ThinkAdvisor


Legendary Ex-Fraudster Says Colonial Pipeline Attack Could Have Been Avoided


Companies are easy marks for ransomware attacks because most opt not to equip their systems with technology that’s available to prevent them.

Had Colonial Pipeline done so, the gasoline transporter would have avoided the ransomware attack that shut down its operations in May, causing the firm to pay Russian hackers ransom of $4.4 million, Frank Abagnale argues in an interview with ThinkAdvisor.

A cybersecurity and fraud-prevention expert for nearly 50 years, the security consultant is, however, best known for posing in his youth as an airline pilot, physician, lawyer and more while cashing $2.5 million in forged checks, as portrayed by Leonardo DiCaprio in Steven Spielberg’s film “Catch Me If You Can.” 

After his release from prison, he became a consultant to the FBI, a relationship that continues today. 

Clients of his Abagnale & Associates include Bank of America, Experian, Goldman Sachs, Morgan Stanley, and the tech platforms Intuit and Trusona.

In the interview, he stresses that cryptocurrency continues as an enabler of ransomware attacks and predicts that they will indeed increase further, especially the more vicious attacks that disrupt operations of a company, institution or government.

“We’re just scratching the surface,” says Abagnale, co-host of the AARP podcast “The Perfect Scam.”

Since 2018, there has been an increase of about 150% in ransomware and extortion claims in the U.S. — and that’s just the cases that are reported, he notes.

Ransomware attacks rose more than 150% in 2020, and the average ransom demand doubled, according to Group-IB, an Interpol partner.

On June 3, the U.S. government said it would use protocols to deal with ransomware attacks that are similar to those it employs to fight terrorism.

Financial services firms are a popular target of ransomware attacks.

Abagnale, based in Washington, D.C., discusses the repercussions to advisory clients and what firms can do to protect against such assaults.

He also talks about ransom-payment insurance claims and recommends that President Joe Biden get tough with Russian President Vladimir Putin about ransomware attacks, most of which are perpetrated by hacking groups in Russia.

Last week the Justice Department recovered $2.3 million of the $4.4 million in Bitcoin that Colonial paid to DarkSide, a Russian hacking group.

A week earlier, JBS, the world’s biggest meat company, paid ransom of $11 million in Bitcoin to hackers.

Abagnale thinks that ransom should never be paid.

“Are you that naïve to believe that they haven’t kept a copy of your information and that it won’t be resold?” he says. “You’re dealing with criminals!”

ThinkAdvisor interviewed Abagnale by phone on June 8. In time, the conversation turned to his personal life. 

The depiction of him on screen and in the Broadway musical, both based on his co-written autobiography, is a glammed-up version and far from “a biographical documentary,” he insists.

About a new book, “The Greatest Hoax on Earth,” which seeks to disprove his criminal exploits as they have been portrayed, he said: “I do not feel it worthy of a comment.”

Here are excerpts of our interview:

THINKADVISOR: On May 6, Colonial Pipeline was the victim of a ransomware attack that for several days shut down its gasoline transport business, which supplies half the East Coast. They said their “cyber defenses were compromised ahead of the attack,” and that they had no plan. Your thoughts? 

FRANK ABAGNALE: The criminals stole all their passwords. That enabled them to get into the system. We have to get rid of passwords. We have the technology to go without them, but it’s a slow process to get people to change. If Colonial Pipeline had that technology in place, the ransomware attack wouldn’t have occurred.

Criminals are never looking for challenges. They’re looking for opportunities. They go after companies that have the least challenges to keep them from getting in.

Cryptocurrency enables ransomware attacks. We can live in a world with cryptocurrency or a world without ransomware. But we can’t have both.

So, then, companies aren’t doing enough to avoid such attacks?

If you make it easy for someone to steal from you, chances are they will. These criminals know no one will arrest them and put them in jail, because they’re thousands of miles away.

We can’t track them down, arrest and convict them and send them to prison, because it’s some guy sitting in Russia, China or India.

Why don’t businesses do more to protect themselves and their customers?

They have the attitude “It can’t happen to me” or “I don’t want to spend the money to put that security into our system.”

We have technology to protect companies from ransomware attacks. But if you don’t use it, you’re just waiting for someone to victimize you.

Financial services firms are popular targets of ransomware attacks. What’s the impact on clients?

Once they steal your data, if the firm doesn’t pay the ransom, that data is out there; and clients’ personal banking and other information gets sold down the line.

Before you know it, somebody is getting into your bank account or doing something in your name.

In general, do you think companies should pay ransom?

I believe you should never pay ransom. I know why some companies do. But you need to understand that [the attackers] are probably not giving you back everything they told you they were.

Are you that naïve to believe that they haven’t kept a copy of your information and that it won’t be resold? You’re dealing with criminals! If you pay ransom, you’re just encouraging more of that.

Does the FBI think that ransom should be paid?

No, though in the case of Colonial Pipeline, [transporting gasoline to] the Eastern Seaboard was disrupted; and they were saying it’s worth $4 million to make sure this problem goes away.

The government said on June 3 that it will use similar protocols to deal with ransomware as they use in fighting terrorism. Do you consider ransomware attacks terrorist attacks?

Yes. If it’s attacking your operations and shutting you down, and affecting millions of people, it’s a terrorist act.

We always knew they would attack the electric grid, the banking system — things that disrupt people’s lives. We’ve seen that now with Colonial.

About $412 million in ransom was paid in 2020, according to Chainalysis, a blockchain research and services company. Will ransomware attacks occur more frequently in the future?

We’re just scratching the surface. It’s a very serious problem and a very easy crime. We’re going to see much more of it.

Since 2018, there’s been about a 150% increase in ransomware and extortion claims. 

But many cases never get reported to law enforcement or the media because companies don’t want people to know they’ve been attacked and had to pay ransom.

However, now you’re going to see more attacks where they’ll disrupt operations. That’s more powerful than stealing customer data: The company is losing millions and millions of dollars a day.

So when the criminals say, “Pay me $3 million,” what’s that compared to the $20 million a day they’re losing?

What’s the chief reason ransomware attacks will continue to rise?

It will get worse because it’s such easy money to get — and look how much they can make!

Where do insurance companies stand when it comes to these attacks?

Most make ransom payments roughly 50% of the time. But if something is a terrorist attack, they won’t pay because that’s considered an act of war [and not covered]. 

The government said it’s now going to investigate “the larger cybercrime ecosystem.” What does that refer to?

All the cybercriminals on “the dark web” that operate around the world selling and buying information. That’s been going on for years.

What should a company do if they find they’re a victim of a ransomware attack?

Call the federal government. They now have agencies under the Department of Homeland Security that deal with this. They’re the ones who recovered about 75% of the money for Colonial Pipeline. 

The government is getting a little better at trying to capture some of the ransomware money and get it back, if they act quickly.

What happens to the crooks?

Most of the time, you can’t go after these criminals, who are mainly in Russia. The government there doesn’t care what they’re doing and does nothing about it. We don’t know if the Russian government is actually behind some of this.

Do you think that in their upcoming meeting, President Biden should confront Russian President Vladimir Putin about ransomware attacks?

Yes. In Russia, they know the criminals are doing this. They could stop it, but they just look the other way. We need to get hard on these countries and sanction them. 

The Russians aren’t going to tell these guys to stop unless something happens that affects them and they’re forced to stop [them].

What else can companies do to try to prevent these attacks?

One thing is that they need to know their vendors. Target has great technology; but [in 2013], hackers got into a vendor’s system, which was very easy to do. 

That’s how they were able to hook into Target’s system. [Target paid $18.5 million in the ensuing data-breach settlement.]

What other steps can companies take to try to avoid a ransomware attack?

JPMorgan Chase spends, on average, about half a billion dollars a year on technology, including technology for securing the bank. They take one to two years to vet it to make sure it absolutely works, and then they stay on top of it. So they go through a great deal to make sure they’re protecting their customers’ information.

Most companies’ first line of defense against cyberattacks remains their internal IT department. 

But if I shut down a company’s operations — like a fuel line or water system — that’s different from stealing personal information and data.

It took the Colonial Pipeline attack and the [JBS Holdings, largest meat processor] company attack [in May, in which ransom of $11 million in Bitcoin was paid], which started to disrupt the food chain, to finally get the government to say: “We need to do more, and companies need to do more to protect themselves from this happening.”

What could be the next big target for fraudsters?

The government is willing to give away $6 trillion [Biden’s proposed budget] over the next 10 years. We know that, historically, 10% of that will likely go down the tubes to fraud. Scammers will be looking to get a big chunk of that money. 

Whenever the government pays out money in a program or because of a national disaster, 10% of it ends up with people filing fraudulent claims — pulling scams against Medicare [and so on].

Did that happen when the government gave $630 billion to the states for unemployment insurance amid the pandemic?

So far, $68 billion of that money has been in fraudulent claims — people using other people’s information to apply for unemployment. The [DOJ] inspector general now says it’s likely to come to over $100 billion in fraud.

How were people able to do that?

The government indemnified the states from any fraud issues. So the states really didn’t do much to stop the fraud. 

All of a sudden people were calling the states — New Hampshire, for example — saying, “I work for [such and such company], and I need to get on unemployment.” [But they weren’t employees; they had stolen their identity]. 

Did the crooks get caught?

Most of the emails I’ve been receiving in the last month or so are from people saying, “I’ve got a tax bill from the IRS saying I owe taxes on $13,000 in unemployment insurance, but I’ve never been on unemployment in my life!” 

I explain: “Someone took your Social Security number and other information and applied for unemployment in your name and collected the money. 

“But the IRS assumes you got it, and they want you to pay taxes on it. So you need to prove you were working and never even applied for unemployment.”

You committed crimes as a youth; and a film and Broadway musical were based on your book, “Catch Me If You Can.” What are your thoughts about the movie and show making you famous? 

You wish deep down they never happened. The guy that [co-]wrote the book hyped things and exaggerated and embellished a lot. He took it so far out of reality. 

My real life didn’t happen that way; it wasn’t glamorous. It was a very lonely life for a kid, from a broken home, to be on the run. 

What did you do right after you were paroled from prison after serving five years?

Part of my parole obligation was educating federal law enforcement officers [about security]. But there was no compensation; so I had to find a job.

I got one at Pizza Inn in Houston. After six months, they wanted to put me in their management training program. But they found out about my record and fired me. 

I went to work for a grocery store. They also wanted to put me in their management training program, but they found out about my record and fired me. I said to myself, I can’t hide what I did. I should have been transparent.

But if I can train federal law enforcement officers, why can’t I train banks and corporations on how to protect themselves?

So I started doing that and have been doing it for 45 years.

Do you ever hear from young people who say they’re tempted to commit a crime?

I get a lot of emails from kids in high school. I always tell them that when you do something wrong, it becomes a big burden in your life.

When you make mistakes, you have to live with them. Redemption can only happen in your own heart because there are a lot of people who are never going to allow for your redemption.

Please explain.

What I did as a teenager is still a huge burden to me. There are still people who don’t trust me for it and look at me in a negative way. I live with that every day. It’s everywhere I go. At church, people [mutter], “That’s the guy that did this and that. He’s a former criminal.”

They don’t care that you changed your life and did positive things. I know I’ll have to live with that for the rest of my life.

There’ll always be people judging me and looking at the bad things I did 50 years ago, not the good. I hope that when I pass away, people remember me for what I did with the rest of my life and not what I did as a young man 50 years ago.
