Dave reveals a stealthy trademark scam. Joe describes the invocation of a judge's name to lure a victim. A listener shares a business scam from India. Joe interviews "Shannon," a listener who enjoys wasting phone scammer's time.
Shannon: [0:00:00] If they're going to waste their time calling me, well, I'm going to make it my entertainment.
Dave Bittner: [0:00:05] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where every week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [0:00:25] Hi, Dave.
Dave Bittner: [0:00:26] Later in the show, we've got Joe's conversation with someone named Shannon (ph) - just Shannon. She deals with telemarketers in some pretty unique ways. But before we jump into all of that, a quick word from our sponsors at KnowBe4.
(SOUNDBITE OF CARNIVAL AMBIENCE)
Dave Bittner: [0:00:43] Step right up and take a chance. Yes, you there. Give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you or, B, please read, important message from HR or, C, a delivery attempt was made or, D, take me to your leader. Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [0:01:23] And we are back. Joe, before we get to this week's stories, we get letters.
Joe Carrigan: [0:01:27] We get letters.
Dave Bittner: [0:01:28] We get letters (laughter).
Joe Carrigan: [0:01:29] Lots of letters.
Dave Bittner: [0:01:30] Yes.
Joe Carrigan: [0:01:31] I'm harkening back to David Letterman, who's still on.
Dave Bittner: [0:01:32] Yes, yes. And in this case we're actually starting to get jokes.
Joe Carrigan: [0:01:37] Good.
Dave Bittner: [0:01:37] Yeah, listeners are sending us jokes. So this is from a listener named John (ph). And he said, I thought you could use this on one of your podcasts. Evidently this is from the Reddit group Dad Jokes.
Joe Carrigan: [0:01:48] (Laughter).
Dave Bittner: [0:01:49] John knows us - knows us well. (Laughter).
Joe Carrigan: [0:01:51] Right, yeah. I believe it's called a subreddit. I think that's what the kids call it.
Dave Bittner: [0:01:55] I see, OK. All right. Well, I'll take your word for it, over on the Reddit. So the joke is, how did the hackers get away?
Joe Carrigan: [0:02:02] I don't know. How did the hackers get away?
Dave Bittner: [0:02:04] I don't know. Guess they just ransomware.
Joe Carrigan: [0:02:06] (Laughter).
Dave Bittner: [0:02:11] Thank you, John, for sending in that joke.
Joe Carrigan: [0:02:13] Oh, that's good.
Dave Bittner: [0:02:13] That's a good one.
Joe Carrigan: [0:02:15] I'm laughing too hard at that one.
Dave Bittner: [0:02:16] Yeah.
Joe Carrigan: [0:02:17] Harder than I should be, I think.
Dave Bittner: [0:02:18] Yeah. Let's jump into our stories here. Joe, I'll kick things off this week. You know, when you run a company, you - one of the things that you want to do is register your trademark.
Joe Carrigan: [0:02:27] Yes.
Dave Bittner: [0:02:27] With the Trademark and Patent Office. And here at the CyberWire, we did just that when the company was spun up. We registered the trademark for the CyberWire with the logo and all that sort of stuff. Well, we got a letter recently in the mail. And this was from the Patent and Trademark Bureau.
Joe Carrigan: [0:02:43] Bureau.
Dave Bittner: [0:02:44] Trademark Bureau.
Joe Carrigan: [0:02:45] Right. But it's actually Patent and Trademark Office, isn't it?
Dave Bittner: [0:02:47] Well, this is from the Patent and Trademark Bureau. They're in Philadelphia, Pa.
Joe Carrigan: [0:02:52] OK.
Dave Bittner: [0:02:52] United States of America.
Joe Carrigan: [0:02:53] All right, my flags are already up 'cause I know it's the PTO, Patent and Trademark Office.
Dave Bittner: [0:02:57] Yep.
Joe Carrigan: [0:02:57] And it's in, I think, Alexandria, Va.
Dave Bittner: [0:03:00] Well, this is - their website is patentandtrademarkbureau.com.
Joe Carrigan: [0:03:06] Dot com, there's another red flag.
Dave Bittner: [0:03:06] So there's a very official-looking correspondence here sent to our company. And it says, your trademark is about to expire, renewal date, September 2018. And there's a lot of official wordage here about how patents and trademarks work. And it says, please return this document with your signature and/or company stamp on the appropriate space. If you would like to renew your trademark, your trademark will be renewed for the period of another five years. The renewal fee is $925. And it goes on and says a bunch of other things. It has an actual picture of our logo here. They took the CyberWire logo and put it in here. Very official-looking, however, this, as you have already predicted, is not from the actual Patent and Trademark Bureau.
Joe Carrigan: [0:03:49] Right.
Dave Bittner: [0:03:49] There is some fine print here. (Laughter).
Joe Carrigan: [0:03:52] Oh, there's fine print.
Dave Bittner: [0:03:53] There is. It says, by signing this document, you automatically empower Patent and Trademark Bureau to renew the trademark stated above on your behalf.
Joe Carrigan: [0:04:03] Interesting.
Dave Bittner: [0:04:04] So here's what it comes down to. These people are not the Patent and Trademark Office.
Joe Carrigan: [0:04:08] They are not.
Dave Bittner: [0:04:09] No. This is a very official-looking letter.
Joe Carrigan: [0:04:11] How long ago did you file the trademark for the CyberWire?
Dave Bittner: [0:04:14] 2013, so the timing is right.
Joe Carrigan: [0:04:16] OK. Well, it's not, though, because a quick Google search reveals that trademarks last 10 years.
Dave Bittner: [0:04:22] Well, I think the initial renewal is five years.
Joe Carrigan: [0:04:25] Really?
Dave Bittner: [0:04:25] Between the fifth and sixth year, yeah. Yeah, so that part makes sense.
Joe Carrigan: [0:04:28] OK.
Dave Bittner: [0:04:28] So these folks, you know, somehow they're pulling up a - probably a list of...
Joe Carrigan: [0:04:33] They're probably getting this list from some publicly accessible database that PTO runs...
Dave Bittner: [0:04:37] Exactly, exactly. But they want to charge you $925 to renew this on your behalf. The actual price (laughter) for...
Joe Carrigan: [0:04:45] The actual retail price is...
Dave Bittner: [0:04:46] Exactly - without going over, the actual retail price is $100.
Joe Carrigan: [0:04:51] Bum-bum-bada-ba (ph).
Dave Bittner: [0:04:51] Wahh (ph). Right. So this is a scam. It's - it's very interesting to me that in the fine print they say who they are and what they're up to. But it's a misdirection. These folks are up to no good.
Joe Carrigan: [0:05:05] Yep, they're looking to make a quick $800 off Dave Bittner and the CyberWire.
Dave Bittner: [0:05:09] Right. (Laughter). That's right. That's right. And it is very official-looking. All of the paperwork involved with this is very official-looking. There are bar codes on it.
Joe Carrigan: [0:05:18] Do they have a phone number?
Dave Bittner: [0:05:19] They do.
Joe Carrigan: [0:05:20] You should call them and say, hey, how many people actually do this? How many people actually fall for this?
Dave Bittner: [0:05:24] (Laughter). Right.
Joe Carrigan: [0:05:25] That would be great. I think you should - we live in Maryland. So we can't actually call them without telling them - record them without telling them that we're recording this. But maybe you tell them you're recording it. And say, and I've got a question for you. Actually, they'll probably just hang up.
Dave Bittner: [0:05:39] Yeah, probably. Well, you can report these sorts of things to the Federal Trade Commission at ftc.gov, which is where - the government websites, right?
Joe Carrigan: [0:05:48] Right.
Dave Bittner: [0:05:49] So if you get one of these in the mail, just be wary. The lesson here is there are a lot of these types of scams going around. Someone...
Joe Carrigan: [0:05:56] I'm not even sure this is illegal.
Dave Bittner: [0:05:57] Well, that's the thing.
Joe Carrigan: [0:05:59] I think the cloak of legality on this is that they're just providing a service to complete the registration for you. And they just charge an exorbitant amount.
Dave Bittner: [0:06:06] That's right.
Joe Carrigan: [0:06:06] People are free to pay it or not pay it.
Dave Bittner: [0:06:08] That's true. But it's still...
Joe Carrigan: [0:06:09] It is a scam. It's a scam.
Dave Bittner: [0:06:11] It's immoral, yeah.
Joe Carrigan: [0:06:13] Total scam.
Dave Bittner: [0:06:13] (Laughter) Right, exactly.
Joe Carrigan: [0:06:14] This is an illegitimate business model, in my opinion, and I have real ethical concerns with it.
Dave Bittner: [0:06:18] Absolutely, there you go. So just be aware. When you get these things in the mail, especially - busy, day-to-day goings on of a company, it's easy to see something like this and think it's just another fee that you have to pay, something from the federal government.
Joe Carrigan: [0:06:29] Right, and just (unintelligible) check, and...
Dave Bittner: [0:06:29] Just - yeah, get this off your desk and off you go. So beware. These scams are out there.
Joe Carrigan: [0:06:35] Yep.
Dave Bittner: [0:06:36] All right, that's what I have this week. Joe, what do you have for us?
Joe Carrigan: [0:06:39] This week my story comes from Garrett Brown at WTHI in Terre Haute, Ind.
Dave Bittner: [0:06:44] Garrett Brown, inventor of the Steadicam?
Joe Carrigan: [0:06:45] No, this is a different Garrett Brown I think.
Dave Bittner: [0:06:47] Oh, OK.
Joe Carrigan: [0:06:48] This man is much younger.
Dave Bittner: [0:06:49] I see.
Joe Carrigan: [0:06:50] A woman named Jennifer Stowe received a call that looked like it had come from the Parke County Sheriff's Office.
Dave Bittner: [0:06:56] OK.
Joe Carrigan: [0:06:57] The number was right and everything.
Dave Bittner: [0:06:58] Right - oh.
Joe Carrigan: [0:06:59] OK, this is another scam call, right?
Joe Carrigan: [0:07:02] The caller says they're from the sheriff's office and tells Ms. Stowe that they have a warrant out for her arrest for failure to appear for jury duty. And of course she could either pay a fine of $900 or go to jail. Those are the two choices that they give her.
Dave Bittner: [0:07:16] Oh, wow.
Joe Carrigan: [0:07:16] The scammer mentions the name of a judge who allegedly signed the warrant. And it's the name of a judge that Ms. Stowe knows. Ms. Stowe knows the name of this judge.
Dave Bittner: [0:07:27] OK.
Joe Carrigan: [0:07:28] Right. So this actually lends it a little more credibility.
Dave Bittner: [0:07:32] Right. So Ms. Stowe had had - I don't know - some run-in where she had to be appear before a judge.
Joe Carrigan: [0:07:38] Right.
Dave Bittner: [0:07:38] So she was familiar with this - the name of this judge.
Joe Carrigan: [0:07:40] She knew who the judge was.
Dave Bittner: [0:07:42] OK.
Joe Carrigan: [0:07:42] During the conversation, they start probing her for more personal information, including financial information to pay the fine. And like, give me your bank account number. What's your routing number? What's - all this other stuff.
Dave Bittner: [0:07:51] Oh.
Joe Carrigan: [0:07:51] Yeah, whatever it is - give me your credit card number. They also had her date of birth. And they had an address where she lived 16 years ago. Now, Ms. Stowe is a smart woman. She recognizes that the address is 16 years old.
Dave Bittner: [0:08:03] Right.
Joe Carrigan: [0:08:03] And it tips a red flag. How long have you lived at your address, Dave?
Dave Bittner: [0:08:06] About 12 years now.
Joe Carrigan: [0:08:08] I've lived at my address for 14 years. So in two more years, a 16-year-old address for me will be a valid address, right? So if somebody says, you know, your address is this, and they're looking at 16-year-old data - or right now, if they're looking at 14-year-old data - it'll be the correct address.
Dave Bittner: [0:08:23] Right.
Joe Carrigan: [0:08:24] Right? So I see how this scam works. But because the address was old and because they were prodding her for financial information that was not really relevant to a warrant or anything, she, you know, had enough red flags go, OK, this is a scam. Here's what they had on her. They had her name. They had her date of birth. They had an old address. And they had the name of a judge that she was familiar with. And here's what I think happened.
Dave Bittner: [0:08:44] OK.
Joe Carrigan: [0:08:45] I think they went to the Indiana court system's website, where you can just search through judicial cases.
Dave Bittner: [0:08:52] Right.
Joe Carrigan: [0:08:52] Right? In Maryland, your date of birth - if you've ever been - even I think traffic tickets are listed in there. And your date of birth is in that system in Maryland.
Dave Bittner: [0:09:02] OK. And this is a public database? You can go search anybody's name...
Joe Carrigan: [0:09:04] It's a public database. It's public records. Anybody can search it.
Dave Bittner: [0:09:05] ...And find...
Joe Carrigan: [0:09:07] This information's not hard to come by.
Dave Bittner: [0:09:09] Right, legitimate reasons why this information is in the public record.
Joe Carrigan: [0:09:12] Correct.
Dave Bittner: [0:09:12] Yeah.
Joe Carrigan: [0:09:13] So if you have ever been party to a lawsuit - and it's not just being a plaintiff. You can be - or not just being a defendant. You can be a plaintiff. You can be a witness. And your information may be in some states' records.
Dave Bittner: [0:09:25] OK.
Joe Carrigan: [0:09:26] So they go out, and they search these things. And then they start making scam calls based on all the information that's really easy to collect. And it's remarkably well-targeted. So it's just another scam call. But I think the angle of using the judicial case search is an interesting angle. And it's a great place to find lots of stuff. I'm not sure, maybe, this stuff should be online. Maybe it should be something where you have to go to a courthouse to find it. But then - I don't know. I don't know how I feel about that. You know, I have to think about that.
Dave Bittner: [0:09:52] Yeah.
Joe Carrigan: [0:09:53] Of course, the sheriff's office is trying to catch the scammer. They probably won't catch this scammer. The scammer may not even be in the United States. A phone number is remarkably easy to spoof when you're making a call.
Dave Bittner: [0:10:03] Right.
Joe Carrigan: [0:10:03] OK? They do warn about giving out personal information on a phone call. So I have some tips from Joe here.
Dave Bittner: [0:10:10] OK.
Joe Carrigan: [0:10:10] One, never provide any information to inbound callers.
Dave Bittner: [0:10:15] OK.
Joe Carrigan: [0:10:16] I just don't do that. And remember this. I've said this before. I'll say it again. No government agency will ever call you about a warrant. They will just show up to serve you with it, whatever kind of warrant it is. If you're going to get served with a notice to appear or you're going to get served with an arrest warrant or you're going to get served a search warrant, they're not going to call you before they show up because that provides you an opportunity, particularly for arrest and search warrants, to change the situation - like be difficult to find or get rid of any contraband you may have.
Dave Bittner: [0:10:46] Right.
Joe Carrigan: [0:10:47] I have an anecdote about this.
Dave Bittner: [0:10:49] OK.
Joe Carrigan: [0:10:49] I received a telephone call on my cell phone from someone claiming to be my insurance company for my medical insurance.
Dave Bittner: [0:10:55] OK.
Joe Carrigan: [0:10:55] It may very well have been for my insurance company. I said, you know, I don't provide information to inbound calls. And the person on the phone said, we understand that, that it's a security risk. You can give us a call back. Call us back on the number that is on your cell phone.
Dave Bittner: [0:11:08] On the caller ID.
Joe Carrigan: [0:11:09] On the caller ID. And I said, right. Never do that.
Dave Bittner: [0:11:14] (Laughter). Right, right.
Joe Carrigan: [0:11:14] Never do that. That is - that is the worst thing you can do. You're calling the scammer back, if it's a scammer, right? This person was probably from my medical insurance company because they wanted to talk about something that was - that was good for lowering their costs, right? They weren't...
Dave Bittner: [0:11:27] Yeah.
Joe Carrigan: [0:11:28] They were looking to save themselves some money, based on the content of the call. But never call back the number that they call you on. Look the number up.
Dave Bittner: [0:11:36] Right.
Joe Carrigan: [0:11:36] Right? And call that number.
Dave Bittner: [0:11:38] Right. Yeah, but - yeah. Better safe than sorry.
Joe Carrigan: [0:11:40] Correct.
Dave Bittner: [0:11:41] To make that extra - that extra step, that extra call to make sure you're actually talking to them.
Joe Carrigan: [0:11:45] Yep.
Dave Bittner: [0:11:45] And how many times, if that happens, you call them. And they say, no, we didn't call you.
Joe Carrigan: [0:11:49] That's when you go, oh, hey, thanks for that information.
Dave Bittner: [0:11:51] Yeah. All right, another good story. Let's move on to our Catch of the Day.
Joe Carrigan: [0:11:55] My favorite part of the show.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [0:11:59] So this week's Catch of the Day was sent in by a listener. His name is Ravi (ph). And he's actually in India.
Joe Carrigan: [0:12:06] OK.
Dave Bittner: [0:12:07] And he said, hello, this is one of the phishing I had recently received. And it goes like this.
Dave Bittner: [0:12:14] (Reading) Hello, Dear. Do you know about vet oil liquid? It is available in India for medicinal use. We need up to 100 to 200 liters urgently. Our company is using it for research and development of cancer and weight loss medicines. We used to buy from Yemen. But now we are not getting supplies because of the crisis in Yemen. Recently, my friend found the contact of seller in India, Mumbai, through a reliable source. Their product is good, and their price is also cheaper than the price we used to buy from Yemen. But I don't want to refer my company direct to the seller because of the profit involved. I'm looking for someone in India who can do the business with me, and the profit would be shared between us. If you can buy the product and resale it to our company, we would make a huge profit. Our company director will also send the purchasing manager to make the purchase of this product from you over there in India. If you are willing to do this business with me, I will refer my director to you as the supplier and also send you the main seller contact where you can get the product in India. You will be like a middleman between our company and the seller in India. It is 100 percent genuine and legitimate, so you don't need to worry about anything.
Joe Carrigan: [0:13:24] Phew, I'm always glad when they tell you that.
Dave Bittner: [0:13:26] (Reading) I will guide you throughout the entire transaction, which should be completed within a week or two weeks. And it's signed, Miss Nicole.
Dave Bittner: [0:13:34] All right, so first of all, thanks, Ravi, for sending this in. This is a good one, not unlike the Nigerian prince scam, I suppose, the promise of profits through becoming a partner in some sort of business.
Joe Carrigan: [0:13:47] Yeah.
Dave Bittner: [0:13:47] A get-rich-quick scheme, right?
Joe Carrigan: [0:13:48] No business is ever going to introduce a middleman. If this guy actually does work for a company and knows where he can buy the stuff cheap, why would he increase his costs by involving a middleman and funneling money to you? Why doesn't he just buy the product directly from the supplier in India? Why does he need another supplier in India? This just doesn't make any sense.
Dave Bittner: [0:14:08] No, it doesn't. But you can understand how people could fall for this.
Joe Carrigan: [0:14:11] Sure, oh, yeah.
Dave Bittner: [0:14:12] The promise of a quick buck, the reassurance that it's 100 percent genuine.
Joe Carrigan: [0:14:16] Well, that's - that's what makes me want to send this guy an email, is - oh, good. He said it's 100 percent legitimate.
Dave Bittner: [0:14:23] Right. Well, yes, he wouldn't lie about that.
Joe Carrigan: [0:14:25] No, of course not.
Dave Bittner: [0:14:25] No. All right, well, thanks for sending that in, Ravi. That is our Catch of the Day. Coming up next, we've got Joe's interview with Shannon. But first, a message from our sponsors at KnowBe4.
(SOUNDBITE OF CARNIVAL AMBIENCE)
Dave Bittner: [0:14:42] And what about the biggest, tastiest piece of phish bait out there? If you said A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B, please read, important message from HR, well, you're getting warmer. But that one was only number 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [0:15:45] And we're back. Joe, you handled the interview duties this week. Tell us who you're talking to.
Joe Carrigan: [0:15:51] I spoke with Shannon because I heard through the grapevine how she enjoys wasting the time of scammers who call her. So I thought it would be good to - just to get her on the show and see what she does and get her techniques because we've talked about this in the past, where if we can change the economic proposition for spam calls to make them to the point where they're not profitable by wasting their time, then perhaps we can actually, as a society, put a dent in it.
Dave Bittner: [0:16:13] All right, well, let's check it out. Here's your interview with Shannon
Joe Carrigan: [0:16:16] When was the last time that you had a phone call come in to your number that you actually got the opportunity to waste somebody's time?
Shannon: [0:16:23] Oh, just yesterday. I work from home, so I have a lot of phone calls that come in. Their target time is usually during the day, I believe, when most people are gone, for some reason. But being that I am - that I do work from home, gives me a chance to interact with quite a few of them.
Dave Bittner: [0:16:37] And what was the nature of this latest call?
Shannon: [0:16:39] The latest one wasn't too horrible. It was a utility scam where they're trying to convince you that they can lower your utility rates. For that one - I do like to waste their time. I figure if they're wasting my time, I'm going to waste theirs right back.
Joe Carrigan: [0:16:53] Right.
Shannon: [0:16:54] And try to discourage them from calling me back because it doesn't seem to matter how many do-not-call lists you're on. They're calling regardless. The biggest thing that I do is ask questions.
Joe Carrigan: [0:17:03] OK.
Shannon: [0:17:04] Because the more questions that you ask them, A, the more time it's taking and the more they feel that they've got you on the hook. I never have any intention of following through with any of it, so I make them go through the whole process. Tell me all about this. How is this going to work? You know, how did I - how did I qualify?
Shannon: [0:17:20] As soon as they ask me a question, I respond with a - with a question every time. You know, they'll be like, well, do you have Toledo Edison? No, I don't. And go right into, but tell me, you know, how did I qualify for this? How are we doing this? You know, how are you guaranteeing this lowest rate? You know, what is your lowest rate that you're guaranteeing? Just come back at them with questions immediately because then they feel obligated to answer that.
Joe Carrigan: [0:17:42] And that costs them their time. And they don't move on to the next person.
Shannon: [0:17:47] Exactly. You know, I don't have the utility companies. They have no idea that I live in a small town that has private utilities. So I have a lot of fun with the utility scammers because I get them to the very end. You know, I'll be 15, 20 minutes into it and say, now, how does this work considering that, you know, I'm on these private utilities? How will that work? Oh, well, we can't do that.
Joe Carrigan: [0:18:08] (Laughter).
Shannon: [0:18:10] Well, then why are you calling me every week? Because I've been through this with you people.
Joe Carrigan: [0:18:14] Have you ever gotten a tech support call?
Shannon: [0:18:16] I get those. I do. Are you talking the Microsoft, you have a virus, and you need to give us your credit card so we can fix it?
Joe Carrigan: [0:18:22] Right, exactly, those calls.
Shannon: [0:18:24] Yes, I do get those. And for a long time, I just simply hung up on them.
Joe Carrigan: [0:18:28] Right.
Shannon: [0:18:28] I mean, I know better than to know that it's real. But then I got tired of it. So now I try to waste their time too. The best one I did was probably actually just a couple weeks ago. I got one. And I kept the guy on hold by having basically a one-sided conversation with my cat, which sounds weird. But I just kept telling him, hold on just a second. Hold on just a second. Hold on - no, just a second - and would carry this side conversation on with the cat, who of course didn't answer.
Joe Carrigan: [0:18:51] Right.
Shannon: [0:18:52] But just kept him on hold, basically, for probably 15 minutes before he finally got that I was never actually going to come back and talk to him.
Joe Carrigan: [0:18:59] Right.
Shannon: [0:19:00] Or also with them, I let them go through the whole spiel. I'll - I immediately will turn my computer off if I'm doing that.
Joe Carrigan: [0:19:06] Right.
Shannon: [0:19:06] I don't want them to actually get in. But I will pretend as though I'm going along with it. Sure, you know, oh, oh, oh, well, it's not doing that. No, it's not telling me that answer. Oh. Oh, my gosh, this is really broken. I'm glad you called. You know, and let them feel like you're going along with it.
Joe Carrigan: [0:19:23] Right.
Shannon: [0:19:24] And then you finally, at the end, say, did you get the location? - to somebody in the background. And then they hang up pretty quickly.
Joe Carrigan: [0:19:31] Oh, OK. So you actually - you put the fear in them that you're tracing the call back.
Shannon: [0:19:35] I do. I do - I'm to that point where I do. Those are - those are the most frustrating ones because I think that - I know that there are elderly people that do fall for that, who - I know personally that have. And I - you know, I feel awful that - because they are very convincing at times. And I don't want people to fall for that. So if I can make their lives just a little harder, I will.
Joe Carrigan: [0:19:57] We talked about changing the economic game for them on "Hacking Humans." So the idea is that these people go through a hundred no's to get to the one yes. So they get - they go through 100 people who just hang up on them and realize it's a scam. And then the 101st person, they start talking to.
Joe Carrigan: [0:20:15] When you just hang up on them, you actually - even though you're protecting yourself, you're actually doing them a favor because if you spend time with them that they then can't capitalize on, that they don't have a payoff at the end, you change the game - because it's really easy to go through 100 no calls to get to the one yes call. But if those hundred no calls each start costing them 15 minutes, that changes the economics of it entirely.
Shannon: [0:20:41] Right. I agree. That - that's honestly partly why I do it. You know, I don't want to make it easy for them. I don't want them to think this is an easy job, scamming people. They're going to have to work for it a little harder. And, you know, obviously we'd love to see them stop. But I don't think that they will.
Shannon: [0:20:56] You know, I've even figured out ways to keep the robocalls that you get online longer. They are only set up to respond to certain responses. So you come up with responses that they don't know what to do with. And it keeps them on a loop. One word, possibly. Possibly, they don't know what to do with. They're not sure if that's a yes or a no. And it will keep them on a loop for sometimes 10, 15 minutes.
Joe Carrigan: [0:21:19] So as long as you keep saying the word possibly, it stays on.
Shannon: [0:21:22] Yep - because they keep asking, you know, are you interested? Possibly - you know, never ever say yes because then they have you recorded as saying yes. And who knows what they're applying that to.
Joe Carrigan: [0:21:32] Right.
Shannon: [0:21:33] If you say no, they hang up right away.
Joe Carrigan: [0:21:35] Right.
Shannon: [0:21:36] Keep them on the hook. You know, it's just basically reversing the game onto them is what it's about. And that's what I do. I - you know, I don't do it, you know, as a job. It's just - if they're going to waste their time calling me, well, I'm going to make it my entertainment.
Joe Carrigan: [0:21:50] What is the funniest thing you've ever had happen doing this?
Shannon: [0:21:52] Oh, gosh, I think the funniest one I ever had was one of those timeshare places. Have you ever gotten those calls, where you win a free cruise or a free vacation?
Joe Carrigan: [0:22:02] I get the ones where it's, like, a horn blowing in the background. Or - and you've got a free cruise. I - the automated calls.
Shannon: [0:22:10] That's actually a scammer call right there. But I'll just hang up on that one.
Joe Carrigan: [0:22:13] (Laughter).
Shannon: [0:22:14] (Laughter) I hate - I absolutely hate that they started using local numbers.
Joe Carrigan: [0:22:19] Yeah, the neighbor number, the first six digits are the same as your phone number?
Shannon: [0:22:23] Yes. They've even - I've even had some come through with actual names of people - like, we live in a very small town. So I know everybody in town. And I've even had some come through with - that had the people's names on it but then ended up being, like, a robocall. So - you know, and I've let those people know. But what do you do?
Joe Carrigan: [0:22:40] Really? You've had, like, people you know have shown up on your caller ID. You answer the phone expecting to find, say, John from down the street, and it's a scammer?
Shannon: [0:22:48] Yes.
Joe Carrigan: [0:22:49] Wow.
Shannon: [0:22:50] Yeah, that's only been recently. That's been within the last couple months. And I - I think about three or four that I've gotten like that. But that's scary. I don't like that. I mean, I don't like that they're - they're becoming that advanced, that they're actually using people's names and, you know, that those names are coming up on caller ID. I don't want people thinking that, you know, if they're using my number, that I'm calling them with some scam.
Joe Carrigan: [0:23:12] Right.
Shannon: [0:23:12] So - and it does make it, especially, you know, people who are more vulnerable to the scams, I think it makes it easier for them to scam them because they're, like, thinking, oh, this is, you know, Mr. Jones down the street. That is terrible. Anyway, back to the funniest one was I had an actual person call, tell me I won a cruise. You know, this girl, she was young and very, very excited to tell me that I won this free cruise.
Shannon: [0:23:37] I had an option of, like, four different ones - which, I knew it was a timeshare scam. She didn't know that I knew. So I just asked questions. I asked - I made her go over every single option for each of the different choices. You know, tell me every detail you could find about each one. And she tried to push me on. But I - no, no no. But tell me this.
Shannon: [0:23:58] And I kept her on the phone for about a half an hour before she finally got really pushy and wanted - well, she wanted my credit card. And I said, well, what for? Well, you know, it's, like, $99. And I said, well, you told me it was free. Well, but you have to pay this. Well, no. You told me it was free. I can argue with the best of them.
Shannon: [0:24:18] And, (laughter), I ended up insisting she put her supervisor on the line. I thought, I'm just going to keep this going as long as I can. And get her supervisor on the line, and she's arguing with me. And probably the total call was probably at least 45 minutes. Ended up with the supervisor so angry, she's cursing at me, yelling at me, telling me that, you know, she's going to just take me off their list, they're not dealing with people like me anymore.
Joe Carrigan: [0:24:43] Mission accomplished.
Shannon: [0:24:45] Yes, exactly. Mission accomplished. And she hung up on me. And I never did hear back from that company again. So I think she did take me off the list.
Joe Carrigan: [0:24:54] That's awesome.
Shannon: [0:24:54] That was probably the most fun one I ever did. (Laughter). But yeah, you know, it's a daily thing. You know, I probably get 10 to 15 calls a day.
Joe Carrigan: [0:25:03] There's no shortage of people calling you.
Shannon: [0:25:04] No. No. And then do you get the ones online? I don't know if men get them as much as women. And women do. I know we get a lot of them on, like, Facebook where you get the instant messaging. And it's some guy in Syria, but he's, within five minutes, madly in love with you.
Joe Carrigan: [0:25:21] My wife gets those frequently, yes.
Shannon: [0:25:23] Yes. Yes. Those are fun because I always turn it around. Because they want you to send them money so that they can come here to visit.
Joe Carrigan: [0:25:29] Right.
Shannon: [0:25:29] And I turn it right around. No. I don't want to be here. I want to be where you are.
Joe Carrigan: [0:25:34] Send me money.
Shannon: [0:25:34] Send me money, and I'll come to you.
Joe Carrigan: [0:25:38] (Laughter). Awesome.
Shannon: [0:25:39] Nobody ever has.
Joe Carrigan: [0:25:41] Nobody - yeah. Surprise, right?
Shannon: [0:25:42] (Laughter). No. But no, I absolutely - you know, I listen to that podcast, and I absolutely agree. It needs - you know, something needs to be done. And if, you know, even if it's a person here or there that's wasting their time and making it less profitable for them...
Joe Carrigan: [0:25:57] Right.
Shannon: [0:25:57] ...Do it, by all means.
Joe Carrigan: [0:25:59] Shannon, thank you very much for joining us. I appreciate you taking the time out of your day.
Shannon: [0:26:03] All right. Thank you for having me. I appreciate it.
Dave Bittner: [0:26:06] All right. Well, that was a lot of fun. Shannon's certainly having a good time out there. I guess we should mention that Shannon didn't want us to use her last name so that's why we're just referring to her as Shannon. I have to say, first of all, Joe, how do you know that Shannon wasn't just stringing you along and taking up your time?
Joe Carrigan: [0:26:21] Could very well be, but I think it was time well spent.
Dave Bittner: [0:26:25] (Laughter) Yeah. That's right. I have to say I'm happy that we have folks like Shannon out there who both have the time to do this and enjoy doing it. Right? And I think, as she said, engagement is the key here, to string them along. And she's using social engineering against them.
Joe Carrigan: [0:26:39] Yes. Absolutely.
Dave Bittner: [0:26:40] Yeah. I love the part with having a side conversation with the cat. I think that's - (laughter) you could go a long way with that.
Joe Carrigan: [0:26:47] I think if I did that with one of my cats, the cat that I actually interact with the most, they would quickly catch on that it was a cat. Because this cat has a conversational way of interacting with you. Like, I'll say something to her, and then she'll meow.
Dave Bittner: [0:26:58] (Laughter).
Joe Carrigan: [0:27:01] Maybe it'd be even better if you can just convince them that you're just insane on the other end. You know, that you are the kind of person that talks to cats and...
Dave Bittner: [0:27:07] Right. Be a good way to be taken off their list, maybe. Yeah.
Joe Carrigan: [0:27:11] I love that at the end, (laughter), when she's talking about how that she infuriated the supervisor and they said, I'm going to take you off the list.
Dave Bittner: [0:27:17] (Laughter).
Joe Carrigan: [0:27:18] I win.
Dave Bittner: [0:27:21] Right. Exactly, yeah. Yeah. (Laughter). They fell right into her trap.
Joe Carrigan: [0:27:24] I also love when she says, did you get the location, to somebody in the background, and then they quickly terminate the call. That's great. That's awesome.
Dave Bittner: [0:27:31] Yeah. Interesting, she was talking about this spoofing of local caller IDs. I haven't seen that myself.
Joe Carrigan: [0:27:36] I haven't seen it, either. But I don't doubt that that's possible.
Dave Bittner: [0:27:39] Yeah.
Joe Carrigan: [0:27:39] It's very easy to spoof a local number. I mean, we get these neighbor call numbers all the time, right, where it's the first six digits are the same. I don't know anybody who has the first six digits of my phone number other than me. So I know immediately it's a scam, and they get my old lady voice if it's anybody when I answer the phone for them. Most of the time it's a robocall, though.
Joe Carrigan: [0:28:00] I will point out a couple things. Her stringing people along with use of the word possibly is great. But another key takeaway is don't use the word yes. Don't use yes because there are other scams out there, like the can-you-hear-me scam, where somebody says, can you hear me? And you go, yes. And they take that segment of your voice, and then they sign you up for other services by using your voice.
Dave Bittner: [0:28:23] And then they have proof that it was your voice.
Joe Carrigan: [0:28:25] Right. Exactly. So don't say yes. Don't say yes.
Dave Bittner: [0:28:29] All right. Well, that was a fun one. Thank you, Shannon, for taking the time to be with us this week. And that is our podcast.
Dave Bittner: [0:28:36] Thanks to our sponsors, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [0:29:04] The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben, our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [0:29:20] And I'm Joe Carrigan.
Dave Bittner: [0:29:21] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.