The Importance of Women Mentoring Women in Asset Protection

By Stefanie Hoover, CFI

The APEX Women Virtual Conference has an impressive list of panelists and topics, and I am excited about this meeting. It got me to thinking back wistfully on my career and wishing I had had some mentors like those in this assembly.

Mentorship sounds so great in theory, but in real life it is a bit trickier. The biggest obstacle, if you’re trying to find a woman mentor, is finding another woman in LP. Then you have to find one who isn’t a co-worker or your boss, one who has the time, energy, and follow-up, PLUS you have to find your own energy to keep the relationship going with someone you connect with on a personal level: it sounds exhausting! There can be a litany of excuses why one never really gets on the mentorship boat. Don’t get me wrong, there were a lot of co-workers and managers I could bounce ideas off or get opinions from, but is that really what a mentor does? Thinking back to my rookie years and the many mistakes I made, I realize how truly impactful a woman mentor could have been on my career.

With so few women in the industry, we do ourselves a disservice by not mentoring others. Hopefully, you work for a company with mentorship programs, or you have had the good luck to cross paths with a mentor who stuck with you for a while. If you are new to the industry, the thought of reaching out to someone you don’t know and asking them to be your mentor might be VERY intimidating. Start with conferences like APEX Women, get to know a few people, ask questions, and you may just find someone you click with. If you are a veteran, be humbled and appreciative if someone asks you for advice or to be a mentor; it really is the ultimate compliment.
Remember, it begins and ends with you. You hold the power to invest in yourself, so I encourage you to find a mentor, build relationships and create opportunities.

Unraveling the Mystery of the Dark Web

This article originally appeared in Loss Prevention Magazine.

Investigators Can Use the Dark Web as a Tool to Discover Potential Threats to Retail Brands

The dark web burst into public awareness in 2013 when the FBI shut down Silk Road, an online black market, and arrested its founder, Ross Ulbricht. The FBI found him through an elaborate sting operation involving an undercover law enforcement agent posing as a drug dealer on the dark web. Through this undercover operation, the FBI was able to locate a Silk Road administrator, who gave them access to information about Ulbricht’s Bitcoin account.

When Ulbricht discovered the administrator had been arrested, he asked the undercover agent posing as a drug dealer to murder the admin. Investigators staged the torture and killing and sent photos of what they said was the corpse to Ulbricht. Ultimately, these questionable tactics led to Ulbricht’s own arrest.

The media immediately picked up on such an exciting topic. The dark web was known for facilitating illegal activity, including money laundering, drug sales, and even murder. The appeal of the secrecy and mystery behind the dark web led to many articles and news reports; unfortunately, this coverage also propagated a lot of misinformation.

The Dark Web Explained

The dark web is one of many layers of the Internet, and a lot of terms are associated with this subject. The surface web, also known as the open or clear web, is the part of the Internet we are the most familiar with. It refers to all the websites that are automatically indexed by search engines, which makes them relatively easy to access. Despite being the most well-known part of the Internet, the surface web makes up less than five percent of the Internet.

The deep web, or invisible or hidden web, makes up the largest portion of the Internet—between 92 and 96 percent. It is an online repository of back-end information and includes financial transactions, public records, medical records, and password-protected sites. Deep web addresses consist of a random string of alphanumeric characters, and these websites are encrypted but still accessible using a regular Internet browser. This content is not automatically indexed, so it is a lot harder to find information on your own. Many services exist to help law enforcement and other investigators access the deep web, such as TLO and Accurint, a LexisNexis service.

Tor was designed to be safe, not fast, so it is much slower compared to the Internet we are used to. It is important to remember that the Tor network is a service that is independent of the Tor browser, which is simply a tool to access this network.

Like the deep web, the URLs are composed of random alphanumeric characters, but with most often the top-level domain (TLD) of .onion for anonymous sites or .onion.to for non-anonymous sites. Tor sites are sometimes referred to as Tor hidden services, onion sites, or simply onions. The very common misconception is that the dark web and the deep web are the same; in fact, though their web addresses seem similar, it is the .onion top-level domain that indicates a dark web site and requires a special browser to be accessed.

The dark web’s primary purpose is anonymity, not illicit activity. People use the dark web when they want to protect their identities, for whatever reason. Tor was developed in the 1990s by the United States Naval Research Center as a military-grade application designed to help clandestine operators protect their identities while transferring information. The dark web uses a relay methodology to hide a user’s identity behind three proxy layers. Each relay has its own geographical location, which makes it very difficult to trace a user.

One of the weaknesses of this system became apparent soon enough: although foreign hackers could not identify the specific users on Tor, they could be sure that they were all US government agents, since no other government was on the dark web. The federal government resolved this issue by making the dark web available to the public in the early 2000s; by increasing the number of users on the dark web, it became significantly more difficult for foreign governments to identify US clandestine agents and operations. The Internet Frontier Foundation, which is largely funded by the federal government, picked it up and continued to develop the code. In 2006, they officially announced the Tor project to the public and made the Tor browser available for use.

Today’s dark web is a versatile tool, which is what led to the creation of online black markets such as Silk Road and AlphaBay, which was shut down in 2017. Though Ulbricht claimed to have founded Silk Road based on the libertarian ideal of a completely free market, Silk Road was best known as a platform for selling illegal drugs.

The FBI investigation and subsequent shutdown of Silk Road gained global attention. The story of Silk Road’s rise and fall essentially drove the dark web to become what it is today: a hotbed of online black markets.

Users can track their orders and interact with customer service agents, just like they can with any other online retailer. Setting up a cryptomarket does not require a high degree of technological experience. Like e-commerce sites on the surface web, templates exist for dark web sites as well, which means that anyone can easily start selling on the dark web.

These sites even sort illicit goods into categories such as fraud, drugs, counterfeit items, weapons, software and malware, stolen credit card and financial information, and stolen personal identifying information, which often have specific search controls to allow potential buyers to search the listings by location, social security number, birth year, credit limit, and much more.

After his arrest in 2013, Ulbricht was convicted of money laundering, computer hacking, conspiracy to traffic fraudulent identity documents, and conspiracy to traffic narcotics by means of the Internet. He is currently serving two life sentences without the possibility of parole. Many people have criticized the FBI for its dubious methods of investigating and arresting Ulbricht, even going as far as to accuse the FBI of entrapment. However, Ulbricht was clearly guilty of his crimes. Despite having created Silk Road with possibly good intent, he eventually got caught up in the greed of monetizing the platform, which is what actually led to his arrest.

Unlike Ulbricht, the founder of AlphaBay, Alexandre Cazes, created his online black market in 2014 with the specific goal of creating the “largest eBay-style underworld marketplace,” a claim he made on the AlphaBay website. Through AlphaBay, Cazes made over $23 million in revenue and lived in luxury in Thailand where he owned many mansions and even had multiple wives. He was arrested in 2017 and found dead of apparent suicide in his jail cell in Thailand days later. AlphaBay was officially shut down a few days later.

How People Pay on the Dark Web

The leading form of payment on the dark web is cryptocurrency, with Bitcoin being the most common type of cryptocurrency exchanged. Cryptocurrency is a digital currency in which transactions are recorded on a public ledger, usually a blockchain, and every process is protected by cryptography, which is simply the practice of secure communication.

People on the dark web use cryptocurrency because it is decentralized, digital, and almost completely anonymous. No banks or governments can control cryptocurrency. Instead, cryptocurrency is controlled by its users and a blockchain to maintain its integrity. As a digital currency, cryptocurrency can be instantly exchanged online without needing a physical representation of its value, such as paper money.

Cryptocurrency is a pseudo-anonymous system. Although it is impossible to trace transactions back to their senders or recipients because the blockchain only has a record of each user’s public identity, you could theoretically find out a user’s identity if you had the private key to their account.

When users purchase goods on the dark web, such as drugs, they usually transfer cryptocurrency to be stored in escrow, just like someone does when they buy a house. The cryptocurrency sits in escrow until the buyer confirms they have received their order. This prevents sellers from ripping off buyers.

However, sellers on the dark web don’t often try to rip people off. To them, the dark web is simply another method of delivery for products they have already been selling. Though they are criminals, these sellers operate just like typical businesspeople. They are motivated by money, which is what keeps them honest. This incentivizes them to sell high-quality products and provide good customer service in order to entice buyers to return.

Sellers on the dark web provide customer support the same way as many other e-commerce retailers by contracting overseas customer service call centers. These call centers, often located in countries like Romania and India, are simply providing a service, whether they are doing so for a legitimate retailer or for someone on the dark web who sells drugs.

The Dark Web and Retail Asset Protection

How does all this secretive and potentially illegal activity relate to retail? The dark web is where people go when they want to learn about something or communicate without others knowing who they are. Although drugs are the most common illegal commodity found on the dark web, there are more immediate threats for private retailers—stolen credentials, stolen credit card information, counterfeit merchandise, and hacking tools, just to name a few. Criminals can even use the dark web to learn about company security policies, which stores are best to steal from, and which EAS tags a company uses, so they can learn how to defeat them.

Because the dark web is primarily used for secure communication, it can facilitate organized retail crime planning, research, and discussion. People can also use the dark web for hacking as a service (HaaS), where a hired hacker serves as a contractor. Some of the services offered in hacking as a service include gaining access to another person’s social media accounts, denial of service (DoS) and distributed denial of service (DDoS) attacks on websites, network infrastructure attacks to bring down communications, and even command and control of a huge botnet army. Hiring a hacker is just as much a crime as hacking itself since inducement to commit a crime is itself a crime under US law.

According to a hacking-as-a-service website called “Hire An Hacker,” many hacking-as-a-service websites intentionally use bad English to disguise their identities and make it harder to figure out where they are located. Other hacking services include Facebook account hacking as their most requested service, along with smartphone hacking, backdoor computer access, database modification hacking for websites, and even a way to fix one’s credit score. Service costs start at $350 for “easier” jobs, such as email account hacking, and can go up to nearly $2,000 to hire someone to deface or even completely delete a website.

Hackers can also facilitate identity and credit card fraud by stealing this information and selling it on the dark web. In 2016, credit card fraud totaled $24 billion in losses, half of which affected cardholders in the United States.

In April 2017, the then-unidentified group called the Shadow Brokers published a collection of the National Security Agency’s (NSA) most coveted hacking tools, including ways of exploiting most versions of Microsoft Windows, allowing essentially anyone to download cyber weapons. The authors of the WannaCry ransomware attack, a worldwide cyber attack in May 2017 that encrypted users’ data and held it for ransom in exchange for Bitcoin payments, used the EternalBlue exploit originally developed by the NSA and later released by the Shadow Brokers. The Shadow Brokers also offered a subscription service for the latest hacking malware for tens of thousands of dollars a month.

Some dark web users believe they are impossible to trace, so they will keep the same usernames they employ on the surface web. This makes investigators’ jobs a lot easier. Furthermore, because the dark web is not automatically indexed, criminals must advertise their products and services. There are even directories for providers of illicit services. Forums, both on the surface web and the dark web, discuss the relative merits of various dark web marketplaces and services. All this makes it surprisingly easy for investigators to locate bad actors.

On the other hand, investigative targets can be tough to pin down because dark web sites come and go quickly. They must constantly adapt to changing circumstances, like pressure from competitors or law enforcement activity. When these illicit marketplaces gain visibility, their operators often simply move outside the United States. In fact, most of the most prolific fraud sites technically exist on the surface web and often don’t bother with the dark web. They use top-level domains based in countries with lax fraud policies, such as Samoa (.ws), Cameroon (.cm), Cocos Islands (.cc), or Oman (.om).
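As an added example (not code from the article or its author), the following Python script shows how a defender could scan web-proxy log lines for the address patterns described above: Tor hidden-service hostnames (.onion), the non-anonymous gateway form (.onion.to), and the lax-policy country-code TLDs the article lists. The log format, client addresses and onion addresses are all constructed for the demo; the v2 (16 base32 characters) and v3 (56 base32 characters with a SHA3-256 checksum) address rules come from the Tor specifications, not from the article.

```python
import base64
import hashlib
from collections import Counter
from urllib.parse import urlsplit

# Country-code TLDs the article names as popular with fraud sites.
FLAGGED_TLDS = {"ws": "Samoa", "cm": "Cameroon", "cc": "Cocos Islands", "om": "Oman"}
BASE32_CHARS = set("abcdefghijklmnopqrstuvwxyz234567")


def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte ed25519 public key (Tor rend-spec-v3).
    Used here only to construct a well-formed sample address for the demo log."""
    assert len(pubkey) == 32
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"


def classify_onion_label(label: str) -> str:
    """Classify the part of a hostname that sits directly before '.onion'."""
    if len(label) == 16 and set(label) <= BASE32_CHARS:
        return "onion-v2"              # 16 base32 chars: legacy v2 service address
    if len(label) == 56 and set(label) <= BASE32_CHARS:
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
        expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
        if version == 3 and checksum == expected:
            return "onion-v3"          # length, version byte and checksum all verified
    return "onion-malformed"           # looks like an onion but fails the format rules


def classify_host(host: str):
    """Return a category string for hosts worth a second look, else None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2:] == ["onion", "to"]:
        # Non-anonymous gateway form from the article; classify the onion part too.
        return "tor2web-gateway:" + classify_onion_label(labels[-3])
    if len(labels) >= 2 and labels[-1] == "onion":
        return classify_onion_label(labels[-2])
    if labels[-1] in FLAGGED_TLDS:
        return "flagged-tld:" + labels[-1]
    return None


def scan_log(text: str):
    """Parse hypothetical 'time client method url status' lines and return
    (client, host, category) tuples for every host that gets a category."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if not host:
            continue
        category = classify_host(host)
        if category:
            hits.append((client, host, category))
    return hits


# Constructed sample data (not real addresses): a v3 onion derived from a dummy key,
# a v2-shaped onion, a malformed onion, a gateway URL and two flagged-TLD hosts.
DEMO_V3 = v3_onion_from_pubkey(bytes(range(32)))
SAMPLE_LOG = f"""\
2020-06-01T10:00:01Z 10.1.2.3 GET https://www.example.com/catalog 200
2020-06-01T10:00:05Z 10.1.2.9 GET http://abcdefghijk23456.onion/ 200
2020-06-01T10:00:07Z 10.1.2.9 GET https://abcdefghijk23456.onion.to/market 200
2020-06-01T10:01:00Z 10.1.2.4 GET http://notreallyonion.onion/ 404
2020-06-01T10:01:30Z 10.1.2.5 GET https://store-login.example.om/verify 200
2020-06-01T10:02:00Z 10.1.2.5 GET https://cheap-cards.ws/list 200
2020-06-01T10:02:10Z 10.1.2.6 GET http://{DEMO_V3}/ 200
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, host, category in hits:
        print(f"{client:10} {category:28} {host}")
    print(Counter(category for _, _, category in hits))
```

A hit on a .onion or .onion.to host from a corporate client is a policy question (the article notes many companies forbid such browsing), while a flagged TLD is only a prompt to look closer, not evidence of fraud on its own.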

Protecting Yourself from Cyber Crime

Fighting back against cyber crime is really a war, and as in any war, you need to have a strategy. It is important to prepare a plan for deterring cyber crime and responding to an attack. This can make all the difference between a minor incident and a major financial and public relations nightmare.

Understand your company’s information systems. Use data inventory and data mapping to gain a thorough understanding of what you are trying to protect. Include all the obscure data sources that are easy to overlook.

Classify the data. Some information is highly sensitive and valuable, while other information is not. You must create a clear process for distinguishing the various level of information sensitivity.

Create clear guidelines for data access. Not every employee needs to have access to all the information in a company. Structure this access based on need.

Secure the data. Use encryption and passwords to protect your information, regardless of its level of sensitivity.

Define cyber crime clearly, so everyone understands. All employees must be aware of current threats and issues, including those affecting the company’s customers. What reaches them could eventually reach you, so if they understand and report cyber crime early on, you can respond much more quickly.

Conducting Investigations on the Dark Web

Even with your company’s measures to protect itself from cyber crime, as a security professional, sometimes you feel the need to do more. Though only a very small portion of the Internet is on the dark web, you still might find it helpful to use the dark web when conducting investigations. Below is a how-to guide for searching the dark web.

Search for dark web URLs on a regular search engine. Even though the dark web is generally not indexed, it is possible to use a search engine to see what non-anonymous dark web sites exist. Use the search term [something illegal] inurl:.onion.to. For example, you can use this tip to see if dark web sites have shoplifting master lists for specific retailers or how-to guides for defeating various types of EAS tags. The caveat is that this method will only capture a very small amount of the information. It’s a quick and simple trick and will yield less than 5 percent of what is actually available on the dark web.

Check your company policy before starting an investigation on the dark web. Although using the dark web is completely legal, many companies have strict policies against it.

Use a computer dedicated for searching the dark web. An even greater risk is that bad actors could discover your information and access your system, so you do not want to put your personal or work computer at risk. Instead, buy a cheap computer for this specific purpose.

Download the Tor browser. The Tor browser is the most common way to access the Tor network. Other browsers and methods are available, but the Tor browser is the most secure way to date.

Connect to the dark web using a virtual private network (VPN). A VPN adds another layer of anonymity and prevents third parties from seeing your web traffic. Instead of using your home or work network, connect to a VPN while conducting your investigations on the dark web. Do not use a VPN provided by your workplace, as this defeats the purpose of protecting your work from any potential attacks.

Create a new email address for the dark web. Once you are logged into the Tor network, create a new email address that you will only use on the dark web. Do not log in with any other email addresses.

Do not use any identifiable or personal information. Do not use your real name, photos, previous usernames or even passwords you have used before on the surface web. This will put you at risk of being traced back to your personal or work accounts.

Do not download content from the dark web. If you want to save content you need for an investigation, use the screen capture tool or a screen recording software. If you feel it is necessary, work with a technical expert or download content into a “sandbox,” a virtual space isolated from the rest of your computer to protect it from any possible malware.

Myths and Misconceptions

People often associate the dark web with weapons, drugs, human trafficking, and child pornography. But a 2016 study by Terbium Labs showed that only 47.7 percent of .onion domains hosted illegal activity.

There are many fabricated stories about the dark web, often created and spread by the media and most of which are untrue or simply impossible. Below is a list of the most common myths and misconceptions and why they are not true.

Myth: It is illegal to access the dark web. Accessing the dark web is completely legal. Furthermore, the content of the dark web is mostly legal—over 50 percent of the dark web does not contain illegal or illicit content. Some people fear that searching the dark web will bring law enforcement knocking at your door. That’s what criminals are worried about. As a retail security professional, your only concerns should be the bad guys themselves.

Myth: The dark web is only for criminals. The dark web was made for anonymous, not illegal, activity. That means that many dark web users just want to research or communicate without revealing their identities. These users can range from citizens of countries with strict Internet censorship laws who want to read the news to protestors who are fighting against oppressive governments to LGBT citizens of a country where homosexuality is illegal. Licensed physicians even post free drug-related advice on forums. They know drug addicts are less likely to seek out medical advice on their own, which means health care professionals need to go out and find them on their own.

Myth: Terrorists use the dark web to communicate. Though terrorists could easily use the dark web to communicate with one another, there are many other encrypted forms of communication that are more easily accessible. They typically use popular messaging platforms such as WhatsApp, Signal, and Telegram, which are more accessible and exist on multiple platforms such as smartphones.

Myth: The dark web is where mass shooters buy weapons. This is not an issue of concern in the United States, where someone can purchase a military-grade assault rifle at a gun show much more easily. However, the person who killed nine people and injured twenty-one others in Germany in July 2016 bought his gun from the dark web since firearm laws are much stricter in Europe. German police were able to discover his use of the dark web via two separate investigations into other attempts to use the dark web to obtain weapons.

Myth: You will be hacked if you go on the dark web. If you use the same safe Internet practices you use on the surface web—don’t share your personal information and don’t download content from an untrusted source—then you will not be hacked on the dark web.

Myth: You can “stumble” upon scary sites. The dark web is part of the deep web, which is not automatically indexed, as explained earlier. This means you have to actively look for sites on the dark web. It is impossible to “accidentally” come across criminal content. That can only happen if you are seeking it out.

Myth: “Red rooms” are everywhere. Red rooms refer to the supposed websites where people live stream themselves mutilating or even murdering someone for “entertainment.” However, they are mostly urban legend when it comes to the dark web. The Tor network is too slow to stream live video. If red rooms do exist, they would be found on the surface web, and it is highly unlikely that you would find one.

A New Tool

The dark web has a mysterious and dangerous reputation and a very colorful history. However, it is actually a simple concept to understand and use in your work. As with any investigation, you need the right tools, a clear idea of what you are looking for, and a healthy level of caution to protect yourself and your organization. With a solid understanding of the dark web in mind, you can use this new tool to your advantage and discover potential threats before they become actual attacks against your company.


Tom’s column is featured in every issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

How Retailers Can Use Computer Vision to Adapt to Changing Times

By: Ben Skidmore
This article originally appeared in Loss Prevention Magazine.

Interview with Tom Meehan, CFI

Meehan is chief strategy officer and chief information security officer for CONTROLTEK. In his dual role, he leads the company’s solutions development strategy and retail-specific strategic initiatives, while championing information security technologies and protocols for CONTROLTEK and its partners. He is an LP expert in cyber security, retail technology, and information technology. He currently serves as Innovation Team Chair with the Loss Prevention Research Council, retail technology editor at LP Magazine, and cohost of the LPRC podcast.

Loss prevention professionals have long faced the demanding job of combating shrink, discouraging theft, increasing efficiency, improving performance, lowering costs, supporting safety…and the list goes on. The coronavirus pandemic has sped up these challenges and threats exponentially, while adding the layer of health safety to the mix.

In the turbulence of this change, keeping up to date is a constant challenge, and digital technologies have frequently been discussed and continue to be the answer as future-proof options for retailers. One of the most widely discussed technologies is artificial intelligence (AI), and one of the forms of AI most easily applicable to the retail environment is computer vision.

What is computer vision and how does it work?
Computer vision is an emerging technology that enables retailers to harness the power of video to automate the process of identifying threats in real time, leading to quicker and better decisions. In simple terms, it is defined as a field of artificial intelligence that replicates the complexity of the human vision system to enable computers to “see” and understand the visual world. Using content from digital images, videos, and deep-learning models, computer algorithms mimic the way human vision acquires, processes, analyzes, and understands visual information to identify and classify objects.

There are several types of computer vision features used in different ways, but simply put, when a computer is supplied with images, it uses algorithms to analyze for distinctions such as shapes, colors, borders, distance between shapes, and other patterns to identify a profile of what the picture means. When these algorithms are complete, the computer will theoretically be able to use this learned data to find other images that match that profile.

How can a retailer use computer vision?
Though computer vision has a lot of potential applications that haven’t been fully discovered, for retailers the solutions already exist. Facial recognition technology is a form of computer vision that has been tested and proven in retail. It is particularly useful in helping retailers detect shoplifters and alert when known bad actors enter stores. A cloud-based computer vision platform even allows retailers to access information across multiple locations.

Computer vision technology can also provide traffic and behavior analytics by using real-time, accurate visitor counts and classification, so retailers can understand customer traffic by knowing a customer’s path through the store, where they spend time, and how much time is spent there. Powerful, deep-learning technology allows retailers to know the behaviors and demographics for optimized marketing, sales, and rewards program effectiveness.

How can computer vision help retailers with challenges presented by COVID-19?
Because of its endless potential, computer vision technology can be adapted to address current challenges, such as the pandemic. Computer vision features that have been adjusted in response to COVID-19 challenges include temperature screening, mask compliance, and occupancy verification. Thermal imaging, originally intended to detect intense heat for early indication of fire, can be used to screen temperature and detect elevated body temperature of individuals entering a facility. Mask detection to identify a person as a robbery threat can be adapted to detect a face mask for health compliance. Facial recognition can determine unique customer counts for occupancy verification, allowing retailers to stay within social distancing guidelines.

What are your thoughts on the accuracy of thermal imaging?
You must ensure you have the correct camera or imager and have a clear understanding of its ability and limitations. Thermal imaging that is widely available isn’t medical grade. It simply uses the sensor to detect body temperature. Like any noncontact temperature screening, there are many variables one must consider, such as ambient temperature, abnormal body temperature related to the environment, distance, and the weather. So, yes, this technology can detect an elevated body temperature, but it’s just one way of helping to keep your customers and employees safe.

How can someone integrate computer vision technology into an existing loss prevention strategy?
Like most AI solutions, computer vision is what you make of it. Investing in computer vision solutions on a smaller scale won’t prevent you from expanding its use in the future, and its future-proof design means you can integrate computer vision as your retail loss prevention methods change.

CONTROLTEK’s solution CMatch AI is scalable with the ability to operate as a standalone, plug-and-play device or as a cloud solution to save information for enterprise-level monitoring. The automation of CMatch AI eliminates the need for human interaction to support public health and safety, reducing labor costs and providing real-time information. CMatch AI helps retailers reopen stores safely and streamline compliance with new COVID-19 policies, while remaining adaptable for what changes may come.


Cyber-Security Strategies during COVID-19

This article originally appeared in Loss Prevention Magazine.

Cyber crime has always been an issue, and the era of COVID-19 is no exception. In recent months, bad actors have been taking advantage of both individuals and businesses during this vulnerable time through phishing scams with COVID-specific themes, ranging from fake websites offering access to your coronavirus stimulus check to messages impersonating regional health authorities to spread fake news.

The pandemic has also seen a wave of bad actors attempt to infiltrate major corporations, with the hope that they have been overwhelmed by pandemic-related issues and have weaker cyber-security protocols. In June, Amazon Web Services reported that they had to defend themselves against a significant distributed denial-of-service (DDoS) attack with a peak traffic volume of 2.3 terabytes per second (TBps), the largest ever reported. The previous record, a 1.7 TBps DDoS attack, was mitigated by NETSCOUT Arbor in March 2018. The Australian government also came under cyber attack in June, from what the prime minister described as a “malicious” and “sophisticated” state-based actor.

The best way to protect ourselves from cyber criminals is for both the public and private sectors to work together to prevent bad actors from accessing our systems while also educating the public about how to identify and avoid phishing scams and other malware.

Working Together to Prevent and Respond to Cyber Crime

Private companies often have more-advanced technological innovation that can not only prevent bad actors from infiltrating their systems but also track and analyze these attempts. This technology can be very helpful for law enforcement to find and arrest cyber criminals, which offers justice to victims of cyber crime while also raising the risk for those who commit it, making cyber crime less enticing to others.

In April 2020, the World Economic Forum launched the Partnership against Cybercrime initiative with the goal of unifying the public and private sectors in working to prevent cyber crime. This initiative involves creating a global framework where governments and private companies can collaborate to improve the effectiveness of cyber-crime investigations and enhance the potential of disruptive actions against cyber-criminal infrastructures.

Educating the Public to Protect Themselves from Cyber Crime

The sudden and unplanned shift of so many office employees to long-term remote work has introduced a wide range of challenges for both businesses and individuals. For example, video conference meetings on Zoom have become a necessary replacement for regular in-person meetings, but these virtual meetings are not always secure. Zoom meeting rooms can be easily found and infiltrated by unwanted visitors, or even transcribed and posted online without meeting participants’ consent.

Shifting to remote work also means companies have had to move sensitive information to online servers, so employees can access these files, which opens up their organizations to the possibility of unauthorized external access. While many businesses are incorporating cyber-security strategies in their organizations as they grow, one large group has not caught up: schools. In an effort to keep up with the digitization of education, public schools have moved a lot of resources and teaching tools online, but they often lack the dedicated funding and resources to secure this data—and these obstacles already existed before learning moved online during the COVID-19 pandemic. Because of this, schools struggle to follow industry-wide best practices for cyber security, such as having a dedicated cyber-security expert review and update their security protocols and regularly patching system vulnerabilities. With so many teachers and students abruptly moving everything online, anything from Zoom class meetings to online school portals, if not properly encrypted or otherwise secured, can become an opening for a cyber criminal to infiltrate the school’s system. These vulnerabilities can lead to cyber criminals accessing sensitive information via school VPNs or Remote Desktop Protocol and even sending ransomware to unsuspecting students and teachers.

Major organizations, like university campuses and businesses, have more secure systems in place to protect users who are accessing the Internet. However, with everyone working and going to school from home, their private home WiFi networks are often not equipped with the layers of security a commercial network typically has. This has led to more people becoming vulnerable to phishing attempts and other malware that normally would be filtered out by their organization’s cyber-security protocols.

On top of this, COVID-19 has created a very vulnerable environment for the public—we are all afraid of contracting the virus or unintentionally infecting others. This fear is very easy for bad actors to take advantage of in phishing scams and provides them with a foothold to access your private information, such as via an email claiming that employees at your work have tested positive for COVID-19 and asking you for sensitive company information.

Fortunately, the same rules for identifying and avoiding malware still apply:

  • Do not click links or open attachments in an email from an unfamiliar email address.
  • Do not click ads while you’re browsing the web, even if it’s for a legitimate website. It’s always safer to visit the website directly or search for the sale the ad is promoting.
  • Do not give out private information, such as your Social Security number or a two-factor authentication code, over the phone, via email, or on a website that isn’t verified. Secure organizations, such as your bank, will not ask for personal information that way.

Another step for individuals to take to protect themselves is to enable any security protocols they can find on their router. This is as simple as looking up exactly which kind of router you have and how to log in and turn on the security features.

As the COVID-19 pandemic continues to create long-term demands for remote work and more online activity, we must be vigilant in not only maintaining our cyber-security strategies but also in being proactive to prevent cyber attacks and address any possible vulnerabilities before they pose a problem. One of the most important lessons we are learning during this pandemic is that we are stronger and more successful when we work together, and that is clear in the steps we must take to protect our businesses and to educate the public in proper cyber security.


Tom’s column is featured in every issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

Why You Should Leverage OSINT and Social Media Monitoring during COVID

This article originally appeared in Loss Prevention Magazine.

Social media has revolutionized connectivity because it is so easily accessible: by definition, social media exists on an open public platform. This means that social media can also be used as a tool for open-source intelligence, more commonly referred to as OSINT. OSINT is intelligence collected from publicly available sources and is an effective method of data collection for retailers of any size. OSINT can open a new world of data for retailers, who can then gather data from every public source available and use OSINT tools to narrow the scope of their search.

In recent years, OSINT has become a very popular security tool for retailers, thanks to its versatility and easy accessibility. OSINT’s flexibility makes it appealing to retailers of all sizes, from nationwide chains with large teams dedicated to cyber security to local small businesses who want to use social media to track community activity. In the time of COVID-19, OSINT is especially important. Its potential to monitor security threats can vastly improve how your loss prevention team predicts future trends across your business, from sales to safety.

With more retailers moving large parts of their businesses online, cyber security is even more essential, and OSINT with it. The public data from mainstream social media networks, such as Facebook, Twitter, and Instagram, contains valuable information for retailers about how their businesses are perceived by consumers. During the COVID-19 pandemic, we are seeing a lot of users turn to social media to comment on how retailers react to the pandemic or even to reach out to retailers with customer service questions. By developing an organized OSINT strategy, your retail loss prevention team can quickly find and analyze data that affects broad aspects of your business.

Open-Source Intelligence in Loss Prevention

When it comes to security, physical or digital, OSINT is indispensable, especially when it comes to location-based data. Along with giving your LP team insight into customer feedback, OSINT can also give retailers important context into active and potential threats to their businesses. As loss prevention professionals, we have become familiar with the idea that cyber criminals tend to stay a step or two ahead of security professionals when it comes to using new technology. The same concept has surfaced during the COVID-19 pandemic: cyber criminals are using the crisis to launch new phishing scams that take advantage of the public’s anxiety to gain access to their private accounts.

In April, Google reported more than 18 million daily malware and phishing emails related to COVID-19, in addition to over 240 million daily spam emails about the novel coronavirus. Like most social engineering tactics, these phishing scams use either fear or finances to create the sense of urgency that provokes victims into falling for the scam. Some examples of COVID-19-related phishing scams include:

  • Impersonating reputable government organizations, such as the World Health Organization, to trick victims into sending money as a donation or downloading malware
  • Pretending to have information about government stimulus payments
  • Acting as a remote worker’s employer enacting new workplace policy
  • Purporting to be a medical expert offering critical health advice regarding COVID-19

PhishLabs is also providing a regularly updated list of the latest coronavirus-themed attacks, such as email lures, URLs, and domains, on their website at phishlabs.com/covid-19-threat-intelligence.

Beyond Social Media Monitoring: Using OSINT During Times of Crisis

Though the information from OSINT is easy to access, it is important that retailers are using it effectively and efficiently, which involves a two-step process: monitoring and analyzing. For retailers who want to track and analyze data on a larger scale, using an OSINT tool to do the work of collecting and understanding the data is definitely worth investing in. While manual social media monitoring could mean combing through thousands of data points, one by one, before your LP team can see a pattern, using an OSINT tool to search for and analyze the data can find important patterns much more quickly, allowing you to dedicate more time and resources to responding to consumer feedback, security threats, and more. For example, an OSINT tool lets you choose what kind of data you want to collect, such as geotagged posts or images only, to help LP teams narrow down their searches.

Echosec, my tool of choice for OSINT, is using their technology to conduct real-time monitoring of the COVID-19 crisis, collecting data from around the world to give people insight into how the pandemic is affecting our world in many different ways. Following their updates can help to give your LP team some ideas on how to use OSINT and social media monitoring to address the COVID-19 pandemic specifically.

Though it is difficult, if not nearly impossible, for businesses to have prepared for a crisis like the global COVID-19 pandemic, retailers can still adapt how they respond during this crisis. Clearly, OSINT is an invaluable tool for loss prevention and security teams, but you can also use the data from OSINT to help other parts of your business, such as sales and marketing. One of the many unfortunate consequences of the COVID-19 crisis is how retailers of all sizes have taken a hit due to a drop in sales and interruptions to their supply chains. If you are already investing in an OSINT tool, then I recommend using it in as many ways as possible.

An OSINT tool can collect a vast range of data from users discussing your organization on social media, which includes how they feel about your products, your service, or your overall reputation during the crisis. For example, Top Rank Marketing suggests adjusting your OSINT tool’s dashboard to collect data about topics, questions, and concerns beyond your typical searches.

Like many new technologies, OSINT can be a powerful tool, but it should only make up one part of your loss prevention strategy. As loss prevention professionals, it is important that we incorporate technology with a solid understanding of human behavior and society, so we can protect our physical and digital assets at work while educating consumers about proper cyber-security techniques at home.


Speaking Out in a Pandemic – Rod Diplock

This interview originally appeared in Loss Prevention Magazine.

At the onset of the novel coronavirus pandemic, like most companies we approached it as we had approached past crises. Our preparedness and remote capabilities allowed us to provide uninterrupted, reliable, and responsive customer support. Our long-term relationships and constant communication with our supply chain partners allowed us to avoid disruptions. And our distribution centers, which are considered essential services, ensured employees followed safe and healthy measures while staying fully operational to deliver for our customers.

We quickly discovered this pandemic was unlike any other crisis any of us had experienced, and there was no playbook to navigate the unprecedented challenges. We stuck with the basics and focused on our core values. In everything we do at CONTROLTEK, we provide solutions that protect. We are the people that deliver, and our focus and commitment is devoted to our customers.

We kept business as usual delivering loss prevention solutions for our retail partners while also evaluating whether our customers needed different solutions to “protect” in this moment. The impact of this crisis increased the concern of protecting the health and safety of people, and we began to hear from our customers the need for personal protective equipment (PPE) such as hand sanitizer, masks, face shields, countertop shields, and gloves. We have provided essential security and operational supplies to our retail, banking, and logistics customers for many years. We were able to leverage our diverse supply chain to secure the vital PPE our customers were looking for from trusted sources. These relationships allowed us to also manage the costs as best we could with the current demand and deliver it very quickly for our customers.

We are extremely grateful for the partnerships that we have throughout the retail industry, and it has never been more important to us to provide our partners the support and solutions you need. We look forward to continuing to support those on the front lines in any way we can. As we begin to experience the new normal, we are here to collaborate and will continue to work diligently to offer resources, tools, and solutions to best support the retail industry.


This interview was featured in the May/June 2020 issue of Loss Prevention Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com.

Using Social Media as a Security and Threat Assessment Tool

How OSINT Can Keep You Safe and Change What You Know

This article originally appeared in Loss Prevention Magazine.

Today, social media is just about everywhere. Facebook alone has almost 2.5 billion monthly active users. By now, most of us use some sort of social media to keep up with friends and family and to network professionally. With social media, the reach and frequency are unlimited. Its ease and usability allow anyone, from any age group, to report news or information regardless of its accuracy or merit. Just imagine: a large portion of the population walks around with high-definition cameras in their pockets and the ability to broadcast live video in real time to an audience of billions. But social media has many more uses beyond making personal connections.

Social media has revolutionized connectivity because it is so easily accessible: by definition, social media exists on an open public platform. This means that social media can also be used as a tool for open-source intelligence, more commonly referred to as OSINT. OSINT is intelligence collected from publicly available sources and is an effective method of data collection for retailers of any size. OSINT can open a new world of data for retailers, who can then gather data from every public source available and use OSINT tools to narrow the scope of their search.

Leveraging Social Media in Your Investigations

So how can your team tap into this world of information and use it to achieve your goals? It’s helpful to remember that thieves like to brag about their achievements. They’ll often share their activities with like-minded friends on social media. So a cache of stolen goods might just show up in a Facebook post or for resale on eBay. When chronic offenders or accomplices are identified, a security or law enforcement team can begin to monitor their social media activity. That can provide clues to past crimes—and hints about future ones.

You can collect data from social media using platform features that already exist, such as geolocation. With location-based monitoring, you can gather information to help you make decisions about hours of operation and staffing. You can also use the native search function to track activity about your store and potential threats. In this example, simply use the name of your organization with key phrases such as “gun,” “bomb,” and so forth.

Many social media platforms make their data available through application programming interfaces, or APIs. An API is simply a set of instructions that allows developers to interact with the platform’s technology. For example, Twitter’s Search API lets developers access its search function and build their own tools for collecting information. Twitter provides three ways for users to access its data:

Twitter Search. This is Twitter’s native search function, and it’s easy and free to use. Simply plug in your search terms, such as “burglaries, Town Name, USA” to get all the tweets related to that subject. The downside is you can only see the last 3,200 tweets related to your search—a lot of information, but not enough to get the whole picture.

Twitter Streaming API. Though it is similar to the Search API, the Streaming API can send you tweets in real time. This is particularly helpful for time-sensitive operations, such as a robbery or another ongoing event. The downside is that you only receive a sample of tweets containing your search terms, anywhere from 1 percent to 40 percent of relevant tweets.

Twitter Firehose. As its name suggests, this function sends you a lot of data. It’s guaranteed to send you 100 percent of tweets that meet your search criteria. This is incredibly helpful for security or law enforcement professionals who want a comprehensive overview of activity about a specific subject. But as you might have guessed, the Twitter Firehose is not free. Access to the Twitter Firehose is handled by GNIP, a social media API aggregation service that Twitter acquired in 2014.

How to Use Other OSINT Tools

OSINT existed before social media did, and a vast trove of publicly available information still exists beyond social media. We all know the information is out there, but few of us have the expertise, time, or patience to ferret out the parts we need. That’s where OSINT tools come in. Although free tools are available, you get what you pay for. They are still helpful tools for a security or law enforcement team, but remember that you are only getting a small fraction of the relevant data. To get a more comprehensive view of the data you want, you’ll have to pay for it.

According to Infosec, these are the top five tools used by penetration testers and even malware actors:

  1. Maltego, a software used for OSINT forensics that collects data from open sources and visualizes that data in a graph format.
  2. Recon-Ng, a full-featured OSINT framework written in Python.
  3. theHarvester, a tool to gather emails, subdomains, hosts, employee names, open ports, and service banners.
  4. Shodan, a search engine that lets you find specific types of Internet of Things (IoT) devices using a variety of filters.
  5. Google hacking or Google dorking, a technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use. The intext search operator is especially helpful in OSINT because it finds pages containing specific text.

According to a report from Thales, retail is the prime cyber-crime target. As I discussed in a previous article about the dark web, criminals can use the dark web to learn about company security policies, which stores are best to steal from, and which EAS tags a company uses, so they can learn how to defeat them. The dark web is a great place to find information about potential threats to your organization, but it can be difficult and even dangerous to your cyber security to access.

My tool of choice today is a paid open-source intelligence service called Echosec. It incorporates Twitter Firehose along with all the social media platforms that offer open-source intelligence. It also offers Beacon, a discovery tool for the dark web. I find Beacon to be an essential tool for dark web investigations because it allows me to search the dark web using keywords and narrow down the results, which you cannot manually do in the dark web because there is no search engine to index its content.

Like many new technologies, these tools can be helpful for both security professionals and criminals. It all depends on what a user does with the data. When collecting personal data, either on your own or with an OSINT tool, you should always consult your legal department to determine the proper protocols for using and storing this information. Few things are more sensitive than customer data—or more damaging should this data be compromised in any way.


Phone Interview Tips for Superheroes

By Stefanie Hoover, CFI

By now your inbox has probably been saturated with tips on how to stay productive while working from home. Most of them may seem fairly obvious, but as a work-from-home professional for the past seven years, I still read them looking for new ideas. For my investigator friends, I thought this would be a good time to get out and dust off some pointers for conducting phone interviews. Chances are high that people are still stealing and that you will still have to deal with it—no matter that you are quarantined.

As we all get used to a new normal for the near term, hopefully you’ll get excited about the prospect of phone interviewing, whether you’re a veteran or a rookie at the “art of interviewing” over the phone. Instead of presenting the entire method, here are some boiled down tidbits as a refresher.

First, let’s look at it for what it is—a chance to be a Superhero while still wearing your jammies, sweatpants, or whatever makes you comfy and productive. Especially in this strange time, doesn’t everyone want to picture Batman in a onesie? Batman, just doing his thing remotely, scanning his laptop while Alfred works at least six feet away in the other room, catching bad guys and using the Bat Phone to get confessions. (Yes, I am home bound, and the imagination is starting to kick in).

Tip #1. Make sure your versions of Alfred know they need to be quiet during your phone call.
Set up something for them to do ahead of time that will take at least two hours. It’s not that you’ll need two hours to do the interview; you’ll need this time to focus on your prep and on wrapping up the call. I can vividly remember starting an interview during naptime and having to juggle the mute button while I found something for the dogs to chew on. It’s more than awkward trying to have a business conversation with a dog barking. Oh, and make sure you remember whether the mute button is on or not. I’m not naming names, but a customer once heard me telling my dog to sit, and it was pure comedy!

Tip #2. Have all your tools at the ready.
I’m a big fan of phone interviews, and this is one of the reasons: you can absolutely be looking at evidence while you’re talking to the subject, and they have no idea. Continuity and flow of the conversation are very important during a phone interview. Don’t let yourself get too distracted by looking for documents. Have you ever noticed when someone on the phone with you is looking at their email? They suddenly give vague answers and seem checked out. The same thing happens in a phone interview, but magnified: the subject is listening very intently to what you’re saying, so you must be engaged the entire time. No checking Facebook!

Tip #3. Make sure the witness at the other end is fully prepped.
It’s their time to be like your sidekick Robin. Robin was a Superhero too, right? They need to know how this process works and exactly what their role is so they can feel like a Superhero when you’re done. Go through the what-ifs that might come up. “Robin, here’s what you’re going to do if they hang up on me. This is the plan if they won’t sit down and pick up the phone. Here’s the next step if they refuse to talk. Here’s our plan if they won’t write a statement. Here’s the final phase after we get the written statement.” Go through all the scenarios ahead of time and remember, Robin has likely never been a witness to a phone interview before, so this is all new territory.

Tip #4. Have the rest of the Justice League lined up and ready to help.
Human resources, your boss, and store management, if needed, should be aware of what’s happening (follow your company guidelines). Even though I found that phone interviews were smoother and easier to handle than a face-to-face interview, you never know when something will go sideways. This is not the time to surprise your team. Have your ducks in a row ahead of time and get your business partners briefed so they can make informed decisions quickly. Especially during these stressful days, don’t add to the burden on your team.

Tip #5. Lastly, practice your method ahead of time, including the rationalizations you plan to use.
I’m pretty sure Batman tries out throwing those little metal bat-shaped things before he goes out and uses them. You should practice, too! In a phone interview, it’s important to exude confidence with your voice, as that’s all the interaction you’re going to have with the subject. No body language here. Confidence comes with practice. Use your significant other, who’s probably at home too, as a guinea pig. Get on your phones and do the introductory statement, then ask for honest feedback. Or connect with your other homebound loss prevention teammates and practice over the phone. This time in our history is an opportunity to get some training and hone some skills we’ve been too busy to complete. Turn lemons into lemonade, people!

We’re going to get through this. I’m hearing great things from many of my retail friends about teams pulling together. Let’s help each other and lift up our communities. We’ll rise above it, just like The Dark Knight Rises, and be back out there fighting crime in person soon enough. Stay healthy, Superheroes!

Get More Done: Optimize Virtual Meetings

Most companies have moved to remote-work models, so most meetings are taking place via virtual conference applications. Don’t let this shift have a negative impact on your business practices. Optimize your virtual meetings with these quick tips.

Establish “House Rules”

To keep everyone on the same page and keep the meeting running efficiently, establish rules for the meeting. Some helpful rules include:

  • Create a meeting agenda and send it out ahead of your meeting. Inform participants of any pre-work that needs to be done, so everyone comes prepared to contribute to the meeting.
  • Create time allotments for each topic and assign a timekeeper to manage the time for efficiency.
  • Ask participants to mute their microphone when not talking to avoid distracting background noise.

Encourage Participation

Keep the discussion open by encouraging every participant to share their ideas and opinions. Some ways to encourage participation include:

  • Open the meeting with introductions. Say hello or ask specific questions to individuals to make them feel included.
  • Call on individuals for their input on a topic. Assigning pre-work helps to make sure participants aren’t caught off guard.
  • Assign an individual to lead a certain portion of the meeting.

Wrap Up and Assign Next Steps

At the end of the meeting, it is important to recap important takeaways from the conversation to ensure alignment and clarity on next steps.

  • Review next steps and assign tasks so participants have a clear understanding of their responsibilities.
  • If there are areas that need further clarification, set a meeting to continue the conversation.
  • Set the next meeting during the call. Have everyone pull up their schedules to eliminate back and forth email communications.

Securing a Remote Workforce

The evolving Coronavirus pandemic has many companies deploying work-from-home arrangements. Cybercriminals are taking advantage of this shift by crafting new phishing and malware operations. Ensure your team is equipped with these quick cybersecurity and remote work tips.

5 Email Safety Tips for Remote-Work Employees

  1. Never click links for more information or download attachments when sent from an unknown or unrecognized sender.
  2. Before you click a link, hover over it to see the actual web address that is linked. Check for misspellings or wrong domains within a link. If the address does not match or looks suspicious, don’t click.
  3. If you receive a suspicious email from a colleague, look closely at the sender email address to ensure it is accurate. If in doubt, pick up the phone and call the sender to check for legitimacy. If you are unsure about an email from an outside source, talk it through with a colleague or contact the business or organization using contact information from their official company website.
  4. Don’t send sensitive information such as login IDs, passwords, date of birth, Social Security number, credit card information, or other personal information in response to an email.
  5. Report suspicious messages as spam to your email provider or IT department.
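The hover check in tip 2, done programmatically, as an added example that is not from the article or from CONTROLTEK: the script pulls every link out of a constructed sample HTML e-mail, compares the visible link text with the real href target, and flags bare IP targets, text/target domain mismatches and look-alike domains against a constructed allow-list. The trusted domains, the sample message and the 0.85 similarity threshold are assumptions made for the illustration.

```python
"""
Added illustration of the "hover over the link" tip for an HTML e-mail.
For each <a> it compares the visible text with the real href target and
flags bare-IP targets, text/target mismatches and look-alike domains.
The allow-list and sample e-mail below are constructed for the example.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains this organisation legitimately links to.
TRUSTED_DOMAINS = ("controltekusa.com", "losspreventionmedia.com", "microsoft.com")

# Constructed sample message body mixing legitimate and deceptive links.
SAMPLE_EMAIL = """
<p>Your account needs attention.
<a href="https://login.microsoft-secure.com/reset">Reset your password</a></p>
<p>Invoice: <a href="http://203.0.113.7/invoice">www.losspreventionmedia.com</a></p>
<p><a href="https://losspreventionmedia.com/subscribe">Subscribe</a> |
<a href="https://www.controltekusa.com/">controltekusa.com</a> |
<a href="https://micros0ft.com/login">Sign in</a> |
<a href="https://example.org/news">Read more</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DOMAIN_TEXT_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def host_of(s):
    """Hostname of a URL, or of bare 'www.example.com'-style link text."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels, e.g. login.example.com -> example.com.
    Assumption: no public-suffix list, so co.uk-style suffixes are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host):
    """Trusted domain this host imitates, or None. Catches a brand name buried
    in another domain (microsoft.com.evil.net) and close misspellings."""
    target = registrable_domain(host)
    for good in TRUSTED_DOMAINS:
        if target == good:
            continue
        if good.split(".")[0] in host:
            return good
        if SequenceMatcher(None, target, good).ratio() >= 0.85:
            return good
    return None


def assess_link(text, href):
    """Return (verdict, reason) for one anchor: 'ok', 'suspicious' or 'unknown'."""
    host = host_of(href)
    target = registrable_domain(host)
    if target in TRUSTED_DOMAINS:
        return "ok", f"target {target} is on the allow-list"
    if IP_RE.fullmatch(host):
        return "suspicious", f"link goes to a bare IP address {host}"
    if DOMAIN_TEXT_RE.fullmatch(text):
        shown = registrable_domain(host_of(text))
        if shown != target:
            return "suspicious", f"text shows {shown} but link goes to {target}"
    imitated = lookalike_of(host)
    if imitated:
        return "suspicious", f"{target} looks like {imitated}"
    return "unknown", f"{target} is not on the allow-list; verify before clicking"


def scan_email(html):
    """Return [(text, href, verdict, reason), ...] for every anchor in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(t, h, *assess_link(t, h)) for t, h in parser.links]


if __name__ == "__main__":
    for text, href, verdict, reason in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {text!r:35} -> {href}\n           {reason}")
```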