Challenge Accepted Podcast – SVB, BEC, and the FBI

Share :

Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey. 

Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.  

In this episode, our two hosts talk to Supervisory Special Agent Jeff Collins of the FBI. In his current role, Agent Collins oversees the Salt Lake City’s Cyber Task Force that is responsible for spearheading federal cyber investigations in Utah, Idaho and Montana. 

In their discussion, the trio discuss the potential cybercrime impacts from the failure of Silicon Valley Bank (SVB), explain why business email compromise (BEC) is a somewhat misleading name, and provide practical advice on how organizations can prevent BEC attacks from occurring to them. 

You can subscribe to Challenge Accepted via Apple, Spotify, Google, RSS, and most other major podcast platforms. 


Arctic Wolf – Challenge Accepted – Episode 7 

Ian McShane  0:14   

Hello, everyone. Welcome to the latest episode of Arctic Wolf’s Challenge Accepted podcast. My name is Ian McShane. And I’m Vice President of Strategy here at Arctic Wolf. 

Adam Marrè  0:23   

And I’m Adam Marrè, the CISO at Arctic Wolf. 

Ian McShane  0:27   

Awesome. I mentioned a couple of times on previous episodes, that’s what they call a callback in the industry. I mentioned a few times just how easy it is to get caught up in email scams and phishing and spam.

And in fact, I’ve mentioned a specific one from last summer about having gone into a sporting goods store and come outside and got a scam email purporting to be from that same sporting goods store and almost falling for it.

So with that in mind, and just everything that’s going on in the media, whether it’s about economic instability, there’s all this stuff that makes it a pretty ripe environment for adversaries to take advantage of in trying to, scan, or at least get end users to take some kind of action. So with that in mind, I’m stoked for today’s topic, where we’re going to talk about business email compromise, and we’ve got a very special guest who will introduce shortly.

You know, ransomware does catch a lot of the headlines, and rightfully so, I’m of the opinion that ransomware is the primary thing that organizations should be nervous and wary of when it comes to cybersecurity.

But honestly, it’s surprising how many organizations don’t really understand how prevalent business email compromise attacks are. And we’ve got a report coming up in, in a week or so where we’ve got some stats along the lines of 30%, almost of incident response cases that we handled, were some form of email compromise. And so Adam, how prevalent are those things in the real world? And how much of this do you see? 

Business Email Compromise: What It Is

Adam Marrè  1:59   

Well, this is a multi-billion dollar industry worldwide. And it’s an attack that was supercharged a number of years ago, really through cryptocurrency, but some other ways of monetizing it. So it’s really a moneymaker. Right? This is attackers that are focused on usually on making money.

Now, I don’t want to steal too much of our guest’s thunder today who can explain a lot more about BECs. But back when I was in the FBI, this was a very common investigation that we would have because it hits all kinds of businesses from large, to even very small mom and pops. And it just comes through email, it’s got an unfortunate name, business email compromise, it just doesn’t really cover the seriousness, or really sort of describe what it is.

But essentially, it’s an attack that comes through email, it usually preys upon creating a sense of urgency, will usually mask itself by making you think it’s coming from a customer that’s sending you an invoice or from an executive that wants you to do a money transfer, or something like that, creates that sense of urgency, gets the person who’s on the recipient, the victim, to not either go through normal procedures, or they don’t have good procedures, and they just do something quickly.

And then when the dust is settled, they’ve sent you know, $50,000 overseas or given the bad guys the W2s for the entire company, or whatever it is, depending on what the particular scam is, but I don’t want to go too deep into that, because I want to make sure that our guest has a chance to introduce that.

So why don’t we just jump into that, I’m really excited, we have today, Supervisory Special Agent, Jeff Collins from the FBI, on to talk to us about BEC attacks and maybe some other things.

Now, Jeff, and I go way back, we worked together in the bureau, but really excited to have him here to talk with us about this topic. And I think one of the things happening today that makes this relevant is kind of a really big event has happened with the failure of a US Ban,  major US Bank, especially major tech bank and Silicon Valley Bank. And we want to kind of use that as as part of the way we talk about BECs today.

But anyway, I’d like to introduce Special Agent Jeff Collins today and give him a chance to introduce himself. So hey, Jeff, thanks for coming on with us today. 

Jeffrey Collins (FBI)  4:34   

Thank you. It’s my pleasure. It’s really good to be here today. 

Ian McShane  4:37   

Yeah, great to have you here. One of the things we’d like to do is really understand how our guests or folks that appear on the podcast, got into cybersecurity and what their path was to get into that. So if possible, would you mind telling us a little bit how you got to where you are today? 

Jeffrey Collins (FBI)  4:53   

Sure, you know, I’ve been, I guess interested in computer technology since I was very young and just kind of navigated toward working in information technology, worked in various private sector companies over the years. But I guess I always felt like I was lacking a sense of fulfillment, and mission and purpose. And so I was I was kind of looking for that in the same field.

But I’ve always sort of enjoyed helping people and kind of trying to make a difference. And so I just kind of was on a path to government work, something that would help the American public and try to help the world in a sense, and still use my passion for technology. 

Ian McShane  5:48   

That’s great. It’s funny to hear so many folks in cybersecurity use the same words as like, mission and wanting to do good in general. So what kind of educational background do you have? This is something that you went through college with an eye on computer science, or did you take a path less trodden than that maybe? 

Jeffrey Collins (FBI)  6:06   

So both my Bachelor and Master’s degrees were in information systems, and I was passionate about implementing systems in a business environment. But when I got into my master’s degree, my program had a security emphasis, so a security concentration that I was able to choose and elect to take. And so I started into those courses and thought, ‘Okay, this is what I love.’

I love securing things, I love, kind of the hunt for going and looking for bad activity in a network. And it just presented a unique challenge that I hadn’t encountered up until that time. 

Ian McShane  6:52   

Gotcha. Yeah. And so, how did you get to know Adam? I’m interested to know if you’ve got any dark secrets or awesome stories that you’ve got about kicking doors down or something like that?  

Jeffrey Collins (FBI)  7:02   

Yeah. So it’s actually a great story. More than 15 years ago, Adam had moved into my neighborhood. We both lived in Southern Oregon. And he had moved into my neighborhood. And I met him at an event with some other friends and asked him what he did. And he told me and, and I immediately said, ‘Hey, that’s my dream job.’

I clearly remember that day of saying, that’s my dream job. And he was like, ‘really, you know, you’d be perfect for this.’ You’re passionate about cyber and security. And that’s exactly what we need in the FBI. And looking back to that moment, that was really the kickstarter to kind of where I am today. And Adam helped me sort of navigate the process of applying. And actually, we had started a workout group with a bunch of buddies in the area, and really with the goal of getting me in good shape to pass the FBI’s fitness test. Great memory.

And then fast forward, Adam and I ended up working together in Salt Lake City for the FBI, and so good friend for many years. 

Ian McShane  8:13   

That’s great. So just talking about the FBI, then what is your typical workday, work week looks like for you, and when you’re thinking about cyber and all those kinds of things at the FBI? 

Jeffrey Collins (FBI)  8:25   

So I oversee our FBI, Salt Lake City cyber task force, which is made up of local state, federal officers, analysts, computer scientist, a number of different roles. And we all sit in one space in our FBI office in Salt Lake City, and we cover any cyber investigations for Utah, Idaho and Montana. That’s kind of our area of responsibility.

And my day mostly consists of working closely with my team to try to further our cyber investigations. And so we’re looking to identify those that are attacking US citizens and try to locate them, and hopefully bring them to justice. So that’s that’s kind of what we’re working on. 

Adam Marrè  9:14   

Yeah, I often say it’s one of the greatest things I did in the FBI was getting Jeff to join because he’s had a significant impact. Internationally, he’s done investigations all over the world. Most recently, he was a legal attache, which is an FBI position and embassy in Japan. So he just spent about three years there, right?

Jeffrey Collins (FBI) 

Yep, that’s right.

Adam Marrè 

Yeah. Just recently returned from that to lead the task force in in Utah again. So yeah, really great to have you, Jeff. Glad to reunite here on the podcast. But let’s jump into the topic du jour. Could you just give us kind of a high level of what a business email compromise is and, who’s targeted and how prevalent they are today? 

The Growing Danger of BECs

Jeffrey Collins (FBI)  9:59   

Yeah, you’re right, a business email compromise the term itself is not broad enough, because it’s making you think of an actual business. When that’s not the case, it can affect anyone it can affect a potential homebuyer, anyone who’s essentially dealing in some sort of electronic financial transaction, it’s preying on those people, and preying on all of us, because we trust email.

And so it’s a scam that’s meant to target someone who’s using email and trick them into wiring funds to a fraudster, to an attacker, simply put, to divert those funds from a legitimate source to the attacker. And that’s accomplished in any number of ways, but they’re extremely prevalent today. Billions of dollars in loss every year. And it affects from the smallest business up to the largest corporation. And they’re extremely successful. 

Adam Marrè  11:06   

Can you just walk us through the story of one of these, I know you’ve investigated tons, but not giving details of a specific victim, but just kind of walk us through one iteration of what this might look like. 

Jeffrey Collins (FBI)  11:17   

So really the way these might work, it takes a little bit of time to plan, the bad actor might be doing some research, looking into a company trying to identify the employees in that organization, they may look at their profile on LinkedIn, try to identify targets of interest. And really, their goal is to try to then target that employee, either compromise their email, and get into their email, or try to impersonate them with a spoofed email.

And then, once they’ve gained access to that email account, they’re going to use that to insert themselves into an ongoing conversation. So the bad actor may try to just watch someone’s email. They get inside and watch and wait and look for that opportune moment where they can jump into that conversation, pretend to be one of the parties in that conversation. And then say, ‘hey, instead of wiring the funds to this bank, we made a change, and we need you to send it here instead.’

So the person on the other end is not expecting that to happen right? They’re not expecting to all of a sudden be communicating with a fraudster, they think they’re still emailing back and forth with someone they trust. And so the bad actor is able to change those wiring instructions and convince that person to send the money to them instead. So it’s really that simple. 

Adam Marrè  12:54   

And say, I’m going to buy a house. So it could just be I’m talking to the title company, I need to put something in escrow or do the down payment. And someone’s sitting in their email just waiting. And then as soon as they get the wiring instructions, they’ll quickly send an email right after that. It’s like, ‘oh, sorry, those aren’t the right ones. These are the right ones.’ 

Jeffrey Collins (FBI)

For sure.

Adam Marrè 

And then someone will send the money. And so that’s just like a regular person, not even a business.  

Ian McShane  13:17   

It’s not even a business. That sounds very similar to something that I think is called like CEO, scams, right? Where, and I’ve certainly had this a few times where I’ll get a WhatsApp message from an unknown number. And it’s like, ‘Hey, this is Nick Schneider, CEO of Arctic Wolf, I’m in a conference, can you do me a quick favor,’ blah, blah, blah.

And inevitably, it ends up the CEO needs $5,000 in Apple gift cards or something ridiculous. But is it similar? Is that kind of attack similar or linked to the same kind of criminal activity? 

Jeffrey Collins (FBI)  13:49   

Definitely. And usually the same set of actors. So they’re just trying any number of schemes to target people that would deal in some sort of financial transaction. 

Ian McShane  14:01   

So business email compromise is really quite a misleading term, really, for an umbrella catch all for this kind of thing? 

Adam Marrè  14:08   

Yeah, I recently actually had a friend reach out to me and say, they used actually a merger and acquisition and m&a activity as their cloak for this.

So apparently, I don’t know if they’ve compromised someone’s email or not. But they got to the controller of the entity of the company that was in another country and pretending to be the CFO said, ‘Hey, we’re doing an m&a. I need you to transfer this money from one of our entities to another, don’t tell anyone about it, because it’s m&a.’ So that’s how they got the secrecy thing. And it’s really urgent because we’re trying to buy this company.’

So how much is that good, like creating a sense of urgency and don’t tell anyone out and that kind of stuff? How much Jeff does that come into BECs that you’re seeing today? 

Jeffrey Collins (FBI)  14:54   

Yeah, that definitely plays into it. You know if you can express some urgency and get the person to wire the funds quickly it gives the victim organization less time to react, less time to confirm that it’s legitimate or not. And you’re trying to get them to send it fast. And then they can steal the money and move it on as quickly as they can. So yeah, definitely the case. 

CEO Fraud Tactics

Adam Marrè  15:22   

And I would say another aspect. And this is definitely what Ian was talking about CEO fraud, which is I think a type of BEC would be like, attackers watching the social media of executives, to see where they are, and then using that information in there spoofed or taken over email to gain the kind of be more legitimate, like, ‘Hey, I’m on vacation,’ and the person knows, ‘yeah, CEO is on vacation.’ What have you seen of that kind of activity out there? 

Jeffrey Collins (FBI)  15:49   

Yeah, that’s definitely the case, we’ve seen often where the bad actor will impersonate the CEO and they know the CEO is on vacation. They know they’re on a tropical vacation, possibly on a boat where they might not have cell phone coverage. And the bad actors going to insert themselves and say, ‘Hey, I’ve only got cell coverage for a couple minutes. And I really need you to wire this right away, I’m going to be losing coverage here momentarily. So please send this wire as fast as possible.’ And again,  preying on a sense of urgency, but we see that quite a bit. 

Ian McShane  16:33   

It’s funny, it’s not funny at all. But I was thinking of this exact thing earlier this week, mentioned the SVB bank happened recently. And I saw a lot of startup founders commenting on LinkedIn saying, you know, ‘SVB has been great to us in the past few years, blah, blah, blah,’ or other saying ‘our company isn’t affected, even though we had a presence with SVB.’

And what I’m thinking is like, that’s just opening yourself up there, you’re really oversharing on LinkedIn and opening yourself up to that kind of fraud, I would be as an attacker then looking at those companies for someone in the accounting department that maybe has only been there a short amount of time and is looking to make a good impression and be like, ‘hey, urgent issue, we now need to move it from HSBC, which we told the world we move to from SVB, and blah, blah, blah.’

So often, when I when I hear people talking about social media, and the risks of using social media its more about Facebook and Twitter that comes to top of mind, but certainly, this week, for me, the level of transparency on LinkedIn was interesting. And I can imagine opens them up to some specific targeted attacks there. 

Jeffrey Collins (FBI)  17:40   

For sure, you definitely want to limit what you post anywhere, personal or professional, because the attackers will use all of that to their advantage. 

Adam Marrè  17:50   

Yeah, so when there’s a big event, like, a worldwide event, some sort of disaster, a war, something breaks out, we all know that phishers use this, in general, and then they send out that sort of shotgun effect to everyone, ‘hey, we’re collecting money for the Red Cross ‘turns out to not be right. And that kind of comes out.

This seems to be a little bit different calamity with bank issues, banking issues around the world, reverberating from this SVB issue. How could you see attackers using this and the kind of information that Ian was talking about on on LinkedIn and social media for a BEC attack? Like, how would this be right for that kind of thing? 

Jeffrey Collins (FBI)  18:36   

I think the attackers are literally watching the news and looking for these events, and then crafting their fraud as a result, and thinking about, ‘how can we trick someone?’ And so they’re thinking, ‘what would that person expect to receive in an email,’ and then they are orchestrating a fraud around that.

And with these bank closures, I’m sure that many people are moving their funds, they’re emailing with their investment companies and requesting that funds be moved, and they’re trusting that email transaction and so, if the fraudster can just get in the middle of that conversation and prey on that, ‘hey, we’re losing money, and potentially you’re going to lose it all.’ Any day now, if this bank collapses, and so I could see that these bad actors are preying on that and can easily convince people to move the money somewhere else. 

Ian McShane  19:46   

Yeah, that makes sense.

Okay. Last question for you, Adam. So, obviously, there’s threat actors looking for opportunities and I’m sure Arctic Wolf being Arctic Wolf, we get plenty of those. But what’s the kind of guidance you give, Adam, as a CISO to the employees, like, how do you spot these types of attacks? Whether it’s through email, whether it’s through WhatsApp? How would people look out for these? Because by their very nature, they’re supposed to be realistic, right? 

Adam Marrè  20:15   

Yeah. So first of all, you target the folks in your organization that have access to this, right, they can transfer money, they have access to really important employee information.

I mentioned one, this is one I investigated, where it wasn’t a wire transfer, it wasn’t moving funds to a bank, it was actually getting the W2s of the employees so that they could commit tax fraud, tax refund fraud, right.

So there are other things, I’ll target an HR employee and say, and in that case, it was pretending to be the CEO, ‘hey, I need you to do this really quick. And you zip up all the 5000 WTS for the entire company and send them to me,’ you know, it ended up being a spoofed email address.

So there are different versions of this, what you got to do is you got to find the people that in the finance department, maybe procurement, HR, and you need to train them specially, and have them set up procedures that have controls.

In other words, you’re never going to change the banking information based solely on an email, right, you’re going to do it based on an email and a second step of verification, where I’m actually talking to the person, or we have code words, or certain phrases, or we only do it through this one system that you have to log into.

Because now, I’m getting a little deep here, but like we get deep fakes voice, right. And so you could be having a voice call. And it could sound exactly like especially if it’s a figure that’s done interviews and things in there, we can pretend to be that voice. But making sure you have controls in place to and three levels of verification, before you do things like transfer money, and making sure all your different departments have that. So if someone asks them to go out of band, they say no, and they don’t do it for anyone, not the CEO, not anybody to go out of band to send W2s, you only do it through this system that everybody has to log into.

So that’s step one, figuring out where those important places are, and putting the right procedures controls in place, technical and procedural to make sure that you are very resistant to fraud and this kind of scam.

The second thing you do is you want to make sure you have an education campaign for all of your employees. Because I mean, you see these on LinkedIn posted there all the time and other places where your CEO hits you up in a text and says, ‘Hey, so and so can I can you help me out?’ Yeah, and then ends up being you know, I need you to buy Amazon gift cards, whatever says, right?

You just need to make sure everybody knows, hey, this is never gonna happen. Right? You can just ignore those or report them to the security team. And then there may be more targeted ones. And that’s just where the general security awareness training comes in. And what’s great is when you see those, when your security team sees those, record them, keep them and then use them in your next security training. So you can show your employees, ‘hey, this happens to us. ‘And here’s one that came to employees, that did the right thing to report it to us. So those are two of the things that I see that I do in my organizations to try to make it so that we’re resistant to this kind of attack. 

Ian McShane  23:19   

And so that’s great for, you know, an organization of our size or a, fairly sophisticated organization. Jeff, what can I use this I use the word ‘normal’ in air quotes, what can normal people do to protect themselves against this? Because again, you know, if you don’t have the guardian angel Adam Marre, looking over your shoulder for you, like how are you going to detect these things? 

Jeffrey Collins (FBI)  23:44   

Yeah, I mean, it is difficult. But I think there’s a couple of things, right. So if the attackers are using phishing emails to target everyday citizens, then you need to do things that protect you from phishing emails, essentially. I mean, it’s that simple and you should be wary of any email that comes into your inbox, regardless of who it’s from, and should take steps to verify is it really from that person, and especially if it asks you to do anything. If it asks you to fill out a form, input your password anywhere, open an attachment, you should be very cautious about doing that.

And the easiest step is verifying that it came from that person and calling them confirming ‘Hey, did you really just asked me to input my username and password in my bank account website?’ You know, really that simple? So I guess that would be the first thing I would say to do. And like Adam said, if you’re at a business, even a small business, you should have some sort of procedures steps in place to have multiple levels of approval before any funds are sent. 

Ian McShane  24:59   

Gotcha, that makes sense. And one of the things I’m really passionate about when I talk to customers or organizations is understanding that they need to have a plan, and only then they need to have a plan. But understand that they need to know what that plan looks like, what was that was the Mike Tyson quote, like, everyone’s got a plan until they get punched in the face.

I get a lot of people telling me that they’ve got ransomware plans, but they’ve never tested them. And you know that something that sits in a Word doc that the staff frankly have no idea about? So if someone thinks that they have experienced a BEC attack, or they’ve realized they’ve transferred money, what should they do? Are they ever gonna get the money back? Should they just give up and carry on? Where should they start?  

What to Do After a BEC Attack?

Jeffrey Collins (FBI)  25:46   

Yeah, I guess the very first thing they should do is call their bank. If you think you’ve sent the money to the wrong place, call your bank and report the fraudulent activity, they may be able to help freeze or reverse the wire transfer. Even sometimes, once they’ve gone out the door, they can be reversed. And, you know, especially if that money hasn’t been withdrawn at the other end, they might be able to help you reverse it, and then the next thing I would say is immediately call the FBI, call your local FBI office, or report the activity at our Internet Crime Complaint Center,

That’s where we encourage the public to file complaints of this nature, we have teams that are monitoring for this type of fraud, and the moment we get a report related to this, it’s getting sent out to the appropriate office to work on it. And the FBI actually can often help in freezing and reversing those funds. I’ve had several instances where we’ve been able to do that for victims.

But time is of the essence, if the victim can report it quickly, we have a much better chance of helping them out. We’ve even had one here in Utah, that was upwards of $20 million in loss. And we’re actually able to get that frozen and reversed and get all the money back to the victim. 

Adam Marrè  27:17   

Yeah, that could be like a company ending level of money for many companies. 

Jeffrey Collins (FBI)  27:23   

Yeah, that definitely happens where this puts companies out of business. Completely.  

Ian McShane  27:29   

So yeah, you make an interesting point. And it’s gonna sound like it, but I remember he told me a few podcasts back that any business can pick up the phone and ask the FBI for help. And number one,I was blown away. And then recently, I’ve been glad to find that I was not the only person that didn’t realize you could call the FBI for help. But it’s genuinely the case, you can just look it up in the phone book and call your local FBI office, knock on the door and say ‘help?’ 

Jeffrey Collins (FBI)  27:56   

That’s 100% True. We really are here to help. We can’t go out and talk to everyone, we just don’t have that many resources, but we’re going to do our best to, you know, it’s really our goal to establish relationships with the public. My cyber team, specifically, we would love to connect with companies in the area, establish a relationship with them. And really, our goal is to establish that relationship before there’s ever an incident. So that when that incident happens, they know who to call, we already have a relationship with them, and we can respond and help in a timely manner. 

Ian McShane  28:37   

I would love to see, I don’t know if it’s something our marketing group can can help with. But I would love to see a campaign for all of our customers to like, call your local FBI office once a year or something, at least introduce yourself. 

Jeffrey Collins (FBI)  28:47   

Yeah, that would be great. We would love that. 

Adam Marrè  28:49   

Yeah, that’s awesome. And I love the point you made Jeff about time being of the essence. And just a point I want to make there is I think it’s really important not to kind of victim blame here. Because the faster an employee can report it, so if I’m the employee, like the poor secretary or controller at a company or whatever, and I did the dumb thing, the first thing I should do is I need to be get involved in fixing the problem and not try to hide it not freak out, right? And just jump in. Because that’s how you’re gonna solve it.

And I think making sure you have that kind of blameless culture in that way, like, ‘Hey, if you do the dumb thing, just trying to fix the error.’ Because I know as the FBI, that’s a way that we come in, we’re not saying like, ‘how dumb were you guys to believe this email?.’ We’re like, ‘let’s just fix it. Let’s, figure this out. And let’s fix it.’

And I think some people are afraid of that. And it is hard. It is hard when you’ve when you’ve done it, then you shouldn’t do that. But I think the point is, don’t worry about that. Let’s just get it fixed. And then we can figure that out later. 

Ian McShane  29:53   

Can you imagine being the guy or girl that will go click the button to send that $20 million and you know, when you realize I see something bad has happened. You’re like, well, I”m definitely gonna get fired.’ So what do I do here?

And I think, honestly it in most companies, certainly up until a couple of years ago, security was the stick that people were beaten with, rather than a carrot to help people improve their behavior. But I think that’s certainly starting to change as I think the culture of this blameless society or blameless cybersecurity society or community is going forward.

And honestly, the amount of times I try and talk to people about building trust between security and the workforce, because even today, the majority of someone’s detection and response is going to start and end with an employee. And if they know that they are not going to get into trouble by reporting to security, that they think they’ve done something wrong, you’re gonna get faster action there. 

Jeffrey Collins (FBI)  30:51   

Yeah most definitely. Yeah, like Adam said, we don’t name and shame anyone. We’re just there to help. And we’re not there to look for other problems in your company or network. We’re just showing up to try to make the victim whole and try to get the money back as fast as we can. 

Ian McShane  31:12   

Yeah, absolutely. 

Adam Marrè  31:15   

Yeah, well, hey, this has been amazing, Jeff, to have you on and talk about what’s going on with these attacks and in the current threat landscape, so really appreciate your time. Is there anything that you’d like to mention plug or talk about here? While we got you on the podcasts?  

Jeffrey Collins (FBI)  31:32   

I’ll thank you as well, it’s been a pleasure speaking with you all today. I hope that this message affects someone out there and they’re able to take some action and, and prevent a BEC from happening.

My only other advice would be to report everything you see, if you see something that’s suspicious, even down to the smallest, little detail, ‘hey, I got this suspicious email. It’s asking me to do something,’ please report that at

Sometimes, you’d be surprised, even something that small can help us piece together who’s doing this and find them, identify them and catch them. So you could be that one person that helps us solve a major group that’s conducting this sort of activity.

Adam Marrè  32:20   

So yeah, thanks. And that website is is the letter I the letter C, the number three dot gov correct?

Jeffrey Collins (FBI)  32:45   

That’s correct.

If you’re in the United States and want to report some of the FBI and suddenly kind of hurt, I’ll just capture in a different way. It’s not going into a black hole, even though you may not hear back directly what you’re saying people actually look at these reports, and something actually happens with them. Is that correct? 

Jeffrey Collins (FBI)  32:45   

100%. I’ll give you one example. We had a case here, that was a BEC scam, and it was maybe only $30,000 initially, so not a lot compared to some of these. And we were able to take a dozen other reports from the Internet Crime Complaint Center and piece together and show that actually, the person behind this $30,000 loss was responsible for upwards of $2 million dollars and other losses. And that all went into the person’s prosecution. The person was arrested and is serving about nine years in prison for those crimes. So it helps every little bit helps. 

Adam Marrè  33:30   

Yeah, that’s a great story. So IC, the number is a great place if you’re in the United States to report any crime and like Jeff said, it can be aggregated into a bigger case. Well, thank you so much for spending your time with us today, Jeff.

Jeffrey Collins (FBI) 

Yeah. Thank you. 

Ian McShane  33:47   

Thank you. Yeah, it’s been great. Thanks, everyone, for listening. Adam. As always, thanks for your time and your insights, and we will see you next time. 

Adam Marrè  33:54   

Great to be here. See you next time. 

Arctic Wolf

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.
Share :
Table of Contents
Subscribe to our Monthly Newsletter