Why Many Companies Fall Victim to Hackers & What You Can Do To Avoid It
Can you believe that every 40 seconds a business is hit by a ransomware attack? Without the proper security in place, your organization is vulnerable to cyber criminals.
Transcription
TOM: Today we’re going to talk about how not to be a victim, or how to make your business not be a victim of a hacking attack. And I know this is what we talk about each and every single time, but as I was talking about during the intro there with the diving sequence, the underwater sequence, we’re going to put a fine point on just one of those things that frustrates me to no end. It’s when we onboard new clients and we have to convince them that they need to spend money on security awareness training.
Even though I’ve said it so many times I’m sick of hearing myself say it, if I only had the budget for one thing, what do I buy? Continuous cybersecurity awareness training. That’s what you get. If you only have the money for one thing. Now, there’s a second part of that. You do have to establish a security-first environment. That doesn’t really cost anything but time. That’s more of leadership and coaching. But that security awareness training dovetails and goes hand in hand with that security-first environment culture that I know all of you want to establish in your organization because you need to. You have to. It needs to be just as established as locking the office door at 5:00 or 6:00, whenever you guys close up. And no one has keys except who’s authorized. All cybersecurity should be just that way. That’s the way your culture should be. It should be so obvious to everybody in your organization.
You can talk about it all you want to, but if you’re not providing that continuous cybersecurity training, you’re never going to get to a really good security environment. I don’t care how much more money you throw at it. We’ve got some stuff that’s super expensive, and if you buy everything we’ve got, like we use – we don’t even use everything. There’s some things that just aren’t suitable. But even if you were to buy everything we’ve got, if you don’t do continuous cybersecurity awareness training – and I know I’m beating this dead horse – you’re leaving a very, very big gap. I’m going to illustrate that with some movies later on in the Deeper Dive here.
All right, let’s move on, quit beating a dead horse. Why is cybersecurity awareness training so important? Over 90% of successful attacks are because of insider manipulation. They’ve been conned. They’ve been scammed. Over 90% of successful attacks are successful because someone on the inside allowed the hacker to get in and establish at least a foothold. Over 90%. If you get continuous cybersecurity awareness training, you’ll drop that in half. Then we’ll worry about the other layers.
But these are nothing more than scams and cons. With technology, with emails and instant messaging and modern-day phone technologies, it is so easy for anyone in the world to conduct a con, to conduct a scam, a confidence scheme that has been around thousands and thousands of years. This technology, this internet, just allows people to do it at scale. You’ve heard me talk about criminal syndicates and nation-states and all of this. All of this is done at scale now, but when it comes to manipulating human beings, the social engineering as we call it in the IT world, it’s nothing more than a confidence scheme or a con job that’s been around thousands of years, just using new technology.
When fax machines were invented, that was the whole origin of the Nigerian 419 scam. “You’ve inherited a lot of money. There was a plane crash with a Colonel Kirkham,” or whatever the one I got 20-30 years ago was. “Oh, there’s a Kirkham who died.” Guess what? I looked it up on the internet, and sure enough, there was a Kirkham who died in a plane crash in Africa. They used authority. They did spear phishing. And it was over a fax. I thought I had $12 million coming. Of course, I have to give 20% to the council, or the barrister or the attorney. But that’s all it took. I’d give 20% of $12 million to get whatever that is, $9-something million, or $10 million, whatever it is.
Every single person – because everybody’s vulnerable to a con job. Every single person on the Earth is vulnerable to con jobs. It just depends on the talent of the con artist. It doesn’t depend on the technology. That’s just a transportation deal. But every single person in your organization – could be Mark or Patsy – could be a victim. That’s what it basically boils down to. When you’re thinking “How do I get a security-first environment?”, remember not to exclude anybody on your network, including yourself.
Or some of you may have an owner and you’re the head guy except for the owner, or you’re the managing partner except for the other partners, or you’re the utility manager except for the mayor. You’re the boss of your subdomain, but you’ve got somebody else that’s on your network. Anyone else on your network has to get the security awareness training because otherwise, that’s a weak link. Without the security awareness training, all the rest of the people don’t matter. So you want to make sure you create a security-first environment.
Let’s move on to the next one. Let’s look at some of these vectors. This is a part that I struggled with when we did a run-through, but these are different scam vectors, of which there are dozens and dozens and dozens out there. The first is vishing. Vishing is just a fancy way of using the phone to scam somebody. You call somebody up, you’re doing a 1:1 scam. Maybe it’s somebody you learned about. You know they bank at Citi and you call them up and impersonate Citibank saying, “Hey, we’ve got a security breach on your account.”
These days, with this new phone technology, this voice over IP, it’s really easy for someone like me to set up an entire elaborate automated voice system that outbound dials at scale. Maybe I’ve bought a list of Citibank customers off the Dark Web. It has all the phone numbers in it, and I paid $10, or I paid a premium just because it’s got their name and phone number. I just plug it into a computer program and it outbound dials with this automated system. It says, “Hey, you’ve become a victim of personal identity theft” or whatever it may be. “Dial this number right away.” I create some urgency.
They dial the number and it goes into an automated system. “Press 2 if we’ve contacted you as a victim of a data breach. Press 1 for checking, press 2 for this,” whatever. I can do all this stuff cheap. Cheap, cheap, cheap. So I’m building this at scale. Then they call through and I’ve got a human being on the end. Maybe me, maybe somebody else, maybe one of my cohorts, my fellow con artists, a member of the team. So vishing is using interactive voice responders or traditional automated attendants and voice over IP to scale up conning people.
Phishing is similar, but it is using emails, typically. An email comes in that looks like it’s from Citibank and says there’s been a breach on your account. “Click here.” They conveniently provided me with a link to click through to my Citibank. I sign in, and guess what? It’s a fraudulent webpage. It looks legit. I know that I’ve built fake bank websites. Sitting in the audience, while I’m being introduced to do a seminar, I have downloaded an entire bank website to my laptop, and it’s an exact copy of the real bank’s website. All I’ve got to do is manipulate the link that’s in the email that sends them there and I start capturing all their login information. That’s one of the things you can do with phishing. Another one is you can do a file attachment, Excel spreadsheet that’s got a ransomware attack on it.
So phishing is sending out emails like that at scale. I’m sending out hundreds, maybe tens of thousands, hundreds of thousands, maybe tens of millions depending on what Mark’s profile is or Patsy’s profile is and what my objective is and my overall financial strategy. Am I only going after people that have $100,000 to pay ransom, or am I going to be perfectly happy with getting $100 ransoms? That all works into a big phishing scalable attack.
Now, spear phishing is a targeted attack that uses opensource intelligence. What do I mean by opensource intelligence? You’ve heard of opensource software, right? The opposition is closed source software. The software you buy off the shelf, generally speaking, like Microsoft Word, Microsoft Windows, Mac OS, those are closed source software. That means no one can see the source code, the actual code that goes into making Windows run or Word run or Excel run or whatever. It’s closed source.
Opensource means the source code of the software is available for download and modification and review for security and things like that. Well, the same thing with intelligence gathering from a hacker perspective. What is public about IronTech Security that is opensource? A perfect example of that is we get a new employee. We’ve hired three people in the last couple of weeks, I think. Invariably, within 30 days, almost without exception – it might be 60 days, but almost without exception, they get a spear phish.
This is a phishing email that is directly targeted to IronTech. Why is that? IronTech has got a big, big target on its back because we are in the information security business and we protect our clients. So if someone can find a way to get into our organization, they can probably get into our client organizations, or at least it’s an entry point. It’s an attack vector that they might be able to exploit.
Of course we’ve got multiple layers around everything, and it’s not even that easy in our case, and most security companies. But anybody can be hacked, no matter who you are. If the NSA can be hacked, you can be hacked.
But the spear phishing attacks look at LinkedIn and go, “Oh, IronTech’s got a new employee.” They look at their title and they can probably figure out who they work for, whether it’s me or the president or Kindsey or whoever it may be, and then they craft an email. Maybe it looks like it’s from Kindsey and it goes to a new marketing person and says, “Hey, I need some Apple gift cards for a webinar that we’re doing. Go buy me 10 Apple gift cards at Sam’s and email me back all the numbers off of them” – which means you don’t need to have the actual card, you just need the number to redeem it.
Sometimes they come close to failing. That’s why our own people get – the very, very first thing they get is cybersecurity awareness training. We can go through all the other stuff about coaching them on protecting client information and don’t talk about this with your family, your spouse, or anybody else. This is what we do. We don’t even talk about who our clients are very often because that’s just puts another target on them. If we publish who all of our clients are, that makes them a target. One of the ways they can get to them is through us. So depending on the client, we’re very careful about that.
That’s what the difference between spear phishing and phishing is. Spear phishing is done after using intelligence. Oh, get this. A regular phishing attack has about a 5% success rate. If you do spear phishing – and this depends on the quality and the amount of opensource intelligence you’ve gathered, but on average, spear phishing attacks are 50% effective. Think about that. You’ve got a decent size law firm on this call, you’ve got a decent size water utility on this call, you could be a victim of spear phishing.
And let’s not forget that you can still do spear phishing at scale. You can carefully craft and carefully word an email that might be – there’s 160,000 water utilities out there, the vast majority of which are very small. But you can carefully craft an email that looks like it’s legit and still be a spear phishing attack. You’ve just got to read the industry news. What’s the latest thing that came out? You could craft one very easily about an industrial control system – forgive me, but I can’t remember what manufacturers you guys commonly use.
Let’s say it’s a Siemens SCADA device. You could very easily craft a spear phishing to all the water utilities that has to do with an alert notice that says, “Hey, this is Siemens. We understand you have a Siemens ICS in your organization. Click here to learn more about a vulnerability that the FBI has found.” I could easily see that happening. If it hasn’t happened already, it will. Write it down, “Tom said it on this day, December 8th, 2020.” I said it. It’ll happen. They are going to do spear phishing at scale. It doesn’t matter if you’re in law or accounting or whatever you’re in. You can craft even spear phishes at scale.
What is water holing? Water holing is another social engineering deal. It’s a strategy. Some of these are all interrelated. A water hole is a scam that capitalizes on the trust users have in websites they regularly visit. If you go to weather.com – and it’s been compromised. CNN.com has been compromised. All of these sites, anything you could think of, New York Times, all of these big, big, big sites have been compromised.
You go to weather.com, you’re just looking for the weather, and all of a sudden there’s a pop-up that says your computer has a virus. It’s not weather.com’s problem that they’re feeding a pop-up. It’s usually from their advertising channels. That’s the way those get in there. They’ve done a lot better job of cleaning that up. But that’s a scam. Microsoft is not monitoring your computer. Apple is not monitoring your computer for viruses. It’s a scam. But it looks legit. And because it’s already on a website that you trust, you’re more apt to believe in it.
Imagine if you combine some of these things. You combine things like baiting – I’m going to talk a little bit more about scams on top of scams and within scams and outside of scams that all leverage and dovetail in with each other. It’s just mind-boggling how these people use technology to do the same thing that’s been going on for thousands and thousands of years. Let’s talk about baiting. I got off on a tirade there.
There’s two theories on the Stuxnet Iran nuclear centrifuge deal 10 or 15 years ago when the attack occurred. The U.S. and Israel, through their cyber warfare arms, put a worm on the centrifuge network they use to refine the plutonium for nuclear weapons in Iran. It was air gapped. These control systems, this whole facility, there was no way to connect to the internet, period. So they couldn’t go in through traditional means, just hack their way through firewalls and intrusion detection systems and all of that.
They decided they had to use physical media to get the worm, the trojan, inside the facility. So baiting is taking something like a CD-ROM – which is dead these days, but USB flash drives are still being used, and one of the theories is that USB flash drives were scattered in the parking lot of the facility. One of the workers there was curious and plugged it into a computer when he logged in, and that let loose the worm that Israel and the United States created to sabotage the centrifuges.
That’s what baiting is. It’s like, “I wonder what’s on this CD-ROM.” One way to socially engineer and get my worm into, say, Citibank, is to drop a USB in the elevator of their headquarters in New York – I think it’s New York, pretty sure. And it’s got handwritten with a sharpie on it, “Executive salary worksheet.” Maybe I put it in two or three elevators and just leave. As soon as that’s plugged in somewhere, I’ve got access to the computer. That’s what baiting is. You give them something curious that they want to look at.
Quid pro quo. A very good example of that is using vishing and figuring out a list to call – it’s going to be larger companies. We’ve tried this before. We haven’t done it in quite a while, but we need to. You can call up people and say, “Hey, this is Tom with technical support. I understand you’re having a problem.” “Oh, I didn’t call you.” It doesn’t take too many of those calls before you finally find somebody who says they’ve been waiting all day on your call, and they’re happy to take it. They are going to give up control of their computer so you can fix the problem they’ve been having, but you didn’t even know they had a problem. You’re just doing the log numbers and you’re doing this at scale using modern day technology.
And perhaps the best way to wrap all of these things up is pretexting. No, I’m not talking about texting messages out of a phone. What I’m talking about is establishing context. In that quid pro quo example, I’m taking advantage of the fact that larger companies don’t know who the employee is that needs support and they don’t know who the person from support is calling. I’m also relying on the fact that most of them are going to have very poor security wrapped around the voice.
When I call up and I say, “I understand you’re having a technical support problem,” I’m using the assumption that somebody I’m going to talk to is having a support issue on their computer, so I’m establishing a context for the phone call. Once I get that person, I’ve got a gold mine. That’s what pretexting is. You can do it with water holing, with spear phishing absolutely. Spear phishing, if you just leave that email with somebody that’s new – “I know you’ve only been here a month, but we need to talk about this” or “I need you to do this” – that pretexting is establishing the context. You’re laying the foundation for the con to come and make it more believable, to establish authority.
These are the things that continuous cybersecurity awareness training will get you and your people, and it’ll make their personal lives much, much safer as well.
You want to learn more about this? Because I’m just scratching the surface. Here’s the easy way. We’ve got a hard way and an easy way. This is the easy way. Watch some movies. These are some of my favorites.
Sneakers. Robert Redford, Dan Aykroyd, Ben Kingsley, Mary McDonnell – you don’t know the name, but you’ll remember seeing her face – River Phoenix. This is one of his movies. I think he’s dead now. Sidney Poitier was in this movie, and then David Strathairn. It’s a movie about hackers. These guys were actually pen testers, penetration testing. That’s what they did. People paid them money to hack into their stuff, and they’d come in and tell them “Here’s where all your problems are.”
They don’t pay pen testers to fix the problems. They just say, “Here’s where our problems are,” and they pay a lot of money for that. That’s why we don’t do penetration testing because it’s a conflict of interest with us. But that’s what that movie is all about, and it’s from the early ’80s. It opens up with them socially engineering a bank and him withdrawing I think $100,000. He withdraws that money from the counter and then immediately walks upstairs to the executives’ offices, where they’re all waiting on him, spins the briefcase around, “Here’s $100,000 I just stole from your bank. A report will be coming. Where’s my check?”
That’s it. That’s what pen testing does. He was able to steal $100,000 from the bank using social engineering and other hacking methods. It’s a great movie.
Leverage. This is a TV series that most people never heard of. I think it was on TNT, but it’s probably on Netflix or Amazon now. All five of those people you see there are the main stars. Timothy Hutton. He’s an Academy Award winning actor. You may remember the movie – I think Red is where he won his Academy Award. At any rate, these are all different con artists and they have different specialties. You’ve got to have a grease man, and you’ve got to have Miss Daisy and all these different – Leon Spinks. You’ve got to have all these different characters to play certain roles to meet certain objectives in the overall con.
Leverage does this, and they’re the bad guys cheating the good guys. No, they’re the good guys cheating the bad guys, but they were bad guys. Anyway, it’s like criminals with a conscience or something. It’s not going to win any Emmy Awards, but every episode there’s always different things you can learn.
The Sting. I don’t care how old you are; if you’ve never watched Robert Redford and Paul Newman, the original Sting – I guess it’s the only Sting. It’s a con on top of a con inside of a con with other side cons the whole time. To this day, it’s still an awesome, awesome movie. And this just goes to show you – this movie is set in the early 1900s. They do use technology. They use the telegram. Morse code. But that’s it. That’s as far as they got.
So remember, these have been going on for thousands and thousands of years. This could’ve easily been done before the telegram was invented. Anyway, you’ve got to watch The Sting. It’s an all-time favorite of mine.
Burn Notice, another one that’s not an Emmy Award – actually, that might’ve been nominated a few times because the acting is pretty good in it, and the writing’s pretty good. I’d say it’s probably better than Leverage. A burn notice is what an ex-CIA agent gets when he’s been outed or disavowed. The whole pretense of this is the head guy there – Michael is the character name – got a burn notice overseas and he was in the middle of a job, and he’s on his own. He’s probably outed. He’s been cut off, no money. So the whole thing is about him getting paybacks every episode. I think it ran for about 7 seasons.
This one is much more up-to-date. Mr. Robot. It was a collaboration between Amazon and USA Network. If you do nothing but go watch the first 6 minutes of the very first episode, you’ll learn everything you need to know. This is a mixture of bitcoin and hacking and society and psychological manipulation. Much more than just social engineering and con jobs. It’s on all sorts of different levels. It’s a great one to learn about.
But of course, my all-time favorite is all of the Ocean’s 11 movies. I’m talking about all five. I’m not a big fan of the first one. I don’t like the fact that the money gets burned up. The Frank Sinatra, Sammy Davis Jr., Dean Martin, Peter Lawford. The first one. I’m not a big fan of that because they lose the money. And I gave it away. I don’t care.
The next one, with Pitt and Clooney and Carl Reiner, Bernie Mac, Damon, all these other stars, that’s where it gets good. That’s where it gets better. But all the rest of them. Even Ocean’s 8 with Sandra Bullock. Cons and social engineering and then regular hacking is all done throughout those.
Some of the technical stuff you see in movies is not accurate. We really can’t do what they say you can do. And some of the technical stuff inside of the Ocean’s movies is like that. But the social engineering things, those are based on real-life things. That spiel I had about we’ve got to have an Ella Fitzgerald, we’ve got to have a Miss Daisy, we’ve got to have a grease man – that’s referred to in the second origin Ocean’s 11. Some of those are actually made up, but some of those refer to real-life cons. I think in Ocean’s 12, they start naming off the whole con job. Bun in the Oven is the name of one, a Looky-Loo is the name of one. That’s the scene when they’re – at any rate, any of the Ocean’s movies are entertaining.
Let’s get back to business here. Besides cybersecurity awareness training, you’ve got to have other layers. That’s not the be all, end all, but if it’s all you’ve got the money for, do that first. But budget money for multiple layers. Spam filtering, password manager, these things.
The two most important other than security awareness, which you know, is get an EDR, not an AV. I’ve beat this into the ground many, many times. EDR goes by multiple names. It may be referred to as MDR. We’re starting to see EPP. I’ve even seen MeDR. These are all basically the same thing. I can go through the technical discussion of it if you’re interested, but the main thing is not to have an antivirus nor an EDR, MDR, EPP from an antivirus vendor. That’s not best of breed. If you can buy it off the shelf at Best Buy, it is not going to have a true EDR in it, or it’s going to be crappy.
The reason for it is AV only works on signatures. There are no virus signatures in a ransomware attack, and that’s the most likely thing that’s going to affect you. That’s your number one priority, defending against ransomware attacks, and AV will not do it. Period. It hasn’t been successful against ransomware attacks in probably 10 years, but especially in the last 4. Another reason is AV doesn’t use artificial intelligence or machine learning, so it doesn’t get any better. It’s just dumb software.
Above all else, if you get EDR, especially from us or anybody, it’s got to be human monitored. You’ve got to have those human beings. Those human beings have to be there to detect anomalies or to take an automatic notice and then really look into it, or to take a virus warning and really look into it. You’ve got to assess. It’s not over if an EDR traps a virus and kills it and that’s it. You’ve still got to have human beings because it could be a multiple payload or it could be doing lateral movement throughout the whole network. You’ve still got to have human beings looking at that as soon as possible. So no matter what, it has to be monitored by human beings.
Finally, the third thing on the three things y’all should have is monitored backup and disaster recovery. Once again, backup and/or disaster recovery plans have to be monitored to make sure they’re going to be there when you need them. And even then, it’s not 100%. It’s much less common now since we don’t use things like tapes and external drives. We’re backing up to the cloud. But it wasn’t that uncommon back in the tape backup days that you could test your tapes restore mechanism nine ways to Sunday, but when you actually needed the backup, tapes are fragile. You didn’t know the next time you cranked it up if the tape was going to work. Tapes were horrible, so you had to continuously test it, and even then, you weren’t 100% sure.
That’s a lot less now. Now we know if we crank up a virtual machine every morning, we’re pretty much assured it’s going to work when we need it. We’re not relying on that physical deal. It’s all 1s and 0s instead of a magnetic head going across a quickly moving tape. It’s like the difference between a streamed movie versus a VHS tape, basically. VHS tapes look like crap compared to downloading a movie on Amazon or popping a CD-ROM in, even.
But it’s got to be checked every day, both automatically and human beings have to lay eyes on it, and they have to mitigate and respond if there’s a problem. Say you outsourced your IT company and they put your backup in place. If you’re not paying them to monitor the backup, you don’t have a backup. You’ve got a wing and a prayer. You’ve got to pay for that monitoring so it’ll be there. Or you’re ensuring, you’re betting it’s going to be there. If you’ve done the risk analysis and that extra, I don’t know, $5 a month, you’ve dramatically lowered the likelihood that that backup is going to fail when you need it.
I’ve been doing this a little bit lately because, going back to the myths, everybody thinks this stuff’s too expensive. This is just a sample. Say you’re a small, small organization. You’ve only got 3 computers that need protecting. You have no industrial control systems. That’s it. This is just a sample price. I think more often than not, if that’s all you’ve got, it’d probably be less than $99 for all 3 of them. That’s $99 a month to really dramatically, dramatically decrease the likelihood that you’re going to be a victim of a hacking attack.
I am amazed at the number of organizations that won’t hesitate to spend $1,000 a year or $5,000 a year on a cybersecurity insurance policy, but they won’t invest $600 a year to keep from having to use it. Because it’s the easy way out. The last thing you want to do is use your car insurance or your homeowner’s insurance. I’m going to get my bad wiring fixed in my house. I’m not going to not get it fixed because I’ve got homeowner’s insurance that’ll pay me back – although I’ve thought about it sometimes in other houses. [laughs] But I’m going to get the wiring fixed. I’m not going to say, “I don’t need to fix the wiring because I’ve got fire insurance.” You’re not going to do that.
You’ve got to treat cybersecurity the same way. You don’t let anybody get behind the wheel of a car that doesn’t know how to drive. You don’t go driving like a crazy idiot because you’ve got car insurance. You’ve got to look at cybersecurity the same way. The last thing you want to do is to have to pick up the phone and call an insurance company, especially a cyber insurance company, because believe me, they put so many loopholes in there these days that they’re expecting not to have to pay out.
So you need to get good security and then you need to go back to them and say, “Do I get a discount because I’ve implemented this advanced security stuff?”
All right, got to end the show because I’ve gone over a few minutes, I think, Kindsey. But anyway, call us and get a security assessment set up. We’re getting booked more and more and more, so the sooner you do that, the better. It’s only $495. There’s the phone number. There’s Kindsey’s email. Kindsey’s probably going to drop the – yep, there’s the security assessment link. If you haven’t gotten one, I encourage you to get signed up for one and get it on your calendar. You can take this information, by the way, give it to your IT guy, go hire somebody else. I don’t care.
There is value in this. We’re going to help you identify what needs to be protected. We’re going to look at what’s your most likely threat from. Is it a nation-state, is it criminal syndicates, is it a lone wolf, or is it negligent insiders, non-malicious insiders? We’re going to assess all that, determine what needs to be protected, and then we’re going to lay out a plan, say “Here’s what you need and here’s what it’s going to cost.” You can take that and do whatever you want to with it. It’s a bargain for $495.
And we’ve got another one that we charge $2,000 for. We can go in and do a lot more active scanning. If you’re interested in that, let us know, too. But at any rate, get on the calendar if you possibly can. It’s worth every penny. No obligation whatsoever, and if you know anything at all about us, you know how easygoing we are. If you tell us to quit bothering you, we will quit bothering you.
Did I cover everything, Kindsey?
KINDSEY: Yes, you did. It doesn’t look like we have any questions or anything.
TOM: I thought I had a challenge for somebody to give me a question. I’ve got a challenge. Has anyone heard the scam “I’ll tell you where you got them shoes”? Type in yes or no in the chat box. If you’re still with us. Sometimes I think people just get on here for the CLE, the learning credits.
Maybe we ought to put that secret code in there where you can’t get credits. [laughs] Okay, nobody can tell me? Well, I’ll just leave that as a standing question. If anybody can tell me – let me do the setup for you. Let me give you the context, the pretext on this. This really works better in real life than using technology. Actually, the only place I think I’ve ever seen it, and certainly the first place, was in the French Quarter in New Orleans.
Basically, it’s a kid, 10 or 12 or 14 years old. He approaches you on the street corner. He’s sized you up as a mark. He knows you’re a tourist. Number one, you’re on Bourbon Street, so he’s already 95% of the way there. He sizes you up, he makes sure there’s nobody around, and he runs up to you and he says, “Hey, for $10 I’ll tell you where you got them shoes.” You think, “There’s no way he knows I bought these at Shoe Carnival in Fort Smith, Arkansas. This is a no-lose scenario.”
So the standing question is: what is the con? I’ll leave that as a standing question, and the first qualified webinar attendee that gives me the correct answer gets a free security assessment. How’s that?
KINDSEY: There we go.
TOM: There it is. All right, guys, I enjoyed it. Just email Kindsey if you know the answer to that question, or me, firstname.lastname@example.org, and we’ll get you set up on that free security assessment. That’s it for today. Thanks for joining us.
KINDSEY: Thanks, guys.