August 2, 2025 • 50 mins
This episode explores the 'Grandparent Scam,' a prevalent and profitable fraud targeting seniors by exploiting their concern for their grandchildren. Experts Deirdre and John from Ireland's National Cybersecurity Center and the Ontario Provincial Police share insights into the scam's mechanics, the emotional impact on victims, and the challenges law enforcement faces in combating such crimes. They discuss the effectiveness of public-private partnerships, the importance of victim-centric approaches, and emerging fraud trends such as investment scams and bank imposter scams. The episode emphasizes the critical role of education, awareness, and reporting in preventing and mitigating the impact of these cyber frauds.
00:00 Introduction to the Grandparent Scam
00:37 The Emotional and Financial Impact on Victims
01:26 Fighting Back: The Role of Law Enforcement
02:38 Meet the Experts: Deirdre's Journey
04:44 Meet the Experts: John's Journey
06:35 The Global Scale of Cyber Fraud
08:11 Challenges in Handling Individual Fraud Cases
10:24 Community-Based Approaches to Support Victims
14:37 The Sophistication of Modern Scams
20:57 The Grandparent Scam: A Detailed Breakdown
28:01 Understanding Social Engineering
28:19 Cybersecurity Conversations with Vulnerable Populations
28:50 Fraud Prevention Initiatives
31:07 Challenges in Communicating Cybersecurity
32:35 Emerging Fraud Trends
35:35 The Importance of Reporting Fraud
37:53 Future Threats and Scams
40:58 The Role of Public-Private Partnerships
41:46 Final Thoughts and Next Steps
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
It is called the grandparent scam.
It sounds relatively simple.
Fraudsters who prey on seniorsoften by using their grandchildren
as the driver of the scam and theirgrandchildren have been arrested in
an accident in desperate need of help.
It sounds simple, butit's very powerful and
(00:24):
it's huge in terms of its dollar impact.
It's hugely profitable and it's impossibleto estimate how much has been taken,
but people think hundreds of millionsor even billions of dollars , but we
can't get lost in the dollar impact.
The thing that always hits me is thatthese are real people who are often
taken for almost everything they have.
(00:46):
Lives are ruined, retirements are ended.
Life savings disappear.
But as terrible as it is, as a crimeof property, these people also suffer
in silence because they're ashamed.
They think they've been foolish andthey think they're to blame when in
reality they're dealing with expertsat human psychology and manipulation.
(01:09):
And if we're totally honest, we'veall been fooled at some time in
our lives . The fact is everybodyis potentially vulnerable, but
these people don't see it that way.
So they have the loss of everythingthey have and the shame of feeling
that they've been failures.
But there are people who are fightingback on behalf of the vulnerable,
and they do it day in and day out.
(01:31):
It's their job.
And if the victims are unseen, so areall too often these modern day heroes,
police officers who have dedicated theircareers to protecting the vulnerable,
it's tough and often maybeeven heartbreaking work.
You can't help everyone.
But there is also a myth that thebad guys, and that seems like a
(01:53):
trivial phrase, I'm gonna callthem evil criminal psychopaths.
There's a myth that there's nothingthat we can do about these so and sos.
But that's not true.
Sometimes the good guys win.
That's what I wanted to discuss inwhat I hope is the first of a series
of episodes on law enforcement and howthey deal with cybersecurity scams.
(02:16):
The show is largely about what's calledthe grandparent scam, something it has
been and probably remains as scourge,that affects seniors and others who
are vulnerable, but it also exploressome of the other aspects of law
enforcement and it features two ofmy favorite law enforcement friends.
I'll let them introduce themselvesas we join that discussion.
(02:38):
. I wanted to get you tointroduce yourselves so that
the audience gets to know you.
Deirdre, can we start with you and just.
Tell us, tell the audience who you are andhow you got to where you are right now.
Yeah, absolutely.
So I currently work in Ireland'sNational Cybersecurity Center.
But I started my career after brief stintas a postdoctoral researcher working
(03:00):
with our police service on Garona.
So as a civilian analyst.
And I came in working on big,kind of strategic issues, looking
at volume, crime looking at waysto prevent and disrupt crime.
And I did that for a couple of years andthen I went working in a local police
station in a division, in a more still inan urban location but outside of Dublin.
(03:21):
That's actually where I really gotinterested in the impact the crime
has on people, because it was a muchcloser connection between the crime,
the perpetrator, and the victim.
So still worked on some seriouscrime, but also high volume crime,
like theft, burglary, and duringthat time I got interested as well
in the fact that increasingly crimewas leaving a digital footprint.
(03:42):
And how to investigate that andhow to deal with that properly.
And it was still a relatively newphenomenon or evolving phenomenon
when I was working as an analyst.
So I went and did a master's oncomputer forensics and cyber crime
investigation for law enforcement.
And that's where I really gotinterested in the area of cyber crime.
I also spent a couple of years beforeI left on Gort na Móna working on our.
(04:05):
Strategy or corporate strategy,our policing plans and making sure
our annual plans translated downto the divisions and had an impact.
And implementing a number of highlevel recommendations around future
policing in Ireland, which reallyrelated to evolving our police force to
keep pace with the changing landscapeand the changing threat landscape.
(04:26):
And that involved working in terms of our.
National Cyber Crime Bureau and EconomicCrime Bureau working on staffing equipment
and transformation programs there.
I'm really excited to, to be hereand to have this conversation today.
So John, tell us a little bit aboutyou and how you got to where you are.
(04:49):
Certainly.
I started at immigration workingin modern war crimes, and then
I applied the Ontario ProvincialPolice because they wanted to stay.
Within the province of Ontario insteadof going to the RCMP where I worked
general patrol, and that's where Istarted getting exposure to frauds.
Then I transferred to a major crimeoffice in a county, Lennar County.
(05:10):
And with the new detectives, theyput you in frauds and sexual assault.
So I cut my teeth at that level.
Then eventually I. Entered into theanti rackets branch and the unit is the
Economic Crimes and Corruption Unit.
So I started there in 2015 and that'swhere we look at major economic fraud.
(05:31):
And as technologies evolved, we startedseeing more cyber enabled frauds and
then I did three secondments over tothe Canadian Antifraud Center as a law
enforcement liaison officer workingwith law enforcement nationally and
internationally, and that's wherethey gave me a lot of exposure to
the globalization of cyber fraud.
(05:51):
And how, one victim in, a smalltown could be targeted by organized
fraud groups around the world.
So it really opened my eyes to how complexand the scale of these cyber frauds
that are occurring around the world.
Yeah, it's really interesting and fromthe Canadian aspect of it, I've just
(06:13):
been so aware of how many groups havebeen here in our own province of Ontario.
Th there are a lot of, Iguess you could work anywhere.
It's telecommuting, but it's just amazing.
And I don't know if it'sthe same in Ireland.
Is there a reason whywe're targeted at all?
(06:35):
Yeah, I think the scale and theability of fraud as a service
and the use of technology allows.
Really anyone around the worldto be targeted as a victim.
So although we see it in Canada,I think, based on countries with
larger population, they're beinghit at the same rate as we are.
(06:55):
Anyone and everyone is essentiallya target online and through social
media with the deceptive techniques.
So when we look at Canada in ourpopulation of 40, 41 million we
see the exact same thing at scalein the US or in Ireland or Europe.
So the organized fraud groupshave just figured out how to
(07:15):
really use social engineering.
I think that's where a lot ofpeople really get victimized.
Yeah, absolutely.
I'd agree.
It, and it lowers the barriers toentry you or your traditional crime.
There are geographical or environmentalconstraints when it comes to online fraud.
They're removed.
(07:36):
And then you have the ability toincrease your own technical capability
or capacity by using online services tohelp you to, to per perpetrate the crime.
So it does lower that barrier toentry for a lot of criminals and
removes the geographical constraints.
And we would see very highlevels here in Ireland as well.
Obviously police service won't havethe full picture, but there's a lot
(07:58):
of really interesting surveys beingdone to estimate the true scale of it.
And we have some figures here,like a housing instance, a day, and
our population is only 5 million.
Yeah.
So
I guess the question thatpeople have is how do you.
(08:19):
How is this type of individualfraud perceived and dealt
with by law enforcement?
And I mean that because it's onething if a company gets ransomware
or is robbed or things like that.
Police have been dealingwith that for decades.
In terms of corporate robbery andthings like that, but the explosion of
(08:44):
individual fraud, the ability to handlejust that many cases, how do you cope
with that?
I. It is a real challenge.
I know within the OPP and a lotof police services, we're looking
at a victim centric approach onhow we handle an individual that
contacts a detachment and says, I'velost significant amount of money.
(09:04):
It's not even the loss of the funds.
It's a loss of their trust in.
Society as a whole we're seeingthese spoofing where they're
purporting to be law enforcement orgovernment or trusted businesses.
And I think it makespeople become recluse.
And when we do deal with that and avictim comes in, we try and provide them
(09:24):
supports on how to help them rebuildtheir lives and their confidence.
It's a really challenging.
Situation, especially when we'redealing with elderly people.
When we look at the grandparent scamsthere's a sense of safety that's lost.
The volume is extraordinarythat we're seeing across Canada.
So to try and manage it at scaleI. Is a very delicate balance on,
(09:45):
how do we support the victims?
Can we disrupt what the bad actor'sdoing to, can we help recover any funds?
Can we help the victimsget back on their feet?
And then how do we hold those people thatare committing these offenses accountable?
Especially when they're usingtechnology that masks who they are.
It's a real challenge.
But I think.
When we look at the Australian model,they've really figured out how to
(10:08):
hold organizations and institutionsaccountable and how to compensate
the victims and how to support them.
That model is really interestingto see what's happening.
'cause there's been a de declinein, in cyber fraud in Australia
as a result of legislative changesand changes with organizations.
I think that's a good point with alot of, with crime, even in general
it's a whole of society or a whole ofgovernment approach that you need to
(10:31):
follow to actually prevent, disrupt andsupport those who have been affected
So similarly to, to Canada, Irelandhas a very victim centric approach.
We've always followed a communitypolicing model and the victim is at
the center of everything that we do.
And I think inherent in that thenis that challenge around providing
those individual supports whilstdealing with instance at scale.
(10:53):
And providing the kind of expertise,like specific expertise in order
to deal with these incidentswas having the general expertise
around victim centric approaches?
Yeah I think when you look at, whenwe look at what we've done in the
OPP we've created a community serviceengagement officers and we've created
a PowerPoint presentation that allowspeople, in the organization to provide
(11:17):
these presentations and awareness pieceto their community, and they can tailor
it to the needs of the community.
And so when we call it the communitymobilization model, when we actually
see that there's a victim that's beentargeted this, then we, I. We bring in
services in the community to help supportthat person go through that sort of the
triage of the event the post event andhelp them try to get back on their feet.
(11:41):
So I really think.
Doing podcasts like this or bringingawareness out, I think that's the key to
having people recognize what is comingat them and how to reject these sort
of social engineered frauds that arecoming at them and then report to the
police or the Canadian Fraud Center.
And I really think having acommunity-based approach really
(12:02):
does help mitigate the amountof victimization that we see.
Or at least help them cope with it.
It's, one of the things that I thinkwe're all aware of, and I've said
this before and probably maybe theaudience is maybe bored of hearing
of it, but I do keep bringing it up.
My father told me he'd been defraudedand I. My father's a very well.
(12:24):
He's dead now, but he wasa very intelligent man.
He was well educated.
He was a big person in the communityand middle of the night, two in the
morning, and this is the old style, agrandparent scheme, , middle of the night.
Two in the morning, and we have, oneof my brothers has been in trouble.
There's no doubt about that.
(12:45):
He's had some issues and things like that.
We're a wide, big family.
Adopted, some of the kids,had tough upbringings, but my
parents brought them along.
So middle of the night, gets a call,needs bail, or whatever it was.
And it took him years to tellme this because he was ashamed.
And he knew after he sent themoney, he knew it was wrong,
(13:08):
but he didn't know what to do.
And I think that shame part ofit is one of the things that I
think these crooks depend on.
And so the community piece is big, but howdo we are we breaking through that shame
barrier with what we're trying to do?
I think we see some positive changes.
(13:30):
I, we see organizations like Interact orthe major financial institutions actually
putting information out there, whereasbefore it wasn't communicated as much.
For instance, even on Amazon, I wentto order something and boom, I pop up.
This could be a fraud or here are signs.
I think we're doing better atcommunicating that when you're looking
(13:51):
at the elderly that are targeted or olderpeople we're seeing a cognitive decline.
We're seeing they're sensitive to maybetheir family members are at the edge
where they put them in summer assistedliving, and it's that loss of independence
and that loss of sense of, pride.
And so I think they hold that inoftentimes and not tell their children.
(14:12):
And it's a real challenge breaking downthat, that stigma when we look at the
grandparent scam investigations we'vehad in Ontario and we had one particular
victim who lost $600,000, I think it wasthe West coast because she had cognitive
decline crew member the day before.
Four.
So it, it's a real challenge as peoplestart to lose their cognitive ability.
And you're right, there is, there'sthat insecurity piece that we see.
(14:37):
Do you think as well that we put out alot of messaging, but people still feel
yeah, but I wouldn't fall for that.
I think there's some interesting, that wethink we're communicating, but maybe we're
not always communicating enough or in theright way through the right channels and.
Really emphasizing that anyone can fallfor these because, if you get a call
(14:58):
in the middle of the night, you havevery little time to think there is an
emotional response that's gonna makeyou way more susceptible to falling.
For this, you're not super immunejust because you're more educated
or more formed than someone else.
You, you're still subject tothese social engineering tricks.
They do.
They're used because they work.
(15:19):
I think everybody's su subjectto this, and I've, again,
I've told this story before.
I'm extremely cautious.
I run a cybersecurity podcast.
I'm going to be hacked.
That's not, it's not if it went,I'm going to be hacked if I haven't
already been in and, but I tryto be as careful as possible.
I do everything I can beas careful as possible.
(15:43):
Saw a note from my other brother.
And he he's had some family problemsand his, his mother-in-law was dying.
There was just a whole pile ofhurt that was going on in his life.
And I get a note from, I seehis name and I click on it.
And I go, oh my God.
I haven't, I don't click on stuff.
Yeah.
And, but so everybody.
(16:03):
Can be set up.
And as I, I think as my interview withOperation Shamrock pointed out, there
are PhDs who are working with fraudsters.
These are not, I think everybody stillthinks of the Nigerian Prince, some guy
in a room and it's really done poorly andbad spelling and all this sort of stuff.
These are very sophisticated crime units.
(16:24):
That, that, that do this.
And they're knowledgeable.
They know what buttons to pushand how to get you to react.
And I think the other thing I think is,you guys tell me, but I think they take
more time than people think as well.
This isn't just iPhone, you scam you.
These people really work at it.
That's really interestingyou mentioned that.
(16:44):
Because it is a business for them,and they put a lot of time and effort.
They choose their people.
They're quick to be able to pivot.
They come up with a verysophisticated script.
When we look at TV shows and moviesthey're really authentic when you
see them about how policing operates.
These bad actors will embrace that.
They'll talk very authoratativewhen they develop their script on
(17:07):
how they're gonna pitch it to thevictims they use terminologies
that law enforcement would use.
Especially in this grandparent scam.
I. They, they prey on that senseof urgency like Deirdre was saying,
in, in the middle of the night.
And we as humans, we wannahelp out our loved ones.
We want to solve that problem and we'lldo anything to protect our loved ones.
(17:28):
And when that chaotic call or messagecomes in, it's that fight or flight.
How do we go about triagingit and making things right?
And I think a lot of peoplehave the good nature in them.
And then it's only after they'vebeen victimized that they realize,
oh my God, there was all thesered flags that went along with it.
(17:49):
Maybe the terminology wasn't right.
It's very exhausting to hear someof these things from the victims
because you just see that senseof trust that evaporates and now
they feel so vulnerable afterwards.
Like when you were talkingabout the corporate aspect
versus the individual aspect,
I think shame is a huge piece.
Yeah and what you should be doingis you should be taking action
(18:11):
and reporting where it's actuallylike everyone is looking at going.
Maybe I'm wrong.
Maybe I didn't get scammed.
Maybe I'm right.
You're trying to maybe justify youractions or hide what went wrong.
It's a natural human emotion.
Very difficult to overcome.
Yeah.
And are police forces set up totake, if they actually, if we could
(18:32):
convince people to report quickly,do we have the breadth to be able to.
To take that amount of, that's a lotof people being scammed out there.
Would we be able to eventake the number of calls?
What's interesting you mentionthat because we've seen.
The numbers of reporting thenumbers of losses just escalate.
When I started the Canadian AntifraudCenter, the reporting that we received in
(18:54):
2020 was 164 million in reported losses.
As of 2024, we're talkingabout 648 million in losses.
My friend Dave Coffey, who doesmedia for the Toronto Police and
Awareness, he said Toronto Policelast year had reports of over.
Almost 400 million in reported losses.
When we look at the states, we'retalking about $17 billion in losses.
(19:15):
So just in Ontario alone, that's astaggering amount of money that's lost.
So when we look at what the calls forservice the officers or the detectives
have, they're being overwhelmed with,petty crime or domestic violence and
what have you, the human trafficking.
And then to add on cyberon top of that it's a lot.
So that education pieceinternally is a big thing and
(19:36):
we're really working on that.
And then we're working onthat support mechanism.
It's a real challenge at scale to, tohandle all these victims coming in.
And that's why when we look atOperation Shamrock, that website
that they host is incredible.
Aaron West is doing such agreat job and they just put so
much good literature out there.
The Canadian Antifraud Centerwebsite is very great as well.
(19:56):
When we look at what to do if you're avictim, so they have these steps, within
the OPP, each detachment has mentalhealth nurses and support mechanisms.
So if, we identify a victim that hasthese needs, we can start support
them and then we can start conductingthat investigation at the same time.
So it is real challenge and we'reworking up at scale in the, at
least in our organization, to tryand tackle these investigations.
(20:19):
Yeah, and it very muchthe same in Ireland.
In my time in non garish y we put a lotof effort as well in that education piece
internally so that when somebody doespresent a report, the crime, that people
ask the right questions, record the rightinformation, support in the right way.
And I think that's as important asanything else because what you don't want
is that experience where someone reportsand they have a negative experience, or
(20:41):
they're not, they don't believe there'sanything that can be done for them.
They don't feel it was worth their while.
So it's been very similar here.
And I would say also just recent crimefigures, we'll see fraud reporting up,
so I do think that's a positive problem.
People are reporting.
So what are the things that, andmaybe we should just do, take a
brief breather and just go throughthis grandparent scheme just.
(21:04):
Quick outline of how itworks in the modern sense.
Like I said, I think I had untilI actually read your notes,
John, I had a vision of andtalked to Operation Shamrock.
I had this idea that it was still theold Western Union phone in the middle
of the night thing, but it's much moresophisticated . Can you just give us a
bit brief rundown of how this plays out?
(21:25):
What would the average experiencelook like or sound like?
Yeah.
So we started to see this trend in Europeand then it trends, it be, became trends
international where it started hittingCanada and the US And so what we, our
experience in Canada has been is we seethe, these older people that still have
landlines and so the bad actors behind thescenes will essentially look up candor 4 1
(21:51):
1 and identify a postal code and identifyan area that they want to target and.
Based on Canada 411, you havea phone number, you have an
address, and you have a name.
So that's perfect informationto start off with these frauds.
So the bad actors will havecouriers in and around that area
ready to attend the residence.
(22:12):
So what happens is there'll bea phone call that's unexpected.
At any time of the day where theelderly person or the older person
will get the call indicatingthat it's from a grandchild.
And so I'll use an example.
They'll say, Hey, grandma.
Yeah.
Hi.
Who's this?
It's your favorite grandson.
Who is it?
It's Johnny.
Oh, hi Johnny.
What's happening?
(22:33):
My throat's a little sore.
I had to go with the to get some medicine.
You wouldn't believe what happened to me.
I went with a friend.
There was a car accident and we rear-endeda pregnant woman or gotten a car accident.
And the police attended the scene.
They found some sort of drugsor contraband in the car.
As a role result, me and myfriend have been arrested.
Now the police tell me that I'm gonna bereleased on bail, but we need bail money.
(22:57):
Would you be okay to talk to, theofficer and then the second party
involved in this will come with a veryauthoritative voice and they'll say,
this is officer I'm with this detachment.
And they'll use a police jargon andbe very authoritative and they'll say
there's a gag order in place for the, weneed bail payment immediately in order
(23:18):
for your family member to be released.
And what the victim will start thinkingis, okay, I can't say anything.
Can't call mom or a dadbecause they're gonna be upset.
That's why the grandchild's called me.
Now there's instructions onto get funds and it's normally
under a $10,000 threshold.
And so they'll direct the victim to goto their local financial institution and
(23:38):
try and withdraw money out of the ATM.
They'll get a certain amount becausethere's a limit, and then they'll
go inside and they'll talk to theteller, and sometimes they're on the
phone with the bad actors the wholetime, or they've been told what to
say to the financial institution.
So for instance, you needmoney out to help your grand.
Child pay for a car, or we had one victimin that's wired $30,000 in Montreal on the
(24:02):
guys that it was for her sister's funeral.
So they come up, they teach the victims tocome up with some sort of story in order
to get the maximum amount of money out.
They go back home and thenthey contact the bad actors.
And the bad actors say there's a careerthat's gonna pick it up, put it in the
envelope, and put this incident numberon the envelope and hand it over.
And that's how the initial I. Grandparentcamp starts and then there's, they ask
(24:25):
for more money and we can talk about that.
I'm not sure if Ireland's seenthe same sort of pitch but that's
what's happening in Canada.
Yeah.
Si Similarly, we had a wave ofthem, I think around 2021 and 2023
with a similar kind of approach.
I'm not sure if they hadthe couriers pick it up.
Ireland's is a smallergeographical location.
But definitely that, that notso much being on bail, but
(24:47):
being like, I'm just, I'm stuck.
I've had a, crash or I've had a medicalemergency and can you get me some money?
Similar approach but not, Idon't think so much on the bail
front, if that makes sense.
More recently it's been otherkinds of frauds and scans.
(25:07):
Maybe we'll talk about that later.
But yeah, definitely a lot of publicawareness building at that time.
Yeah.
And how did they bridgefrom that to the big money?
You've said, they're taking hundredsof thousands of dollars in some cases.
Yeah.
And so what we see is the secondattempt, they'll know that there's a
chance that police have been calledand maybe waiting for the couriers
(25:29):
and what have you to be arrested.
So what they'll say to them is they'llsay There's been a. A change in the court
process we found additional information.
The Jeopardy has risennow for your grandchild.
In order to get them out of jail.
The bail is set at a higher amount,so they'll say I. Put money into
(25:50):
a professional career service likeour Purolator, our UPS or FedEx.
And just the caveat is theseprofessional career services it's against
their policy to send cash in mail.
So they'll tell them towrap it up a certain way.
They'll maybe put it into an itempackage it up, and then they'll send it.
And what they're doing isthey're sending it to rental
properties or abandoned locations.
(26:11):
And then another.
A person in this organized crime groupwill pick up the funds at that point.
We're also seeing if they don't havecouriers or if they don't have any.
Any capacity to intercept,they'll use cryptocurrency.
So the victims will take the cashout, they'll go to the cryptocurrency,
ATM machine, and Canada is numbertwo in the world for the most
amount of cryptocurrency machines.
Which is really interesting.
(26:32):
So the ability to just take your cashoutta your regular ATM and then go to
a crypto ATM, and they'll normally getQR codes and they just scan it and they
put their money in and then it's gone.
Or they'll wire transfer.
Etransfer the funds to a syntheticaccount that the bad actors have created
using identity, compromised information.
So that's how they get the big money.
(26:57):
And is it some, there's similar thingshappening in Ireland, Deirdre, or that,
because I'm almost amazed at how theyget this much money from old people.
It just, it's a lot.
I'm not working in the policingcontext anymore, so I don't have
detailed information around, aroundthe current kind of methods of
operation, but from what I see, it'sprobably more relying on money mules.
(27:19):
I'm really interested around thecryptocurrency piece because I'm not
sure what the older population inIreland that they would have, for the
vast majority, that they would havethat competency to actually do that.
But certainly there is an issuewith the students allowing
their accounts to be used.
And even now you would still see thatin surveys that people probably don't
(27:41):
really understand the impact of whatthey're doing if they were allowing
money move through their account.
So I think that's probably amore likely scenario in Ireland.
And then for larger amounts, I thinkit's more on building a relationship with
somebody in a trust piece rather than thekind of what you were describing, John.
From what I can see and from whatI know so slightly different.
But again, you're gettingthe same kind of impact,
(28:01):
but it's the same thing.
It, it's, you build a relationship,you create a situation, you
break down the barriers.
You use psychology or you use psychologyeffectively to get people to do
things they wouldn't otherwise do.
That's social engineeringand at its highest level.
What should we be doing about this?
I've recommended, like I said,that I think we have to have
(28:24):
the talk with our parents, whichis really a strange situation.
Used to be you had thetalk with your children.
Now the talk with our parents and withother vulnerable people in our communities
as cybersecurity professionals, a lotof my audience is work in cybersecurity.
What can we be doing thatwould help either to.
(28:46):
Stop this or
at least slow it down.
So while we were launchingour investigation in the op
project Sharp we wanted to.
Figure out how we can get the informationout to that specific demographic.
And we were looking at the olderCanadians and you mentioned this
earlier, there's so much informationcoming at you on social media, on the
(29:07):
news, or what have you that getting,that, that piece out that resonates
with the people is very challenging.
So my task, with this investigationwas to come up with a very robust
media and social media and awarenesscampaign and to see over my shoulder
here, I came up with a placard thatis almost like the locker or lose it.
Red is bad, green is good.
(29:27):
So what we did is welaunched our one week.
Fraud prevention initiative.
And we worked really closely with theRCMP because they're across Canada
with our policing municipal partnerswith the Canadian Anti-Fraud Center.
And so it was a joint effort and we didpodcasts, we did radio interviews, we
did news print we put out media releases.
(29:49):
We did a live chat.
We came up with a graphic in thebackground and we used it on social
media, but then we figured howdo we get to the granular level?
So we work with Ministryof Long-Term Care.
In Ontario.
We work with different groups thathelp elderly folks or older folks.
We worked with Canada 2 1 1 toput that information out there.
(30:10):
We work with the CanadianBankers Association.
To educate the tellers at the branches.
So it was all these sort of layersthat we put together that really tried
to put the information out there.
We were able to get fundingto put advertise on the back
of buses across Ontario.
And we took that model based onin Vancouver where they had big
advertisements on bus stops in a QR code.
(30:32):
So it was that awareness piece.
But I think to get backto the speaking to your.
Your your older family membersis to come up with that code word
that's only specific to your family.
It could be whatever, it could be theword blue so you know who these people
are and to try and target the educationto the children so that they can have
(30:53):
that discussion with the older adults.
And we found that to be very impactful.
That's a really good
idea.
Are there unique waysthat you've, oh, sorry.
Are there, sorry.
Interesting things orunique things you've seen?
From my perspective, what Iwould say is the awareness piece.
Just everything you said, John.
(31:13):
Absolutely true.
And we, we do it here as well.
But from my current role now incybersecurity sector, I think
one of the challenges we have iswe're deeply technical people.
Trying to make that translation intolanguage for people who understand
what's happening and understand whatthey can do and what's in their control
to do in a way that's not intimidating.
(31:35):
And I think that's a challenge because Ithink especially with an older population,
if you start talking about, sure.
It's, a safe website, H-T-T-P-S, checkingthat, checking for the padlock and all.
It can be a little intimidatingif they're not on social
media or technology every day.
So I think there is a challenge therefor us all the time to get better
(31:55):
and better at explaining the risk andwhat's within their control to do.
But certainly like that is whatwe're doing on a daily basis.
And we work very closely withinGarish Kona because we would get a
lot of reports of phishing attempts,emails, SMSs scans going on.
And we would share them withon Garcon and we work with them
around prime prevention advice.
(32:15):
And how to tackle them together.
And it's back to that bit of,it has to be a layered approach.
It can't be one organization on their own.
And what, I guess the questionis what's next in all of this?
What are you seeing that's newthat you, or that's coming up, or
ideas that you think are peopleshould be watching out for?
I think from what we're seeing is the bankinvestigator scam or bank imposter scam.
(32:40):
And it has a very similar mo to thegrandparent scam where it's that shock.
You're getting call from a financialinstitution saying that there's
been a suspicious transactionyour card's been compromised.
And in eastern Ontario we'reseeing the victims being told to.
(33:01):
Take their bank card that's beencompromised and put in a. Envelope and
put your PIN number and the courier'sgonna come pick it up and they'll
secure your funds in a governmentcontrolled bank account until this
investigation's completed and thesting operations been uncovered.
And so again they're targetingthe older population.
(33:22):
And, statistically from theCanadian Antifraud Center, we
see that elderly folks or olderpeople are getting hit 33% more.
Than the average.
And that could be a secondary fraud.
There's almost like a list.
If you've given money out now you'regonna be hit with another type of fraud.
It I see the bank investigator scam reallyjumping up when we look at the numbers.
(33:42):
In 2023 for the emergency grandparentscam, because we did so much awareness,
the reporting to the Canadian AgeFraud Center really jumped up.
So it went up to $11million in reported losses.
During that year, and I think thatwas because we're telling the people
report to your police report tothe Canadian Anti-Fraud Center.
But when we look at the fraudcategories that we saw at the
(34:03):
Canadian Anti-Fraud Center theyhave 30 different fraud pitches.
Now.
Some of the frauds are merged into one.
Title, like extortion, frauds.
But I think the biggest fraud lossesthat we're seeing is investment
frauds and crypto investment frauds.
Again, you may have some older peoplethat, aren't fixed income and want
to raise their their investments.
And so they're looking at these angles.
(34:24):
So that's a trend thatwe're seeing here in Canada.
I think there's a, an underlying thing.
So we see some of thesame kind of things here.
And there's an underlying themearound very limited time to think
or this fear of missing out.
So even if you focus on those thingsas you're red flags if you're, if
either of those things are present,then I think you should be concerned.
(34:47):
There's probably an opportunity aswell just trends that we would see is.
There are certain times whereparticular frauds are going to surface.
So in Ireland, and it might be thesame in Canada, when we have elections
and a new government is formed, oneof the early things they'll do is put
together a program for government.
And that's where they will makepromises around specific schemes and
grant schemes that they're going to do.
(35:08):
And I think there's an opportunityaround those particular times to
specifically raise awareness becausegrants for heating your home or
maybe transitioning to green energy.
Older people will beparticularly interested in those.
And if they're getting SMS to theirphones at the same time as they're
hearing on the radio, it feels real.
So I think there's opportunities for lawenforcement and for everyone involved
(35:29):
in cybersecurity to raise awarenessaround those peak times as well to try
and prevent some of this from happening.
And I think it's the really importantaspect of all this is that reporting.
When you report it to your lawenforcement it goes back to Sir Robert
Peele, the police of the public.
And the public.
They're police.
So police won't know what's happeninguntil they get those reporting from
the public and maybe see new trendsand little nuances that change.
(35:53):
And when we looked at theemergency grandparent scam.
It was really important for usto have the victim's report.
And why did that help?
We knew the bad actors whowere using prepaid phones.
And phone numbers.
And so when and let's not kidourself, they know personal
security on their own end.
So they're only gonna have a numberfor a certain amount of time before
they think it's maybe heated up andthey'll transition to a new one.
(36:16):
So by reporting that new number, thenwe can work with our telecommunications
companies and say, here's a badnumber that we've identified.
Please disrupt it.
So I think.
Reporting to Canadian Fraud Centeris really important as well.
'cause they have this disruption program.
So if you have a bad email, a bad phonenumber, a bad website a bad bank account
by sending that out and of course.
The anti-fraud center complies withprivacy constraints and laws, but we
(36:40):
can send that information out as a leadto these organizations where they can
now do their own investigation and deplatform these customers or clients.
I think that's really the otherpiece that is, is crucial.
And when you talk to Aaron West inOperation Shamrock, that disruption piece
is a real huge piece to their success.
(37:01):
With that reporting piece as well,what's really important is that
then that for your policing, foryour policing management, to, to
allocate resources effectively andefficiently to where you're going to
get the best impact, you need to knowwhere your instances are occurring.
And if you don't have those reportsof fraud, it's not going to get
the resources that it needs.
(37:21):
So I think from an internaland external perspective, that
reporting is really important.
Yeah, and a bit, it's abit like Whack-A-Mole.
And John, you said it, I mean we talkedabout the grandparent scheme, Deidre,
you said there are other ones in Ireland.
There are new ones that are constantlycoming up and they will evolve.
It's the same as withransomware or any other threat.
As soon as you find a way to, to holdthis one, they come up with their.
(37:45):
These people are very creative and theydo an incredible job at advancing this.
The question I have is how wecan cope with that volume of it.
There are other ones, and I'llgive you a couple that, that I
think are gonna come your way.
One is, you mentioned a QR codethat's out in the streets now.
If you see a QR code on thestreet, do not click on it.
Do not, unless you're absolutelycertain where it comes from.
(38:07):
'cause that's another scam.
The other one that we're seeing in Canada,I don't know if you see it in Ireland.
They, we have a nationalbroadcaster, the CBC.
You will find articles from the CBCthat look identical to the CBC telling
you that, a famous Canadian investor.
Has, has found a way to make a milliondollars overnight, and it's approved by
(38:29):
the CBC, and they're very good at this.
So I think we have an explosion.
And just as we're wrapping up, isthere any way we can deal with this?
I think there is, I think it's thatcommunication, that outreach piece.
I think it's thatdisruption piece as well.
So for instance, when I was at theCanadian Fraud Center, we would get
(38:50):
different organizations reach out andsay, I have been spoofed did that actors
will pay for search engine optimization.
And so within the Canadian FraudCenter, we had one member that was
solely responsible for disruption.
And then notifying, various.
So they, they have an ability tosend off the websites for disruption.
(39:11):
I think.
I think trying to report and tryingto disrupt, I think is a big piece.
But it's also letting the public knowwhere is legitimate authoritative
location for that information.
So to go to that instead of relyingon, the top search engine results or
like you said, the QR code having thatpause and think, should I scan that in?
I've seen a video in the US of acrime prevention officer ripping
(39:34):
off a QR code off a parking meter.
And the bad actors hadjust slapped that on there.
So it's really incredible.
It's a real challenge as weevolved in society and technology.
Yeah.
It's gonna get harder because it'sgonna be more difficult to spot
like a lot of the, language issues.
Threat actors will be able toovercome that with the use of LLMs.
They'll be able to better crafttheir messaging and make it feel
(39:57):
more authentic to the geographicalarea that they're targeting.
So this is gonna get harder andharder to spot from that perspective.
And I think also voice and videobe harder to see that this is
AI generated or inauthentic.
And I was thinking about thisearlier as well, and I was thinking
some of it is behavior change.
That you don't leave yourhouse without locking the door.
But you will click on a linkwithout checking or QR code
(40:19):
without checking the link first.
So how do you start to, automaticallydo these things without having to
think about it and think about things?
It probably comes from the youngergeneration up, that upward pressure
as well as the information campaigns,and I think so that the schools
and targeting schools and building.
Media literacy and digital literaryskills at an early age will protect
(40:41):
that generation, but also helpinform the older generations as well.
And Jim, you mentioned it on anotherpodcast that I heard that there was a link
that you got and you were able to put itin AI technology and it actually warned
you and told you what the issue was.
So I think that technologicalcomponent really is important.
But the other aspect is that privatepublic partnership, police can't
(41:02):
arrest our way out of cyber fraud.
It takes concerted effort from government,from private business to social media
companies to law enforcement, to allto come together in, in combat that.
I think that's the real solution here.
Yeah, I agree,
it's all around us.
Facebook.
Is they will not do anything.
I'm sorry.
I'm not a big Facebook fan.
(41:22):
A lot of older people are now on Facebook.
Young kids aren't, and theywill sell ads to anybody.
They don't care.
It's just obvious and, so there's so manyplaces now that people are vulnerable.
I guess it's a it increasesthe increases the.
The number of places thatyou can be attacked from.
(41:42):
It, it's just astonishing.
And yet, I think, and John, thank you.
And Juju, thank you.
I think you, you could have some hope onsome of this, which I think is important,
but if you had one wish, what would it be?
If you could have one wish thatyou could make happen to make
the public's life better or yourjob better, what would it be?
(42:03):
I'll let you start.
Dietra.
Oh yeah, thank you.
The tough one.
Yeah.
I'm gonna actually just buildon the point John made it right.
Information sharing, actually howto share relevant action, actionable
information easily and quickly.
Where it needs to goand who needs to see it.
(42:23):
Because that information sharing is reallykey in cybersecurity more generally.
And it helps to buildresilience and it helps to.
Better learn the how things areevolving in real time, so you can
get that two-way information sharingand public-private partnerships.
I think that, iron all ofthat out would be fantastic.
Yeah.
I think building on that awarenessand education piece my wish would be
(42:48):
that there would be more educationput out to the public and Deidre said.
Talking to kids at a young age, like Idrive my kids to school and in the car
we talk about things and it's amazing.
My dad's sorry.
My son was saying, I justgot this text message.
There's no way that this came from here.
And it's I. Thank you.
My years of droning on forstuff, they've picked it up.
So I think having more the private publicpartnership bringing up that awareness,
(43:11):
I think that will help us through these.
And, your podcast, Jim, is incrediblebecause you raise the bar on
information sharing on here are thethreats, here are the trends here.
You should be aware of that.
And I think that's a real hugepiece that I'd love to see more.
Yeah, because it's areal challenge, isn't it?
When you're constantly beingbombarded with all these reports,
it's to get some kind of conciseand actionable information.
(43:35):
It's really important.
Yeah I it's tough to sort through it all.
Just last piece in this and then I'lllet you guys go but it's the idea of.
Of investment . It's easy totalk about feet on the street.
It's not sexy to talk aboutfingers on the keyboard, so getting
funding is, and getting enoughresources is always an issue.
(43:58):
But if there's something I should be doingas an episode, and we've had this first
chat and I thank you both for it, what if,what should I be doing next as an episode
that, that we could make a big difference.
I think it'd
be really interesting totalk about the job scams.
We're seeing a massive increase in that.
And it's targeting.
Everyone that's vulnerable,newcomers to Canada, maybe
students get in a university.
Maybe we'll try andtransition into another job.
(44:19):
Opportunities.
We've seen this erosion of workfrom home, and I think that's
really appealing to people.
So when you see that coming intotext message, Hey, make this kind of
money work from home, and it's reallyutilizing, crypto and the digital
transfer of funds around the world.
And then you don't even have to havebad actions in Canada to facilitate it.
And so when we look atthe grandparents scam.
We knew that in order to get the cash,they would have to have some sort of
(44:43):
money mule to move the through the system.
But when you look at that sort ofdigital hit and you don't need anyone
in Canada, and then you can use cryptoto get it out, I think that's the
real threat vector that we're seeing.
That's a real challenge to try andrecover those funds or hold people
accountable in other parts of the worldthat may not work with Canada, the US.
It's a real challenge.
So I think that's one we've donethese crypto investment scams.
(45:04):
I think the other one, because I thinkyou'll have a lot of people that are
in business world listening to thisis the business email compromise.
And to me, in my humble opinion, I believethat's one or two rivaling ransom attacks
because it's so easy to get those funds.
Yeah.
In Europe we have the network andinformation security directive.
One N two is now enforced and it's beentransposed into Irish law and it puts
(45:29):
significant obligations on the managementboard of companies actually in relation
to their cybersecurity practices and theycan be fined and held accountable for.
Instance in their organization.
So I actually, that whole business emailcompromise for small and medium sized
enterprises, I think that would be areally interesting one to do as well.
And even exploring the differentregulatory structures in, in
(45:51):
different countries, actually.
So if you're operating inEurope, if you're, you will be
subject to this legislation.
It also has a very wide breadth.
So we have 70 operatorsof essential services.
At the moment, we'll probablyhave 4,000 entities in scope.
And a lot of them will be lookingat this for the first time.
And Deirdre, it's interesting youmentioned that 'cause I had a major
financial institution here reach outto me and had a victim that didn't feel
(46:14):
comfortable reaching out to the police.
But I had that relationship and I wasable to tell call Michael Rahan, who's
the detective superintendent with Gardaand call him on his personal phone.
And he was having bangers andmash in a pint at six o'clock
and he was able to call the head.
Of the financial institution in Irelandand was able to freeze the money.
And so I grabbed that information inCanada and I shipped it over to him
(46:36):
and as a result, they arrested twoNigerians for money laundering in Ireland.
So it's just that instant internationalconnection that can really have success.
. I'm just amazed at the personal networks that you guys have.
'cause every I'm getting to knoweverybody but everybody knows everyone.
I, I see, oh, I talked to Aaron WestJohnson says, oh yeah, I know who Aaron.
Every you're building such an effectivepersonal network of law enforcement.
(47:00):
I just find this astonishing.
So important.
And Erin calls me one of her Avengers.
I have a meeting this next weekwith her, with a bunch of detectives
in the US and Canada and Europe.
And so we talk about differenttrends and how we can put our
brains together to combat thingsthat we're seeing around the world.
So it's really interesting.
Sorry, Deidre cut you off.
I was just say it's a lovely partof chief culture actually, that.
Okay.
Policing organizations are generallyquite big, geographically dispersed.
(47:22):
We've won police service in Ireland,but it's obviously spread across 500
odd stations, but it's always done.
All those personal connections.
It's, I'll do this for you outof ours because I know and trust
you and I will, do it for thevictim, but do it for you as well.
And so lovely part of this culture.
Personally, I think it would beinteresting to delve a little bit more
into why you, we the money mules piece.
(47:45):
Yeah, because it's a younger generationthat, it's often university students
and they are more willing to takethe risk for the financial rewards.
They have a higher risk threshold.
I think that would be a reallyinteresting one to delve into and again.
(48:05):
There's an evidence-based policing centerin the UK and the Met have a strategic
intelligence unit and they have behavioralanalysts, and they look at things like
when you put out like a parking fine, howcan you structure the language so that
people will actually reduce their speed?
And I think that's something thatwill be interesting to explore in,
in terms of cybersecurity advice aswell, is how can you tailor this and.
(48:25):
Word it so that peopleactually follow the advice.
Because some of the surveys that arecoming out in Ireland at the moment
will say maybe a third of people willlook, have a strong password, will
check links, but most people don't.
So I think despite all of thecommunication that we're putting out,
it's not actually changing behaviors.
So how can you actually maybebring those two disciplines
(48:47):
together to get some traction?
Interesting.
Yeah.
Using technology and maybe us usingsocial engineering for a change, I
think that's a really great thing.
I think I'm gonna try anddo a program around that.
If anybody's listening to thisout there and you've got experts
in it, get in touch with me.
I'll go digging for someexperts on social engineering.
But I think that's one of thethings, maybe we should start.
(49:10):
We should start using the tricksthat the crooks are using.
Good for you.
Great stuff.
Thank you both of you for doingthis and I'll I'm just glad
you spent the time with us
and that's something thatthis program should try to do.
Yeah.
Showcase it.
Successes.
Yeah, definitely.
Yeah.
Sometimes you win by winning.
(49:31):
Like you don't always have to.
Everybody says you'lllearn from your mistakes.
You can learn from your mistakesall you want, but you can also
learn from your successes.
Yeah, it also gives peopleconfidence, isn't it?
Okay, maybe in my case nothingcan be done, but I see that it
has worked for other people.
There have been successful operations,there have been successful arrests.
It gives people confidence that it'sworthwhile engaging, it's worthwhile
(49:51):
reporting, and that you're not alone.
Good stuff.
Thank you guys.
And what a beautiful note to leave it on.
You're not alone.
And that's our show.
Let me know what you think.
You can reach me@technewsday.ca or.com.
Use the Contact Us link on the site.
You can also find show notes there,
and this episode came up rather quickly,so it might take me till next week to get
(50:14):
some of the useful links that I'd like topost in there, but stay tuned for them.
Thanks to our guest, Deirdre and John, fortaking the time to share their expertise.
But above all, thanks to you.
You've taken the time to spendwith us and we're glad you did.
I'm your host, Jim Love David Shipleywill be back with the cybersecurity news
on Monday morning, and I'll be back inthe news chair on Wednesday morning.
(50:38):
Stay safe and above all.
Enjoy your weekend.
Hug your loved ones.
It is called the grandparent scam.
It sounds relatively simple.
Fraudsters who prey on seniorsoften by using their grandchildren
as the driver of the scam and theirgrandchildren have been arrested in
an accident in desperate need of help.
It sounds simple, butit's very powerful and
(00:24):
it's huge in terms of its dollar impact.
It's hugely profitable and it's impossibleto estimate how much has been taken,
but people think hundreds of millionsor even billions of dollars , but we
can't get lost in the dollar impact.
The thing that always hits me is thatthese are real people who are often
taken for almost everything they have.
(00:46):
Lives are ruined, retirements are ended.
Life savings disappear.
But as terrible as it is, as a crimeof property, these people also suffer
in silence because they're ashamed.
They think they've been foolish andthey think they're to blame when in
reality they're dealing with expertsat human psychology and manipulation.
(01:09):
And if we're totally honest, we'veall been fooled at some time in
our lives . The fact is everybodyis potentially vulnerable, but
these people don't see it that way.
So they have the loss of everythingthey have and the shame of feeling
that they've been failures.
But there are people who are fightingback on behalf of the vulnerable,
and they do it day in and day out.
(01:31):
It's their job.
And if the victims are unseen, so areall too often these modern day heroes,
police officers who have dedicated theircareers to protecting the vulnerable,
it's tough and often maybeeven heartbreaking work.
You can't help everyone.
But there is also a myth that thebad guys, and that seems like a
(01:53):
trivial phrase, I'm gonna callthem evil criminal psychopaths.
There's a myth that there's nothingthat we can do about these so and sos.
But that's not true.
Sometimes the good guys win.
That's what I wanted to discuss inwhat I hope is the first of a series
of episodes on law enforcement and howthey deal with cybersecurity scams.
(02:16):
The show is largely about what's calledthe grandparent scam, something it has
been and probably remains as scourge,that affects seniors and others who
are vulnerable, but it also exploressome of the other aspects of law
enforcement and it features two ofmy favorite law enforcement friends.
I'll let them introduce themselvesas we join that discussion.
(02:38):
. I wanted to get you tointroduce yourselves so that
the audience gets to know you.
Deirdre, can we start with you and just.
Tell us, tell the audience who you are andhow you got to where you are right now.
Yeah, absolutely.
So I currently work in Ireland'sNational Cybersecurity Center.
But I started my career after brief stintas a postdoctoral researcher working
(03:00):
with our police service on Garona.
So as a civilian analyst.
And I came in working on big,kind of strategic issues, looking
at volume, crime looking at waysto prevent and disrupt crime.
And I did that for a couple of years andthen I went working in a local police
station in a division, in a more still inan urban location but outside of Dublin.
(03:21):
That's actually where I really gotinterested in the impact the crime
has on people, because it was a muchcloser connection between the crime,
the perpetrator, and the victim.
So still worked on some seriouscrime, but also high volume crime,
like theft, burglary, and duringthat time I got interested as well
in the fact that increasingly crimewas leaving a digital footprint.
(03:42):
And how to investigate that andhow to deal with that properly.
And it was still a relatively newphenomenon or evolving phenomenon
when I was working as an analyst.
So I went and did a master's oncomputer forensics and cyber crime
investigation for law enforcement.
And that's where I really gotinterested in the area of cyber crime.
I also spent a couple of years beforeI left on Gort na Móna working on our.
(04:05):
Strategy or corporate strategy,our policing plans and making sure
our annual plans translated downto the divisions and had an impact.
And implementing a number of highlevel recommendations around future
policing in Ireland, which reallyrelated to evolving our police force to
keep pace with the changing landscapeand the changing threat landscape.
(04:26):
And that involved working in terms of our.
National Cyber Crime Bureau and EconomicCrime Bureau working on staffing equipment
and transformation programs there.
I'm really excited to, to be hereand to have this conversation today.
So John, tell us a little bit aboutyou and how you got to where you are.
(04:49):
Certainly.
I started at immigration workingin modern war crimes, and then
I applied the Ontario ProvincialPolice because they wanted to stay.
Within the province of Ontario insteadof going to the RCMP where I worked
general patrol, and that's where Istarted getting exposure to frauds.
Then I transferred to a major crimeoffice in a county, Lennar County.
(05:10):
And with the new detectives, theyput you in frauds and sexual assault.
So I cut my teeth at that level.
Then eventually I. Entered into theanti rackets branch and the unit is the
Economic Crimes and Corruption Unit.
So I started there in 2015 and that'swhere we look at major economic fraud.
(05:31):
And as technologies evolved, we startedseeing more cyber enabled frauds and
then I did three secondments over tothe Canadian Antifraud Center as a law
enforcement liaison officer workingwith law enforcement nationally and
internationally, and that's wherethey gave me a lot of exposure to
the globalization of cyber fraud.
(05:51):
And how, one victim in, a smalltown could be targeted by organized
fraud groups around the world.
So it really opened my eyes to how complexand the scale of these cyber frauds
that are occurring around the world.
Yeah, it's really interesting and fromthe Canadian aspect of it, I've just
(06:13):
been so aware of how many groups havebeen here in our own province of Ontario.
Th there are a lot of, Iguess you could work anywhere.
It's telecommuting, but it's just amazing.
And I don't know if it'sthe same in Ireland.
Is there a reason whywe're targeted at all?
(06:35):
Yeah, I think the scale and theability of fraud as a service
and the use of technology allows.
Really anyone around the worldto be targeted as a victim.
So although we see it in Canada,I think, based on countries with
larger population, they're beinghit at the same rate as we are.
(06:55):
Anyone and everyone is essentiallya target online and through social
media with the deceptive techniques.
So when we look at Canada in ourpopulation of 40, 41 million we
see the exact same thing at scalein the US or in Ireland or Europe.
So the organized fraud groupshave just figured out how to
(07:15):
really use social engineering.
I think that's where a lot ofpeople really get victimized.
Yeah, absolutely.
I'd agree.
It, and it lowers the barriers toentry you or your traditional crime.
There are geographical or environmentalconstraints when it comes to online fraud.
They're removed.
(07:36):
And then you have the ability toincrease your own technical capability
or capacity by using online services tohelp you to, to per perpetrate the crime.
So it does lower that barrier toentry for a lot of criminals and
removes the geographical constraints.
And we would see very highlevels here in Ireland as well.
Obviously police service won't havethe full picture, but there's a lot
(07:58):
of really interesting surveys beingdone to estimate the true scale of it.
And we have some figures here,like a housing instance, a day, and
our population is only 5 million.
Yeah.
So
I guess the question thatpeople have is how do you.
(08:19):
How is this type of individualfraud perceived and dealt
with by law enforcement?
And I mean that because it's onething if a company gets ransomware
or is robbed or things like that.
Police have been dealingwith that for decades.
In terms of corporate robbery andthings like that, but the explosion of
(08:44):
individual fraud, the ability to handlejust that many cases, how do you cope
with that?
I. It is a real challenge.
I know within the OPP and a lotof police services, we're looking
at a victim centric approach onhow we handle an individual that
contacts a detachment and says, I'velost significant amount of money.
(09:04):
It's not even the loss of the funds.
It's a loss of their trust in.
Society as a whole we're seeingthese spoofing where they're
purporting to be law enforcement orgovernment or trusted businesses.
And I think it makespeople become recluse.
And when we do deal with that and avictim comes in, we try and provide them
(09:24):
supports on how to help them rebuildtheir lives and their confidence.
It's a really challenging.
Situation, especially when we'redealing with elderly people.
When we look at the grandparent scamsthere's a sense of safety that's lost.
The volume is extraordinarythat we're seeing across Canada.
So to try and manage it at scaleI. Is a very delicate balance on,
(09:45):
how do we support the victims?
Can we disrupt what the bad actor'sdoing to, can we help recover any funds?
Can we help the victimsget back on their feet?
And then how do we hold those people thatare committing these offenses accountable?
Especially when they're usingtechnology that masks who they are.
It's a real challenge.
But I think.
When we look at the Australian model,they've really figured out how to
(10:08):
hold organizations and institutionsaccountable and how to compensate
the victims and how to support them.
That model is really interestingto see what's happening.
'cause there's been a de declinein, in cyber fraud in Australia
as a result of legislative changesand changes with organizations.
I think that's a good point with alot of, with crime, even in general
it's a whole of society or a whole ofgovernment approach that you need to
(10:31):
follow to actually prevent, disrupt andsupport those who have been affected
So similarly to, to Canada, Irelandhas a very victim centric approach.
We've always followed a communitypolicing model and the victim is at
the center of everything that we do.
And I think inherent in that thenis that challenge around providing
those individual supports whilstdealing with instance at scale.
(10:53):
And providing the kind of expertise,like specific expertise in order
to deal with these incidentswas having the general expertise
around victim centric approaches?
Yeah I think when you look at, whenwe look at what we've done in the
OPP we've created a community serviceengagement officers and we've created
a PowerPoint presentation that allowspeople, in the organization to provide
(11:17):
these presentations and awareness pieceto their community, and they can tailor
it to the needs of the community.
And so when we call it the communitymobilization model, when we actually
see that there's a victim that's beentargeted this, then we, I. We bring in
services in the community to help supportthat person go through that sort of the
triage of the event the post event andhelp them try to get back on their feet.
(11:41):
So I really think.
Doing podcasts like this or bringingawareness out, I think that's the key to
having people recognize what is comingat them and how to reject these sort
of social engineered frauds that arecoming at them and then report to the
police or the Canadian Fraud Center.
And I really think having acommunity-based approach really
(12:02):
does help mitigate the amountof victimization that we see.
Or at least help them cope with it.
It's, one of the things that I thinkwe're all aware of, and I've said
this before and probably maybe theaudience is maybe bored of hearing
of it, but I do keep bringing it up.
My father told me he'd been defraudedand I. My father's a very well.
(12:24):
He's dead now, but he wasa very intelligent man.
He was well educated.
He was a big person in the communityand middle of the night, two in the
morning, and this is the old style, agrandparent scheme, , middle of the night.
Two in the morning, and we have, oneof my brothers has been in trouble.
There's no doubt about that.
(12:45):
He's had some issues and things like that.
We're a wide, big family.
Adopted, some of the kids,had tough upbringings, but my
parents brought them along.
So middle of the night, gets a call,needs bail, or whatever it was.
And it took him years to tellme this because he was ashamed.
And he knew after he sent themoney, he knew it was wrong,
(13:08):
but he didn't know what to do.
And I think that shame part ofit is one of the things that I
think these crooks depend on.
And so the community piece is big, but howdo we are we breaking through that shame
barrier with what we're trying to do?
I think we see some positive changes.
(13:30):
I, we see organizations like Interact orthe major financial institutions actually
putting information out there, whereasbefore it wasn't communicated as much.
For instance, even on Amazon, I wentto order something and boom, I pop up.
This could be a fraud or here are signs.
I think we're doing better atcommunicating that when you're looking
(13:51):
at the elderly that are targeted or olderpeople we're seeing a cognitive decline.
We're seeing they're sensitive to maybetheir family members are at the edge
where they put them in summer assistedliving, and it's that loss of independence
and that loss of sense of, pride.
And so I think they hold that inoftentimes and not tell their children.
(14:12):
And it's a real challenge breaking downthat, that stigma when we look at the
grandparent scam investigations we'vehad in Ontario and we had one particular
victim who lost $600,000, I think it wasthe West coast because she had cognitive
decline crew member the day before.
Four.
So it, it's a real challenge as peoplestart to lose their cognitive ability.
And you're right, there is, there'sthat insecurity piece that we see.
(14:37):
Do you think as well that we put out alot of messaging, but people still feel
yeah, but I wouldn't fall for that.
I think there's some interesting, that wethink we're communicating, but maybe we're
not always communicating enough or in theright way through the right channels and.
Really emphasizing that anyone can fallfor these because, if you get a call
(14:58):
in the middle of the night, you havevery little time to think there is an
emotional response that's gonna makeyou way more susceptible to falling.
For this, you're not super immunejust because you're more educated
or more formed than someone else.
You, you're still subject tothese social engineering tricks.
They do.
They're used because they work.
(15:19):
I think everybody's su subjectto this, and I've, again,
I've told this story before.
I'm extremely cautious.
I run a cybersecurity podcast.
I'm going to be hacked.
That's not, it's not if it went,I'm going to be hacked if I haven't
already been in and, but I tryto be as careful as possible.
I do everything I can beas careful as possible.
(15:43):
Saw a note from my other brother.
And he he's had some family problemsand his, his mother-in-law was dying.
There was just a whole pile ofhurt that was going on in his life.
And I get a note from, I seehis name and I click on it.
And I go, oh my God.
I haven't, I don't click on stuff.
Yeah.
And, but so everybody.
(16:03):
Can be set up.
And as I, I think as my interview withOperation Shamrock pointed out, there
are PhDs who are working with fraudsters.
These are not, I think everybody stillthinks of the Nigerian Prince, some guy
in a room and it's really done poorly andbad spelling and all this sort of stuff.
These are very sophisticated crime units.
(16:24):
That, that, that do this.
And they're knowledgeable.
They know what buttons to pushand how to get you to react.
And I think the other thing I think is,you guys tell me, but I think they take
more time than people think as well.
This isn't just iPhone, you scam you.
These people really work at it.
That's really interestingyou mentioned that.
(16:44):
Because it is a business for them,and they put a lot of time and effort.
They choose their people.
They're quick to be able to pivot.
They come up with a verysophisticated script.
When we look at TV shows and moviesthey're really authentic when you
see them about how policing operates.
These bad actors will embrace that.
They'll talk very authoratativewhen they develop their script on
(17:07):
how they're gonna pitch it to thevictims they use terminologies
that law enforcement would use.
Especially in this grandparent scam.
I. They, they prey on that senseof urgency like Deirdre was saying,
in, in the middle of the night.
And we as humans, we wannahelp out our loved ones.
We want to solve that problem and we'lldo anything to protect our loved ones.
(17:28):
And when that chaotic call or messagecomes in, it's that fight or flight.
How do we go about triagingit and making things right?
And I think a lot of peoplehave the good nature in them.
And then it's only after they'vebeen victimized that they realize,
oh my God, there was all thesered flags that went along with it.
(17:49):
Maybe the terminology wasn't right.
It's very exhausting to hear someof these things from the victims
because you just see that senseof trust that evaporates and now
they feel so vulnerable afterwards.
Like when you were talkingabout the corporate aspect
versus the individual aspect,
I think shame is a huge piece.
Yeah and what you should be doingis you should be taking action
(18:11):
and reporting where it's actuallylike everyone is looking at going.
Maybe I'm wrong.
Maybe I didn't get scammed.
Maybe I'm right.
You're trying to maybe justify youractions or hide what went wrong.
It's a natural human emotion.
Very difficult to overcome.
Yeah.
And are police forces set up totake, if they actually, if we could
(18:32):
convince people to report quickly,do we have the breadth to be able to.
To take that amount of, that's a lotof people being scammed out there.
Would we be able to eventake the number of calls?
What's interesting you mentionthat because we've seen.
The numbers of reporting thenumbers of losses just escalate.
When I started the Canadian AntifraudCenter, the reporting that we received in
(18:54):
2020 was 164 million in reported losses.
As of 2024, we're talkingabout 648 million in losses.
My friend Dave Coffey, who doesmedia for the Toronto Police and
Awareness, he said Toronto Policelast year had reports of over.
Almost 400 million in reported losses.
When we look at the states, we'retalking about $17 billion in losses.
(19:15):
So just in Ontario alone, that's astaggering amount of money that's lost.
So when we look at what the calls forservice the officers or the detectives
have, they're being overwhelmed with,petty crime or domestic violence and
what have you, the human trafficking.
And then to add on cyberon top of that it's a lot.
So that education pieceinternally is a big thing and
(19:36):
we're really working on that.
And then we're working onthat support mechanism.
It's a real challenge at scale to, tohandle all these victims coming in.
And that's why when we look atOperation Shamrock, that website
that they host is incredible.
Aaron West is doing such agreat job and they just put so
much good literature out there.
The Canadian Antifraud Centerwebsite is very great as well.
(19:56):
When we look at what to do if you're avictim, so they have these steps, within
the OPP, each detachment has mentalhealth nurses and support mechanisms.
So if, we identify a victim that hasthese needs, we can start support
them and then we can start conductingthat investigation at the same time.
So it is real challenge and we'reworking up at scale in the, at
least in our organization, to tryand tackle these investigations.
(20:19):
Yeah, and it very muchthe same in Ireland.
In my time in non garish y we put a lotof effort as well in that education piece
internally so that when somebody doespresent a report, the crime, that people
ask the right questions, record the rightinformation, support in the right way.
And I think that's as important asanything else because what you don't want
is that experience where someone reportsand they have a negative experience, or
(20:41):
they're not, they don't believe there'sanything that can be done for them.
They don't feel it was worth their while.
So it's been very similar here.
And I would say also just recent crimefigures, we'll see fraud reporting up,
so I do think that's a positive problem.
People are reporting.
So what are the things that, andmaybe we should just do, take a
brief breather and just go throughthis grandparent scheme just.
(21:04):
Quick outline of how itworks in the modern sense.
Like I said, I think I had untilI actually read your notes,
John, I had a vision of andtalked to Operation Shamrock.
I had this idea that it was still theold Western Union phone in the middle
of the night thing, but it's much moresophisticated . Can you just give us a
bit brief rundown of how this plays out?
(21:25):
What would the average experiencelook like or sound like?
Yeah.
So we started to see this trend in Europeand then it trends, it be, became trends
international where it started hittingCanada and the US And so what we, our
experience in Canada has been is we seethe, these older people that still have
landlines and so the bad actors behind thescenes will essentially look up candor 4 1
(21:51):
1 and identify a postal code and identifyan area that they want to target and.
Based on Canada 411, you havea phone number, you have an
address, and you have a name.
So that's perfect informationto start off with these frauds.
So the bad actors will havecouriers in and around that area
ready to attend the residence.
(22:12):
So what happens is there'll bea phone call that's unexpected.
At any time of the day where theelderly person or the older person
will get the call indicatingthat it's from a grandchild.
And so I'll use an example.
They'll say, Hey, grandma.
Yeah.
Hi.
Who's this?
It's your favorite grandson.
Who is it?
It's Johnny.
Oh, hi Johnny.
What's happening?
(22:33):
My throat's a little sore.
I had to go with the to get some medicine.
You wouldn't believe what happened to me.
I went with a friend.
There was a car accident and we rear-endeda pregnant woman or gotten a car accident.
And the police attended the scene.
They found some sort of drugsor contraband in the car.
As a role result, me and myfriend have been arrested.
Now the police tell me that I'm gonna bereleased on bail, but we need bail money.
(22:57):
Would you be okay to talk to, theofficer and then the second party
involved in this will come with a veryauthoritative voice and they'll say,
this is officer I'm with this detachment.
And they'll use a police jargon andbe very authoritative and they'll say
there's a gag order in place for the, weneed bail payment immediately in order
(23:18):
for your family member to be released.
And what the victim will start thinkingis, okay, I can't say anything.
Can't call mom or a dadbecause they're gonna be upset.
That's why the grandchild's called me.
Now there's instructions onto get funds and it's normally
under a $10,000 threshold.
And so they'll direct the victim to goto their local financial institution and
(23:38):
try and withdraw money out of the ATM.
They'll get a certain amount becausethere's a limit, and then they'll
go inside and they'll talk to theteller, and sometimes they're on the
phone with the bad actors the wholetime, or they've been told what to
say to the financial institution.
So for instance, you needmoney out to help your grand.
Child pay for a car, or we had one victimin that's wired $30,000 in Montreal on the
(24:02):
guys that it was for her sister's funeral.
So they come up, they teach the victims tocome up with some sort of story in order
to get the maximum amount of money out.
They go back home and thenthey contact the bad actors.
And the bad actors say there's a careerthat's gonna pick it up, put it in the
envelope, and put this incident numberon the envelope and hand it over.
And that's how the initial I. Grandparentcamp starts and then there's, they ask
(24:25):
for more money and we can talk about that.
I'm not sure if Ireland's seenthe same sort of pitch but that's
what's happening in Canada.
Yeah.
Si Similarly, we had a wave ofthem, I think around 2021 and 2023
with a similar kind of approach.
I'm not sure if they hadthe couriers pick it up.
Ireland's is a smallergeographical location.
But definitely that, that notso much being on bail, but
(24:47):
being like, I'm just, I'm stuck.
I've had a, crash or I've had a medicalemergency and can you get me some money?
Similar approach but not, Idon't think so much on the bail
front, if that makes sense.
More recently it's been otherkinds of frauds and scans.
(25:07):
Maybe we'll talk about that later.
But yeah, definitely a lot of publicawareness building at that time.
Yeah.
And how did they bridgefrom that to the big money?
You've said, they're taking hundredsof thousands of dollars in some cases.
Yeah.
And so what we see is the secondattempt, they'll know that there's a
chance that police have been calledand maybe waiting for the couriers
(25:29):
and what have you to be arrested.
So what they'll say to them is they'llsay There's been a. A change in the court
process we found additional information.
The Jeopardy has risennow for your grandchild.
In order to get them out of jail.
The bail is set at a higher amount,so they'll say I. Put money into
(25:50):
a professional career service likeour Purolator, our UPS or FedEx.
And just the caveat is theseprofessional career services it's against
their policy to send cash in mail.
So they'll tell them towrap it up a certain way.
They'll maybe put it into an itempackage it up, and then they'll send it.
And what they're doing isthey're sending it to rental
properties or abandoned locations.
(26:11):
And then another.
A person in this organized crime groupwill pick up the funds at that point.
We're also seeing if they don't havecouriers or if they don't have any.
Any capacity to intercept,they'll use cryptocurrency.
So the victims will take the cashout, they'll go to the cryptocurrency,
ATM machine, and Canada is numbertwo in the world for the most
amount of cryptocurrency machines.
Which is really interesting.
(26:32):
So the ability to just take your cashoutta your regular ATM and then go to
a crypto ATM, and they'll normally getQR codes and they just scan it and they
put their money in and then it's gone.
Or they'll wire transfer.
Etransfer the funds to a syntheticaccount that the bad actors have created
using identity, compromised information.
So that's how they get the big money.
(26:57):
And is it some, there's similar thingshappening in Ireland, Deirdre, or that,
because I'm almost amazed at how theyget this much money from old people.
It just, it's a lot.
I'm not working in the policingcontext anymore, so I don't have
detailed information around, aroundthe current kind of methods of
operation, but from what I see, it'sprobably more relying on money mules.
(27:19):
I'm really interested around thecryptocurrency piece because I'm not
sure what the older population inIreland that they would have, for the
vast majority, that they would havethat competency to actually do that.
But certainly there is an issuewith the students allowing
their accounts to be used.
And even now you would still see thatin surveys that people probably don't
(27:41):
really understand the impact of whatthey're doing if they were allowing
money move through their account.
So I think that's probably amore likely scenario in Ireland.
And then for larger amounts, I thinkit's more on building a relationship with
somebody in a trust piece rather than thekind of what you were describing, John.
From what I can see and from whatI know so slightly different.
But again, you're gettingthe same kind of impact,
(28:01):
but it's the same thing.
It, it's, you build a relationship,you create a situation, you
break down the barriers.
You use psychology or you use psychologyeffectively to get people to do
things they wouldn't otherwise do.
That's social engineeringand at its highest level.
What should we be doing about this?
I've recommended, like I said,that I think we have to have
(28:24):
the talk with our parents, whichis really a strange situation.
Used to be you had thetalk with your children.
Now the talk with our parents and withother vulnerable people in our communities
as cybersecurity professionals, a lotof my audience is work in cybersecurity.
What can we be doing thatwould help either to.
(28:46):
Stop this or
at least slow it down.
So while we were launchingour investigation in the op
project Sharp we wanted to.
Figure out how we can get the informationout to that specific demographic.
And we were looking at the olderCanadians and you mentioned this
earlier, there's so much informationcoming at you on social media, on the
(29:07):
news, or what have you that getting,that, that piece out that resonates
with the people is very challenging.
So my task, with this investigationwas to come up with a very robust
media and social media and awarenesscampaign and to see over my shoulder
here, I came up with a placard thatis almost like the locker or lose it.
Red is bad, green is good.
(29:27):
So what we did is welaunched our one week.
Fraud prevention initiative.
And we worked really closely with theRCMP because they're across Canada
with our policing municipal partnerswith the Canadian Anti-Fraud Center.
And so it was a joint effort and we didpodcasts, we did radio interviews, we
did news print we put out media releases.
(29:49):
We did a live chat.
We came up with a graphic in thebackground and we used it on social
media, but then we figured howdo we get to the granular level?
So we work with Ministryof Long-Term Care.
In Ontario.
We work with different groups thathelp elderly folks or older folks.
We worked with Canada 2 1 1 toput that information out there.
(30:10):
We work with the CanadianBankers Association.
To educate the tellers at the branches.
So it was all these sort of layersthat we put together that really tried
to put the information out there.
We were able to get fundingto put advertise on the back
of buses across Ontario.
And we took that model based onin Vancouver where they had big
advertisements on bus stops in a QR code.
(30:32):
So it was that awareness piece.
But I think to get backto the speaking to your.
Your your older family membersis to come up with that code word
that's only specific to your family.
It could be whatever, it could be theword blue so you know who these people
are and to try and target the educationto the children so that they can have
(30:53):
that discussion with the older adults.
And we found that to be very impactful.
That's a really good
idea.
Are there unique waysthat you've, oh, sorry.
Are there, sorry.
Interesting things orunique things you've seen?
From my perspective, what Iwould say is the awareness piece.
Just everything you said, John.
(31:13):
Absolutely true.
And we, we do it here as well.
But from my current role now incybersecurity sector, I think
one of the challenges we have iswe're deeply technical people.
Trying to make that translation intolanguage for people who understand
what's happening and understand whatthey can do and what's in their control
to do in a way that's not intimidating.
(31:35):
And I think that's a challenge because Ithink especially with an older population,
if you start talking about, sure.
It's, a safe website, H-T-T-P-S, checkingthat, checking for the padlock and all.
It can be a little intimidatingif they're not on social
media or technology every day.
So I think there is a challenge therefor us all the time to get better
(31:55):
and better at explaining the risk andwhat's within their control to do.
But certainly like that is whatwe're doing on a daily basis.
And we work very closely withinGarish Kona because we would get a
lot of reports of phishing attempts,emails, SMSs scans going on.
And we would share them withon Garcon and we work with them
around prime prevention advice.
(32:15):
And how to tackle them together.
And it's back to that bit of,it has to be a layered approach.
It can't be one organization on their own.
And what, I guess the questionis what's next in all of this?
What are you seeing that's newthat you, or that's coming up, or
ideas that you think are peopleshould be watching out for?
I think from what we're seeing is the bankinvestigator scam or bank imposter scam.
(32:40):
And it has a very similar mo to thegrandparent scam where it's that shock.
You're getting call from a financialinstitution saying that there's
been a suspicious transactionyour card's been compromised.
And in eastern Ontario we'reseeing the victims being told to.
(33:01):
Take their bank card that's beencompromised and put in a. Envelope and
put your PIN number and the courier'sgonna come pick it up and they'll
secure your funds in a governmentcontrolled bank account until this
investigation's completed and thesting operations been uncovered.
And so again they're targetingthe older population.
(33:22):
And, statistically from theCanadian Antifraud Center, we
see that elderly folks or olderpeople are getting hit 33% more.
Than the average.
And that could be a secondary fraud.
There's almost like a list.
If you've given money out now you'regonna be hit with another type of fraud.
It I see the bank investigator scam reallyjumping up when we look at the numbers.
(33:42):
In 2023 for the emergency grandparentscam, because we did so much awareness,
the reporting to the Canadian AgeFraud Center really jumped up.
So it went up to $11million in reported losses.
During that year, and I think thatwas because we're telling the people
report to your police report tothe Canadian Anti-Fraud Center.
But when we look at the fraudcategories that we saw at the
(34:03):
Canadian Anti-Fraud Center theyhave 30 different fraud pitches.
Now.
Some of the frauds are merged into one.
Title, like extortion, frauds.
But I think the biggest fraud lossesthat we're seeing is investment
frauds and crypto investment frauds.
Again, you may have some older peoplethat, aren't fixed income and want
to raise their their investments.
And so they're looking at these angles.
(34:24):
So that's a trend thatwe're seeing here in Canada.
I think there's a, an underlying thing.
So we see some of thesame kind of things here.
And there's an underlying themearound very limited time to think
or this fear of missing out.
So even if you focus on those thingsas you're red flags if you're, if
either of those things are present,then I think you should be concerned.
(34:47):
There's probably an opportunity aswell just trends that we would see is.
There are certain times whereparticular frauds are going to surface.
So in Ireland, and it might be thesame in Canada, when we have elections
and a new government is formed, oneof the early things they'll do is put
together a program for government.
And that's where they will makepromises around specific schemes and
grant schemes that they're going to do.
(35:08):
And I think there's an opportunityaround those particular times to
specifically raise awareness becausegrants for heating your home or
maybe transitioning to green energy.
Older people will beparticularly interested in those.
And if they're getting SMS to theirphones at the same time as they're
hearing on the radio, it feels real.
So I think there's opportunities for lawenforcement and for everyone involved
(35:29):
in cybersecurity to raise awarenessaround those peak times as well to try
and prevent some of this from happening.
And I think it's the really importantaspect of all this is that reporting.
When you report it to your lawenforcement it goes back to Sir Robert
Peele, the police of the public.
And the public.
They're police.
So police won't know what's happeninguntil they get those reporting from
the public and maybe see new trendsand little nuances that change.
(35:53):
And when we looked at theemergency grandparent scam.
It was really important for usto have the victim's report.
And why did that help?
We knew the bad actors whowere using prepaid phones.
And phone numbers.
And so when and let's not kidourself, they know personal
security on their own end.
So they're only gonna have a numberfor a certain amount of time before
they think it's maybe heated up andthey'll transition to a new one.
(36:16):
So by reporting that new number, thenwe can work with our telecommunications
companies and say, here's a badnumber that we've identified.
Please disrupt it.
So I think.
Reporting to Canadian Fraud Centeris really important as well.
'cause they have this disruption program.
So if you have a bad email, a bad phonenumber, a bad website a bad bank account
by sending that out and of course.
The anti-fraud center complies withprivacy constraints and laws, but we
(36:40):
can send that information out as a leadto these organizations where they can
now do their own investigation and deplatform these customers or clients.
I think that's really the otherpiece that is, is crucial.
And when you talk to Aaron West inOperation Shamrock, that disruption piece
is a real huge piece to their success.
(37:01):
With that reporting piece as well,what's really important is that
then that for your policing, foryour policing management, to, to
allocate resources effectively andefficiently to where you're going to
get the best impact, you need to knowwhere your instances are occurring.
And if you don't have those reportsof fraud, it's not going to get
the resources that it needs.
(37:21):
So I think from an internaland external perspective, that
reporting is really important.
Yeah, and a bit, it's abit like Whack-A-Mole.
And John, you said it, I mean we talkedabout the grandparent scheme, Deidre,
you said there are other ones in Ireland.
There are new ones that are constantlycoming up and they will evolve.
It's the same as withransomware or any other threat.
As soon as you find a way to, to holdthis one, they come up with their.
(37:45):
These people are very creative and theydo an incredible job at advancing this.
The question I have is how wecan cope with that volume of it.
There are other ones, and I'llgive you a couple that, that I
think are gonna come your way.
One is, you mentioned a QR codethat's out in the streets now.
If you see a QR code on thestreet, do not click on it.
Do not, unless you're absolutelycertain where it comes from.
(38:07):
'cause that's another scam.
The other one that we're seeing in Canada,I don't know if you see it in Ireland.
They, we have a nationalbroadcaster, the CBC.
You will find articles from the CBCthat look identical to the CBC telling
you that, a famous Canadian investor.
Has, has found a way to make a milliondollars overnight, and it's approved by
(38:29):
the CBC, and they're very good at this.
So I think we have an explosion.
And just as we're wrapping up, isthere any way we can deal with this?
I think there is, I think it's thatcommunication, that outreach piece.
I think it's thatdisruption piece as well.
So for instance, when I was at theCanadian Fraud Center, we would get
(38:50):
different organizations reach out andsay, I have been spoofed did that actors
will pay for search engine optimization.
And so within the Canadian FraudCenter, we had one member that was
solely responsible for disruption.
And then notifying, various.
So they, they have an ability tosend off the websites for disruption.
(39:11):
I think.
I think trying to report and tryingto disrupt, I think is a big piece.
But it's also letting the public knowwhere is legitimate authoritative
location for that information.
So to go to that instead of relyingon, the top search engine results or
like you said, the QR code having thatpause and think, should I scan that in?
I've seen a video in the US of acrime prevention officer ripping
(39:34):
off a QR code off a parking meter.
And the bad actors hadjust slapped that on there.
So it's really incredible.
It's a real challenge as weevolved in society and technology.
Yeah.
It's gonna get harder because it'sgonna be more difficult to spot
like a lot of the, language issues.
Threat actors will be able toovercome that with the use of LLMs.
They'll be able to better crafttheir messaging and make it feel
(39:57):
more authentic to the geographicalarea that they're targeting.
So this is gonna get harder andharder to spot from that perspective.
And I think also voice and videobe harder to see that this is
AI generated or inauthentic.
And I was thinking about thisearlier as well, and I was thinking
some of it is behavior change.
That you don't leave yourhouse without locking the door.
But you will click on a linkwithout checking or QR code
(40:19):
without checking the link first.
So how do you start to, automaticallydo these things without having to
think about it and think about things?
It probably comes from the youngergeneration up, that upward pressure
as well as the information campaigns,and I think so that the schools
and targeting schools and building.
Media literacy and digital literaryskills at an early age will protect
(40:41):
that generation, but also helpinform the older generations as well.
And Jim, you mentioned it on anotherpodcast that I heard that there was a link
that you got and you were able to put itin AI technology and it actually warned
you and told you what the issue was.
So I think that technologicalcomponent really is important.
But the other aspect is that privatepublic partnership, police can't
(41:02):
arrest our way out of cyber fraud.
It takes concerted effort from government,from private business to social media
companies to law enforcement, to allto come together in, in combat that.
I think that's the real solution here.
Yeah, I agree,
it's all around us.
Facebook.
Is they will not do anything.
I'm sorry.
I'm not a big Facebook fan.
(41:22):
A lot of older people are now on Facebook.
Young kids aren't, and theywill sell ads to anybody.
They don't care.
It's just obvious and, so there's so manyplaces now that people are vulnerable.
I guess it's a it increasesthe increases the.
The number of places thatyou can be attacked from.
(41:42):
It, it's just astonishing.
And yet, I think, and John, thank you.
And Juju, thank you.
I think you, you could have some hope onsome of this, which I think is important,
but if you had one wish, what would it be?
If you could have one wish thatyou could make happen to make
the public's life better or yourjob better, what would it be?
(42:03):
I'll let you start.
Dietra.
Oh yeah, thank you.
The tough one.
Yeah.
I'm gonna actually just buildon the point John made it right.
Information sharing, actually howto share relevant action, actionable
information easily and quickly.
Where it needs to goand who needs to see it.
(42:23):
Because that information sharing is reallykey in cybersecurity more generally.
And it helps to buildresilience and it helps to.
Better learn the how things areevolving in real time, so you can
get that two-way information sharingand public-private partnerships.
I think that, iron all ofthat out would be fantastic.
Yeah.
I think building on that awarenessand education piece my wish would be
(42:48):
that there would be more educationput out to the public and Deidre said.
Talking to kids at a young age, like Idrive my kids to school and in the car
we talk about things and it's amazing.
My dad's sorry.
My son was saying, I justgot this text message.
There's no way that this came from here.
And it's I. Thank you.
My years of droning on forstuff, they've picked it up.
So I think having more the private publicpartnership bringing up that awareness,
(43:11):
I think that will help us through these.
And, your podcast, Jim, is incrediblebecause you raise the bar on
information sharing on here are thethreats, here are the trends here.
You should be aware of that.
And I think that's a real hugepiece that I'd love to see more.
Yeah, because it's areal challenge, isn't it?
When you're constantly beingbombarded with all these reports,
it's to get some kind of conciseand actionable information.
(43:35):
It's really important.
Yeah I it's tough to sort through it all.
Just last piece in this and then I'lllet you guys go but it's the idea of.
Of investment . It's easy totalk about feet on the street.
It's not sexy to talk aboutfingers on the keyboard, so getting
funding is, and getting enoughresources is always an issue.
(43:58):
But if there's something I should be doingas an episode, and we've had this first
chat and I thank you both for it, what if,what should I be doing next as an episode
that, that we could make a big difference.
I think it'd
be really interesting totalk about the job scams.
We're seeing a massive increase in that.
And it's targeting.
Everyone that's vulnerable,newcomers to Canada, maybe
students get in a university.
Maybe we'll try andtransition into another job.
(44:19):
Opportunities.
We've seen this erosion of workfrom home, and I think that's
really appealing to people.
So when you see that coming intotext message, Hey, make this kind of
money work from home, and it's reallyutilizing, crypto and the digital
transfer of funds around the world.
And then you don't even have to havebad actions in Canada to facilitate it.
And so when we look atthe grandparents scam.
We knew that in order to get the cash,they would have to have some sort of
(44:43):
money mule to move the through the system.
But when you look at that sort ofdigital hit and you don't need anyone
in Canada, and then you can use cryptoto get it out, I think that's the
real threat vector that we're seeing.
That's a real challenge to try andrecover those funds or hold people
accountable in other parts of the worldthat may not work with Canada, the US.
It's a real challenge.
So I think that's one we've donethese crypto investment scams.
(45:04):
I think the other one, because I thinkyou'll have a lot of people that are
in business world listening to thisis the business email compromise.
And to me, in my humble opinion, I believethat's one or two rivaling ransom attacks
because it's so easy to get those funds.
Yeah.
In Europe we have the network andinformation security directive.
One N two is now enforced and it's beentransposed into Irish law and it puts
(45:29):
significant obligations on the managementboard of companies actually in relation
to their cybersecurity practices and theycan be fined and held accountable for.
Instance in their organization.
So I actually, that whole business emailcompromise for small and medium sized
enterprises, I think that would be areally interesting one to do as well.
And even exploring the differentregulatory structures in, in
(45:51):
different countries, actually.
So if you're operating inEurope, if you're, you will be
subject to this legislation.
It also has a very wide breadth.
So we have 70 operatorsof essential services.
At the moment, we'll probablyhave 4,000 entities in scope.
And a lot of them will be lookingat this for the first time.
And Deirdre, it's interesting youmentioned that 'cause I had a major
financial institution here reach outto me and had a victim that didn't feel
(46:14):
comfortable reaching out to the police.
But I had that relationship and I wasable to tell call Michael Rahan, who's
the detective superintendent with Gardaand call him on his personal phone.
And he was having bangers andmash in a pint at six o'clock
and he was able to call the head.
Of the financial institution in Irelandand was able to freeze the money.
And so I grabbed that information inCanada and I shipped it over to him
(46:36):
and as a result, they arrested twoNigerians for money laundering in Ireland.
So it's just that instant internationalconnection that can really have success.
. I'm just amazed at the personal networks that you guys have.
'cause every I'm getting to knoweverybody but everybody knows everyone.
I, I see, oh, I talked to Aaron WestJohnson says, oh yeah, I know who Aaron.
Every you're building such an effectivepersonal network of law enforcement.
(47:00):
I just find this astonishing.
So important.
And Erin calls me one of her Avengers.
I have a meeting this next weekwith her, with a bunch of detectives
in the US and Canada and Europe.
And so we talk about differenttrends and how we can put our
brains together to combat thingsthat we're seeing around the world.
So it's really interesting.
Sorry, Deidre cut you off.
I was just say it's a lovely partof chief culture actually, that.
Okay.
Policing organizations are generallyquite big, geographically dispersed.
(47:22):
We've won police service in Ireland,but it's obviously spread across 500
odd stations, but it's always done.
All those personal connections.
It's, I'll do this for you outof ours because I know and trust
you and I will, do it for thevictim, but do it for you as well.
And so lovely part of this culture.
Personally, I think it would beinteresting to delve a little bit more
into why you, we the money mules piece.
(47:45):
Yeah, because it's a younger generationthat, it's often university students
and they are more willing to takethe risk for the financial rewards.
They have a higher risk threshold.
I think that would be a reallyinteresting one to delve into and again.
(48:05):
There's an evidence-based policing centerin the UK and the Met have a strategic
intelligence unit and they have behavioralanalysts, and they look at things like
when you put out like a parking fine, howcan you structure the language so that
people will actually reduce their speed?
And I think that's something thatwill be interesting to explore in,
in terms of cybersecurity advice aswell, is how can you tailor this and.
(48:25):
Word it so that peopleactually follow the advice.
Because some of the surveys that arecoming out in Ireland at the moment
will say maybe a third of people willlook, have a strong password, will
check links, but most people don't.
So I think despite all of thecommunication that we're putting out,
it's not actually changing behaviors.
So how can you actually maybebring those two disciplines
(48:47):
together to get some traction?
Interesting.
Yeah.
Using technology and maybe us usingsocial engineering for a change, I
think that's a really great thing.
I think I'm gonna try anddo a program around that.
If anybody's listening to thisout there and you've got experts
in it, get in touch with me.
I'll go digging for someexperts on social engineering.
But I think that's one of thethings, maybe we should start.
(49:10):
We should start using the tricksthat the crooks are using.
Good for you.
Great stuff.
Thank you both of you for doingthis and I'll I'm just glad
you spent the time with us
and that's something thatthis program should try to do.
Yeah.
Showcase it.
Successes.
Yeah, definitely.
Yeah.
Sometimes you win by winning.
(49:31):
Like you don't always have to.
Everybody says you'lllearn from your mistakes.
You can learn from your mistakesall you want, but you can also
learn from your successes.
Yeah, it also gives peopleconfidence, isn't it?
Okay, maybe in my case nothingcan be done, but I see that it
has worked for other people.
There have been successful operations,there have been successful arrests.
It gives people confidence that it'sworthwhile engaging, it's worthwhile
(49:51):
reporting, and that you're not alone.
Good stuff.
Thank you guys.
And what a beautiful note to leave it on.
You're not alone.
And that's our show.
Let me know what you think.
You can reach me@technewsday.ca or.com.
Use the Contact Us link on the site.
You can also find show notes there,
and this episode came up rather quickly,so it might take me till next week to get
(50:14):
some of the useful links that I'd like topost in there, but stay tuned for them.
Thanks to our guest, Deirdre and John, fortaking the time to share their expertise.
But above all, thanks to you.
You've taken the time to spendwith us and we're glad you did.
I'm your host, Jim Love David Shipleywill be back with the cybersecurity news
on Monday morning, and I'll be back inthe news chair on Wednesday morning.
(50:38):
Stay safe and above all.
Enjoy your weekend.
Hug your loved ones.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.