At the start of 2023, the UK postal service Royal Mail was hit with an ultimatum: pay $80m (£67m) or continue to have international shipments blocked. The demand came from Russian-linked hackers the LockBit group, who had infiltrated Royal Mail’s software. Royal Mail refused to pay and eventually reinstated its overseas deliveries, but the cyber-attack came at a huge cost to the company and others that depend on its service. Ransomware attacks like this one are on the rise. So too are phishing attempts, emails and texts that try to fool recipients into clicking on links that contain malware or ask for personal information. Ian Sample speaks to the Yale law professor and author Scott Shapiro about cybercrime, how attacks hack into our psychology and what individuals and governments could do to stop it. Help support our independent journalism at theguardian.com/sciencepod

Phones, bored teenagers and yes, the British press.

Broke into their accounts, stole nude pictures and then leaked them onto the internet.

He hacked his school records, changing grades.

Now we're more likely to hear about data breaches involving big companies, organised criminal gangs and serious sums of money.

It's been described as a mass cyber heist.

And now on a hacker's website, a warning in broken English.

Get in touch with us to discuss a ransom payment or we'll publish your data online.

Hackers might break into computers and networks by unleashing malware attacks, sending phishing emails with dodgy links, or exploiting flaws and vulnerabilities in operating systems.

Cybercrime performed by so-called black hat hackers is a huge, huge problem.

It costs countries and citizens billions of dollars every year.

So today we're exploring the cryptic world of hacking and asking how criminals tap into our psychology, how AI could make hacking an even bigger threat, and what we should be doing to keep ourselves safe.

From The Guardian, I'm Ian Sample and this is Science Weekly.

Scott Shapiro, you're a professor of law and professor of philosophy at Yale University and you've written a book called Fancy Bear goes fishing, which explores the world of hacking and cybercrime.

It explains why we all need to be better acquainted with this kind of thing.

We'll come to what that title means later.

But first, what got you interested in all of this?

Lyle Troxell What got me into it was the previous book that I had written, The Internationalist, was a history of war.

And when I started talking about it, everyone wanted to know, okay, what about the next phase of war?

And I thought, you know, I could figure that out because I had a strong technical background.

In college, I had been a coder for 10 years.

And when I went to look up about hacking, I could not understand anything about it.

But I was really surprised that somebody who even had a very strong technical background couldn't understand what was going on.

And part is because there was no literature out there that explained it to generally educated people how hacking works.

And how hard is it to learn the kind of coding needed to understand hacking?

I mean, is this the kind of coding that sort of a lot of people could pick up with enough effort or are the people doing this kind of hacking computer geniuses?

I definitely think the stereotype is of the savant, but I, for example, teach students, my law students, how to hack.

And 1 of the things we want is people who have very little computer experience, like they should know how to surf the internet and use email.

And by the end, they're really, they're killers.

I make them tell me what their final projects are going to be because I'm afraid that they're going to violate federal law.

They make the press now we have data breaches, malware, we hear about all of these things now.

And over the pandemic, it may have actually seemed like it was becoming more frequent.

But can you give us a sense of how big cybercrime is today?

It's hard to say exactly, because there's a lot of shame associated with cybercrime.

People feel stupid for having been tricked, yet we're all tricked.

But at least in the UK, on the basis of surveys of communities, it turns out that half of all property crime is cybercrime.

And Scott, do we have a sense of how much cybercrime costs countries, companies, and so on?

The estimates range from $600 billion a year to 6 trillion.

So 6 trillion, that's roughly 10% of global GDP.

Tell us about some of the sort of the common cyber crimes that we might fall victim to.

Almost All of the ones that we individually would get caught up in is phishing emails, you know, deceptive emails.

We click on a link or we download attachments which have malware in them.

But a lot of us get caught up in situations where we didn't do anything, but maybe our colleagues did.

Like, you know, when big organizations have their networks breached and all the data exfiltrated.

So there's a way in which what any of our colleagues do affects us and that's something that is just a function of a networked workplace and a networked society, that we are all connected.

And have you got a sense of the sort of culture around hackers and hacking?

I mean, you know, we often think of the stereotypical hacker being this young male teen, often, you know, the tech geek sitting around in their bedroom wreaking havoc on companies around the world that they've never even seen.

Is that a fair picture or is that just sort of really outdated or the stuff of the movies from the 80s and 90s?

Well, it really is, at least historically, true that it's mostly young men, boys.

At least in the West, the pathway into hacking often comes through gaming culture.

And so the boys get interested in cheat sheets and modifications and things like that.

And because gaming culture is highly misogynistic, although my understanding is that it's changing, women get forced out.

So that kind of stereotype is true, But there's this idea of hackers as loners.

And that's incredibly important for motivation.

Because what motivates so many hackers to get into it is cloud.

Hacking isn't just done by young men in their bedrooms for cloud.

It's done by different people for different reasons.

There are security experts trying to spot issues before anyone else does, organised groups trying to steal or extort money, and states spying on each other.

Sometimes it isn't just spying either, but direct involvement in other countries' politics.

That took me on to the title of Scott's book, Fancy Bear Goes Fishing.

Fancy Bear is the code name that was given by the cybersecurity firm CrowdStrike for an elite hacking unit within the GRU, Russian Military Intelligence, that breached the Democratic National Committee in March, April of 2016, exfiltrated information, then sent it to WikiLeaks, which was then posted.

The most prominent example of this was the hack of John Podesta's Gmail account.

So John Podesta was the chairman of Hillary for America and Fancy Bear sent a phishing email that said, you know, somebody in Ukraine has your password, you need to change your password.

IT wrote back, this is a legitimate email.

He meant to write, this is not a legitimate email.

And so either John Podesta or his assistant, somebody in the staff clicked on it, entered his credentials, then Fancy Bear got all of his emails and posted them.

And even though there wasn't that much in it that was actually nefarious.

There was a sense of just utter chaos that this generated.

Everyone kind of flipped out about his shrimp risotto recipe.

1 of the great ironies is that despite all the ridicule that Hillary Clinton was given for but her emails, her campaign, Hillary for America, used excellent cybersecurity and Fancy Bear could not get in.

That's why they went to John Podesta's personal email.

Scott, it seems like with some of these attacks, they're not always incredibly technically difficult, but they're sort of tapping into psychological weaknesses.

Our brains have developed all these shortcuts.

So 1 of the shortcuts is when you're afraid, act quickly to remove the threat.

And that's exactly how so much phishing works.

They try to frighten you, and when we are frightened, we try to act really quickly because that's the shortcuts that allow us to survive.

Often that just moment of pause, you'll see things that you didn't see before.

Mason I know people listening are going to be thinking, yeah, what do we do about all of this?

But before we do, I'd love to hear how you see this developing from here on, the kinds of attacks developing from here on.

And obviously, we've seen an awful lot on AI in the press lately.

Are AI-powered attacks going to become the new thing?

I know they already exist, but is that going to become more common, do you think?

So biometric authentication, you know, thumbprints, you hear my voice, facial recognition, well, there's voice cloning, there's facial simulation, 3D printers to print out fingerprints, So that's 1 thing.

Another thing is that 1 of the big barriers to cybercrime is language.

So lots of times we can detect phishing emails from the non-idiomatic English that's used.

So now you can write a really well crafted, grammatically correct phishing email.

And so, let me mention something that I just read 2 days ago.

Chat GPT, if readers have played around with it or read about it, know that it often hallucinates.

And a lot of people use Chats GPT for coding.

So they'll type in, you know, how do I do this?

But sometimes it makes up programs or modules to use.

So what hackers do is they figure out what those names are, then they build the module and put malware in them.

And then people read it and they say, oh, I should get this module and then they download the malware.

This kind of hallucination attack is just, I was just, you know, I was impressed.

At the start of Russia's invasion of Ukraine, We heard a lot about cyber attacks and obviously all of that's still ongoing.

And it did bring this focus onto how is cyber going to play out in future warfare?

Is that something that you think we're going to be seeing more of that's going to become kind of an inevitable part of the whole sort of landscape when the wars take place in future.

I have a somewhat idiosyncratic, though correct, take on this, which is that, so when Russia first invaded Ukraine last year, Everyone predicted massive cyber war.

And I'm on the record saying, no, we're not going to see a massive cyber war.

Why do you need cyber when you have bombs?

I think that cyber weapons are weapons of the weak.

They are used by countries that for various reasons do not want to use what's called kinetic attacks, you know, troops on the ground, bombs.

Why did Russia attack the United States using cyber?

Because they're not going to bomb the United States.

Wouldn't people say back to you, well, why use bombs when you can use cyber if you can sit in a hut somewhere and try and bring down, you know, a power system somewhere, that's probably been more effective than chucking a load of bombs at it.

I mean, is it that cyber weapons actually aren't that effective?

Will Russia be able to occupy the Donbass with cyber?

There's a problem of interoperability too.

Malware that works for 1 system doesn't work for other systems.

It's very, very hard to take down a country just with cyber.

There's just too many systems, too many operating systems, too many configurations.

Not saying it's impossible, but unbelievably difficult.

They get the grid back up, and now they're really mad.

A lot of us, even those of us who feel pretty comfortable online, who spend a lot of our time online, a lot of our lives online, we'll still find a lot of this stuff pretty obscure and impenetrable when it comes to the actual, you know, the mechanics of hacking.

What are the kinds of things we can do to protect ourselves?

And I don't know if there are things you do yourself.

When I get an email from somebody I don't know, and there's a link in it or an attachment, I write back to them and I say, excuse me, who are you?

Sorry, please tell me more about yourself.

Now they could still trick me, but life is short and I got to get through my day and so I cut some corners.

Is there any thinking around how we can effectively stop people going into this in the first place?

Can we dissuade people from becoming hackers?

I mean, it's actually a pretty appealing thing to do, right?

How are you going to stop people finding it exciting?

So 1 of the things that the UK, for example, has been a pioneer is by addressing what's called the pathways to cybercrime, which is ensuring that kind of low level offenders are diverted into the legitimate cybersecurity industry as opposed to like, you know, thrown in jail for a little bit of time or fined or something like that.

It's estimated that there are 3 and a half million cybersecurity jobs that are waiting to be filled.

If we can take those who are budding malicious hackers and divert them, We can potentially eliminate 1 attacker and gain a defender.

Mason We live obviously and have done for some time now in a digital age.

We've got AI coming on in leaps and bounds.

There's always going to be organized criminal groups and states are always going to be having a pop at each other.

What do you finally, Scott, want to see states, governments be doing to tackle this issue?

Scott Cunningham 1 of the things I'd like them to do is to change the rules to make it harder for cyber criminal gangs to operate.

So almost all cyber crime is conducted using cryptocurrency.

The main cryptocurrency used by cyber criminal gangs is Bitcoin.

And there needs to be greater regulation on cryptocurrency exchanges and brokers.

So opening a crypto account should be like opening a bank account.

There needs to be know your customer regulations, anti-money laundering regulations put in place so that people can't just move all this money around.

You know, We keep on talking about how hacking is a technical activity.

Of course, it's a technical activity, but the natural thing is to think that, well, if it's a technical problem, obviously it needs a technical solution.

But in fact, what I think is it's primarily a human problem which requires a human solution.

The government's job is to create rules to protect us.

That's why in the book I try to explain that these technical vulnerabilities are really the result of political vulnerabilities.

There are rules that allow people to engage in this activity and I would like states to become more educated and to step up and to do their part.

We've put a link to his book on the podcast webpage at theguardian.com.

And I promise it isn't a phishing attempt.

The producer was Madeline Finlay, the sound design was by Joel Cox and the executive producer was Ellie Burie.


Speaker 0: This is The Guardian.

Speaker 1: Phones, bored teenagers and yes, the British press.

Speaker 2: Broke into their accounts, stole nude pictures and then leaked them onto the internet. He hacked his school records, changing grades. It was easy. Too easy.

Speaker 1: Now we're more likely to hear about data breaches involving big companies, organised criminal gangs and serious sums of money.

Speaker 0: It's been described as a mass cyber heist. And now on a hacker's website, a warning in broken English. Get in touch with us to discuss a ransom payment or we'll publish your data online.

Speaker 1: Hackers might break into computers and networks by unleashing malware attacks, sending phishing emails with dodgy links, or exploiting flaws and vulnerabilities in operating systems. Cybercrime performed by so-called black hat hackers is a huge, huge problem. It costs countries and citizens billions of dollars every year. So today we're exploring the cryptic world of hacking and asking how criminals tap into our psychology, how AI could make hacking an even bigger threat, and what we should be doing to keep ourselves safe. From The Guardian, I'm Ian Sample and this is Science Weekly.

Scott Shapiro, you're a professor of law and professor of philosophy at Yale University and you've written a book called Fancy Bear goes fishing, which explores the world of hacking and cybercrime. It explains why we all need to be better acquainted with this kind of thing. We'll come to what that title means later. But first, what got you interested in all of this? Dr.

Speaker 2: Lyle Troxell What got me into it was the previous book that I had written, The Internationalist, was a history of war. And when I started talking about it, everyone wanted to know, okay, what about the next phase of war? What about cyber war? And I thought, you know, I could figure that out because I had a strong technical background. I studied computer science.

In college, I had been a coder for 10 years. And when I went to look up about hacking, I could not understand anything about it. But I was really surprised that somebody who even had a very strong technical background couldn't understand what was going on. And part is because there was no literature out there that explained it to generally educated people how hacking works. So I thought maybe I would do that.

Speaker 1: And how hard is it to learn the kind of coding needed to understand hacking? I mean, is this the kind of coding that sort of a lot of people could pick up with enough effort or are the people doing this kind of hacking computer geniuses?

Speaker 2: I definitely think the stereotype is of the savant, but I, for example, teach students, my law students, how to hack. And 1 of the things we want is people who have very little computer experience, like they should know how to surf the internet and use email. And by the end, they're really, they're killers. I make them tell me what their final projects are going to be because I'm afraid that they're going to violate federal law. Mason Everyone's will

Speaker 1: have heard of, you know, big hacks. They make the press now we have data breaches, malware, we hear about all of these things now. So obviously a huge problem. And over the pandemic, it may have actually seemed like it was becoming more frequent. But can you give us a sense of how big cybercrime is today?

Speaker 2: It's hard to say exactly, because there's a lot of shame associated with cybercrime. People feel stupid for having been tricked, yet we're all tricked. So don't feel stupid. This is a new world we're all learning. But at least in the UK, on the basis of surveys of communities, it turns out that half of all property crime is cybercrime.

Speaker 1: And Scott, do we have a sense of how much cybercrime costs countries, companies, and so on?

Speaker 2: The estimates range from $600 billion a year to 6 trillion. So 6 trillion, that's roughly 10% of global GDP.

Speaker 1: Tell us about some of the sort of the common cyber crimes that we might fall victim to. I mean, how do they actually work?

Speaker 2: Almost All of the ones that we individually would get caught up in is phishing emails, you know, deceptive emails. We click on a link or we download attachments which have malware in them. But a lot of us get caught up in situations where we didn't do anything, but maybe our colleagues did. Like, you know, when big organizations have their networks breached and all the data exfiltrated. So there's a way in which what any of our colleagues do affects us and that's something that is just a function of a networked workplace and a networked society, that we are all connected.

Speaker 1: And have you got a sense of the sort of culture around hackers and hacking? I mean, you know, we often think of the stereotypical hacker being this young male teen, often, you know, the tech geek sitting around in their bedroom wreaking havoc on companies around the world that they've never even seen. Is that a fair picture or is that just sort of really outdated or the stuff of the movies from the 80s and 90s?

Speaker 2: Well, it really is, at least historically, true that it's mostly young men, boys. At least in the West, the pathway into hacking often comes through gaming culture. And so the boys get interested in cheat sheets and modifications and things like that. And that starts escalating. And because gaming culture is highly misogynistic, although my understanding is that it's changing, women get forced out.

So that kind of stereotype is true, But there's this idea of hackers as loners. That's not true. Hackers are extremely social. They're social online. And that's incredibly important for motivation.

Because what motivates so many hackers to get into it is cloud. They want to be known as elite.

Speaker 1: Hacking isn't just done by young men in their bedrooms for cloud. It's done by different people for different reasons. There are security experts trying to spot issues before anyone else does, organised groups trying to steal or extort money, and states spying on each other. Sometimes it isn't just spying either, but direct involvement in other countries' politics. That took me on to the title of Scott's book, Fancy Bear Goes Fishing.

Scott, who is Fancy Bear?

Speaker 2: Fancy Bear is the code name that was given by the cybersecurity firm CrowdStrike for an elite hacking unit within the GRU, Russian Military Intelligence, that breached the Democratic National Committee in March, April of 2016, exfiltrated information, then sent it to WikiLeaks, which was then posted.

Speaker 1: And do we know how they did that?

Speaker 2: Oh, yes, we do know how they did that. They did it largely through phishing. The most prominent example of this was the hack of John Podesta's Gmail account. So John Podesta was the chairman of Hillary for America and Fancy Bear sent a phishing email that said, you know, somebody in Ukraine has your password, you need to change your password. He sent the email to IT.

IT wrote back, this is a legitimate email. God, it hurts me every time I say this. He meant to write, this is not a legitimate email. And so either John Podesta or his assistant, somebody in the staff clicked on it, entered his credentials, then Fancy Bear got all of his emails and posted them. And even though there wasn't that much in it that was actually nefarious.

There was a sense of just utter chaos that this generated. Everyone kind of flipped out about his shrimp risotto recipe. 1 of the great ironies is that despite all the ridicule that Hillary Clinton was given for but her emails, her campaign, Hillary for America, used excellent cybersecurity and Fancy Bear could not get in. That's why they went to John Podesta's personal email.

Speaker 1: Scott, it seems like with some of these attacks, they're not always incredibly technically difficult, but they're sort of tapping into psychological weaknesses.

Speaker 2: Absolutely. Our brains have developed all these shortcuts. So 1 of the shortcuts is when you're afraid, act quickly to remove the threat. And that's exactly how so much phishing works. They try to frighten you, and when we are frightened, we try to act really quickly because that's the shortcuts that allow us to survive.

So what I would suggest is slow down. Just think for a second. Often that just moment of pause, you'll see things that you didn't see before.

Speaker 1: Mason I know people listening are going to be thinking, yeah, what do we do about all of this? And we're going to come to that. I know you've got stuff to say on that. But before we do, I'd love to hear how you see this developing from here on, the kinds of attacks developing from here on. And obviously, we've seen an awful lot on AI in the press lately.

Are AI-powered attacks going to become the new thing? I know they already exist, but is that going to become more common, do you think?

Speaker 2: I would be shocked if they did not. So biometric authentication, you know, thumbprints, you hear my voice, facial recognition, well, there's voice cloning, there's facial simulation, 3D printers to print out fingerprints, So that's 1 thing. Another thing is that 1 of the big barriers to cybercrime is language. So lots of times we can detect phishing emails from the non-idiomatic English that's used. Now, ChatGPT changes all that.

So now you can write a really well crafted, grammatically correct phishing email. And so, let me mention something that I just read 2 days ago. Chat GPT, if readers have played around with it or read about it, know that it often hallucinates. It often says things exist that don't. And a lot of people use Chats GPT for coding.

So they'll type in, you know, how do I do this? And it'll give you the code. But sometimes it makes up programs or modules to use. So what hackers do is they figure out what those names are, then they build the module and put malware in them. And then people read it and they say, oh, I should get this module and then they download the malware.

This kind of hallucination attack is just, I was just, you know, I was impressed.

Speaker 1: At the start of Russia's invasion of Ukraine, We heard a lot about cyber attacks and obviously all of that's still ongoing. And it did bring this focus onto how is cyber going to play out in future warfare? Is that something that you think we're going to be seeing more of that's going to become kind of an inevitable part of the whole sort of landscape when the wars take place in future.

Speaker 2: I have a somewhat idiosyncratic, though correct, take on this, which is that, so when Russia first invaded Ukraine last year, Everyone predicted massive cyber war. And I'm on the record saying, no, we're not going to see a massive cyber war. Why do you need cyber when you have bombs? I think that cyber weapons are weapons of the weak. They are used by countries that for various reasons do not want to use what's called kinetic attacks, you know, troops on the ground, bombs.

Why did Russia attack the United States using cyber? Because they're not going to bomb the United States. Dr. Dan Sayers

Speaker 1: Wouldn't people say back to you, well, why use bombs when you can use cyber if you can sit in a hut somewhere and try and bring down, you know, a power system somewhere, that's probably been more effective than chucking a load of bombs at it. I mean, is it that cyber weapons actually aren't that effective? Dr. Will

Speaker 2: Smith Yeah, they're not that effective. They're irritants. Let's put it this way. Will Russia be able to occupy the Donbass with cyber? No.

There's a problem of interoperability too. Malware that works for 1 system doesn't work for other systems. It's very, very hard to take down a country just with cyber. There's just too many systems, too many operating systems, too many configurations. Not saying it's impossible, but unbelievably difficult.

And then what are you going to do? They get the grid back up, and now they're really mad.

Speaker 1: A lot of us, even those of us who feel pretty comfortable online, who spend a lot of our time online, a lot of our lives online, we'll still find a lot of this stuff pretty obscure and impenetrable when it comes to the actual, you know, the mechanics of hacking. What are the kinds of things we can do to protect ourselves? And I don't know if there are things you do yourself.

Speaker 2: I do. I enable two-factor authentication. That's an easy 1 to do. It's very hard to hack. When I get an email from somebody I don't know, and there's a link in it or an attachment, I write back to them and I say, excuse me, who are you?

Sorry, please tell me more about yourself. Now they could still trick me, but life is short and I got to get through my day and so I cut some corners.

Speaker 1: Is there any thinking around how we can effectively stop people going into this in the first place? Can we dissuade people from becoming hackers? I mean, it's actually a pretty appealing thing to do, right? It's exciting. How are you going to stop people finding it exciting?

Dr. Lyle Troxell

Speaker 2: Yeah, absolutely. My God, I love doing it. It's really, really fun. So 1 of the things that the UK, for example, has been a pioneer is by addressing what's called the pathways to cybercrime, which is ensuring that kind of low level offenders are diverted into the legitimate cybersecurity industry as opposed to like, you know, thrown in jail for a little bit of time or fined or something like that. It's estimated that there are 3 and a half million cybersecurity jobs that are waiting to be filled.

If we can take those who are budding malicious hackers and divert them, We can potentially eliminate 1 attacker and gain a defender.

Speaker 1: Mason We live obviously and have done for some time now in a digital age. We've got AI coming on in leaps and bounds. There's always going to be organized criminal groups and states are always going to be having a pop at each other. What do you finally, Scott, want to see states, governments be doing to tackle this issue?

Speaker 2: Scott Cunningham 1 of the things I'd like them to do is to change the rules to make it harder for cyber criminal gangs to operate. So almost all cyber crime is conducted using cryptocurrency. The main cryptocurrency used by cyber criminal gangs is Bitcoin. Bitcoin is not anonymous. It's synonymous.

And there needs to be greater regulation on cryptocurrency exchanges and brokers. So opening a crypto account should be like opening a bank account. There needs to be know your customer regulations, anti-money laundering regulations put in place so that people can't just move all this money around. You know, We keep on talking about how hacking is a technical activity. Of course, it's a technical activity, but the natural thing is to think that, well, if it's a technical problem, obviously it needs a technical solution.

That's what the engineers should do. But in fact, what I think is it's primarily a human problem which requires a human solution. The government's job is to create rules to protect us. That's why in the book I try to explain that these technical vulnerabilities are really the result of political vulnerabilities. There are rules that allow people to engage in this activity and I would like states to become more educated and to step up and to do their part.

Speaker 1: Scott, huge thanks for coming on.

Speaker 2: Thank you so much. This was wonderful.

Speaker 1: Thanks again to Scott Shapiro. We've put a link to his book on the podcast webpage at theguardian.com. And I promise it isn't a phishing attempt. And that's it for today. The producer was Madeline Finlay, the sound design was by Joel Cox and the executive producer was Ellie Burie.

We'll be back on Thursday. See you then. This is The Guardian.

See all Science Weekly transcripts on Applepodcasts

Cybercrime: what does psychology have to do with phishing?