Little over 2 years ago, while preparing a workshop about Cybersecurity for which I was invited by my good friend, former colleague and fellow lecturer Ralph Peters, I decided to write down my experiences and research. Since I realized there simply was too much material for the workshop, I asked Ralph for advice on which topics to included, and because I had so many topics available, also which topics to exclude. During this discussion, I literally told Ralph “I could fill several days with this” and Ralph replied “the workshop for our students is only 1 hour and you have enough material to fill a book”.
You have enough material to fill a book!
During the 3 hour drive back, that sentence didn’t leave my thoughts. You have enough material to fill a book. I was going to write about this, that much was clear. At first not even sure if it would become a book or a bunch of articles, it was immediately clear to me that I wanted to share my experiences and allow others to learn from that. Awareness! That was what I wanted to achieve. Make people aware of the risks and provide some practical advice on prevention.
Some of the experiences I wanted to write about are relatively harmless in the way I experienced them at first, but could (and some did) quickly escalate into serious problems. Other experiences were serious problems from the beginning so I decided to combine those to allow the readers to understand how something that looks like a minor thing could in reality be a serious problem without even knowing it. Like that one time where I found my name and my position at the company I worked for on a list of references of a company which I had never heard of before and never had anything to do with. It was obvious that they had taken my data and even my profile picture from the publicly available profile on a professional social media platform. I wrote the company an email to instruct them to take me of their list to which I never got an answer, and to be honest, I completely forgot about it after that. I considered it something silly and didn’t pay any further attention to it until about a year later.
I considered it something silly and didn’t pay any further attention to it…
That is when I started to get emails and calls from rather upset customers and suppliers of this company. The company and its owners had vanished into thin air, leaving a graveyard of unpaid bills and unfinished work, but their website was still up and there was my name. At the top of their list of references! That “something silly” quickly became a serious annoyance and from there on, it only became worse. I wished it would have been the end of the story when I had to testify in court about my connections to the company and the only shred of evidence I had was that email I had send to instruct them to remove me from their list of references because I had never had any dealing with them and they didn’t have my permission to use me as their reference. After the court hearing, I was very relieved and thought this nightmare was finally over but it wasn’t.
Several months later, we were in the final bidding phase of a tender. Our main competitor in the market and us were the last bidders left and we knew we had a better offer. We were invited for the final offer presentation for the tender review board and it wend fantastic at first. Suddenly, the purchasing director started to criticize our offer and products. Although this was the first time he joined the bidding process, I had a feeling that I had met him before but couldn’t figure out where that would have been or in which context. The criticizing continued and much to our surprise, our presentation was ended before we were even halfway through. The other members of the bidding board appeared to just as confused about this as we were. What happened, what did we do wrong? It all became clear on the way out. We said goodbye to everyone and while receiving a cold arrogant handshake from the purchasing director, he mentioned the name of the company that had abused my credentials as their reference. At that moment I remembered where I had seen him before. During the court hearing where he had represented his employer as one of the creditors!
What I thought was a silly simple thing turned out to be a costly abuse of my credentials. Even though the court ruled that I had no responsibility for the damages caused by that company, I was fully aware that I should have been much more persistent in making that company remove me as their reference and more. It was my mistake to let it be and not take matters in my own hand when there was no response to my request.
What I thought was a silly simple thing turned out to be a costly abuse of my credentials!
For quite some time, I believed this was an isolated and very unfortunate incident, and I was wrong about that, too. When I started to do research for what has become my book in progress, I found many people who experienced something similar and in some case with even more devastating consequences. Some allowed me to interview them and share their experiences and stories, others decided to not want to talk about it in any kind of detail and just confirm that it happened to them.
Besides my own experiences with abuse of credentials (yes, multiple experiences!), I have also seen it happen in my surroundings several times. Even recently while coaching a thrilling startup company. While negotiating a deal with a potential distribution partner, I did what I always do: check them thoroughly. Maybe driven by own experiences, I always take a look at the listed references and contact a couple of them. Much to my surprise, the startup company which was only in the preliminary phase of negotiations, was already listed as a reference and a “news statement” was posted that the potential distribution partner had obtained the exclusive distribution rights for their products. We hadn’t even received a formal quotation for their services but we were already listed as their reference! I contacted 2 other listed reference and got a similar story. The potential partner received a well formulated letter with a 24 hours deadline to remove the reference and a clear statement that legal steps would be taken when not complied within the deadline, something I should have done years ago when I found myself listed as reference without my permission.
This is just one example from my own experience and I am grateful for all the input and cases I receive from victims around the globe. I use these examples for the workshops I deliver (Cybersecurity for Road Warriors and Couch Potatoes), and as input for the book I am working on. Researching, evaluating, learning, fact finding, interviewing, writing, reviewing, rewriting, it is a lot of work and very motivating!