Editor’s Note: As digital threats become increasingly sophisticated and data volumes continue to surge, email remains a cornerstone of modern investigations. In this timely webcast, HaystackID® experts John Wilson and Rene Novoa share how legal and forensic teams can streamline email investigations with AI-driven triage and smarter workflows. From uncovering critical clues, such as login alerts, to navigating Business Email Compromise (BEC) attacks, the session highlights practical strategies for identifying key evidence more efficiently. Wilson and Novoa also explore how targeted reporting and behavioral profiling are reshaping investigative responses under pressure. Whether dealing with compliance mandates or urgent cyber incidents, speed and precision are now non-negotiable. Read on for the full conversation and key takeaways.
Expert Panelists
+ John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID
As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms.
+ Rene Novoa, CCLO, CCPA, CJED
Vice President of Forensics, HaystackID
As Director of Forensics for HaystackID, Rene Novoa has more than 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management and sales activities. During this time, Rene has performed investigations in both civil and criminal matters and has directly provided litigation support and forensic analysis for seven years. Rene has regularly worked with ICAC, HTCIA, IACIS, and other regional task forces supporting State Law Enforcement Division accounts and users in his most recent forensic leadership roles.
[Webcast Transcript] Faster Finds, Fewer Files: A Smarter Approach to Email Investigations
By HaystackID Staff
In today’s high-stakes investigative environment, email remains one of the most valuable and overlooked sources of insight. During the recent HaystackID webcast, “Faster Finds, Fewer Files: A Smarter Approach to Email Investigations,” digital forensics experts John Wilson and Rene Novoa discussed how email, despite the rise of platforms like Slack and WhatsApp, continues to serve as a goldmine of evidence in legal, compliance, and cybersecurity matters. From login alerts and two-factor authentication messages to ride receipts and cloud access notifications, email often provides the critical breadcrumbs that help investigators trace hidden behaviors and uncover digital missteps.
Wilson and Novoa shared how traditional, time-intensive review methods are being replaced, or at least strategically supplemented, with triage-first workflows and precision tools that help teams zero in on what matters most. They emphasized that in regulated industries, where email remains the default archivable channel, forensic investigations increasingly rely on faster, smarter solutions to isolate relevant messages, detect behavioral anomalies, and build contextual profiles from years of communications. Leveraging AI, investigators can now rapidly process vast email stores to pinpoint threats like data exfiltration or unusual access patterns without combing through every message manually.
The panelists also addressed the growing sophistication of BEC attacks, noting a dramatic rise in financial impact, from an average cost of $75,000 per incident in 2020 to nearly $300,000 today. With threat actors impersonating executives and referencing internal projects to create urgency, fast action is critical. Investigators must now respond within hours, not days, using targeted email collection and concise reporting to empower decision-makers, often before formal documentation is complete.
As email investigations become more complex and time-sensitive, Novoa and Wilson emphasized the need for forensic teams to adapt quickly and intelligently. Their message was clear: the future of email investigation lies in precision, not volume. From AI-enabled triage to behavior-based analysis, investigators now have tools that can help them move faster, reduce noise, and deliver defensible results when it matters most. Read the full transcript below to explore the strategies, challenges, and tools shaping the next generation of digital investigations.
Transcript
Moderator
Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.
John Wilson
Thank you very much. Hi, everyone, and welcome to another HaystackID webcast. I am John Wilson, your expert moderator for today’s presentation and discussion, “Faster Finds, Fewer Files: A Smarter Approach to Email Investigations.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We are recording today’s webcast for future on-demand viewing and will make the recording, along with a complete presentation transcript, available on the HaystackID website at HaystackID.com. Today, my colleague Rene and I will explore modern challenges in email investigations, as well as the emerging methodologies that can help uncover relevant communications, identify risk indicators, and accelerate responses. Before getting into the agenda, Rene and I will quickly introduce ourselves. Go ahead, Rene.
Rene Novoa
Hello everybody. My name is Rene Novoa. I’m the Vice President of Forensics here at HaystackID. Let’s put my photo up. I specialize in running our forensic lab here in Chicago. I also work closely on our R&D projects and closely examine emerging technology, as well as how we address modern challenges and predict future challenges as we observe the advancement of technology and its landscape over the next 18 months. I am very excited to share what we’re diving into and what’s coming up next. Thank you very much.
John Wilson
And I’m John Wilson. I’m the CSO here at HaystackID, as well as the President of Forensics. I’ve been working in eDiscovery and digital forensics for 30 years, and it’s what I love and what I’m passionate about. I’m always happy to share any information I can with the community. So from there, we’ll jump right in. Today, we’re going to run through why email investigations are important and discuss how to move away from some of the historical legacy methods we’ve utilized. Not to say we’re moving away from them. Still, there is a shift toward adding new technologies and new methodologies that I think are important to deal with the amount of data that’s out there and to find the data in a shorter timeframe, to become more actionable in a faster way and find the specific things you need, which is that precision over volume: finding what you’re looking for versus having 80 million emails. However, we’ll then discuss some of the real-world lessons, activities, and applications, as well as how we utilize these technologies, why they make sense, and how to optimize them to move your cases into the future. And then, we’ll open the floor for questions. If you have questions as we proceed, please feel free to ask them. If we can answer them at that point, we will. Otherwise, we’ll try to address all the questions at the end of the presentation.
Rene Novoa
That sounds great, John. I think email is just one of those quirky things. It’s one of those technologies that has come back around for advancements and ways to look at it. Just as we’ve done with mobile devices and computers, we’ve had to make adjustments in how we approach them, but I think email has been largely overlooked. It’s something that’s been around for a very long time. I remember back in the day when I had AOL, and you had the DISC, and many people have been preserving email since the beginning of time, saving everything. We discuss why emails still reign supreme in investigations because one of the first, if not the first, technologies of communication was widely adopted by the masses early on. We exchanged a lot of emails. It was cool to have a cool email address where you either used your name or a code name. However, you saved everything and used it for various purposes, from signing up to win cars and attend festivals at conferences to getting credit cards in college. And we’d use that email, and we’d receive a ton of information. A lot of information was being sent to us for us to digest and then forward, and we’d forward funny emails. I remember receiving those emails, and I communicated mainly through Signal, Telegram, WhatsApp, and the native messaging apps, where we sent our jokes, shared personal information, and discussed buying a home or a car. It was all done either by fax or email of some sort. I think many great nuggets and insights are often overlooked in emails because there is so much valuable information that can be gathered from an investigative standpoint.
John Wilson
And you start talking about, and I’ve mentioned this in many of my presentations, including those in this format, that there is a shift towards people moving from email to Slack and Team chats. They’re not communicating as much via email, but many of those platforms still end up in email. Slack still sends notifications of the messages to your email, including the messages. There is still a lot of that information available. And I’ve always talked about the growing trend that there’s not as much in the US business. Email remains the primary means of communication, but in many places outside the US, third-party platforms have become the primary means of communication rather than email. They’re communicating via Slack and WhatsApp, among other platforms. However, a lot of that information is still landing in emails. There is still value and importance to email beyond the fact that it remains prevalent in the US and many major countries, where communications and business records continue to occur via email. When discussing financial services companies and other heavily regulated organizations, many of these entities have required their employees to ensure that their communications remain within email and not on third-party platforms. They have a much harder time archiving and recording them to meet their regulatory and compliance requirements.
Rene Novoa
John, but even beyond that, I mean just for the email investigations, when I try to change my password on iCloud, I get an email saying, ‘Hey, is somebody logging into you?’ There’s a trail that I’m attempting to log into my iCloud account. I need my two-factor authentication. Even some of my banking information sends me a code to my email. Often, in investigations, people forget that they engaged in all this nefarious activity on a specific website or are using Telegram or another source to communicate or conduct their actions. However, many of the things we do can be traced back to emails, where there’s a nugget of whether we’ve logged into a system that hasn’t been noticed or whether we’ve approved it. However, that information can be very valuable in an investigation if someone is trying to conceal something or they’re part of a repository that they’ve signed up for. They’re running out of space, resulting in an email being sent, right? And, by the way, I never logged into it, but you wouldn’t be receiving this information if your email wasn’t attached to this service. Dating sites, repository sites, and all sorts of two-factor authentications that require those codes are very much nuggets to keep in mind when conducting investigations. It may not be the content, and it may not be the smoking gun, but it does go into the ability to track behavior and possibilities that lead us in that direction.
John Wilson
Absolutely, and it’s essential to discuss this because we’ve had cases where we were conducting a departing employee investigation and were able to identify that this individual was using a cloud-based repository site to exfiltrate information. It was not a mainstream site by any means. The only way we knew about that site was through his email and the two-factor authentication email codes that he received to his email. And that’s what led us down the path of, hey, maybe he’s using this. Then, we were able to go back and identify that there was a lot of activity and a lot of data that was exfiltrated to that site, which would not have been apparent before we knew that individual was using it. This was very interesting because he was doing it from terminals at the office that multiple users used, but he was uploading the data to the site, which wasn’t on the flag list. It wasn’t identified. So all of that traffic was just allowed to go through. It was a very carefully manufactured situation to bypass the data loss prevention tools and things. It was very interesting that we figured out the site was where he was moving the data in this way. And it was only because he had two two-factor authentication things that showed up in his email.
Rene Novoa
Yeah, funny to that story; I have a lot of filters on mine because I get a lot of noise over the years. I never wanted to get rid of my email address, but then I realized how much of my location data was stored in my email due to all my Uber and Lyft rides. I get a receipt, and it really tracks me where I have been and what I used, and maybe we don’t get that information from the phone. Still, upon reviewing emails, we have a whole system of ways to track the geolocation of individuals based on these other apps that send receipts, which people want to either write off or log for tax purposes. But many people create filters. I don’t think I’m out of the norm to get all that noise out of the way, but it does log the location from start to finish, including timestamps and a lot of good forensic artifacts that can be built upon in everyday use, such as email accounts.
John Wilson
Absolutely. I mean, even looking at your Uber emails, they contain the address. It says this is the address you went to, this is where you were picked up, and all that information is contained in there. It provides great meat for various types of investigations. It’s a great lead-in; hey, there’s a lot of potentially high-value information in the email. Still, there are also significant risks, privacy concerns, and challenges to accessing all that information, particularly when it comes to business regulatory investigations or compliance efforts.
Rene Novoa
Oh, no, absolutely. I couldn’t agree more. As we delve into these investigations, we discuss BEC and explore the intricacies of what it entails when distant actors attempt to gather background information or gain insight into a company or organization. If they have access to someone’s routine and where they go, they can actually build a profile to learn about someone’s habits and their likes, all through the things that we sign up for by email, from Target to Amazon to Sephora beauty products and all sorts of things like Chipotle reward points. From that, you can build a profile of how a person’s going to act and where they’re going, and use those things to start building these types of emails. When we start discussing phishing and spoofing, how do they obtain so much information about us? Well, they got access to our email, it was compromised, and now they’ve learned so much about us because of our filtering, how we store emails, and how far back they can build that profile. Using AI now, and we’ll get into that a little bit, it could be done super quick. ‘Give me a summary of this individual over the last five years, including his favorite likes, dislikes, and where he went.’ And within a matter of minutes, we have a full investigative profile on a target. Now, we will get into that. I’m getting ahead of myself. I get excited about learning these nuggets, but you can see how advanced technology can utilize this massive amount of data to come up with a great scheme. Hopefully, I’m not giving anybody any ideas.
John Wilson
Definitely. We’ll circle back to that for sure.
Rene Novoa
Hundred percent.
John Wilson
It is important to understand, historically, how email has been done. You did a full mailbox collection because the indexing and the services themselves don’t necessarily index all the data, or there are a lot of data types that may be in there that get skipped, and there are a lot of challenges. There is a significant cost associated with gathering all that mail, as it can be large, and things have only gotten bigger; attachments have also increased in size, and the volume of email has grown substantially. Everything related to email has gotten bigger and larger. You used to get text emails almost never; now, you rarely get just a plain text email anymore. They’re all HTML-driven. They have a specific style sheet, and they review the emails, images, attachments, and all the other content that goes in there.
Rene Novoa
Even your signature is becoming interactive, and some of them include video or moving parts, which means that all of this content has to be stored and saved for each email.
John Wilson
Then you’re faced with the cost of collecting that larger mailbox, which is not a big deal. The collection cost is relatively low, but then you’ve got to process it and filter it. How am I going to filter it? What tools will I use? You’re getting into manual filtering and the information, and you’re also having to deal with, ‘Hey, is there data in this email that I don’t want to see?’ It raises privacy concerns and privilege concerns. Various challenges come up when you’re looking at someone’s mailbox, especially when you start talking about executives at a company, founders at a company board, advisors, and consultants who have talked to multiple companies. Company A can’t really know what the secret formula is over at Company B, even though the consultant was helping both companies with their different formulas. Numerous challenges accompany these privacy, security, and privilege concerns.
Rene Novoa
When we discuss manual filtering and the potential for human error, what is the starting perspective? I know you’ve been doing this a long time and have had emails where the attachments were part of it; you could search that, and you could OCR some of the PDFs, but when we start looking at modern attachments, we start looking at some of those types of attached links or depending on what the common phrase is. We do the manual search, and we could be missing a lot of data and displaying more data than necessary where we start talking about that secret recipe, that secret code, because we didn’t find it in our normal search because it was part of some sort of attached link, modern attachments that do get pulled based on this collection method. Now, we’re exposing ourselves to that risk and having our privacy compromised. It can also lead us away from conducting the right search for malware or some other malicious file that could seriously corrupt our system. So I think as we get into the old ways of doing it and looking at messages, it becomes overburdensome, especially with the amount of information that we’re going to look at; looking at Google Vault or even Google, the search engine is only going to search what it’s capable of. And I think a lot of things can be missed when people want just to say, ‘Hey, can I search my email and give you what I think is relevant?’ I think a lot of it’s either missed or overproduced. What would the thought be on that?
John Wilson
That’s exactly right because you have to discuss the modern attachments or the linking. Are those items indexed, or are they partially indexed, or are they not indexed at all? And those are all things that are very hard to verify and can have significant impacts. And then, especially with these more modern systems, where modern links are very much built into the system and the process, when you send an email, it’s just sending the link; the information isn’t included in there. Then, you start running into longer processing times. You may have to collect those modern links as a separate effort and reconstruct them, or you may have collected them all, but then you’ve got a much larger mailbox than you necessarily need.
Rene Novoa
And then what’s the time to process that? How does that speed up an investigation when you have those modern attachments? Would you have to pull them, and could you be pulling a lot more data because you’ve attached a larger size than email can normally handle? I think it was originally three megabytes, or five at the maximum, and now it has expanded to anything larger, over what was it, 25? Now it gets into a link, but now we can start sending 4,000 videos because we’re linking it to our OneDrive, we’re linking it to our Google Vault, so it can explode tremendously from not only the collection, the filtering, and the processing; just within the last couple of years it has exploded.
John Wilson
Absolutely. It has definitely exploded, and there’s definitely, it takes a fair amount of time to do all of that.
Rene Novoa
That’s what puts the most pressure on our forensics teams: trying to be, I don’t want to say, cost-effective. We leave out information, but ensure that we’re doing the best job possible and that we’re indexing and collecting the relevant data. Still, with the rising amount of information and the complexity of the data, it’s also storing, processing, and producing in a way that can be readable because we’re able to put so many different data into emails. It puts quite a bit of pressure and risk on our teams to work efficiently to produce the data that people are used to having inside of email.
John Wilson
Yeah, absolutely. You look at the rising volumes and the cloud complexity; both of those are significant factors. Additionally, you must consider regulatory scrutiny and compliance requirements, such as those applicable to financial firms, brokerages, and similar entities. They have compliance requirements that say that any off-channel communications have to be archived and available for discovery for a significant period of time. However, if a modern attachment is utilized, it may or may not be easily accessible from the collection point. If you go back and say, ‘Hey, we’re archiving in place, and we’re just going to save; we’re going to archive all of the mailboxes, but it’s archiving the link, not the actual document.’ And so, then you have to deal with the methodology: how do we get to that actual document? And all of that comes down to the need for speed, forensics, and meeting regulatory investigations. When you receive a regulatory investigation, you must review the documents that were subject to your compliance requirements. They’re not saying, ‘Hey, yeah, take as long as you need to get it figured out.’ It’s ‘Hey, I want a report within 30 days of X, Y, and Z,’ and there isn’t much patience there. There is a very specific timeline and set of requirements regarding how they must perform or cooperate with that.
Rene Novoa
Finding a fast way to not only triage but also understand the volume and type of information and then target a specific date range is crucial. This enables us to produce results and ensure nothing is left on the table, which is really what we’re aiming for in terms of speed and energy. I think that in this conversation about how we get there, how we conduct these investigations, and especially for two-hour Senate investigations, where you may only have two weeks to produce a certain amount of mail. You want to ensure you have a methodology that’s not just relying on screenshots or saving individual emails and trying to produce that as the best practice. There are many things to dissect as we delve into lessons from the field and the things we’re seeing out there that make our jobs more complicated than simply collecting emails and running keyword searches or GRE expressions. We’re at a new level here.
John Wilson
It’s important to understand each type of case. There are different requirements. For an insider threat investigation, I need to look at different things. I have a much different timeline of how that has to go, what I need to see, and what I need to accomplish. If the business has been compromised, it is essential to determine which mailbox was compromised, the specific compromise methodology used, how the compromise occurred, and what the intruders were able to view in that mailbox so that they can meet their notification requirements. All of these different types of cases. Consider an eDiscovery contract case or a contract dispute. Did he, or did the custodian, see the contract or not see the contract? Did they alter the contract or not alter the contract? What actions were taken? All of those things have different needs and requirements, but the unifying thing that we see when you talk about lessons from the field is that data volumes have gone up. The time we have to take action has decreased, while the requirement to avoid certain content due to privacy or security concerns or to gain access to specific content has certainly grown.
Rene Novoa
From the top two, the insider threat investigation and BEC investigation, you’re working against the clock. Even if the request is, ‘Hey, just look at the last two weeks,’ we may have an individual who may be walking out the door that afternoon or within the next 10 days. And so it’s not just about processing the data, but also about understanding real intelligence from these situations. And even if we have the ability, which the technology is there, not to collect the whole mailbox, but ‘Hey, can you guys quickly grab this next 10 days or the last month,’ we need to get intelligence from the data we process for it to make sense, to make actionable action items and next steps. Because when you have an insider threat, you’re often against the clock, as a departed employee is probably the most common scenario, or you have somebody who’s already in cahoots with someone and they’re doing something, so you want to catch them in the act. We need to be able to examine it and make some determinations about how to proceed with the investigation and what level of damage control is necessary, especially if we start looking into BEC. We will get into the spoofing and phishing techniques that are very popular and have been quite lucrative for the bad guys or the people who are causing havoc in our industry. However, we need to examine the various approaches to system misconfiguration. We can definitely look at that. I don’t feel that it’s as fast as damage control, insider threat investigation, or even regulatory. You still need to have actionable items. You need to build intelligence on large amounts of data or a short amount of different data, but you have to be able to understand what you’re looking at very, very quickly.
John Wilson
Absolutely, a hundred percent.
Rene Novoa
We’re getting into the big thing in this talk, which is the BEC. Many people may not even realize that it’s the BEC; people may not understand that terminology, but it is an everyday news report that I hear or something that I see on social media about how these scams and how these investigations are taking advantage of everyday people. And we’re going to get into some of the red flags of what we see, but of the common tactics of phishing and credential theft, the executive impersonation is probably by far the one that most people are aware of, where it’s that sense of urgency, like, ‘Hey, I really need to get this money. I’m in a meeting. I need you to wire me $250,000 or $1 million.’ Sometimes, when an executive or a higher-level person requests this information, there is a duty to respond without conducting due diligence or even with some training, and they may not realize what is happening because it has become so well-integrated with AI, and the bots have improved. People have learned from past mistakes to cause that sense of urgency that we’re just sending the money over or they’re just doing the action item that’s being told via email because maybe email is more of a trusted form of communication as opposed to a random text message saying, ‘We have the latest crypto insiders, please send money.’ That’s a whole other topic in itself, but that’s probably the most common one that we’re seeing in account takeovers, obviously, because someone will say, ‘Hey, change your password,’ and it’s coming through email. And I’ve seen that; you’ve seen that a lot. You’ve seen that in that movie. I think it was called Black Hat. They did that exact account takeover when they took over the CIA’s big system, and it literally was an account takeover based on an email to reenter your password. We’re seeing this reflected in our movies, Hollywood, and everyday life, but some people, I think, just don’t realize that it can happen to them.
John Wilson
Yes, and definitely, when discussing BEC, you have to acknowledge that threat actors are becoming substantially more sophisticated. They’re reviewing information about a company and finding a starting point. Once they access a mailbox, they extract that information and use it to make a smarter and more intelligent attack against other individuals within the organization. They understand the vernacular, how you speak to your CEO, your CFO, and the other key people, because they’re analyzing all that communication that you’ve had using AI to really impersonate that person. It’s crazy, crazy stuff. How sophisticated they’re getting. A really interesting metric for 2024 was that ransomware is actually on the decline, but BECs have absolutely exploded, and people just don’t realize how much targeting there is and how focused these BEC attacks on organizations are, how sophisticated, how professional, and how much intelligence they involve. They’re going out and looking at the company’s website, they’re looking at the company’s social media, then they’re looking at the individuals; they’ve now looked at the website and know who the CFO and the CTO and the CEO are, and they go out to those people’s social media to understand how they behave, how they speak, what their language is. Then they integrate all that into the attack, so that now, when you get an email from your CEO, it sounds just like all the other emails that you’ve received from your CEO. It doesn’t look inauthentic and doesn’t raise the hair on the back of your arms because it’s talking just like your CEO talks to you when he sends you an email. Those things become really, really complicated and intriguing.
Rene Novoa
You hit the head on the nail on that one. I think I was talking to you earlier, possibly this week, and we were discussing some of the BEC investigations. I just did a quick search and found that since 2020, the average attack has been costing about $75,000 per transaction, which would catch somebody. They’re now averaging almost $300,000 per incident. And I’m not talking about the overall there’s millions of dollars being lost, but getting one individual to transfer money to do a task, to buy gift cards, to wire some money for a special project that the insider knew the name of the project and say, Hey, this is for Project Castle or whatever, and please send them money. And, as you said, they found a way to talk, which allowed them to then go outside the normal bounds and use that sense of urgency to get the money forth. As with email spoofing, it’s becoming really hard to detect if you’re not paying attention. And I know that many organizations, even organizations like ours, put those tests and training in place to really be able to spot what a good email address and domain are, as well as those that you should expect. I mean, when I was putting this together, I actually thought that there was a typo. I missed the Smitty and the Joe Smith to the Joe Smithy. I literally thought, ‘Oh, we made a mistake on this slide.’ It took me a while to catch that extra ‘y.’ So, it can happen just that quickly, where they’re not; they’re slightly changing the domain or changing the name. They’ve been coming up with a lot of creative ways besides adding one, or they used to add something very obvious. I can see how it can trick people with a slight change in the email address because, I mean, I don’t know about you. Still, I receive hundreds of emails a day and 20 calls from people knocking on the door, so it’s very easy for a mistake to happen if I’m not paying attention while scanning an email and realize that money needs to be sent.
John Wilson
Absolutely. I mean, the mistakes do happen, and they are hard to notice, and they’re getting more sophisticated. It used to be Google.com, and then the spoof was G00GLe.com. The intelligence and the systems have gotten much better at identifying that. There are many tricks that they use, and it really only takes that one little slip-up. The one person who doesn’t look and pay close enough attention to really open the door is the one who gets access to all the emails, and they can figure out how the communications are occurring. They then start doing much more advanced levels of attack.
Rene Novoa
Let me go off-script here. Do you feel that perhaps BECs or these types of investigations, especially email and spear phishing, are under-reported due to concerns about reputation and embarrassment because it was an email scam? It wasn’t malware; it wasn’t anything super sophisticated, but rather a sleight of hand of some word-smithing to get someone to do something. Maybe they lose only $20,000. Do you think it may be underreported how many people are affected by these attacks?
John Wilson
Oh, it’s a hundred percent under-reported. It’s significantly underreported. Sometimes, it takes people a long time to discover it. It’s also the embarrassment factor. They don’t want to let people know that it occurred. And that really all plays right into the need to do these investigations quickly and actively. It contributes to the need to move it along and accomplish those goals as quickly as possible, because you also have a lot of regulatory changes; a lot of states now require that if you have an incident, you’ve got to report it to the regulatory authorities, or you have to do your breach notifications within certain timeframes. And those penalties and challenges have significantly increased as well, getting that information out there.
Rene Novoa
That is crazy because the other number I saw, which is the total amount of these types of investigations and frauds involving bad actors, is up to $55 billion since they started tracking this. And if you’re right, which I agree with, that as you’re stating here it is way underreported, then I can see why we’re moving away from ransomware and toward a more public approach. People are paying, because if that number is, let’s say, 30% higher, $55 billion is lost from organizations that fall victim to these types of attacks. You can see where this trend is going, where you can do this under the radar. It doesn’t get CNN or Fox News or whatever news agency you’re watching to say, oh, this organization, malware took down this hospital, the FBI is involved, they’re not going to pay. But if we can do this quietly, where we got tricked, we sent $250,000 and somehow get through it, still, as an organization, you’ll probably find that more people are doing that, which is very unfortunate because we won’t learn from these attacks if we don’t hear about them.
John Wilson
Absolutely. And really, this all ties right back into everything. We’re talking about how we have to be quick, we have to be targeted, and we have to move fast. I received a valuable statistic from the Secret Service at the cybercrime task force I’m involved with, and they stated that if you don’t take action within 72 hours, the money is gone. If you can take action within 72 hours, a lot of times, money can be recovered. That’s a really important stat.
Rene Novoa
That’s the only stat that matters in the sense of how you react and make sure that your workflows, your vendors, and your inside guys are able to detect this. I think the detection is going to be the hard part, having the technology to respond just as fast, because some of these collections that I’ve done in large mailboxes, even if we do targeted collections that are only three months, can take several hours into the process, and then you try to figure it out. So trying to go for more of that surgical, more of that scalpel precision, I think is very much needed in where this industry is going. I see a lot of new players in the market that are looking at this and taking these types of investigations seriously, and I think that’s why we like talking about some of these new things. I don’t think it’s a new topic, but I believe it’s underreported within the industry, particularly in the context of many conferences you attend. They’re not necessarily focusing on this as much because there’s still a lot to learn and develop. I still think it’s very young in the investigation stage.
John Wilson
As this slide shows, we discuss conducting early case assessment; however, the key for us, and where we’re finding great success, is moving to a triage level at the point of collection. We figure out what we need and collect only those specific things, which helps us achieve number two, which is to minimize overcollection and preserve privacy. We got very focused. We understand what we’re looking for and understand the event. We can start triaging that information, identifying key players and key information, and collecting only those elements. This allows us to move much faster while still being defensible and providing repeatable workflows.
Rene Novoa
Well, it gives you the ability to report on it with a report that’s only 20 pages, as opposed to 600 when you’re dumping emails. I think when it reads like an intelligence report, you’re getting more actionable intelligence, not just a dump of saying, Hey, all these emails had keywords in it, but not only being able to do it quickly but to really make sense of that data. And I think that’s why the triage is so important because it really not only limits, it could be a lot of emails, but to understand why they’re important and really what is the driving force us to investigate that many emails because if you only have 72 hours, you need to be able not only to come to collect or preserve, collect, collect and preserve target scalpel, make intelligence information to be able to report it to the FBI and say, this is what we have, and this is where we think it is to be able to stop the money transfer, be able to hold up the money. That’s a big task to accomplish all that and not produce a 600-page report. And I know myself, and you have been part of those days when we would dump phones or computers, and we would give them to someone on a CD or DVD. It was like 6,000 pages that someone had to do keyword searches just in the report. I think we need to adopt a more precise, scalpel-like approach with actionable intelligence, not only on BECs but in almost everything, from mobile devices to computers to networks. But that’s a different conversation. That attitude and tone need to be consistent throughout what we’re doing.
John Wilson
That is exactly right. You’ve got to use the analytics, you’ve got to use the information to find the key communications. So you’re looking at the textual content of the email, you’re triaging that mailbox: hey, which emails have information that may be suspect, or may be of concern, or is out of compliance, whatever your investigation type is. You’re looking at that and then figuring out, okay, now I’ve got these attachments that are related to those emails, and I can go collect that specific set of emails instead of collecting the whole mailbox. That’s really where we see things going, and I think what drives a lot of our success is the ability to identify the key information and bits as quickly as possible through that triage-level investigation.
Rene Novoa
Yeah, absolutely. I think it’s the workflows, and as we incorporate more automation workflows for all these types of investigations, we’ll find more actionable intelligence much faster. These are some of the things we’ve been discussing in terms of smarter email and text. We’ve been trying to hammer this home of getting there faster. Reducing costs is great for the client, and it’s still great for us because we’re able to complete more work more efficiently. We’re able to produce that information and help out whether that corporation or that client, but having faster insights builds that trust in the community and understanding how to handle these attacks as opposed to it taking a very long time, being very expensive, but by the time you solve it and you’ve charged all this money, or you collect all this money where you spent all this money, there’s not good actionable items. The joy comes of getting something faster, having an actual item and having a good result at the end of the day, having it defensible, making sure that the process is intact, the methodology is strong, and it just helps us build better tools and protections as we move forward for our organization as well as for the ones that we help.
John Wilson
Yeah, absolutely. I mean, the key when we talk about using smarter email tactics and doing triage is all about enhancing defensibility and reducing the time to get to actionable intel, allowing us to move a case forward.
Rene Novoa
That’s exactly where you’re going with it. Being able to build that awareness, proactive defensive strategies, and all those factors are playing a role. Those tactics and things we’re discussing are currently overlooked for many reasons. It’s an additional step to ensure that we’re now hardening our emails and the way we train on emails, because I don’t think we trained very much on emails before. I’m not saying our organization, but when I talk to people, we’re doing a lot of training on all sorts of cyber attacks and text messages on your phones, and we’re implementing MDMs here. We’re doing all the protections, but something as simple as behavioral analysis and understanding how you’re receiving emails, and the steps that you need to take to protect your organizations along with insider training, but also having an avenue to be able to attack and respond to these types of malicious bad actors that are inside of threads, which is even harder to get. We also have these other ones that are more like spoofing emails.
John Wilson
We’ve discussed the full spectrum, but it’s essential to recognize the value of minimizing privacy exposure in today’s world, as more and more states have privacy concerns. Increasingly, countries are raising privacy concerns, and an increasing number of events are unfolding on a global scale. Limiting your privacy exposure to only what you need to expose has a significant value, not just in time, but also in cost, and also in risk: reducing the risk of your investigation exposing information that you shouldn’t have had access to for privacy reasons can also be important, and it is a key contributing factor to these new smarter workflows that we’re delivering.
Rene Novoa
Being able to get in there, look at the email, look at the header, and make an assessment of how they came in, this is the email address, so that we can then start flagging certain domains, kind of seeing the characteristics, and then being able to report out and maybe see who else that email may have been moved to. Was there malware involved, or was it just straight intelligence gathering? And I think if we’re able to look at a small segment of where they specifically came in through these types of new tools and techniques that we’re developing and working with vendors on for those workflows and methodologies, we’re getting much faster, so that there are a lot of workflows where you’re doing an investigation in under two hours from start to finish, identifying and understanding what the threat is and then having that remediation factor. Maybe it’s just training; we need to shut this down. We need to call the bank and close certain accounts. It’s essential to understand that we’re targeting the one email that came in and assessing the damage. I mean, I think the secret sauce of that investigation is not about how many emails were collected or the attachments, but the flow of how they came in, the effect they had on the organization, and where they may have spread to, so that actual items could be identified and corrected.
John Wilson
Absolutely. The corrective actions, or the post-actions that are the outcomes of these investigations, become critical, and it is essential to take those actions faster. The bleeding helps save costs in that regard as well. And as we talked about in recovery, when you’ve had one of these fraudulent transactions occur, time is of the essence, so everything you can do to get there faster, to get there smarter, and to get to the information you need to get to directly is going to help an investigation and help you achieve those results and accomplish that in a much faster timeframe.
Rene Novoa
One aspect that people need, which I see as a difference, is that an investigation in a BEC is an email. It’s not like a mobile or computer investigation, where you get a report that tells a story, with an executive summary and these things collected. We have our chain of custody; we have this workflow; this is what we believe our expert report is. Sometimes, those expert reports can take a few days to write, develop, and refine before being sent out. These investigations need to be really hard-focused. There should be a summary of what we’ve done, but we need to understand that this is not the final report to be displayed in court. This is something for us to gather information, gain an understanding, and assess. What I think the key to success in running a successful triage collection, preservation, and BEC investigation is: the quick 72 hours. What are we going to do? What do we understand? What do we need to do next, aside from getting this polished, well-written forensic report that meets your expectations? You need to understand that you may need to obtain a report, possibly at nine o’clock at night. It must be read and understood, and action needs to be taken that evening to achieve that success. Therefore, it needs to be written and showcased quickly in a way that makes sense to the individual reading it. Do you follow that same logic or have a thought on that?
John Wilson
No, I mean, I do. I think that reporting is probably a whole separate presentation.
Rene Novoa
I want to throw that out there and challenge it, especially from a CSO. Coming from me, I want to get the facts out to the customer. I want them to understand that we need to do this because I want to save that money, and I also understand that there’s the documentation, which becomes the next piece.
John Wilson
The reporting is critical, and getting to the actionable intel: okay, I now know this is how they compromised the user. It was a man-in-the-middle attack through an email link that was clicked. Here’s the email address, here’s the IP address, here’s where it went. Here’s where the man in the middle was accomplished. Understanding that intelligence as quickly as possible helps you prevent your organization from being further damaged by the same attack, especially since they have access to a mailbox or a data repository within the organization. They’ve now used that to gain intelligence about the organization, including how people communicate, with whom they interact, and the structure of the chain of command. And so, they’ve now gained all that intel, and they go to the right people to obtain higher levels of access or higher levels of transactions. To me, it’s the same whether it’s an eDiscovery case, an internal investigation, or a BEC: it’s about getting to actionable intel as quickly as possible.
Rene Novoa
Yeah, that time just flew right by. That’s an excellent way to end that, John. I couldn’t agree more, and we’re on the same page regarding achieving that end result. Many exciting things are coming not only from Haystack but also from vendors and, I think, from the community. We’re going to see a transformation in these investigations as they become more mainstream and people are more aware of the effects and how to prevent them.
John Wilson
Absolutely. Agreed.
Rene Novoa
Do we have any questions? We’re coming up on the last five or so minutes.
John Wilson
We have just a few minutes left, so please feel free to ask any questions you may have.
Rene Novoa
Alright. I think that’s a wrap.
John Wilson
I will thank you for joining today’s webcast. We truly value your time and appreciate your interest in our educational series. Don’t miss our upcoming June 18th webcast, “Make Your ECA Process Work for You: GenAI’s Role in Enhanced Legal Decision-Making.” During the program, legal and tech experts will share how teams can use GenAI tools to streamline and strengthen early case assessment. Visit our website, HaystackID.com, to learn more, register for our upcoming webcast, and explore our extensive library of on-demand webcasts. Once again, thank you for attending today’s webcast. We hope you have a great day.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID