- Brett Shannon Johnson, a former cybercriminal, now advises on cyber security to prevent identity theft.
- He used to run a dark network and was arrested by the Secret Service.
- Johnson said putting a freeze on your credit is one of the first steps to safety.
This how-to essay is based on a conversation with Brett Shannon Johnson, a former cybercriminal turned cyber security professional. Business Insider confirmed Johnson’s criminal history using court documents and contemporary news reports. The conversation has been edited for length and clarity.
I am a reformed cybercriminal who previously committed credit card fraud and identity theft, but thankfully I got my life back.
I helped build and run an early version of the “dark web,” which provided a trust mechanism that many criminals continue to use to this day. In October 2004, the Secret Service arrested 33 people connected to my network. They picked me up four months later and offered me a job as an informant. I’m the idiot who continued to break the law for the next 10 months while working for the Secret Service until they found out.
I was arrested, escaped, caught and then sent to prison to serve seven years. Anyway, I was given the chance to turn my life around and I took it. I know I didn’t deserve this, but I am so blessed.
I now consult and speak as a cyber security expert and help protect internet users from the types of crimes I committed.
How to build an internet security toolbox
Protecting yourself from someone like me starts with understanding your place on the cybercrime spectrum – everyone has a place.
If you work in food service, that’s different than if you’re a CEO or working on payroll. I’ll still take you, but it changes. I’m unlikely to hit a food service employee with a business email compromise or send them a deepfake. Figure out what is realistic and design security around that.
Whenever I give a presentation about protecting yourself online, I tell people to think of it as building a toolbox. The criminal has a toolbox, and in it, they have a variety of tools with which they can attack you. As a defender, you should have a toolbox, too, to prevent identity theft.
The good thing is that the tools you need are not very sophisticated.
1. Use online situational awareness
Humans tend to have very good situational awareness in the physical world. If we are in a store, we know if something is wrong or if something is just not right. This doesn’t translate very well in an online environment, but it should.
Realize that every platform and every website you go to has predators – every single one of them. That doesn’t mean don’t go there, it just means being aware of it. If we can have that awareness in the back of our head, it will automatically increase our level of security.
2. Freeze the credit of everyone in your house
Contacting the three major credit agencies to block access to your credit accounts is the best way to stop new account fraud.
Freezing credit is free. Unfortunately, only about 12% of the population has one. A credit freeze stops all new account fraud because, as a criminal, I can’t pull your credit report.
It’s a good idea to freeze the credit of every single person in your household, including children, because children are often targeted for identity theft. Most adults have existing accounts. A freeze does not stop fraud on them. So you should also monitor those accounts.
3. Set up alerts on accounts where you can
You should also be aware of your email, retail, social media, bank and credit card accounts. Every account has value to an attacker.
Make sure you have alerts on those accounts that communicate whenever they are accessed or used.
4. Practice good password security
Make sure you are practicing good password security. Most people use the same or similar credentials on multiple websites, and hackers know this. This opens you up to credential stuffing.
It is an automated program. I can log you out, get your password, and log into your Hulu account. I go to sleep, plug in those credentials, and this program will actually ping tens of thousands of different websites overnight and see where it’s accessed.
If you use the same credentials for Hulu as you do for your Chase account, Bank of America, tax records, or whatever, I have access to those too.
To avoid this, I use Google Chrome’s free password manager, which generates unique passwords for each login and stores them for you.
5. Set up multi-factor authentication for your accounts
Multi-factor authentication is an incredible tool. It’s not bulletproof, but when you use it in conjunction with other tools, you become much safer.
I used to preach about password managers. These days, I am not recommending them explicitly because they have had some problems. I use a combination of passkeys, authenticators, and a password manager.
6. Watch what you share on social networks
Realize that those 3000 friends on Facebook are not friends. One of the things I used to do was see what a person was up to on Facebook. I would pull up your identity profile and see what you had posted of interest. I would learn your birthday, your mother’s maiden name, when you are going on vacation, things like that.
So watch what you share on social media.
Getting inside the mind of a cyber criminal
You should understand that these attacks occur for one of three reasons. It is status, money or ideology.
Most attacks are based on money. When cybercriminals attack for status, it’s to impress their fellow criminals. They are trying to do something no one else can do and earn respect – which equates to more money at the end of the day. When it comes to ideology, someone has pissed them off and they are looking to attack them.
The criminal is just looking to profit at the end of the day. This means they attack the lowest-hanging fruit. They are looking for the easiest approach that gives them the biggest return on that criminal investment.
If you only set the basic level of security, you are no longer the lowest-hanging fruit. This matters because, as a criminal, I’m not going to waste my time trying to hit you when there are much easier targets out there.
Editor’s note: This article was originally published in September 2022 and has been updated.