Is the modern cybercriminal a solitary figure acting as a lone wolf? Or are they more often part of a sophisticated, white-collar pack? We discuss this with Mark T. Hofman, a well-known crime and intelligence analyst. Together, we explore the mechanics and motivations behind cybercrime. Spoiler alert: it’s not just about money.
In our talk, we examine the tactics of cybercriminals: how they exploit human behavior, not just system vulnerabilities, to target victims. We shed light on why people click on suspicious links. We also reveal organizations’ weakest links. Finally, we discuss what it means that cyber-attacks fail at the coffee machine.
Dive into the interview and learn how to build a strong human firewall in your business.
The interview's highlights
Cybercriminals don’t fit the stereotypes shown in movies. They operate within structured, business-like entities that use advanced tactics like ransomware-as-a-service.
Cyber attackers often seek thrills, not just money. The excitement of outsmarting the system often motivates them more than financial gains.
Cybercrime targets human error more than system flaws. It often exploits moments of inattention or bad luck and has nothing to do with a victim’s intelligence.
Cyber awareness across all levels of staff is key for organizational security. Anyone, even IT admins, can become the weakest link in a cyber-attack.
Fostering a company culture of cybersecurity is key for digital safety. Just like looking both ways before crossing the street, taking precautions is a must.
Key insight #1: cybercriminals are smart individuals operating in company-like structures.
NordLayer: You often say in your keynote speeches that the idea of a lone cybercriminal is inaccurate. What is the reality?
Mark T. Hofman: Cybercriminals are often presented as 15-year-old teenagers with black hoodies sitting in a dark room. That’s a Hollywood myth.
The number one threat for many companies is ransomware and crime-as-a-service operations. The individuals behind these are not just kids. They're sophisticated and work within organized, business-like setups on the economy's dark side. These criminal organizations function like companies. They have customer support, quality management, recruitment, and specialists who negotiate ransoms.
For example, look at DarkSide, a group that attacked the Colonial Pipeline networks. Like many other cyber gangs, it is set up like a business with affiliates. They even issued a press release discussing their "ethics" and preferred targets.
NordLayer: Can you tell us more about how these ransomware-as-a-service structures work?
Mark T. Hofman: Everything starts with a ransomware creator, like DarkSide. They make ransomware that locks and encrypts data once it gets into a victim's computer.
What’s interesting is that DarkSide doesn’t interact with the victims. Instead, they operate through a network of affiliates responsible for infiltrating computer systems. These affiliates use DarkSide’s ransomware and subscribe to their malicious software.
The fees for using this service vary based on how much ransom is taken from the victim. This shows the sophistication and organization level within modern cybercrime enterprises.
Key insight #2: cybercriminals love the challenge of beating the system more than money
NordLayer: You've talked to quite a few cybercriminals. What really drives them?
Mark T. Hofman: When I talk with threat actors on the darknet, X, 4chan, various forums, and Telegram groups, I try to figure out as much as possible about their psychology and methods. In my keynote talks, I share this knowledge to help companies and government agencies understand how to protect themselves.
Here’s the scoop: many people believe they are only after money. Sure, that’s part of it. But for many, it’s not just about money. It’s more about the psychological trait of thrill-seeking or the challenge to beat the system. Many cybersecurity experts might disagree with this argument. But, if you already have millions of dollars in Bitcoin in your wallet and you still commit crimes, then your motive is not money but greed.
For example, cybercriminals often target government institutions, not because of financial gains but simply because they can. It's a game of cat and mouse. Or a game of chess that always gives you a challenge.
Another thing is that most cybercriminals start young, around 10 to 15 years old. They play with technology, take things apart, and try to find bugs or hacks in computer games. Here, it's a mix of boredom and thrill-seeking behavior. For many, school is boring, and there are more interesting hacks to learn on platforms like Reddit. YouTube is usually their entry point before going into the darknet. For many 11-year-olds, cybercrime is a way to gain recognition and respect.
In contrast, young soccer talents get support at school and the opportunity to join a soccer team. What support is there for coding talents? Mostly nothing. If we want to prevent cybercrime in the long term, we should give 11-year-olds a chance to use their skills for good purposes. Otherwise, they may learn the wrong things on the darknet and end up on the wrong side of the law.
Key insight #3: cybercrime exploits human psychology rather than system vulnerabilities.
NordLayer: In one of your YouTube videos, you said that cybercrime is not about technology but psychology. Why is that?
Mark T. Hofman: Over 90% of cyberattacks happen because of simple mistakes people make. And it's clearly a psychological problem, not a technical one.
It's people clicking on suspicious links, opening email attachments, plugging in USB flash drives they found in the parking lot, connecting to public Wi-Fi networks, having loud phone calls about sensitive topics at airport lounges, revealing their OTP (one-time password) on the phone, and falling for deception like honeytraps or well-made deepfakes. In short, cybercrime often uses human error—this is where psychology comes into play. And yet, this psychological aspect of cybercrime is often underestimated.
NordLayer: "I'm smart, I will never click on a suspicious link," many people say. Yet, they do click and get attacked. How does that happen?
Mark T. Hofman: It has nothing to do with their IQ. It's more about whether you’re paying attention at that moment or just having a run of bad luck.
For instance, if you get a phishing email about a recent Amazon purchase you didn't make, you might say, "Who would be so stupid to click on this?" But, if you did make an Amazon purchase 20 minutes ago and now you get an email claiming there's a problem with your order, you’re much more likely to click, and it has nothing to do with your intelligence. Everyone can fall victim to a cyber-attack.
NordLayer: How do cybercriminals analyze our weakest points?
Mark T. Hofman: Most of the time, they don't. For example, in many cases, phishing emails are not specifically targeted. They are sent out to thousands of users, hoping that someone will click on a suspicious link and take the bait.
I get phishing attempts from banks where I don't even have an account. It just shows cybercriminals shoot in the dark. But when they target someone, like in spear phishing, open-source intelligence (OSINT), and on social media, they smartly use the information about you that’s available online.
Say an IT admin lists an XY software skill on their LinkedIn profile. They get an email saying, "Critical security update for software XY," and even a tech-savvy IT guy might click. It shows everyone can fall victim to this type of attack.
NordLayer: How do you conduct cyber profiling? Is it similar to offline crimes?
Mark T. Hofman: Yes and no. In everything we do, we show something about who we are. Our behavior leaves personality traces. The same principle applies to cyberspace, where there are no physical traces but digital ones.
Cybercriminals decide when and how to attack, who to target, and what language to use in their threatening emails, ransom chats, or phone calls. They also leave a trail of their personality and disclose their intentions or identity, which can be analyzed to learn more about them.
For example, the FBI uses a checklist to judge how serious a threatening letter is. Today, these letters aren’t letters anymore. They are social media posts, tweets, or emails, but their content can be analyzed in a similar way. So, some profiling methods used in the real world can also be applied in cyberspace.
Key insight #4: to create a robust human firewall, everybody in an organization must be aware of security.
NordLayer: Who is more at risk for online scams and cyber-attacks: IT professionals, who know the ropes, or remote workers?
Mark T. Hofman: It's a common misconception that IT professionals are immune to cyber threats because of their expertise. In fact, the risk isn't about knowledge alone—it's about context.
Many cyberattacks fail at the coffee machine. What do I mean by that? For example, identity theft scams like CEO fraud exploit a lack of face-to-face talk. If I meet my boss at the coffee machine and ask them about a bank transfer, and they respond with, "What bank transfer? I didn't send you any email," the attack fails.
Working from home increases the risk of cyber threats, as people might fall for online scams that prey on individual mistakes and the absence of a 'coffee machine' moment of verification.
NordLayer: What are the most successful social engineering techniques that attackers use?
Mark T. Hofman: Attackers often combine three elements, which I call the dark triad of cybercrime: time pressure, emotion, and an exception. Be cautious if someone calls you, triggers emotions, creates time pressure, and asks you to do something unusual.
Deepfake technology has advanced to the point where someone can replicate your voice with just a half-minute of audio. I could clone your voice and make you say anything in any language. Imagine your partner calls you and says, "Honey, I'm in trouble, you need to send me money." It's a combination of time pressure, emotion, and an unusual request, all classic signs of a scam. So, be careful when you get an urgent request for money, even if it appears to come from someone you trust.
NordLayer: Now, let’s discuss a cyber attack's "butterfly effect." How do small steps in an attack, such as a minor vulnerability, cause major problems across a system?
Mark T. Hofman: We need both technical security and a human firewall. Do you have a well-trained CISO or IT department? What do your interns or executive assistants know about cybersecurity? How security-aware are your C-level executives or your receptionist? Every chain is as strong as its weakest link, so we must reach out to everyone. My motto is "Make cybersecurity great again." It’s because the main target group is people who are not interested in cybersecurity. They represent the weakest link. We must also make them security-aware.
Key insight #5: staying safe online is like looking both ways before you cross the street.
NordLayer: What can we do to become the human firewall?
Mark T. Hofman: I would be happy if people paid attention to the basics of cybersecurity. This includes using long and different passwords and enabling multi-factor authentication. Equally important are protective measures like firewalls, antivirus software, and VPNs at work and home.
We need physical and psychological awareness. This means being wary of third-party USB sticks, suspicious links, or email attachments and always keeping your software updated. Also, never leave your laptop or cell phone unlocked. Avoid buying USB sticks from online shops. And stay alert when emotions are triggered or something seems out of place.
When every employee understands that cybersecurity is a personal responsibility, not just the job of IT, that's what I call the human firewall.
NordLayer: Can education reduce human errors in the future? And how can AI help us make fewer mistakes?
Mark T. Hofman: Discussions on cybercriminals’ forums focus on AI’s risks and benefits. They see its opportunities but also worry that their crimes might get harder if businesses and law enforcement agencies understand the full potential of AI. I think the threat actors’ concern is good news for us.
Of course, cybercriminals also exploit AI technologies, such as deepfakes, and specialized versions of ChatGPT tailored for attacks, such as WormGPT. I discuss the dark side of AI a lot in my talks. And AI also offers opportunities for defense and cyber profiling.
Basically, AI is like a knife. You can use it to make a salad or kill your wife. It’s a tool that can be used to create good and bad outcomes and will be used on both sides.
NordLayer: How can we engage and educate those not very knowledgeable about cybersecurity, including C-level executives?
Mark T. Hofman: At many cybersecurity conferences worldwide, I meet cybersecurity experts discussing cybersecurity topics with other cybersecurity experts. That’s great. But in the end, it's interns, regular employees, or C-level executives who often open email attachments or click on suspicious links.
Cybersecurity must be entertaining and relatable to make people aware of threats. I always say, "Make it about people, not just about business." If you include "Three ways child predators can exploit your child in World of Warcraft" in your cyber-awareness training, guess what? Suddenly, mothers will care more about cybersecurity.
I also address private life and the so-called "grandchild trick." Brief seniors in your family to be cautious when they get a WhatsApp message telling them, "Hi mom, I have a new number." Make cybersecurity matter to everyone.
Mark T. Hofmann, a crime and intelligence analyst and business psychologist, specializes in behavioral and cyber profiling. Featured on CNN, CBS, and 60 Minutes Australia and in publications such as Forbes, Mark T. Hofmann is also a popular keynote speaker, discussing the psychology of cybercrime and the dark side of AI.