DINA TEMPLE-RASTON, HOST:
Do you remember what the subject line was on the email that you double-clicked on?
MAVIS: Not exactly verbatim, but it had to do with a document for our records.
KAREN DUFFIN, HOST:
This is Mavis (ph). She is a supervisor at her company. And we're only using her first name in this story for reasons that will become very clear in a minute.
TEMPLE-RASTON: And that email she got was from someone she actually knew, but it seemed a little off.
MAVIS: And I replied to the email. And I said, are you sure this was meant for me? And it came back and said, oh, yes, it's for you. And that's when I clicked on the email.
TEMPLE-RASTON: Wow. What did it look like?
MAVIS: It really had nothing to do with the type of documents that I deal with. So right away, it was like, oh, this is, you know, odd. And I never really thought anything of it.
DUFFIN: Then, a few days later, Mavis was in her sent box looking for another email. And that's when she saw it. Her computer, all on its own, sending out emails.
MAVIS: And you're just seeing sent, sent, sent, sent, sent, sent, sent, sent, sent, sent, sent, sent, sent. And then, right there, it was like, crap.
TEMPLE-RASTON: And not just because she realized she'd made a mistake, but because she knows breaking into her particular account is incredibly serious. She's not only a supervisor, she's a supervisor at a financial services company.
MAVIS: I thought for sure I was going to get fired. Yeah, no. Hands down.
DUFFIN: Mavis knew her account was a hacker's dream - a mother lode of Social Security numbers, banking information, retirement accounts, with bank statements and wiring instructions helpfully attached.
TEMPLE-RASTON: And she was just thinking, how could I have made such a dumb mistake?
MAVIS: And then you think of the time and the money that your company ends up having to spend because of something that you did.
DUFFIN: It feels awful to be the person who did something like that, but all kinds of companies are going through this right now.
DUFFIN: Those were Chinese hackers.
DUFFIN: They were hacking into cash registers.
TEMPLE-RASTON: The Democratic National Committee.
DUFFIN: Da (ph). That one was also phishing.
TEMPLE-RASTON: There are so many hacks so often, at this point, it may feel like there's no way to stop it.
DUFFIN: But there is a ray of hope. It's a little old-fashioned and very low-tech - about as low-tech as you can get.
TEMPLE-RASTON: It's been around for hundreds of years.
(SOUNDBITE OF SACHA JAMES COLLISSON AND VANCE WESTLAKE SONG, "BRING THE ROOF DOWN")
TEMPLE-RASTON: Hello, and welcome to PLANET MONEY. I'm Dina Temple-Raston.
DUFFIN: And I'm Karen Duffin. Dina is here with us today reporting this story, but she has covered terrorism and technology for NPR.
TEMPLE-RASTON: And while we've all been searching for some fancy, high-tech solution to all these hacks, this age-old remedy has been sitting in the corner biding its time, just waiting for us to notice.
DUFFIN: Can a dusty, old financial tool solve one of the most modern problems in the world?
TEMPLE-RASTON: Today on the show, we introduce you to a cyber SWAT team...
DUFFIN: And to Mavis' boss...
TEMPLE-RASTON: ...And some friends in Nigeria who urgently require your attention.
(SOUNDBITE OF SACHA JAMES COLLISSON AND VANCE WESTLAKE SONG, "BRING THE ROOF DOWN")
TEMPLE-RASTON: While Mavis was sweating over what she was afraid might have been a hack, her boss, Wendy (ph), was on a business trip, blissfully unaware of how serious this all was until the drive home.
WENDY: I got a phone call from a very important business partner of ours. And, you know, they're unhappy.
DUFFIN: The phone call was from one of the company's big clients. And they told Wendy, we just got this really weird email from Mavis.
TEMPLE-RASTON: And they say, we've been hacked before using an email that looks a lot like this. Any chance you guys got hacked?
WENDY: Oh, my. This is big. It made me shake inside.
TEMPLE-RASTON: But Wendy had been preparing for this for a year. She knew exactly what to do.
DUFFIN: Turn to that old-fashioned tool we talked about.
TEMPLE-RASTON: Something a lot more people have been doing lately.
DUFFIN: She pulled a big black binder off the credenza in her office and started flipping through the pages. And she finds a phone number in big block letters and begins to dial.
UNIDENTIFIED PERSON: You have reached the data security event hotline provided by the law firm of Mullen Coughlin.
CHRIS DILENNO: We get a call a day, at least. It's just happening all the time.
(SOUNDBITE OF BEEP)
TEMPLE-RASTON: That's Chris Dilenno (ph), and he's a data privacy lawyer with Mullen Coughlin. And anytime someone calls that hotline, he gets a text on his phone.
DILENNO: It just says, somebody called, and it's got the recording attached to it.
DUFFIN: He is the first responder to hacks like this for a very specific reason.
UNIDENTIFIED PERSON: The initial discussion will be protected by the attorney-client privilege. Thank you, and someone from Mullen Coughlin will be in touch with you shortly.
DUFFIN: Attorney-client privilege.
TEMPLE-RASTON: With a lawyer on the line, you can admit to the most embarrassing parts of the hack without ever being worried it'll get out later if you wind up in court.
DUFFIN: That's kind of genius.
TEMPLE-RASTON: Super genius. And Chris is part of Wendy's secret weapon that we mentioned before.
DUFFIN: Because about a year ago, as if she had foreseen poor Mavis clicking on that fateful email, Wendy had purchased protection, something fairly cutting-edge. She bought cyber insurance.
TEMPLE-RASTON: Now, there's been insurance for computer businesses for a while. Back in the 1990s, you could get insurance for errors in data processing.
DUFFIN: But the Internet introduced a ton of new threats.
TEMPLE-RASTON: It got so bad, there was even a big turning point. In 2003, the California Security Breach Information Act made it so if a company got hacked, they couldn't keep it secret anymore. They had to notify residents if their information was stolen.
DUFFIN: Which is how this started to get really expensive, not just because having to admit to a hack might provoke lawsuits or PR problems. Also, just the cost of telling everyone - not to mention maybe having to fund credit reports or some other remedy to make amends. That all starts to add up.
TEMPLE-RASTON: Which is where insurance comes in. It protects you against the unforeseen, whether it's a home invasion, health problems or even a hack. You pay a little now so you don't get stuck with a big bill later. Cyber insurance has become the new, new thing.
DUFFIN: Across the country, insurance brokers are now selling literally thousands of cyber policies every single day. And what companies get for their money are people like this lawyer Chris and this guy.
DEVON ACKERMAN: I lead two of our incident response teams for North America.
TEMPLE-RASTON: Incident response team - that's like a SWAT team for cyber?
ACKERMAN: (Laughter) You certainly could think of it like that. Yes, ma'am.
TEMPLE-RASTON: This is Devon Ackerman. He works with a private company called Kroll Cyber Risk. And he used to be an FBI agent, and he was chasing hackers for the feds. Think "CSI," but inside a computer.
DUFFIN: To keep that sweet, sweet attorney-client privilege intact, Chris, the lawyer, conferences in Devon, the former FBI guy, with Wendy, Mavis' boss.
TEMPLE-RASTON: Sounded like an emergency call.
WENDY: It sounded like an emergency call, and that's the way that they treated it.
TEMPLE-RASTON: Devon goes to the crime scene, Mavis' email account, and he starts investigating.
ACKERMAN: And what we look for are kind of what I would equate to the fingerprints of the actor or the bad guy when they're in the account.
DUFFIN: Step one you can think of as essentially dusting for digital fingerprints. Devon finds a foreign IP address from Lagos, Nigeria, in Mavis' account.
ACKERMAN: We then realized that we had unauthorized access we could confirm on the account for about a period of four days.
DUFFIN: A hacker in your account for four days is a really long time in a phishing attack like this one.
TEMPLE-RASTON: And this is what he could do with four luxurious days in her account.
DUFFIN: Rifle through it in search of gold. And he did this in a very simple way. Just type into the search window at the top of the email account...
ACKERMAN: Payment, wiring instructions, wire transfer and a host of other financially related search terms.
DUFFIN: OK. We've got the motive - check.
TEMPLE-RASTON: As the emails he wanted came in, he routed them to a folder she never used called an RSS feed.
DUFFIN: Wait; is this, like, a folder that all Outlook accounts have?
TEMPLE-RASTON: They do.
DUFFIN: All right.
TEMPLE-RASTON: If you look under your sent pane there, it's right there.
DUFFIN: Oh, I have one.
TEMPLE-RASTON: Yes, we all do.
DUFFIN: I honestly had no idea it was in there.
TEMPLE-RASTON: Nobody uses it.
So he replies, pretending to be Mavis. And he basically says, our routing number has changed. Please send it to this bank account instead. But lucky for Mavis, no one fell for it.
DUFFIN: So, like, A for effort, Nigerian hacker.
DUFFIN: But you get zero cash.
TEMPLE-RASTON: Zero cash, exactly.
TEMPLE-RASTON: On his way out the door, though, the hacker sent out a parting gift. Actually, there were a whole bunch of parting gifts.
ACKERMAN: Something we call burning the account, where they send out spam emails, and they move away from the account, and they don't come back.
TEMPLE-RASTON: The sent, sent, sent, sent thing that Mavis saw when she realized what had happened - that wasn't the hacker coming in. That was him going out.
DUFFIN: Those thousands of emails that he sent on his way out the door were the hacker cordially inviting Mavis' entire contact list to click on a link.
TEMPLE-RASTON: XOXO, Mavis.
DUFFIN: It's very sweet.
TEMPLE-RASTON: So this investigation is over. And insurance helped them through that phase by paying for people like Devon and Chris.
DUFFIN: The next step is preventing the next hack. And this new cyber insurance helped them do that, too, but in a way that's not as obvious.
TEMPLE-RASTON: Look; hackers gonna hack. We can't stop that. But there are two sides to every relationship, the hackers and the Mavises. What Wendy and her insurance policy can do is focus on the Mavises.
DUFFIN: Here's the lawyer, Chris, again.
DILENNO: Getting an insurance policy that covers cyber requires you to ask some hard questions about your data security knowledge, and that has to make you want to change your behavior.
TEMPLE-RASTON: Change your behavior - that's the other thing insurance helps you do.
DUFFIN: I always thought insurance was just about, you know, risk-pooling, actuarial tables. But it's really about behavior.
TEMPLE-RASTON: And changing it. Insurance sets up this very simple mechanism. You want to take risks? Then you pay more for your insurance.
DUFFIN: You want a discount? Then you better shape up.
TEMPLE-RASTON: And they offer the most effective motivation known to man.
DUFFIN: I assume you're talking about a mother's love.
TEMPLE-RASTON: Well, no. Even more than that - money.
DUFFIN: Sorry, Mom.
So if you want to get a lower cost on your homeowner's policy, you have to install a home security system.
TEMPLE-RASTON: If you quit smoking, great, here's a discount on your health care premium.
TEMPLE-RASTON: It's all motivation. I was with Wendy when she got a motivational email from her insurance provider.
WENDY: I emailed our agent this morning because I hadn't heard anything. Knowing that we are - ah, AIG quoted the renewal with limits with a 66 percent increase and increased the retention from 10,000 to 25,000. Ew, that's the deductible.
TEMPLE-RASTON: Increasing your premium by 66 percent and more than doubling your deductible - that motivates change.
DUFFIN: Now Wendy has her motivation. Time to pass it on to the employees. She puts her whole company through a cyber workout. Her program may sound familiar. It included the reliable standby - mandatory workshops.
TEMPLE-RASTON: No bagels.
DUFFIN: No bagels?
WENDY: We bring our employees together, and we talk about security.
TEMPLE-RASTON: It included the obvious.
WENDY: This is what you look for. Check the URL.
DUFFIN: Followed by the more obvious.
WENDY: And if you aren't absolutely sure, absolutely don't click on it.
TEMPLE-RASTON: Also, basic office hygiene.
WENDY: Our desks are clean. We don't leave data laying around.
DUFFIN: And if all of that doesn't work, there's always fear.
WENDY: You know, there's consequences out there, and we know it.
TEMPLE-RASTON: Do you think the behavior company-wide has changed? Do you think if a phishing email got into their mailboxes, they'd double-click?
WENDY: Our behavior has changed internally because people are more aware. They know that it can happen to anybody at any time. And they're more cautious.
DUFFIN: Wendy was able to convince a new insurance company that her new training program actually worked. She got a new policy with more coverage, but for less money.
TEMPLE-RASTON: Not to second-guess Wendy or her new insurance company, but I couldn't help but wonder, have they really changed? Have they really?
DUFFIN: You're so cynical, Dina.
TEMPLE-RASTON: I am a little cynical, so I decided to run a kind of cyber fire drill to, essentially, test the carbon units.
DUFFIN: Test Wendy's employees.
TEMPLE-RASTON: Exactly. So I called up my old pal, the investigator Devon, to see if he could help me with a little phishing expedition.
DUFFIN: Devon runs these kinds of tests for clients all the time. He artisanally crafts emails with a specific company in mind.
TEMPLE-RASTON: Like, if he was going to phish NPR, it might say, click here for free tote bags. For Wendy's company, it was financial. In fact, it looked a lot like the original email that fooled Mavis in the first place.
DUFFIN: He wants the emails to look really close to something that you would actually get.
TEMPLE-RASTON: I know that sometimes what happens is they slightly misspell a word. Like, let's say one of my clients is AIG Insurance. It'll be two Is, so it'll say, AIIG Insurance. Is it something like that?
ACKERMAN: You're very good at this.
TEMPLE-RASTON: So Devon launched his sting operation.
DUFFIN: Here at PLANET MONEY, we're calling it Operation Mavis.
DUFFIN: We told Wendy it was going to happen, but she didn't tell her employees.
(SOUNDBITE OF PHONE RINGING)
TEMPLE-RASTON: Hey, Wendy. It's Dina. How are you?
WENDY: Hey. I'm good. I'm waiting to hear.
TEMPLE-RASTON: Well, I've got Devon on the line so that he can tell you himself.
ACKERMAN: We phished your users two days ago.
WENDY: How many users?
ACKERMAN: We fished 109 users, and we had five users open the phishing email. We had one of those five users click the link in the email and continue to the phishing website.
TEMPLE-RASTON: In other words, they put in their name and password.
ACKERMAN: That is correct.
WENDY: That's not good.
TEMPLE-RASTON: So maybe things haven't changed as much as they thought. But then, Wendy surprised us.
WENDY: But I already know who it is. They self-reported.
WENDY: Yep. I got an email in our human resources inbox with a copy of the email from the person saying, I shouldn't have done this. I clicked. I put in my info, so I called our IT team, and I had them scan my computer.
TEMPLE-RASTON: One person clicked. Now, that might not sound like much progress, but any hacker will tell you the difference between someone alerting IT right away and, in Mavis' case, waiting four days - well, that's an eternity.
DUFFIN: There's a huge difference between, say, calling 911 minutes after a heart attack and calling 911 four days later.
TEMPLE-RASTON: So the training worked, and Wendy is paying less for her insurance coverage.
DUFFIN: The impact of a cold, hard insurance policy is actually a very human thing. It creates a system in which what I do affects you.
TEMPLE-RASTON: It whispers, we're all in this together.
DUFFIN: And in doing so, it becomes a powerful force pushing the world toward safety, good decisions.
TEMPLE-RASTON: Maybe even fewer hacks.
DUFFIN: It is so valuable, but yet, so unnoticed.
TEMPLE-RASTON: You just got a little mushy about insurance, I think.
DUFFIN: I did. It deserves it.
TEMPLE-RASTON: (Laughter) It's a beautiful thing. And that's great. Nice work, Wendy.
DUFFIN: But did Operation Mavis catch Mavis?
TEMPLE-RASTON: Oh, good. Good. OK.
WENDY: No, it was not. People are getting smarter. There's a conscious decision that has to be made. You can have all kinds of these things that you put in place, which we've done. But in the end, it's the people that have to make those choices. And we're relying on them to make good choices.
(SOUNDBITE OF FLORIAN GAZAN AND FREDERIC AUGER SONG, "CROISETTE BALADE")
DUFFIN: If you have a phishing mishap to confess, we are on Instagram, Twitter, Facebook. We are @planetmoney. Or you can email us at firstname.lastname@example.org.
TEMPLE-RASTON: Today's show was produced by Darian Woods and Sally Helm. Our editor is Bryant Urstadt. And our supervising producer is Alex Goldmark.
DUFFIN: We would like to give a very big thanks to Dina for reporting this for us and to tell you to stay tuned for her upcoming radio specials on technology. They will run on NPR.
TEMPLE-RASTON: I'm Dina Temple-Raston.
DUFFIN: I'm Karen Duffin. Thanks for listening.
(SOUNDBITE OF FLORIAN GAZAN AND FREDERIC AUGER SONG, "BAISER FATAL")
DUFFIN: Wait; do all Outlook accounts have an RSS folder?
TEMPLE-RASTON: They do. You just don't notice them.
DUFFIN: OK. Wait; I have to look.
TEMPLE-RASTON: They're under sent.
DUFFIN: Oh, wow. Wowsers.
DUFFIN: Oh, wow. Holy moly. Say that again.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.