We get listener followup on the church pastor scam. Dave explores a phony investment web site. Joe explains phishing, spear phishing and whaling. Fake federal agents are featured in our catch of the day. Carole Theriault interviews Max Bruce from Action Fraud UK.
Max Bruce: [00:00:00] With scam, it may not sound as sort of severe. But actually, we need to sort of think about our technology. A scam is a fraud. A fraud is a crime. And, you know, somebody could lose a small amount of money or they could lose their life savings.
Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:33] Hi, Dave.
Dave Bittner: [00:00:34] Later in the show, we've got Carole Theriault's interview with Max Bruce from Action Fraud U.K.
Dave Bittner: [00:00:39] But before we get going, a quick word from our sponsors at KnowBe4. So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this. But the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective.
Dave Bittner: [00:01:07] And we are back. A couple of things before we jump in here, Joe. I have a cold - just for our listeners' sake. Yes, I know, I'm a little stuffy today. But we'll make the best of it. We've got some follow-up today. We had a listener named Rick write in. And he said, I provide IT services for many churches in the Atlanta area. And he says they're seeing the fake pastor iTunes gift card scam, about three to four campaigns a week...
Joe Carrigan: [00:01:31] Really.
Dave Bittner: [00:01:32] ...Across the 10 churches where they handle IT.
Joe Carrigan: [00:01:35] We talked about that about two months ago, right?
Dave Bittner: [00:01:37] Yeah, yeah. It's been a few weeks.
Joe Carrigan: [00:01:38] Yeah.
Dave Bittner: [00:01:38] But he says he's been educating the staff. He says unfortunately, church staff and volunteers are quite often pretty tech illiterate.
Joe Carrigan: [00:01:46] Right.
Dave Bittner: [00:01:47] And he said they had a targeted attack where someone almost performed an outbound wire transfer for an invoice while the pastor was out of town. He said the email conversation was pretty convincing. In the end, the only thing that prevented this was my insistence that the church block all wire transfers.
Joe Carrigan: [00:02:04] I would recommend, as we're going to talk here later, that you have your church people listen to this podcast.
Dave Bittner: [00:02:10] Well, I want them to listen every week, Joe (laughter).
Joe Carrigan: [00:02:11] Well, right, of course. But I would say, you know, as part of your training and part of your IT services, you should recommend to all the church staff they should listen to "Hacking Humans."
Dave Bittner: [00:02:19] I cannot disagree with that.
Joe Carrigan: [00:02:21] That's why we're here.
Dave Bittner: [00:02:23] (Laughter). So Rick says he spent years forecasting revenue for a government contractor. And he developed a sort of a Spidey sense to avoid fraud. So thanks, Rick, for sending that in. It's interesting to hear that this is perhaps more widespread than we had originally thought. Those folks are lucky to have you looking out for them.
Joe Carrigan: [00:02:38] Indeed.
Dave Bittner: [00:02:39] So my story this week - this was another one sent in from a listener. A listener named Jordan sent this in. And he said I thought you might be interested in this online cryptocurrency investment scam. This is a website, cozinxbase.com. And Jordan writes in and says it seems investors never see their money again after signing up with one of the packages.
Joe Carrigan: [00:02:58] What?
Dave Bittner: [00:02:59] The reason this scam is interesting is that it is quite believable. The returns are obviously outrageous. However, as far as the site goes, it is quite convincing. He said the best thing we can do is spread the word and inoculate as many people as possible to this kind of scam.
Joe Carrigan: [00:03:12] Absolutely.
Dave Bittner: [00:03:13] So I went and looked at this Cozinxbase thing. And it's interesting. I mean, Jordan's absolutely right. At first glance, it's a well-designed website...
Joe Carrigan: [00:03:22] It looks very nice.
Dave Bittner: [00:03:23] ...Looks legit.
Joe Carrigan: [00:03:24] Yup.
Dave Bittner: [00:03:25] You get down to the part where they talk about their different plans.
Joe Carrigan: [00:03:28] They even have, like, people that look like they run the place.
Dave Bittner: [00:03:30] They have a bronze plan that's $2,000, a silver plan that's $10,000, the gold plan, which they say is their popular plan. That's $20,000. The diamond plan is $50,000. And the black plan is $100,000. I don't know why we go from precious metals to complete darkness in our descriptions...
Joe Carrigan: [00:03:50] Right.
Dave Bittner: [00:03:50] ...Of the - well, I get - the black plan is new.
Joe Carrigan: [00:03:51] Completely through gemstones.
Dave Bittner: [00:03:52] Yeah. The black plan is their new plan, so maybe they don't know about platinum. But here's the thing. They're talking returns - 30 to 50 percent monthly return. I'd say if you consult with any real financial adviser, they'd say that that is absolutely bonkers (laughter).
Joe Carrigan: [00:04:06] Right. You know, the very first thing that comes to my mind when you hear this is Ponzi scheme. But I'll bet it's not even that sophisticated.
Dave Bittner: [00:04:13] Well, I don't know. I mean, I did a little bit of quick digging into this site, the usual stuff you can do. I did some reverse image search on the images of all of their alleged employees. And sure enough, they're all just stock photos.
Joe Carrigan: [00:04:26] Really.
Dave Bittner: [00:04:26] Yep. These employees show up in a lot of different places.
Joe Carrigan: [00:04:29] (Laughter).
Dave Bittner: [00:04:29] So either they're - got a lot of side hustles going on...
Joe Carrigan: [00:04:32] Right.
Dave Bittner: [00:04:32] ...Or they are not actually employees of this place. I did a Google Maps search on their business address. It doesn't exist.
Joe Carrigan: [00:04:39] It's - yeah, it's in the middle of a field somewhere.
Dave Bittner: [00:04:42] I mean, there's not - that address doesn't exist.
Joe Carrigan: [00:04:44] It doesn't resolve to an address.
Dave Bittner: [00:04:45] Nope. Nope.
Joe Carrigan: [00:04:46] Awesome.
Dave Bittner: [00:04:46] Not at all. The other interesting thing - again, just a quick Google search - brought up, I guess, some zombie pages on their website of stuff they used to do. And this Cozinxbase Inc. - one of the pages that popped up, it says, get paid to surf. Are you ready to start making money online with little effort? We are an ideal get paid to website that you can trust.
Joe Carrigan: [00:05:10] (Laughter).
Dave Bittner: [00:05:12] We have been around for a while, and we actually pay. Don't waste your time with scam sites. Start earning real cash now. So...
Joe Carrigan: [00:05:19] I can't even respond to this. This one has me so flummoxed. It's just - it's awesome.
Dave Bittner: [00:05:23] So I guess they moved on from this get paid to web surf thing to...
Joe Carrigan: [00:05:27] Right. That was probably some kind of...
Dave Bittner: [00:05:29] (Laughter).
Joe Carrigan: [00:05:29] ...Click farm fraud thing where they were just sending people to pages to jack up the revenue for ads they were selling somewhere.
Dave Bittner: [00:05:36] So too good to be true, of course.
Joe Carrigan: [00:05:38] Of course.
Dave Bittner: [00:05:39] And, you know, just some quick digging on my part. I didn't do anything sophisticated. I did a couple of Google searches.
Joe Carrigan: [00:05:44] You did more than 99.9 percent of the people would do.
Dave Bittner: [00:05:48] Yeah, that's true.
Joe Carrigan: [00:05:48] I mean, hopefully, most of the people would come to this website and go, there's no way this is real, and just be gone, right? But anybody that would be tempted by this should then spend the time to do something that you did. Reverse image search is powerful. It's a remarkably good, powerful tool that we have that we didn't have two or three years ago.
Dave Bittner: [00:06:04] (Laughter).
Joe Carrigan: [00:06:05] And you can look up the people that are on this webpage in that reverse image search and know immediately that these are just models who have posed for some stock pictures.
Dave Bittner: [00:06:14] And I think this is another one of those examples where if you just asked a friend about this - particularly, I think most of us probably know somebody who has knowledge when it comes to finances and investing and so forth who just...
Joe Carrigan: [00:06:27] Yup.
Dave Bittner: [00:06:27] This is one of those things. If you're going to spend some money on anything like this, run it by a friend and say, what do you think about this?
Joe Carrigan: [00:06:33] Yeah. Don't keep that to yourself.
Dave Bittner: [00:06:34] All right. Well, again, thanks, Jordan, for sending this in. This is a good one and certainly one for people to know about. Joe, what do you have for us this week?
Joe Carrigan: [00:06:41] All right, Dave. On this podcast, we generally avoid technical topics, right?
Dave Bittner: [00:06:45] Yeah, more or less. Yeah, sure.
Joe Carrigan: [00:06:46] So we really want this podcast to be approachable to just about anyone. I want my parents, I want my aunts and uncles, my friends who aren't really technical - I have a lot of them, actually. I want anybody to be able to listen to this podcast. And I want the technical people who listen to this podcast or other podcasts like the CyberWire recommend this podcast to everyone. I really want it to be approachable. And you want that, too.
Dave Bittner: [00:07:05] Sure.
Joe Carrigan: [00:07:05] That's kind of the mission of this podcast.
Dave Bittner: [00:07:07] Yeah.
Joe Carrigan: [00:07:08] So that being said, let's review something for maybe a new listener or somebody who's new to the idea of social engineering. You hear us talk about phishing a lot, P-H-I-S-H-I-N-G. It's spelled phishing, and that is a longtime hacker tradition going back to using the phone system.
Dave Bittner: [00:07:24] Phone phreaking, yeah.
Joe Carrigan: [00:07:25] Phone phreaking, right, where freaking was spelled with a P-H. Phishing is where an attacker will send out a bunch of emails with some malicious payload or a malicious link in an attempt to get some of the people that they send it to to respond or to take some action. It never ends well for the end user, but it's pretty easy to spot and pretty easy to avoid.
Joe Carrigan: [00:07:43] Then there's spear phishing, where somebody goes out and they will gather a bunch of open-source intelligence, right? - which I'm going to talk about open-source intelligence gathering next week...
Dave Bittner: [00:07:53] OK.
Joe Carrigan: [00:07:53] ...Because that's a very important part of social engineering. And they're going to use that information to make an email seem more plausible. And they're not going to send out a bunch of emails. They're only going to send it out to one person.
Dave Bittner: [00:08:02] Right.
Joe Carrigan: [00:08:03] So that's spear phishing versus phishing. So phishing, I'm casting a wide net. Spear phishing, just like the name implies, I'm going after one guy. So finally, we have whaling. It's the same thing as spear phishing. The only difference is the target.
Dave Bittner: [00:08:15] (Laughter).
Joe Carrigan: [00:08:15] If you think about the concept of spear phishing, I'm going to stand in a river or stand on the beach, and I'm going to get a fish. And that's going to be it. But if I'm going whaling, I'm going after something big.
Dave Bittner: [00:08:23] You got a harpoon.
Joe Carrigan: [00:08:24] Right, I got a harpoon.
Dave Bittner: [00:08:25] (Laughter).
Joe Carrigan: [00:08:26] And it's the same process, but I'm going after a whale. So in this case - like, casinos have whales that come in. Those are the big spenders. So do spammers and scammers and social engineers, they go after CEOs and CFOs. And there is an article from Juliet Van Wagenen on BizTech magazine called "Cyberattacks that Target the C-Suite on the Rise." And this kind of falls into the, I saw this coming category, right? (Laughter) But it's interesting.
Joe Carrigan: [00:08:53] The article quotes Katherine Hutt, who is the national spokesperson for the Better Business Bureau. And she says, we believe there has been a recent uptick in whaling scams aimed at businesses. And we want to warn companies to alert their employees about this kind of potential fraud. The FBI said in a report in July that losses from business email compromise were up 136 percent from December of 2016 to May of 2018.
Dave Bittner: [00:09:20] Wow.
Joe Carrigan: [00:09:20] So a little more than a year - yeah, it's not even - it's about a year and a half. And it's more than doubled. So business email compromise is the main goal of a whaling attack because if I can get a whaling attack to be successful, I can get a CEO to install some malicious software that gives me access to his email account, then I can very easily impersonate that CEO.
Joe Carrigan: [00:09:40] There's other phishing scams where I impersonate the CEO from an outside email address. And I look like I may have an email address that kind of looks like the CEO's email address, but it isn't. An astute employee might spot that, and my attack might not be successful. But if I actually have control of the CEO's email address, it's almost like having the keys to the kingdom...
Dave Bittner: [00:09:59] Right.
Joe Carrigan: [00:09:59] ...Very dangerous. So what can be done about these kinds of attacks? The Better Business Bureau has five tips. They say, number one - be wary of short messages because that's how these things start. They start with short messages. And the scammers aren't going to write long messages. They want to engage you and get you started with a short message like, I need your help on something. Hey, do you have time to help me with something?
Dave Bittner: [00:10:21] Right, so this isn't going to start with the long Nigerian bank scam emails...
Joe Carrigan: [00:10:25] Right.
Dave Bittner: [00:10:25] ...That we see all the time.
Joe Carrigan: [00:10:25] It's going to start with something very quick and very easy. Double-check before downloading. This is something we say all the time. Krebs has a rule on this. If you didn't ask for it, you don't install it. So if somebody sends you an email, just be careful. Now, of course, it's really hard to tell people who have to open documents as part of their jobs, if they receive an email, not to open documents...
Dave Bittner: [00:10:44] Yeah.
Joe Carrigan: [00:10:44] ...In their email. So that becomes a technical solution problem, which is kind of beyond the scope, like I said, of this podcast. So we won't talk about that here. Think about how you share. Never send sensitive personal or proprietary information over email, regardless of who's asking you for it. This is good policy. I've worked at companies where we had ways to securely transfer files to credentialed outsiders. So we had a third-party service where we did that. And we would set our clients up with access to it, and they could access it. It's almost like having a second way to distribute that kind of information.
Joe Carrigan: [00:11:14] Watch out for emails to groups, of course, because if somebody compromises your CEO's email or they're trying to scam you with a fake email, they're going to have a lot more success if they reach out to more people. It just increases the probability of success. Of course, the simple way around this is that a scammer will send out a bunch of individual emails rather than an email to a group. But - so I say still be wary of individual emails you have.
Joe Carrigan: [00:11:37] And finally - and I think this is the most important tip and the best advice you can give. Businesses should set up a process for handling these kinds of requests and transactions. Handling the request of information, sending information to somebody or sending a payment to a third party should always have a business process that gets followed. And that process should always include some kind of verification from another person involved in the company.
Dave Bittner: [00:12:02] Right, another set of eyes.
Joe Carrigan: [00:12:03] Another set of eyes, exactly. And as I've said a number of times, if you get an email from your CEO requesting you to transfer a large amount of money, it makes sense to just - to pick up the phone and say, did you request me to send this money? If the CEO is irritated with this and goes, yes, yes, yes, I asked you to do that, remind them that you're just making sure that the information you've received is authentic and accurate.
Joe Carrigan: [00:12:24] And if you're a CEO and someone calls you and asks you if you did, in fact, send them that information and send them that request, the first two words out of your mouth should be thank you for verifying.
Dave Bittner: [00:12:33] Right, right.
Joe Carrigan: [00:12:34] Try to be accommodating of your employees who are trying to protect your business, right?
Dave Bittner: [00:12:37] Yeah, that little pause could be the difference that it makes in saving you from being scammed.
Joe Carrigan: [00:12:42] And maybe even sending out an email that says, hey, I want to thank my human resource director for touching base with me before sending out a payment that I did actually request - or maybe, hey, because she sent or he sent me a message, we stopped a fraudulent attack. Thank you. Good job.
Joe Carrigan: [00:12:57] All right. Well, it's a good one - good tips there. And it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:13:05] Our Catch of the Day this week comes from a listener. His name is Dan. He sent us this Catch of the Day. He said, my name is Dan, and I'm a huge fan of the "Hacking Humans" podcast. I love what you're doing. Keep up the good work. Well, thank you, Dan. We appreciate that.
Joe Carrigan: [00:13:16] Thanks, Dan.
Dave Bittner: [00:13:17] He said, I recently got a voicemail from a number I don't recognize in Floral Park, N.Y. Of course, I didn't answer. This is a transcript from the voicemail. And it goes like this. There's a lawsuit against you regarding tax deficiency in tax fraud. Ignoring this will be an intentional second attempt to avoid federal law. For any further information, immediately speak to federal agent - callback number. Then it has a number. I repeat - it has the number. And it says thank you - so short and sweet. And Dan pointed out something that you've said many times. Federal agents don't call and leave automated voice messages.
Joe Carrigan: [00:13:52] No, they do not.
Dave Bittner: [00:13:52] No, they write letters.
Joe Carrigan: [00:13:54] Yes, or show up.
Dave Bittner: [00:13:54] Or they show up at your door. Right, right. Exactly. And also, Dan had a nice little P.S. here. He said, well, I can't tell you where I work. I can tell you that through the month of October, they're running a contest and putting our names into a raffle every time we catch a phishing email that they send to our work emails.
Joe Carrigan: [00:14:10] That's a great idea.
Dave Bittner: [00:14:11] Yeah. He says, if we fall for the attack, we have to go through the phishing training once more. He says, I love it (laughter). So yeah, that's great. Gamify it a little bit. Make it fun. But also just put people on alert that there's a good side and a bad side - I guess a carrot and a stick when it comes to...
Joe Carrigan: [00:14:27] Right.
Dave Bittner: [00:14:27] ...Trying to catch those phishing emails.
Joe Carrigan: [00:14:29] I like that in this case, the stick is just training.
Dave Bittner: [00:14:32] Yeah.
Joe Carrigan: [00:14:32] Yeah.
Dave Bittner: [00:14:33] Yeah. Right, exactly. You lose your annual bonus.
Joe Carrigan: [00:14:36] Right. No, that would not be a good stick.
Dave Bittner: [00:14:38] All right. Well, Dan, thanks for sending that in. It's a good one. And always, we'd love to hear from you. If you have something you'd like for us to use as our Catch of the Day, please send it to us. Coming up next, we've got Carole Theriault's interview with Max Bruce from Action Fraud U.K. But first, a message from our sponsors at KnowBe4.
Dave Bittner: [00:14:58] Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost. And the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5 percent failure rate. That sounds pretty good. Who wouldn't want to bat nearly 900? But this isn't baseball. If your technical defenses fail in one out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:15:58] And we are back. Joe, it's great to welcome back to the show Carole Theriault. She is our CyberWire U.K. correspondent. And this week, she's interviewing Max Bruce. He's from an organization called Action Fraud U.K. Here's Carole Theriault's interview with Max Bruce.
Carole Theriault: [00:16:13] So we all know that online scams are designed to dupe us. They try to get us into doing something like give money away or hand over access to sensitive info. Sometimes, they just want us to click on a link in order to install some nasty malware onto our machines. And we keep hearing about how online scams are getting worse out there. Some are sickening. During Hurricane Florence that recently hit the East Coast of the U.S., scammers were out in full force pretending to offer assistance to the afflicted.
Carole Theriault: [00:16:39] Now, if someone breaks into my house, I know to call the cops. If someone steals my wallet, same deal. But if I fall for an online scam, do I call the cops then too? The thing is we know that scammers hide their location and identity. And let's be honest. They look after specific geographies. Do they really want to know about an online scam orchestrated by scammers outside their jurisdiction? So I reached out to Action Fraud U.K. to find out what they had to say about all this.
Max Bruce: [00:17:06] OK. So my name is Max Bruce, and I'm from the National Fraud Intelligence Bureau. And we are based in the City of London. We work with Action Fraud. So if you report a fraud or cybercrime within England, Wales or Northern Ireland, your report will come through to the National Fraud Intelligence Bureau who will sort of link all the crimes together. We'll assess them.
Max Bruce: [00:17:28] We'll try and take sort of key banking information, telephone calls, locations, sort of any sort of MO that they can and then put that into a package that will then go out to law enforcement throughout England, Wales and Northern Ireland. We will also look at how we can disrupt websites and bank accounts and telephone numbers, share intelligence with our partner agencies and put out alerts to the public.
Carole Theriault: [00:17:52] Right, so when you're talking about disrupting these numbers, these are numbers kind of assigned or believed to be in the hands of a scammer.
Max Bruce: [00:17:59] Yeah. Yeah. So like, you know, a bank account, the money has been paid into maybe or, you know, a telephone number where people are receiving nuisance calls. You know, we believe that is the number that they're using to commit their crimes.
Carole Theriault: [00:18:13] Has the number of scams being reported gone up or is it kind of stayed stable over the last few years?
Max Bruce: [00:18:19] Well, the number of crimes has gone up. But we are still very mindful that crime - sort of fraud and cybercrime is underreported. So one of the key things that we're trying to do is create awareness that if you are a victim, that you should report.
Carole Theriault: [00:18:33] Do you think cybercrime and scams are underreported because the victim's actually embarrassed, they're nervous that cops, you, might think like, what an idiot for falling for that?
Max Bruce: [00:18:43] I mean, I don't know if it's for that particular reason. I think there's a number of factors. People, obviously, get their money back. In a lot of cases, may not even know they've been a victim, which is the really worrying thing. But also, they may, you know, not be aware of where to report to, so it's really important that we sort of publicize ourselves.
Carole Theriault: [00:19:03] Yeah, because I - you know, if I got scammed, I think in my head, I would be thinking, the person who scammed me is probably not in the U.K.
Max Bruce: [00:19:11] OK, yeah.
Carole Theriault: [00:19:11] Right? And what can you do, what can my local authorities do about that? And you're right. If you get your money back from the bank or whatever, it kind of takes the pressure off, I guess...
Max Bruce: [00:19:21] Yes.
Carole Theriault: [00:19:21] ...Of reporting it. But so you're saying it's really important to report. So why is that a good thing to do?
Max Bruce: [00:19:25] So it certainly - it sort of builds the threat picture so we can actually know the true threat of what we're facing. And we can work with other jurisdictions. We - you know, it's a global issue now, so it's about sharing intelligence globally. But also, the really key thing about reporting is that your report will be added to everybody else's report.
Max Bruce: [00:19:44] So somebody may have been a victim, but they may not have many details about the crime. It will be linked with them, so actually, you can be helping, you know, their reports and also helping all the people that maybe don't know they've been a victim and also preventing future fraud and cybercrime from taking place, hopefully.
Carole Theriault: [00:20:01] Yeah. And I guess it also helps with, like, even staffing and resources and budgeting because, you know, if you know there's a big problem out there and it's underreported, it doesn't help you guys if you don't have enough people actually looking into it.
Max Bruce: [00:20:12] Yeah, exactly.
Carole Theriault: [00:20:13] Do you think that someone who acted with more skepticism online would be better suited to trying to avoid these kind of scams? Do you think it's a trust issue is what I'm getting at, actually?
Max Bruce: [00:20:24] I think it's more to do with sort of how sort of sophisticated some of these scams can actually be, you know? And if you get a telephone call and the caller ID shows a trusted number, like your bank, you are more likely to trust it. Same with, you know, a text message. If it appears in a thread that you're already having, it can be quite difficult to sometimes think, actually, is this a scam?
Carole Theriault: [00:20:46] The word scam kind of makes it sound almost cheeky as opposed to a criminal offence. Like, has anyone lost their shirts with a scam that you know of?
Max Bruce: [00:20:55] Oh, 100 percent, absolutely 100 percent. You know, we will see scams where people have lost everything. You know, and like you say, sometimes, the word scam, it may not sound as sort of severe. But actually, we need to sort of think about our terminology. A scam is a fraud. A fraud is a crime. And, you know, somebody could lose a small amount of money or they could lose their life savings. And we do see that. And, you know, the sort of the effects can be devastating.
Carole Theriault: [00:21:18] We, obviously, have a blind spot because we keep falling for scams.
Max Bruce: [00:21:20] Yep.
Carole Theriault: [00:21:21] So what are the tricks that you're seeing today? And maybe they've changed over the last, you know, five years, say.
Max Bruce: [00:21:27] Technology has moved on and so people are now allowed to use sort of number spoofing and actually make things seem a lot more genuine. The sort of scams that we see is people are very - trying to be very exploitive of seasonal topics. So maybe like the time when you've got student loans coming through or tax returns, you know, we'll see a high spike in sort of these types of scams. For example, when there was the BA data breach...
Carole Theriault: [00:21:51] Yeah.
Max Bruce: [00:21:52] You know, it was kind of going around on Twitter. And it wasn't, like, the official lines yet. But we were already seeing fake BA customer emails, you know, being sent out. So people are really trying to be responsive. And anything they see in the news, you know, maybe disaster sort of relief charities, those sorts of things, trying to exploit those types of situations. In terms of sort of the tactics, I mean, certainly, the ones that we've seen which have been successful is more things around the use of urgent language. So, you know, urgent, expires, immediately...
Carole Theriault: [00:22:25] Putting us into panic as a recipient, as a victim.
Max Bruce: [00:22:28] Exactly, yeah. It's trying to get you to make that sort of...
Carole Theriault: [00:22:31] Right.
Max Bruce: [00:22:32] ...Really quick response where, you know, you might not think necessarily right at that moment. So like I said, it's really important that you take that time just to step back - I mean, sort of tax returns maybe. And, you know, even with a refund, for example, we'll see something saying, you know, you are owed money. You're due money back, but it's time limited. So complete the form as soon as possible.
Max Bruce: [00:22:51] These sorts of things are really sort of the lures that will get people time and time again. We also see it on the flipside. You know, congratulations, you've won. There'll be, like, you know, a heading that might make people sort of click on a link.
Carole Theriault: [00:23:02] Finally, recognition.
Max Bruce: [00:23:04] Exactly. You know, and - you know, like I say, with the sort of the digital footprint that we put out there, people might look at, you know, a simple tweet they put out about a restaurant that they've gone to. It may actually result in them receiving a spoofed email from the restaurant being - you know, you were the 100th customer of the night or something. Complete this...
Carole Theriault: [00:23:21] Right.
Max Bruce: [00:23:21] ...Form and you'll get a voucher. You know, simple things like that can still be very sort of, you know, successful for the criminals.
Carole Theriault: [00:23:30] And social engineering, does it play, like, a massive role in scams? Is it something that you see in almost every single scam or do we make too big of a deal about it?
Max Bruce: [00:23:39] No, social engineering is, you know, is hugely prevalent within these scams. The most successful sort of - that we see is still telephone and text messaging. So actually, where you have that sort of human interaction with people is still far more likely to bring, you know, success to the criminal as opposed to an email. You know, sort of that sort of thing, the sort of computer software service frauds, for example, are very sort of - are successful at the moment. And we see a lot of reports about that where someone actually rings them up and has that sort of human engagement with them.
Carole Theriault: [00:24:11] Now, I've been getting a lot of calls from Microsoft about my computer being damaged and having a virus (laughter).
Max Bruce: [00:24:16] OK.
Carole Theriault: [00:24:17] Now, these numbers come in, and I choose just to block them when they come in. But I haven't reported these to Action Fraud. Is that something that I should do?
Max Bruce: [00:24:25] Yeah. I mean - certainly. I mean, like I said, computer software service fraud is a huge issue at the moment. I mean, last year, I think we had about 22,000 reports and...
Carole Theriault: [00:24:34] Yeah.
Max Bruce: [00:24:35] ...Over 21 million pounds reported loss due to these types of scams. You know, if you do have any information or you have a number or something like that, then yes, it's really important that we - you know, we have these sorts of numbers and this information because we, you know, we may actually help prevent somebody who does answer the phone and does fall for it. So, you know, I'd advise everybody to report if they have information.
Carole Theriault: [00:24:56] OK. And what - other than reporting it, what other changes need to happen for us to catch more of these scammers internationally and nationally?
Max Bruce: [00:25:04] We need to work better with industry and, you know, make sure we build up those strong relations as well. So we're - I mean, we're working very closely with the banks, for example. And we're introducing things like the banking protocol where all the people on the shop floor are sort of being given some basic training, so they're aware of some sort of vital signs that then they can sort of use the banking protocol, call the police and hopefully, we can stop that. So it's about law enforcement, but it's about awareness. It's about everybody sort of pulling together, supporting each other. And, you know, hopefully, we will - you know, and just create that awareness, really.
Carole Theriault: [00:25:38] OK. Before we go, is there a scam that was most memorable to you, either for its cunning or idiocy or quirkiness?
Max Bruce: [00:25:46] So within our team, every week, we put out a sort of scam of the week, if you will. And we call it Fishy Friday. And so it's the sort of things that we've seen a lot of during the week. So we put it on our social media. And one of them that sort of stuck out to me that included everything within the scam is the first part of it was somebody had got hold of someone's email account. And they had sort of sent an email to a business partner asking them to make a payment because they were going to be away for a few days. So it's kind of like the start of like your mandate fraud and sort of changing your banking numbers to make the payment. So that was sort of the first stage of it.
Max Bruce: [00:26:23] And then the person had, you know, taken the instructions and gone to, you know, change the bank details to pay the money. So they went to pay it, and the bank account wasn't correct. So they couldn't pay the money. So then they saw the number on the invoice, rang the bank or what they thought was the bank to actually then speak to the criminal. So the criminal didn't want to sort of just get that quick win of the payment. They wanted to actually try and build a relationship and create that sort of social engineering environment. They also want - you know, could then use that situation to, you know, get them and verify their accounts and sort of, you know, get a lot more sort of information from them than just the payment. It kind of included many, many steps. So I think that was quite a memorable one.
Carole Theriault: [00:27:08] Yeah. It kind of tells you how organized it is. It's not just some spotty kid behind a computer.
Max Bruce: [00:27:14] No. I mean, like you said, this can be sort of serious organized crime groups.
Carole Theriault: [00:27:19] What you guys want most from us is report these scams to you so you guys can build a more accurate picture of what you're actually dealing with.
Max Bruce: [00:27:26] Yes, please. Make sure you report.
Carole Theriault: [00:27:29] This was Carole Theriault for the CyberWire's "Hacking Humans."
Dave Bittner: [00:27:33] All right, so an interesting window into the types of things that are going on in the U.K. when it comes to battling these things.
Joe Carrigan: [00:27:40] Right. Yeah. We've heard stories before about where people have been too embarrassed to report their own fraud victimization. So yeah, I think this does happen more frequently than anyone wants to admit. I'd like to see a study done on it. But I don't know how you would even begin to select the population for that. Again, one of the biggest factors in any of these attacks is an artificial time constraint. You know, you need to do this now, trying to short-circuit your thinking process. I had - a couple of weeks ago, we had the guest who said, go get a cup of tea.
Dave Bittner: [00:28:07] (Laughter). Right. Right.
Joe Carrigan: [00:28:08] Relax.
Dave Bittner: [00:28:08] Right.
Joe Carrigan: [00:28:09] Think about this for a couple minutes.
Dave Bittner: [00:28:09] Right. And as we said earlier in today's show, ask a friend.
Joe Carrigan: [00:28:12] We don't have Action Fraud here in the U.S. We do have a couple of resources. You can take a look at the FTC's consumer website. And that's consumer.ftc.gov. And they have a scams tab there. And you can look at all of the latest scams that are going on. You can report a scam to the FTC at ftc.gov/complaint. If you've actually been victimized and sent money to a scammer, you can file a report with the FBI's Internet Crime Complaint Center at ic3.gov. You can also call your state's attorney's office as well.
Dave Bittner: [00:28:42] Yeah. You know, I was visiting with my folks recently. You know, they live in an over-55 community. And I noticed they had a brochure on their coffee table that was from the Maryland state's attorney. And it was a nice glossy brochure all about avoiding scams.
Joe Carrigan: [00:28:55] Oh, excellent.
Dave Bittner: [00:28:56] So my sense is it was sent to senior citizens. I thought that was interesting outreach that the state's attorney is being proactive about this, trying to get the word out to folks who are certainly targeted. All right. Well, that is our show. Thanks so much to all of you for listening.
Dave Bittner: [00:29:09] And, of course, thanks to our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school Security Awareness Training. Be sure to take advantage of their free phishing test, which you can find out more about at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:34] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:50] And I'm Joe Carrigan.
Dave Bittner: [00:29:51] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.