Techopedia speaks with Frank Abagnale of “Catch Me If You Can” fame, one of the world’s most respected authorities on forgery, embezzlement, secure documents, cybercrime, and scams, about his philosophy for cybersecurity.
More than 14,000 financial institutions, corporations, and law enforcement agencies use Abagnale’s fraud prevention programs, and in 1998, he was selected as a distinguished member of “Pinnacle 400” by CNN Financial News — a select group of 400 people chosen on the basis of great accomplishment and success in their fields.
Last year the Society of Former Special Agents of the Federal Bureau of Investigation made Abagnale an honorary member, and he was the recipient of the first-ever Lifetime Achievement Award given by InfraGard — a partnership between the Federal Bureau of Investigation (FBI) and private sector members to protect US critical infrastructure.
But the wider audience will remember him from his depiction in the 2002 Steven Spielberg blockbuster movie “Catch Me If You Can”.
Enjoy our fascinating, exclusive interview with a man who has fought on both sides of the battlefield and is one of the pre-eminent voices in the cyber threat landscape today.
Key Takeaways
- Time to end the password: ‘Passwords were invented in 1964 when I was 16 years old’
- Prevention is better than the cure: ‘Once you lose your money, you will probably never get it back’
- Insecure infrastructure: ‘I am very concerned that hackers could wreak havoc on US systems’
On Abagnale’s Cybersecurity Philosophy
Q: What is your three-point philosophy for cybersecurity? And how important is the education piece of that philosophy?
A: I have been teaching at the FBI Academy and the field offices of the FBI for over four decades. In addition, over the past 48 years, I have conducted more than 3,000 seminars around the world on cybersecurity, identity theft, counterfeiting, embezzlement, forgery, and scams.
During my entire career, I have worked on a very simple three-point philosophy – prevention, verification, and education. Prevention because once you lose your money, you will probably never get your money back.
They may arrest the individual. They may convict them. They may even send them to jail for ten years, but you won’t recover your money.
Verification because anything today can be replicated, duplicated, counterfeited, deep-faked, or AI-manipulated. So today, you must be 100% sure that the person on the other end of that device is who they say they are.
However, education is the most powerful tool for fighting crime. If I can explain to you how the scam works and you understand it, you will not be a victim of that crime.
Q: In addition to minimizing loss of funds for business and protecting people from identity theft and scams, does cybersecurity have a deeper purpose?
A: I believe that cybersecurity has a huge place now and in the future.
When young people ask me what career they should look into, I tell them that cybersecurity would be their best opportunity.
Over the next several years, we will need more than half a million cybersecurity professionals. I am not talking about learning how to write code but learning how to detect ransomware, malware, phishing emails, and other hacking scams.
Cybercrime Now vs. the Past
Q: As organizations rush to bring new technologies to market, does cybersecurity suffer?
A: Absolutely. Unfortunately, in this country, we build a lot of technology for both commercial and consumer use, but we very rarely vet that technology. We are so quick to get the technology to the marketplace for reasons of return on investment or “we have to get it out by Christmas.”
No one stops to ask the question: How would someone misuse this technology in a negative, self-serving way?
I always tell my audience and my clients that there is no foolproof system. If you believe you have a foolproof system, you have failed to take into consideration the creativity of fools. However, you can develop technology that is so difficult to manipulate that it would be like me asking you to move the Empire State Building over two blocks in two days. Now and in the future, we will have to do a much better job of building security into our technology.
Q: How does cybercrime today compare to scams of the past?
A: Technology breeds crime. It always has and always will. AI is going to cause a tsunami of problems because of criminals’ ability to commit all types of crimes and scams. Fifty-plus years ago, when I forged checks, you needed a million-dollar printing press, color separations, negatives, plates, and typesetting.
Today, you can create a four-color check on your laptop in less than 15 minutes with corporate and bank logos. And you can buy security check paper online or in any office supply store and print it out on your laser printer.
Q: Why is it easier for fraudsters to pull off scams today than it was for you some 50 years ago? And will it be even easier in a few years?
A: First, we live in a too-much-information world. Today, you can commit a crime from thousands of miles away and never fear that you’ll be caught. Even if you are caught, the chance that you’ll be prosecuted and sent to jail is almost zero.
For example, what would have happened if, after I was arrested by the FBI, a judge had said, “Mr. Abagnale – no bail. Be back in two weeks for a hearing.”
Do you think I would have really come back? It would just have been “Catch Me If You Can” all over again.
The Future of Cyber Warfare
Q: Where do you see the future of cyber warfare going in the next five or ten years?
A: We recently discovered that Chinese hacking groups maintained access to US infrastructure systems for at least five years before they were discovered.
I am very concerned that hackers could wreak havoc on US systems in the event of a major conflict between the US and China. I believe hackers are already targeting our critical infrastructure, such as our water treatment plants, electrical grid, oil and natural gas pipelines, and our transportation system.
To quote FBI Director Christopher Wray, “To give you a sense of what we are up against, if each one of the FBI’s cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1.”
Q: Why are cybercriminals becoming more sophisticated in terms of social engineering?
A: Thank goodness most people are honest. Because they are honest, they have no idea that they are being deceived. So when the criminal calls a bank’s call center, it is easy to turn the conversation around so that the criminal is gathering information rather than giving information.
Q: Is there any technology today that can defeat social engineering? If not, will there ever be?
A: There is no technology, and there never will be any technology, including artificial intelligence (AI), that can defeat social engineering. You can only defeat social engineering through education. You must teach the individual to recognize when they are being socially engineered.
Q: Why is it important for an organization’s technology leaders to instill a security-first culture from the top down?
A: The most important job anyone has in an organization, from the CEO to the janitor, is protecting the information entrusted to them by their clients and customers. It is important to instill in your employees that this is their most important job.
Q: How can businesses detect and prevent cyberattacks?
A: We develop great technology in this country, and there are great and effective proven technologies that work. If you don’t use it, it’s worthless. The concept that “this costs too much” or “this can never happen to us” just means you will be a victim at some point.
Passwords Are for Treehouses
Q: Why do you say that “passwords are for treehouses”?
A: Passwords were invented in 1964 when I was 16 years old. I am now 75 years old, and we are still using passwords. How is that possible when we know, according to Microsoft, that 80% of network intrusions are a result of compromised user passwords?
The Colonial Pipeline incident shut down the entire northeast corridor, and it was the result of a compromised user password. Eighty-one percent of hacking-related breaches involve weak or stolen passwords. In 2021, Microsoft said there were 579 password attacks every second, which is equivalent to 18 billion attacks a year.
The average consumer manages over 191 pairs of usernames and passwords. You can buy login credentials to someone’s bank or Uber account on the dark web for as little as $7.00. [According to Forrester Research Inc., the typical cost of just one password reset is about $70, and Gartner Inc. estimates that 40% of IT support tickets are related to password resets.]
For the past 20 years, I have sat on the Board of Advisors of a technology company. We developed the no-password technology known today as a passkey. The passkey has been adopted by the FIDO Alliance, Apple, Google, and Microsoft. Today, every device has passkey technology. This will eventually do away with usernames and passwords. This is long overdue.
Q: What is the most effective way for companies to protect their data?
A: First, don’t store what you don’t need. Avoid having anything that paints a target on you. When possible, use one-way hash algorithms that even your team cannot revert to the data. If all else is not going to work, use encryption to store anything sensitive.
Generative AI will play a major role in making it harder to know who is on the other end. Deepfakes will become the norm. For that, companies must use the next level of identity verification that is immune to GenAI. These technologies already exist and cost money as they use authoritative data sources to verify documents and identities.
Q: Why are businesses reluctant to go passwordless? What will it take to convince them?
A: Businesses are not reluctant, but rather, they’re waiting to see if their competitors will implement first. Such is the nature of humans, and the adoption of new tech usually follows this path. In banking, for example, many financial institutions are not early adopters – but fast followers. What it takes to convince most organizations is a business case that showcases how the solution will improve cost, speed, or ease of the user experience.
About Frank Abagnale
Frank Abagnale is one of the world’s most respected authorities on forgery, embezzlement, secure documents, cybercrime, and scams. For over 48 years, he has worked with, advised, and consulted with hundreds of financial institutions, corporations, and government agencies around the world.
Abagnale has been associated with the Federal Bureau of Investigation for over four decades and lectures at the FBI Academy and for the FBI field offices.
On January 18, 2023, Abagnale was the recipient of the first-ever Lifetime Achievement Award given by InfraGard — a partnership between the Federal Bureau of Investigation (FBI) and private sector members to protect US critical infrastructure.
On June 12, 2023, the Society of Former Special Agents of the Federal Bureau of Investigation made Abagnale an honorary member. He is a former faculty member at the National Advocacy Center, which is operated by the Department of Justice, Executive Office for United States Attorneys.
More than 14,000 financial institutions, corporations, and law enforcement agencies use his fraud prevention programs. In 1998, Abagnale was selected as a distinguished member of “Pinnacle 400” by CNN Financial News – a select group of 400 people chosen on the basis of great accomplishment and success in their fields.
The 2002 Steven Spielberg blockbuster movie “Catch Me If You Can” was based on his life, and Abagnale has also written numerous articles and books, including his most recent book, “Scam Me If You Can – Simple Strategies to Outsmart Today’s Rip-off Artists.”