Navigating the Cyber Minefield: Key Insights from Jim Stickley at Corelation 2025
By John San Filippo
Known for his fast-paced, information-packed sessions, Jim Stickley, cybersecurity expert and CEO of Stickley on Security and Mahalo Banking, took a different approach at the 14th Annual Corelation Hybrid Client Conference, which was held in San Diego from May 14-16. He dedicated the entire session to fielding audience questions. “So the way I look at this is, if this session’s terrible, it’s kind of your fault,” he said with a touch of humor. This interactive format provided a dynamic platform to explore the most pressing cybersecurity challenges facing credit unions and their members today.

From Malware to Modern Ransomware
The first question tackled the distinction between malware and ransomware. Stickley clarified, “So ransomware and malware, they really are the exact same thing.” He explained that malware, the long-standing term for malicious software including viruses, has evolved, with ransomware being “basically just the like the end all, be all of what malware is.”
He detailed how ransomware has moved beyond simply locking files – a threat often neutralized by good backups. The new wave incorporates data exfiltration and session capturing. “Now if you’re doing online banking,” Stickley warned, “it can capture your session while you’re on... and they could be on the same session.”
This evolution has dramatically impacted the dark web. What was once a marketplace for stolen data has become a free-for-all if a ransomware victim refuses to pay. Stickley explained the criminal shift: “I’m going after the organization itself...I’m going to release all of your member data on the dark web unless you pay me.” If the ransom isn’t paid, the data is often dumped “for free so criminals don’t have to pay anymore.” For an identity thief, he lamented, “the world’s my oyster now...I can just jump on the dark web on any given day and download tons of records...and I don’t pay a dime anymore.”
His blunt advice on paying the ransom? “Even if you pay the ransom, you’re just delaying the inevitable...to me, it’s kind of pointless to pay the fee. Either way, your data is going to get released.”

Unpacking the Brutality of “Pig Butchering”
The session delved into the disturbing “pig butchering” scam, named after the way victims are fattened before being fleeced. Stickley described its typical pattern: a seemingly innocent text message like, “Hey, is this Alex?” The goal is to initiate conversation and build a deep, often romantic, relationship over months. “They want to get a relationship with whoever these people are,” he said. “And most of the time, they’ll either befriend them or actually start dating them. And they’re really, really, really good at this.”
Once the victim is emotionally invested, the scammer introduces a fraudulent cryptocurrency investment platform, showing fake high returns to build confidence. “The people go, oh, well, I’ll take a look,” Stickley explained. “And they go to the site. The sites look super legitimate.” After seeing supposed gains, victims are encouraged to invest heavily. “And then these people dump in a lot of money,” leading to devastating losses, sometimes “hundreds of thousands of dollars.” For a stark look at this global issue, Stickley recommended HBO’s Last Week Tonight with John Oliver segment on the topic, which explores both the victims and the perpetrators, many of whom are also victims trapped in forced labor camps.

AI: A Double-Edged Sword in Cybersecurity
Artificial intelligence (AI) featured prominently, both as a threat multiplier and a tool. Stickley acknowledged the potential for AI chatbots in scams like pig butchering, noting that while he hasn’t seen confirmed victims yet, “Could AI chatbots be used for pig butchering? The answer is, absolutely, it could.” He described demos where AI can carry on incredibly realistic conversations, making lonely or gullible individuals particularly vulnerable. “If I was going to scam you guys, I’d be using chatbot,” he admitted, “I mean, who has the time to do it all yourself?”
More immediately apparent is AI’s role in creating convincing deepfakes for investment scams. Criminals are using AI to generate videos of trusted public figures endorsing fake investment opportunities. “You literally will see a message that’s Warren Buffett talking to you, telling you, hey, I recently spun up this new thing...You should either download this app or you should go to this website. We’re giving crazy returns,” Stickley warned. These deepfakes are appearing on platforms like LinkedIn and Instagram, leveraging trust to increase success rates.

Passkeys: A Glimmer of Hope for Authentication
Shifting to defense mechanisms, a question arose about alternatives to passwords, specifically passkeys. Stickley is optimistic about their potential. He explained that passkeys use a secure encryption key tied to a specific device, making them much harder for criminals to exploit even if intercepted. “If a criminal was to capture your passkey and somehow get it, put it on their computer or on their phone and try to log in, it’s not going to work. It’s completely dead.”
However, passkeys face challenges. “Passkeys are still in their infancy,” Stickley noted. Issues like device loss and the current need for passwords as a backup undermine their full security benefit. “So, until we get to the point where everybody has truly adopted passkeys, and that’s just the new norm...We’re kind of in this weird state.” Despite some lingering vulnerabilities related to social engineering, he sees passkeys as “the best chance we have right now. The next stage in trying to reduce risk.”

Breaches are Inevitable, Training is Paramount
Perhaps the most impactful takeaway came from a question about “the single most effective security measure.” Without hesitation, Stickley declared, “Training your employees. They are your number one risk. There’s no bigger risk you have to your credit union at all than your employees.” He asserted that most breaches can be traced back to human error – a click, an opened attachment, a lapse in judgment.
Effective training, he argued, must foster an environment where employees feel safe reporting mistakes. “You want to train your staff when they get that ‘it felt weird, I made a mistake, I did something wrong’ feeling, they’re not going to get fired for telling you,” Stickley urged. Rapid reporting can significantly reduce damage, as “normally the damage isn’t done in the first hour or sometimes even in the first day. The damage is done over time.”