Former U.S. Federal Bureau of Investigation (FBI) Special Agent and Cyber Security Task Force member John Iannarelli recently joined the CoatingsPro Interview Series to discuss what to watch for as the COVID-19 pandemic boosts cyber scams.
Just as maintaining good personal hygiene can help in our ongoing fight against the novel coronavirus, Iannarelli offers tips on how businesses and employees can utilize sensible ‘cyber hygiene’ to avoid destructive viruses of the computer world.
In this CoatingsPro online article, Iannarelli offers specific guidelines for the current crisis and beyond, and he elaborates on that advice in the podcast. See below for a complete transcript.
[This podcast was recorded on May 7, 2020.]
Stephanie Chizik: [intro] John, thanks so much for joining us today.
John Iannarelli: Stephanie, thanks for having me.
SC: If you wouldn’t mind, just give our readers a little bit of your background, that would be great.
JI: Happy to do so. I started off as a police officer years ago in San Diego. Went to law school, got my law degree and practiced for a bit in California. Then eventually went on, joined the FBI, where I spent about 21 years. During my FBI career, I had a variety of assignments. I was spokesperson for the FBI out of Washington but spent a lot of time in the cyber field, both at headquarters under executive staff and in the field directing cases. So I have a lot of background in several things we’re going to talk about today.
SC: That’s great. We’ve been doing these interviews with people about all things pertaining to coronavirus, and you definitely have a unique viewpoint of that as far as the cyber scams go. Can you give us a little background about what’s going on with those cyber scams?
JI: It’s a terrible thing for people at this time. They have enough to worry about. Not only do you have to worry about the coronavirus, but you also have to worry about all the cyber viruses that are out there. Because cyber criminals are going to try to take advantage of you whenever your guard is down. Traditionally we have seen scams in the past around holidays and major events. Well, cyber criminals have jumped all over the coronavirus. They’re using the backdrop of the virus to try to spread malware, steal your personal information, steal your money, access to your bank accounts, etc., and they’re absolutely ruthless. Your listeners have to be on guard for the threats that are out there.
SC: From what your article had said, a lot of it is that they’re preying upon the fear and anxiety that we’re already experiencing because of the virus. Is that the case?
JI: Absolutely. We’re all reading these emails that we’re receiving, updates on the coronavirus. What we should be doing, what gear should we wear, how is the pandemic affecting us here in the United States? Well, cyber criminals are creating fake emails with fake information pulled from legitimate sites, but they want you to click on links and in these links they’ve embedded malware. So while you’re busy trying to find a way to protect your family, the malware on your computer is not obeying any of the protection you have on that device. It is going into the system, stealing your information, installing keystroke loggers. So now, cyber criminals can see everything you’re typing, including when you go to access your online bank account. You’ve got to take some precautions to make sure that you’re keeping yourself safe during this time.
SC: One of the really surprising things that I hadn’t even thought about was that not only are they coming at it from maybe a professional standpoint, but additionally, on emails to students and teachers. As we all know, a lot of that has moved online also.
JI: Sure. The very people that in many respects are the experts to help us get past this pandemic, they’re targeting by sending out email messages that purport to look like they’re coming from the school, the employer. They may say something like, “From the university health center with the update on the coronavirus.” Again, getting you to click onto that information and download the malware. It’s not just affecting your personal information or whomever. Once it gets into the network for a business, in this case say a university hospital, it can lock up the entire system and prevent them from continuing to do research and treat and help people in this time of this pandemic.
SC: Definitely ruthless, like you said. What are the ways that we can work to protect ourselves? You had mentioned the term “cyber hygiene.” I think that was a good term to use.
JI: Right. Cyber hygiene, in the age of the pandemic, goes literally hand in hand. Well, you want to be washing your hands regularly. You also want to be exercising good cyber hygiene. What cyber hygiene is, for example, when you receive a link, don’t click on a link unless you're absolutely confident it comes from a trusted source. The email may say it’s from the CDC. Well, check the email header. When you click on the email address, is it really the CDC or does it resolve back to a Gmail account? What you can always do is when you receive a link from someone, go directly to the website. The same link will be there. But by going to the website, you know it’s legitimate. As opposed to clicking on a link that may be corrupted and somebody sent to you to install malware on your computer.
The other thing, just some basic common cyber security methods for good cyber hygiene, you have to have a strong password in this day and age. Can’t use your pet’s name. You can’t make it a simple password. It has to be complex and you have to use a different password for everything. Because what happens is when one company is hacked and your password information is stolen, cyber criminals know, “Well, we have their user login name, their email address, and their password. That’s going to be good for everything else they log into.” Cyber criminals will go after you and your information by stealing from one password and using it everywhere else.
SC: How do you feel about those automatic password generators that create a new password almost every time you log into something, automatically? Are those safe?
JI: There are a variety of different options you have. One of the things I like to use is referred to as a password keeper. There’s a number of them out there, such as One Pass and Last Pass, and a variety of companies. In those situations, what you do is, you make up a single password that’s complex, and that’s the only password you have to remember. Inside the app, you put in all your login information for your various websites you go to, banking, whatever. It will computer generate a password that’s very complex, it will store it, and then it encrypts it. So when you want to access a website, you just type in your One Pass password and you go in, click on the website you want to go to, and it loads everything automatically. If it’s hacked, everything is encrypted so your information is safe. It’s just up to you to protect that one valuable password that you use nowhere else.
SC: That to me seems a lot more useful than having to remember 20 different very complex passwords, because we do want to be as safe as we can, obviously. It’s a good practice to have. Any other tips as far as cyber hygiene goes? I know that you had mentioned — another thing in the article was particularly to watch out for people who you are already friends with or know their email, to make sure that their attachments and links are also accurate.
JI: You have to be careful about the people you're communicating with. They may be perfectly well intentioned, sending you things, but they may unintentionally send you various links or downloads that have been corrupted or are malware and pass them along. Be careful about what you open. There’s no reason to be opening the latest joke or whatever when you're not sure where this download comes from. If it’s in the actual body of the email, you're fine. But it’s whenever you click on those links that take you to the internet through your web browser that you're exposing your computer and all your personal information.
Likewise, I have to tell you, make sure you're installing the latest updates for your computer — the operating system, any apps on your phone that say it’s time to update. People tend to ignore those things and the reason there’s an update, they found a flaw that enables hackers to get into the app and access whoever’s using it. You install that update, it fixes that access that otherwise had been unknown, and now you're going to be safe. As long as you're updating regularly, you have good anti-malware or anti-virus software on your computer, you should be fine.
SC: That’s a great tip. These also seem to be tips that people should just be implementing in their lives regardless of coronavirus. Do you see that this is just the way of life that we need to be following from here on out?
JI: Coronavirus and the threats that come with it are just the threat du jour. The reality is that cyber criminals are constantly changing and evolving. There was a time in the United States, long ago, people would go to bed at night without locking their doors because they felt safe. Now, none of us would go to bed at night without locking our doors. Well, it’s the same thing with your computer. You’ve got to make sure you have everything locked and safe because otherwise you're leaving your home, your belongings, all your valuable information unlocked for anybody to walk in and take it.
SC: That’s a great analogy. I’m not sure where you're calling in from, but I’m calling in from a city, so we definitely keep our doors locked here, that’s for sure. What kind of impact are you seeing in the industry in general? Are you seeing anything in your area that you might expect to see as a long-term effect, cyber related or otherwise?
JI: I think what we’re seeing is, because a lot of the scams, people are becoming more leery as to how they’re going to try to help out. Being cautious is a good thing, but we want to aid wherever we can assist. So when you see these websites asking for donations, for money to go to the Red Cross, we’ve had a number of scams of various cyber criminals impersonating legitimate aid organizations and stealing your money. Are people going to be willing to donate and help out as needed? Some are not going to, and that’s going to hurt overall.
But, again, you want to help any particular cause, charity, lend assistance financially, go directly to the website and there will be no problem at all. I think as soon as the general public — and it will happen in this generation — accepts the fact that cyber criminals are here to stay, people will be more careful of what they do online and recognize it’s generally a great place to be, just like walking down any street, but you wouldn’t be flashing your cash or doing anything that might draw attention to yourself unnecessarily. Same thing on the internet.
SC: That is a really great tip. A lot of our readers are having to transition to behind the computer — not necessarily something they had been doing before coronavirus. There’s obviously a lot of new virtual opportunities out there, whether it’s something like Zoom meetings or those kinds of things. Do you have any suggestions or things that people might be able to use virtually that you’ve experienced and seen as being positive?
JI: Sure. We’re seeing a lot of the things, the “Zoom bombing,” where people are interrupting Zoom meetings and hijacking them. I recently was called in on a situation where a company was conducting a Zoom meeting and somebody entered the meeting uninvited and started putting all Nazi paraphernalia pictures up on the video screen for everybody to see, using racial slurs. Needless to say, the meeting had to be stopped. Not to mention they were meeting with clients, so there’s a brand reputation that’s impacted. When we hear of these Zoom bombings, nobody’s hacking into Zoom. It’s good old-fashioned. They’re hacking into your email. So when you receive an email inviting you to a Zoom meeting, anybody who has your user credentials from another breach where they picked it up, as I discussed earlier, they can see your email traffic. They’ll look for a subject line that says “Zoom meeting,” and then they have the credentials. They can pop in just to mess up your meeting or maybe even ransomware that they’re going to continue doing it unless you pay a ransom. The answer to that is just like everything else: strong passwords on your email. Make sure that you use a different password for every application you have.
And when it comes to the Zoom meetings, don’t have an open-invitation Zoom meeting where there’s no password. This very phone call that you and I are engaged in: You set up a password, which is smart. Unless you have that password, then nobody can get in. By establishing a password and not making it an open meeting, you prevent anybody from hacking in and taking over. Finally, if you're going to have such a meeting, make sure as the host, you control the meeting. You control who can speak and when, as opposed to anybody can interrupt at any time at all, which generally makes the flow of meetings pretty bad anyway. But you want to take control and limit outside interference.
SC: I think that we’re going to have to be doing a lot more strategic planning when it comes to these kinds of virtual opportunities. Any positives you're seeing? I’m hoping to give a little bit of a positive slant as well, since we’re all going through a lot of stress and anxiety potentially in general. Silver linings you're seeing coming out of coronavirus or this experience in general?
JI: In the cyber world, absolutely. First of all, being unlike any other pandemic we’ve ever experienced, even going back to when there was the outbreak of the swine flu a little over 10 years ago. We have never been able to spread information more quickly and more accurately than we are today because of all the internet access and the apps. Much of the information that we have questioned coming out of China, if it’s accurate or not accurate. That is because people in China have gotten on the internet and shared what they believe to be the accurate information. We’re making all this information to people that generally don’t get out of their homes on a regular basis due to being elderly, ill, etc. and yet we can bring all this information to you.
Most importantly, you're not cut off in this time. No matter what, you are able to speak with people on a regular basis, whether it be by email, video chat, a number of things that technology has brought us closer, including doctors are seeing patients, keeping them safe and keeping the medical staff safe. This is a great time we live in. But with any technology and any new invention, criminals, the bad people out there, are going to try to capitalize. Whatever the next new thing is down the road, guaranteed, they’re going to try to capitalize on it. But we’re smart people. Everybody who’s listening is smart, just by taking the time to listen to this. By doing the right thing, you keep yourself safe, and you can enjoy the benefits of what technology has to offer.
SC: Thanks so much. I don’t have any other questions about cyber security but I would be remiss if I didn’t ask you about your experiences as an FBI agent. Any tales you can tell us that would be fun for our subscribers to hear?
JI: Oh, I could tell you a million stories. I’m going to gratuitously promote — I’ve got a brand-new book coming out. As you know, I’m the author of four books. My fifth book, Disorderly Conduct: Tales From the FBI, is all funny stories of law enforcement and crazy things we worked on, etc. That will be available this fall. It just was an amazing adventure. The nice thing about the FBI, for 21 years, every day I went to work was a new and exciting day. There were no two days that were alike. I had a lot of great successes on a personal level, including one of the stories I tell is — I inherited a kidnapping case where a four-year-old was taken and the FBI had the case for nine years by the time I inherited it. An agent had retired and I took over the case. Nine years later, we wound up locating that little girl who was now 13, still alive and well, was able to reunite her with her family and arrest the person that had taken her. Opportunities like that you don’t get in any other job in the world, so being an FBI agent was always a calling for me and it was a wonderful, wonderful experience.
SC: We’ll be sure to link the book in our show notes today. Appreciate it, John. How can people find you if they want to reach out to you after listening to this?
JI: As an FBI agent, I’m pretty easy to find. Anybody that wants to contact me, they can go to my website, which is www.FBIJohn.com. They can follow me on Twitter, and I recommend they do because every day I put out a tip on how to keep yourself safe, both online and in the physical world. You can find me on Twitter @FBIJohn, and you can even give me a call at my office. It’s 866-FBI-JOHN.
SC: Perfect. Thanks so much for taking the time to talk with us today, John. Look forward to talking with you again in the future and sharing this information with our readers.
JI: Thanks for having me. Please, everyone out there, stay safe and we’re all going to get through this.
More information on John Iannarelli is available at his website, www.fbijohn.com.
Editor’s note: Listen to all of the other interviews in CoatingsPro’s COVID-19 podcast series.