Tony Sales, co-founder of We Fight Fraud, talks to Johanna Hamilton AMBCS about his career, social engineering and how it’s not hackers but ‘nice people’ who unwittingly hand over the keys to the digital kingdom.

Tony Sales is warm, charming and has a talent for putting people at their ease. It’s easy to believe he’s your friend, made of the same stuff, and to tell him things that perhaps you wouldn’t under normal circumstances. Tony Sales is the perfect salesman. The perfect social engineer. In fact, reverse a few decades and he was making stacks of cash from a life of crime doing just that.

Following two stints in prison, Sales is using his skills in a new direction – to fight the bad guys. Having gone from criminal to a legitimate partnership with Solomon Gilbert (a 23-year-old hacker) and Andy McDonald (chief advisor of WFF and former head of the Metropolitan Police Fraud Squad at New Scotland Yard), he talks about how ‘We Fight Fraud’ is making a difference.

On his poacher turned gamekeeper role, Sales admits: ‘Ex-criminals are the best type of people to have in those sorts of roles. They know the way in and they look at the weaknesses. When I do a speech I say, “hands up all the people in the room that have actually committed a fraud?” Afterwards people will say “I have tried it here” or “I did try this little bit there” and I suppose that that's the point. I didn't just try one or two things. I tried multiple things on multiple occasions. Thousands of times. It's because crime for me was a way of life.

‘I was definitely born in the circumstances of someone that would end up in the life of crime. I have all the factors that most criminals have in their background. But I wanted to be different. You can even relate my crimes to me wanting to change who I am and that's why I committed a lot of identity thefts because I wanted to be someone different.

‘The title of my book is called How I Got Away with Stealing £30 Million, but the conclusion of the book is very different because I didn't really get away with anything. I suffered massively and I went to prison. I kind of had an awakening. I can probably never repay what I've done in lots of people's eyes but I can have a damn good go at it.’

Every company has security vulnerabilities

What has followed is a partnership that has shown big corporations the holes in their security, both technologically and where the human weaknesses are.

You can change your passwords, put up a firewall, create a VPN, back up your data, install antivirus protection, but it won’t stop the nice man who has just phoned for a new password, or the person carrying boxes, who can’t quite reach their pass to get through the front door.

‘All I need is a nice person. A nice person is going to do whatever I want them to do aren't they? There's a million different ways that I could use a nice person.

‘If you've got decent, hard-working, honest people in your team, all they are going to see is decent, hard-working things. They're not going to look with jealousy or at how to steal. Their upbringing has not been about that, they've never had to be a predator. If you don't come from that, it's a very different world.’

The trouble is, nice people expect people to be nice, and criminals are not. Identity fraud is 50% walking the walk. If you walk into a building, say you’re an out-of-town CEO, and know something about the workforce and something about the business, you can be believed. If you’re wearing expensive clothes, shoes, a watch that costs an average person’s yearly salary, you’re halfway there.

‘The whole world has been trained to believe that if I pull up in a limo, that I'm wealthy. So, I've half beat you already because your assumption is what lets you down. Assumptions can lead anywhere. Those same assumptions are what criminals prey on continuously, whether that be online in romance scams: “babe I need to send you some money, my business is closing down”, and now you're involved in money laundering and you didn't even realize it – just because I've been talking to you on a website for six months. “My online boyfriend told me to do it”, “Where is he? Where does he live?” People don't realize this stuff happens on a daily basis.’

Letting an ex-criminal break in

So, moving away from organised crime and into crime in organisations. How does Sales feel walking into a room of bankers? And how do the bankers feel about letting a convicted felon break into their companies?

‘When you turn gamekeeper, sometimes showing these guys can be quite difficult as well because they don't want to hear it. It was a conundrum I had for a while. How do you take an industry that's so set in its ways and tell someone who's been working in a job for 30 years?

‘I think that in the 10 years that I've been working this side I think I've grabbed the industry by the scruff of the neck and actually pulled it into the 21st century. There are so many scams that now everyone talks about. No one was talking about money muling five years ago or ransomware 10 years ago, when I was. I'm not a genius, but I've just been immersed in that world for so long that I can just see what's coming. I’ve been the wolf and most people in the corporate world are sheep.’

Trying the locks

Unauthorised access to networks often occurs not through technical lapses but through human mistakes. Social engineering is one of the biggest threats to network safety – because it’s as simple as clicking a rogue link, answering an email from a bogus CEO or even accepting a payment for an online friend.

Sales and his team are paid to break into companies – any way they can. He goes through a checklist of doors he might try to get in. Doors that are physical as well as metaphorical.

‘So, if you think about invoice fraud and CEO impersonation, you can buy a bot that will learn how you and I talk and it will just monitor us, learn the language we use. How to talk back and impersonate how the CEO talks to their PA. It will convince the PA to send money urgently. And if it’s coming from the CEO, why wouldn’t you?

‘It’s really rare that the digital tester can't break a company digitally. Sometimes, it comes down to social engineering and to human error. So then we see if we can phish them. Then if that gets nowhere, we’ll hit the phones.

‘I'm going to interact with you. Find a name. Most companies are leaking data all over the place and so it's quite easy to pull that from open-source intelligence gathering. Then no matter how good a company is digitally from the outside, there is always a weakness inside.’

Companies are getting wise to phishing scams. They’re installing better identification techniques so phishing attacks don’t get through to the recipients, and large corporations are making ongoing training in security on all fronts compulsory. So how can these threats still occur?
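The ‘identification techniques’ mentioned above are, at their simplest, rules that look at an inbound email the way a suspicious PA should. The following is an added illustration written for this article, not We Fight Fraud’s own tooling: it flags the CEO-impersonation pattern Sales describes (an executive’s display name on an outside mailbox, replies steered elsewhere, an urgent money request). The corporate domain, executive list and sample emails are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed values for this example (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY = ("urgent", "immediately", "asap", "right now", "before end of day")
PAYMENT = ("wire", "transfer", "invoice", "payment", "bank details", "iban")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def ceo_fraud_indicators(headers, body):
    """Return the reasons an inbound email looks like CEO/invoice fraud.

    headers: dict with at least 'From'; 'Reply-To' and 'Subject' optional.
    An empty list means no indicator fired, not that the mail is safe.
    """
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    known_mailbox = EXECUTIVES.get(name.strip().lower())

    # 1. An executive's display name, but not sent from the executive's mailbox.
    if known_mailbox:
        if _domain(addr) != CORPORATE_DOMAIN:
            reasons.append(f"executive name '{name}' sent from external domain {_domain(addr)}")
        elif addr.lower() != known_mailbox:
            reasons.append(f"executive name '{name}' on unexpected internal mailbox {addr}")

    # 2. Reply-To steering the PA's answer to a different domain than the sender's.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain")

    # 3. Urgency wording combined with a request to move money.
    text = (headers.get("Subject", "") + " " + body).lower()
    words = set(re.findall(r"[a-z]+", text))
    if any(u in text for u in URGENCY) and (words & set(PAYMENT) or "bank details" in text):
        reasons.append("urgent payment request wording")
    return reasons
```

The rule set is deliberately small; in practice it would sit behind a mail gateway alongside SPF/DKIM/DMARC results rather than replace them.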

‘You have the internal threat; I've compromised you; I've blackmailed you or I'm paying you to commit my act for me. Even if you're as secure as Fort Knox, you can still be taken down with corporate espionage. We’ve seen what’s happened with SolarWinds – third parties are vulnerable.’

While most of the breaking in is electronic, Sales is not above reusing some of his less noble skills.

‘Years ago, we tested a big financial institution. They were doing an audit and I stole the computer from the auditors. They didn’t expect our tests to be physical as well as digital. I can socially engineer my way in, but I'm strong as well, I can drop down from a drainpipe and get in. Most pen-testers aren’t going to go down that road. I've dropped down from roofs and picked locks and stuff. Nice people who play by the rules just don’t think in that way – but we do it regularly.’

The rise of cryptocurrency

So, now we’re moving more towards a cashless society, will crime be transformed? Will bitcoin be making all the criminals millionaires?

‘We've just written a white paper on it that will be revealed at We Fight Fraud Live, where we talk about how crime's gone cashless. Crime has totally changed and become digital. At the moment the industry's only seen the hackers which mostly are middle class. You have not seen criminals yet. These criminals will come and take you with a gun. That’s a progression. If you think about armed robbery in the '80s. If I'm a criminal, I'm looking at every business out there like a bank in the '80s.

‘There have already been loads of people tied up for their bitcoins. I said it long before that ever happened. It's obvious. People say you're scaremongering, but it's just seeing what's coming.’

Training and passing on the knowledge

The training isn’t like any on the market. Generally, cyber training is a bad episode of Friends, talking about password patterns over a chocamochalatte, or something animated with a tinny soundtrack. The We Fight Fraud team is determined to change that and to make the training something the team will want to participate in – because it’s like a drama series.

‘We developed a drama series called “Crooks” that has its own banking system, its own energy systems, its own retailers and we just play out attack scenarios. We then go on to look at other factors where we can mitigate those risks.

‘There are ten different modules, each lasting three to four weeks. You can start at any time and you'll just fit into the next module. Each month we send a letter out with all the latest stuff that's going on out there; we put it to all the characters and then we play that out. So, you're invested in the characters. It's like watching EastEnders but for our industry.

‘There’s not a company on the planet that is 100% secure. You just always have to be on top of your game.’

See Tony Sales and his team at their annual conference