online but I protect myself in the ways I need to. You protect yourself in the ways you think you need to. I’m not scared to go online. I’m not scared to have my kids go online.
Same here, I’m not scared. Being an expert in this field too, somebody that’s very vocal about this, I laugh at myself and so do other people that work for me because things like Netflix, my Netflix account, are the most unsecure passwords in the world because I don’t care. There’s no way I don’t have a phone number on there. The only thing I use it is to watch movies. If somebody logs in and I get that suspicious notification that somebody logged on to my Netflix account from Ukraine, I’m okay.
To your point, your phrasing when you said “when it matters.” There are a lot of things that do matter, especially when it comes to Business Email Compromises. A lot of things do matter so don’t just brush over it. When I was getting to the opinion piece too, I was curious about that because of the perspective of, “It will never happen to me.” We are out there, we are on a mission to help people understand that it can. It does, all the time.
It does matter because a lot of people in this economy are maybe moving to more of a remote work situation, or maybe they are doing more freelancing. It goes back into understanding, maybe scaring you with, the repercussions of when you are responsible for maintaining PII. When I say PII, I mean Personally Identifiable Information. If you have PII on your laptop or your computer and you are responsible for that, there are legal repercussions to you losing that. Each of the states in the United States has its own Data Breach Laws. Part of what makes it challenging in the United States is it applies to where your customers are, where the customers live. If you have data from customers that live in five different states and you fall into this breach notification requirement, you will potentially have to notify them differently in each of those five states.
That is something, as a freelancer, that you have to realize: you are legally required to maintain the PII based on where the customers live. To a certain degree, that means you might have to look at encrypting your hard drive or encrypting the data. BEC can happen to anybody. Even if you are a freelancer and you get an email and click on it, maybe it somehow grabs Excel files off your hard drive. If those Excel files are not encrypted, maybe they’ve got your customer list. You happen to keep their Visa card numbers in there because you are in between accounting systems and you still need to bill them. There are real-world consequences. We are going to start seeing more, like the United States started putting the reins on Russia for doing all these attacks. We are going to see local authorities start bearing down on some of these cyber breaches because it’s starting to become a problem.
Once they get the right tools to do so as well. From what I have seen as well, especially being at the highest levels in our country, looking at this the same as you, there is a gap in competency and the toolset available between the Federal Government, local municipalities, and the local authorities. It’s getting better in my personal opinion, which is great. I was laughing too because when I choked Hunter Biden’s name, and it has nothing to do with politics, with his laptop and everything. He’s like, “Maybe it was lost.” It has nothing to do with Republicans, Democrats or whatever. It has everything to do with the stupidity of a human being. To your point, Geoffrey, it was his responsibility no matter what. It’s a human aspect. That’s all it is. It has nothing to do with what team he plays for.
It goes back to cybersecurity like we were talking about. There’s such a big human aspect in everything around cyber. It comes down to this. You make decisions on your firewall when you set it up. You make decisions on how to secure your network. You make decisions on how you are going to protect your organization and yourself against Business Email Compromise attacks. These are things that, a lot of times, involve human decisions. Training and processes are important. Repeatable processes, and training is a part of that.
Let’s end it with this because that’s a good bookend to this. What are some realistic ways, in your opinion, that some companies can protect themselves against V IDN or BEC?
A lot of this is you have to know if you are a target or not. A lot of the people that are a target know that they are a target. Microsoft knows they are a target. They are actively looking at people registering domains that could be used in this type of scenario. I mentioned SharePoint because a lot of people use SharePoint. A lot of people are used to seeing a SharePoint URL in their emails. That is a big one. A big risk is anything that looks like SharePoint in their email. That comes back to training. What can people do? It’s being on the lookout. There are no tools out there right now. Hopefully, maybe one day I will create tools that allow companies to go out and plug in their name and say, “Here is a list of potential things you should look at.”
Now, it’s not anything to be concerned about. It falls into the realm of your regular Business Email Compromise training, which is training people to look at the URLs, not just the text on the screen but the actual HREF, which is the actual link it’s going to when you have your mouse hovering over it. There are other tools that you can integrate with your email that help out with that and check those. It does come back to training. I know there’s a good way and a bad way to do training. GoDaddy tried to do some training with their employees to get them to not click on links in emails. They sent out an email saying, “Here’s your holiday bonus.”
It was a link. A lot of people clicked on it. It was under the guise of training for Business Email Compromise but maybe don’t promise a holiday bonus in an email. You don’t want to make it boring because nobody is going to sit and listen to boring training. You don’t want to make it too much of a requirement. It needs to be educational so people learn. That’s the ultimate goal: you want them to learn to look at links and maybe not click on everything. It’s okay to ask. Not clicking on the link is the best way to say it.
Geoffrey, thank you so much for being on. Where can everybody find you? I know you want a certain level of anonymity.
I have a website, GeoffreySimpson.me. I’m not doing anything right now. I’m focused on the PhD. After that’s finished up, who knows what I will be doing. I may be going back to the startups and maybe getting a real job again.
Thanks for making me smile. Have a great day, brother.
- Breach Management LLC
- Spiked Mace Software LLC