
Don't dismiss the fraudsters.

Dave describes a credential-gathering scam targeting users of the Stripe online payment system. Joe responds to an email message from his boss and learns a valuable lesson. Our Catch of the Day follows someone as they string along a text-messaging scammer. Carole Theriault returns with an interview with J Bennett of Signifyd, an AI firm fighting romance scams.

Transcript

J Bennett: [00:00:00] I think that's the other thing that people don't particularly understand about fraudsters; they treat this as a business. 

Dave Bittner: [00:00:06]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire and joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe. 

Joe Carrigan: [00:00:26]  Hi, Dave. 

Dave Bittner: [00:00:26]  We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with J. Bennett of Signifyd. They are a firm that is trying to use artificial intelligence to fight romance scams. 

Joe Carrigan: [00:00:39]  Good for them. 

Dave Bittner: [00:00:39]  But first, a message from our sponsors, KnowBe4. Step right up and take a chance. Yes, you there, give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you or, B, please read important message from HR or, C, a delivery attempt was made or, D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions. 

Dave Bittner: [00:01:24]  And we are back. Joe, I'm going to kick things off for us this week. I got a story from the folks at Cofense. And the article is titled "This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users." This is by Milo Salvia from Cofense's Phishing Defense Center. And the folks at Cofense have been tracking a phishing campaign that looks to gather credentials from Stripe, and Stripe is an online payment platform. 

Joe Carrigan: [00:01:53]  OK. 

Dave Bittner: [00:01:54]  They handle billions of dollars for folks. And so what happens is you get an email from someone that says it's from Stripe support. 

Joe Carrigan: [00:02:01]  Right. 

Dave Bittner: [00:02:01]  And it tells them that there are details associated with your account that are invalid and that you need to take immediate action otherwise your account will be placed on hold. Now, if you are an online retailer or something or you rely on your Stripe service, this would get your attention. 

Joe Carrigan: [00:02:17]  Immediately. 

Dave Bittner: [00:02:17]  Yeah (laughter). 

Joe Carrigan: [00:02:18]  Right. 

Dave Bittner: [00:02:18]  So you follow the link, and that takes you to a page that looks just like the Stripe login page. 

Joe Carrigan: [00:02:24]  Right. 

Dave Bittner: [00:02:25]  A couple interesting things to note here - so this page looks exactly like Stripe's page. So it asks for your email and your password. And once you enter them, it asks for your bank account number and your phone number. All of these are things that would not be out of the ordinary for you to enter in your interactions with Stripe, but after you enter in your bank account and your phone number, it pops up a window that says wrong password, enter again and takes you to the actual Stripe login page... 

Joe Carrigan: [00:02:59]  Ah. 

Dave Bittner: [00:03:00]  ...Which looks exactly like the page you were just at. 

Joe Carrigan: [00:03:03]  Right. 

Dave Bittner: [00:03:03]  So the notion being that once you see this wrong password message, you will enter in your password again. You'll think, oh, I must have just mistyped it or something like that. 

Joe Carrigan: [00:03:14]  Right. 

Dave Bittner: [00:03:14]  You'll log in successfully. 

Joe Carrigan: [00:03:15]  You'll move on to the actual Stripe site, and you will be looking at the URL saying this is Stripe and - very clever, I think. 

Dave Bittner: [00:03:22]  Yeah, yeah. So in the meantime, they have gathered up your email, your password, your bank account and your phone number - all very useful information if they want to come at you. Now, another interesting thing about this particular attack is, as the title of this article says, they're using very basic HTML functionality to try to hide the URL. We've talked about many times how it's always a good idea, if you're on your desktop, to hover over a link. When you hover over a link with your mouse, the URL will usually pop up, and it'll show you where you're going to - show the actual URL for where you're going. 

Joe Carrigan: [00:03:56]  Correct. 

Dave Bittner: [00:03:56]  So, for example, if you think that when you hover over this, it should say you're going to Google and instead it says it's visiting malwarethieves[.]com (ph), you know don't click through to that. 

Joe Carrigan: [00:04:07]  Right. 

Dave Bittner: [00:04:07]  Well, built into HTML's <a> tag, one of the fundamental (laughter) building blocks of HTML... 

Joe Carrigan: [00:04:15]  It's A for anchor. 

Dave Bittner: [00:04:16]  Right. Right. 

Joe Carrigan: [00:04:17]  That goes all the way back to when this was just used at CERN, right? When HTML was just used at CERN, they called it an anchor to another document. When you specify in an <a> tag, you can specify the URL and then you close the first <a> tag - right? - with a closing bracket. 

Dave Bittner: [00:04:32]  Right. 

Joe Carrigan: [00:04:32]  And then you could put any text you want in there, and it can even look like another URL. Then you say </a> and that's the closing tag for the entire <a> tag. That's how HTML works if anybody out there is still awake after I explained that. 

Dave Bittner: [00:04:48]  (Laughter) Let me get my weed wacker, Joe, to get us out of... 

Joe Carrigan: [00:04:51]  (Laughter) Right. It's like, I'm down in the weeds. 

Dave Bittner: [00:04:52]  Yeah. Let me just fire that puppy up here. 

Joe Carrigan: [00:04:55]  But basically, that's the technical way of how you put in some text and have the URL point to anything you want in HTML. 

Dave Bittner: [00:05:01]  Right. And also within the anchor tag is the ability to put in a title. 

Joe Carrigan: [00:05:05]  Correct. 

Dave Bittner: [00:05:06]  And so what that allows you to do is sort of take over what pops up when someone hovers over that link. 

Joe Carrigan: [00:05:13]  Correct. 

Dave Bittner: [00:05:13]  So instead of the URL popping up, which is the default behavior, if you put in information for a title, that will pop up instead. And so that could be a different URL... 

Joe Carrigan: [00:05:24]  Right. 

Dave Bittner: [00:05:24]  ...Which could mask the fact that this is going to a malicious URL. 

Joe Carrigan: [00:05:27]  Yep. 

Dave Bittner: [00:05:28]  And another thing - as I was looking into this, just a good reminder that it's harder to do these things on mobile devices than it is on desktop because you can't really hover with a - like you can with a mouse... 

Joe Carrigan: [00:05:39]  Right. 

Dave Bittner: [00:05:39]  ...On a touch interface. On iOS, if you press and hold on a link, it'll pop up, and it'll give you the link. 

Joe Carrigan: [00:05:47]  The actual destination. 

Dave Bittner: [00:05:48]  The actual destination. 

Joe Carrigan: [00:05:49]  Right. 

Dave Bittner: [00:05:49]  There's actually - Apple actually changed the functionality in iOS 13, which is the newest version. It'll give you a preview of the destination page, and it's actually an extra click to get to being able to see the URL. So in some ways, for security, it's kind of a step backwards because it's harder to see the actual URL. I can see the utility of getting a preview of the page you're going to. I wonder, from a security point of view, is it dangerous to generate this preview of the page you might be going to. 

Joe Carrigan: [00:06:20]  Yeah, that's a good question. 

Dave Bittner: [00:06:20]  If it is a malicious link, something's rendering that page. 

Joe Carrigan: [00:06:22]  Right. In this case, it wouldn't have helped you unless you actually took the time to look through the URL, right? 

Dave Bittner: [00:06:26]  Yeah. 

Joe Carrigan: [00:06:26]  Because it would have looked just like the Stripe login page. 

Dave Bittner: [00:06:29]  On Android, how do you preview a URL - same thing? 

Joe Carrigan: [00:06:31]  Well, you can't really get a visual preview. But if you do the same thing, you long press, a window pops up that says, do you want to open this in another tab, in an incognito tab? Do you want to save it? Do you want to share it? But up at the top is the actual text of the URL. 

Dave Bittner: [00:06:45]  I see. 

Joe Carrigan: [00:06:45]  So you can actually read the URL just by long pressing on it on Android. 

Dave Bittner: [00:06:49]  All right. Well, in terms of recommendations to protect yourself against this type of thing, where they're trying to get your Stripe credentials, I suppose in terms of vigilance - I mean, anytime someone's asking for anything that's financially related... 

Joe Carrigan: [00:07:01]  Right, vigilance. And if you have the capability, two-factor authentication. 

Dave Bittner: [00:07:06]  Right, yeah. Yeah. That would work here. 

Joe Carrigan: [00:07:08]  Because if you - that would really save your butt. 

Dave Bittner: [00:07:09]  (Laughter). 

Joe Carrigan: [00:07:09]  If you actually gave them your username and password, they still wouldn't be able to get in... 

Dave Bittner: [00:07:13]  Yeah, yeah. 

Joe Carrigan: [00:07:14]  ...Because they wouldn't have your second factor. 

Dave Bittner: [00:07:16]  Yeah. All right. Well, that's my story this week. Joe, what do you have for us? 

Joe Carrigan: [00:07:20]  Dave, I have something from personal experience. 

0:07:22:(LAUGHTER) 

Dave Bittner: [00:07:25]  OK. 

Joe Carrigan: [00:07:25]  And I'm not happy about it. 

Dave Bittner: [00:07:26]  All right. 

Joe Carrigan: [00:07:26]  Last week, I sent my boss, Dr. Tony Dahbura, a progress report. 

Dave Bittner: [00:07:31]  Yeah. 

Joe Carrigan: [00:07:31]  And Tony replied to me and said, this looks great. Let's meet up next week after the staff meeting on Tuesday. And I said, fine. That's great. 

Dave Bittner: [00:07:38]  Yeah. 

Joe Carrigan: [00:07:39]  On Monday, I had lunch with Tony. We were having a meeting with Dr. Lee, our technical director, and somebody from industry. And after we got back from lunch a little bit later in the afternoon, around 3:55, I got an email with a subject line - quick request. And the only thing in the email was the word available, followed by a question mark and then a dash, Anton Dahbura - because that's Tony's actual name - executive director. And quickly, I replied, sure, right?

Dave Bittner: [00:08:06]  Yeah. 

Joe Carrigan: [00:08:07]  And I grabbed my notebook and a pencil, and I head downstairs to Tony's office, only to find it dark. And I'm wondering, where's Tony? And I see a co-worker of mine, and I go, where's Tony? And she says, he left at 2. Did you get that email? And I'm like, oh. 

Dave Bittner: [00:08:21]  Oh, oh. Oh, Joe. 

Joe Carrigan: [00:08:24]  So I grab my phone, and I really quickly - and I look at the email, and sure enough, it does not come from Tony's actual email. It comes from a Gmail account that is set up to emulate Tony's email. I didn't check the email, right? 

Dave Bittner: [00:08:37]  Wow. 

Joe Carrigan: [00:08:37]  So I responded to the guy. And they got me, Dave. They got me. They got me with a phish. And... 

Dave Bittner: [00:08:45]  (Laughter) Oh, for shame, Joe. For shame. 

Joe Carrigan: [00:08:49]  I was so angry with myself and embarrassed at this. 

Dave Bittner: [00:08:54]  (Laughter) Aw. 

Joe Carrigan: [00:08:54]  We've been getting a lot of these at the office recently, where they're sending out messages from, like, department heads when they're just trying to get gift cards. 

Dave Bittner: [00:09:00]  Yep. 

Joe Carrigan: [00:09:00]  So if this would have gone on, this would have been - you know, hey, I'm at this meeting. I need you to go buy me some gift cards. 

Dave Bittner: [00:09:07]  Right. 

Joe Carrigan: [00:09:07]  And my plan was - OK, I'm going to extract my vengeance from these guys, right? 

Dave Bittner: [00:09:12]  OK (laughter). 

Joe Carrigan: [00:09:12]  I'm going to - we talked a couple of months back about Shawn (ph), who just hit the quick reply buttons on Gmail because Gmail, if you have an Android phone, then you receive an email and you click reply, it gives you, like, three options to quickly reply that are sentences that sound like they're cogent responses. 

Dave Bittner: [00:09:29]  Right. 

Joe Carrigan: [00:09:30]  But it just takes a button click to do it. And I was like, I'm going to do this. But alas, our network security team, our operational security team, blocked the address. So I... 

Dave Bittner: [00:09:38]  (Laughter) They were one step ahead of you. 

Joe Carrigan: [00:09:41]  That's the right thing to do. 

Dave Bittner: [00:09:42]  Yeah. 

Joe Carrigan: [00:09:42]  But I never got any further emails from this person or people. 

Dave Bittner: [00:09:45]  Now, to add insult to injury... 

Joe Carrigan: [00:09:46]  (Laughter). 

Dave Bittner: [00:09:46]  ...What you're saying here is that your co-worker had gotten the same email. 

Joe Carrigan: [00:09:51]  He'd gotten a similar email months ago, right. 

Dave Bittner: [00:09:52]  Oh. And that person did not fall for it (laughter). 

Joe Carrigan: [00:09:55]  No, well - I don't know that I would have fallen for... 

0:09:57:(LAUGHTER) 

Joe Carrigan: [00:10:00]  He knew right away that it was a scam. And... 

Dave Bittner: [00:10:01]  Yeah, yeah. I guess he didn't host a podcast about social engineering, does he? 

Joe Carrigan: [00:10:06]  No, I guess not. I guess not. 

Dave Bittner: [00:10:09]  (Laughter) OK. 

Joe Carrigan: [00:10:11]  I like to think that if this had gone on, that the moment somebody replied to me and said, hey, I'm in a meeting right now and I need you to do me a favor, I would have clued in on it. 

Dave Bittner: [00:10:18]  Yeah, I suspect you probably would have. 

Joe Carrigan: [00:10:21]  Right. 

Dave Bittner: [00:10:22]  (Laughter) Well, but also, think about if - what if Tony worked in a different building or you were working from home that day? In other words, you were able to - you grabbed your stuff and went down to your boss' office... 

Joe Carrigan: [00:10:32]  Right, to find it dark.

Dave Bittner: [00:10:33]  That was your - yeah, that was your impulse. 

Joe Carrigan: [00:10:35]  Right. 

Dave Bittner: [00:10:35]  But for a lot of people, that wouldn't be a possibility. 

Joe Carrigan: [00:10:37]  Right. You're 100% correct. There was a real physical stop that helped me out here, aside from maybe recognizing the scam when I see it. But there was actually an oddity that made me stop and go, huh, what's going on here? And somebody else asked me, oh, did you get the email that looked like it came from Tony? 

Dave Bittner: [00:10:57]  (Laughter) Oh, Joe. Well, like we say, it can happen to anybody. 

Joe Carrigan: [00:11:00]  It happened to me. 

Dave Bittner: [00:11:01]  Yeah, yeah. Hasn't happened to me in a while, but it has happened to me. Look - hey, it could happen to anybody. Nobody is immune to this. 

Joe Carrigan: [00:11:10]  Right. 

Dave Bittner: [00:11:10]  They will get everybody with something. If they want you bad enough, they will figure out a way to get you. 

Joe Carrigan: [00:11:15]  They got me at just the right time, right? They hit me with this email right at the right time. The week before, Tony had said, let's have a meeting. That day, I had had lunch with Tony and thought maybe he wanted to have this meeting now, on Monday afternoon, rather than Tuesday afternoon. 

Dave Bittner: [00:11:28]  I see. 

Joe Carrigan: [00:11:29]  Because it was a - you know, a meeting of opportunity. So it was just a perfect confluence of all these things that made me go, oh, Tony wants to see me right now, so I'm going to go downstairs. 

Dave Bittner: [00:11:38]  So Joe, what did we learn from this, Joe? What are the lessons? (Laughter). 

Joe Carrigan: [00:11:41]  Well, I guess we learned that when you get a very terse email unsolicited from your boss that you should look at the from email address because that would have been all it would have taken to get me to recognize it as a scam. Of course, I would have immediately replied, sure. 

Dave Bittner: [00:11:58]  (Laughter) If you knew it was a scam, you would've... 

Joe Carrigan: [00:12:00]  If I knew it was a scam, I would've been like, all right, let's play. 

Dave Bittner: [00:12:02]  The game is afoot. 

Joe Carrigan: [00:12:03]  Right. Exactly. 

Dave Bittner: [00:12:04]  Yeah, yeah. All right. Well, I guess a good lesson for all of us. 

Joe Carrigan: [00:12:09]  Yep. 

Dave Bittner: [00:12:10]  And you'll be a little more careful now (laughter), right? 

Joe Carrigan: [00:12:12]  Well, I mean, yeah. I mean, I like to think that I'm always careful. But this time they got me now. I'm embarrassed. 

Dave Bittner: [00:12:18]  All right. Well, I'm glad you're willing to share. And that's the thing... 

Joe Carrigan: [00:12:21]  Well, you know... 

Dave Bittner: [00:12:21]  ...Lots of people are too embarrassed to share, and that... 

Joe Carrigan: [00:12:23]  We have talked about people on this show who have lost thousands and thousands of dollars... 

Dave Bittner: [00:12:28]  Right. 

Joe Carrigan: [00:12:28]  ...Who have had the courage to come forward and share their experience, right? 

Dave Bittner: [00:12:31]  Yes. 

Joe Carrigan: [00:12:32]  How little of an impact this has had on my life... 

Dave Bittner: [00:12:34]  Right. 

Joe Carrigan: [00:12:34]  ...Aside from just my emotional feeling of embarrassment and anger at myself for falling for it, I am willing to take that exchange and willing to share my story, as well. 

Dave Bittner: [00:12:42]  All it cost you was your dignity. 

Joe Carrigan: [00:12:43]  All it cost me was my dignity. 

0:12:48:(LAUGHTER) 

Dave Bittner: [00:12:48]  It's time to move on to our Catch of the Day. 

0:12:50:(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:12:54]  Our Catch of the Day comes from actually a friend of mine on Facebook. His name is Rich. And he is someone who enjoys toying with scammers. Evidently, for whatever reason, he gets a lot of these via text. And these are folks who I think are trying to connect with him for some dating. He is a single guy. And so, you know, I guess he's on a list somewhere (laughter). 

Joe Carrigan: [00:13:18]  Right. 

Dave Bittner: [00:13:19]  He might be someone who's looking for companionship or relationships. So when he senses that he's got a scam, he likes to keep them going. And here is the story. I will play the part of the scammer, and you can play the part of Rich. 

Joe Carrigan: [00:13:33]  OK. 

Dave Bittner: [00:13:33]  Hey. Good morning. 

Joe Carrigan: [00:13:34]  Hey. It's nearly afternoon in the U.K. 

Dave Bittner: [00:13:37]  It's 10 a.m. here. 

Joe Carrigan: [00:13:38]  Ah. 

Dave Bittner: [00:13:39]  What's the time there? 

Joe Carrigan: [00:13:40]  Five. So why are you trying to match with someone in the U.S.? 

Dave Bittner: [00:13:44]  I'm willing yo (ph) move there anytime soon, as soon us (ph) I graduate from school. 

Joe Carrigan: [00:13:50]  Uh, so someone with a different picture showed up with the exact same number to text. I don't understand the point. 

Dave Bittner: [00:13:56]  I'm willing to move there as soon as I graduate. Sorry, I don't get you. 

Joe Carrigan: [00:14:00]  And I would have to pay for your travel? 

Dave Bittner: [00:14:02]  No, I have money. And I'm from the rich. 

Joe Carrigan: [00:14:06]  Uh, why would two different women on Match have the same number to text to? 

Dave Bittner: [00:14:11]  Sorry. Why are you sounds fishy? Is anything wrong? I don't know. I am very new to this. Sorry, you are getting me confused. 

Joe Carrigan: [00:14:18]  Two women - same number, same method of texting. That's pretty straightforward. 

Dave Bittner: [00:14:24]  Well, I know nothing about this. Sorry. 

Joe Carrigan: [00:14:26]  OK. Are you from the U.K., originally? 

Dave Bittner: [00:14:29]  Yes, please. 

Joe Carrigan: [00:14:30]  Because your English is a little off. For instance, in English, you don't say, you are from the rich; you would say, you are rich or your family is rich - just FYI, for the next person you try this on. And you don't say, you are getting me confused; you would say, you are confusing me or I'm getting confused. Does that help? 

Dave Bittner: [00:14:49]  OK. Thanks, you. 

Joe Carrigan: [00:14:51]  No S (ph). 

Dave Bittner: [00:14:54]  (Laughter). 

Joe Carrigan: [00:14:54]  So your friend is trying to give this person a lecture in English. 

Dave Bittner: [00:14:58]  Yeah. Well, you know, he's helpful. 

Joe Carrigan: [00:15:00]  Right (laughter). 

Dave Bittner: [00:15:00]  Yeah, he's - not only is he eating up the scammer's time, but it's just a little cultural exchange there to try to help them brush up on their English. 

Joe Carrigan: [00:15:10]  Right, this is not a native English speaker. 

Dave Bittner: [00:15:12]  Nope. All right. Well, that is our Catch of the Day. Coming up next, Carole Theriault returns. She's got an interview with J. Bennett. He is from Signifyd. They are a firm that is looking to use artificial intelligence to help fight romance scams. 

Dave Bittner: [00:15:25]  But first, a word from our sponsors, KnowBe4. And what about the biggest, tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B - please read important message from HR - well, you're getting warmer, but that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest. 

Dave Bittner: [00:16:35]  And we are back. Joe, Carole Theriault recently had the opportunity to speak with J. Bennett. He is from a company called Signifyd, and they're using artificial intelligence to fight romance scams. Here's Carole Theriault. 

Carole Theriault: [00:16:48]  So at some point in our lives, if we are lucky, we find love. And prior to this, a lot of our free time is spent, well, seeking it out. And those of us with grayer hair out there will remember when flirting just consisted of a shy smile across the library aisle. But some of the younger listeners out there may have only experienced online connections. And let's face it - the reality is that today's dating world, whether you're an old pro or a newbie on the scene, largely begins online. And it ain't all pretty. There are scammers out there who kickstart their attack where it hurts the most - the heart. 

Carole Theriault: [00:17:26]  And there's this recent New York Times article which reported on a woman's suicide following her discovery that she had been first romance scammed and then financially duped to the tune of $100,000. Yeah, you heard that correctly. And yeah, it is a shitload of money. Now, I've invited the VP of operations and corporate development, Bennett from Signifyd. This is a company that uses artificial intelligence and machine learning to detect and block these types of attack. And I wanted Bennett to walk us through this scam to help us understand what we can do to protect ourselves. Thanks, Bennett, for coming onto the show. 

J Bennett: [00:18:04]  Absolutely. Thanks for having me. I think there are two things from your intro that I would like to tease out - the idea of old pros and new people trying to find love online. And actually, what we find is that the scammers are very good at finding both of those people in one. So we're typically going after elderly folks who are reentering the dating world. It's almost someone who is not used to this space and then trying to find love and then trying to do it online for the first time - that seems to be where people are going after. These are becoming increasingly common. They're doubling in count and more than quadrupling in dollar amount. And so fraudsters are finding a lot of success with this type of attack. And it was already the No. 1 as reported to the FTC and the FBI. 

Carole Theriault: [00:18:50]  Gee - because I've got to tell you, if my own husband of mur-mur-mur (ph) years asked me for $100,000, I can assure you, both my eyebrows would shoot up pretty darn quickly. So how does an individual part with such a significant amount of money without ever having met the person in real life? 

J Bennett: [00:19:08]  Difficult to answer because it's so personal to every single situation. People who have $100,000 lying around that they could maybe wire to someone because, you know, they need it for hospital bills, they need it to pay for a visa - that's a pretty small population. So the first thing to really understand is that these fraudsters are putting in work. And they see someone as a target; they identify someone. We have seen in our interviews with the people who have been scammed that they're spending a minimum of a year building up rapport with these people. 

J Bennett: [00:19:41]  It doesn't even need to be romance; it could be up to three years of a friendship. And then all of a sudden, a really dear friend to you says, oh, I've been totally destroyed by this accident. I can't pay my hospital bills. Now I can't get out of the country because the - you know, the debtors are coming after me. This whole scenario sounds pretty fantastical. I liked the way that you framed it of, if my husband asked me for this, what would I say? But unfortunately, you probably have a much stronger support network than the people who are being targeted. 

J Bennett: [00:20:13]  So the fraudsters are really very good. And I think it's key to start with - you're filtered, right? Before a fraudster starts to groom you, you are typically on your own. You're typically looking for love. And those two things together really put you in a different state of mind. 

Carole Theriault: [00:20:30]  So we're looking at someone that maybe has gone through marriage, has had kids... 

J Bennett: [00:20:34]  Yes. 

Carole Theriault: [00:20:34]  ...And maybe faced something, a divorce or has been widowed, and now are looking to try and find new love. So - and this new area of being online is a - it's a brand-new world for them. 

J Bennett: [00:20:44]  Yes. Yes. And if you think, where are people's social networks now? Oftentimes, if you're elderly, you may be using Facebook as a way to try to get help, right? You want that like. You want that dopamine. 

Carole Theriault: [00:20:56]  Right. 

J Bennett: [00:20:58]  And so people are very honest about some of the best, right? They - you know, they put up a really plausible screen - oh, I'm, you know, traveling in Bali this year. Or, oh, I just had my honeymoon. Everything's wonderful and beautiful, right? Oh, I just got a promotion. But Facebook is also used for the inverse. When people are at their lowest, they'll post and they'll say, I'm really looking for help. I'm really looking for prayers. I could really use some friends who I haven't talked to in a while. You could log onto Facebook right now and search for certain keywords and go through profiles and find someone who's at the lowest point in their life right now. 

Carole Theriault: [00:21:33]  OK. So I'm at the lowest point of my life. I have decided to go onto Facebook and reach out - right? - to connect with someone for all the reasons you described. What happens then in the case of a romance scam? I just want to try and see if we can isolate some kind of components that might make us safer online. 

J Bennett: [00:21:51]  The fraudster's not going to reach out then, right? But they will keep a list, right? And so they'll know - hey, this particular person has just lost their husband. I'll circle back in three months. They'll make sure - see are they looking for a relationship now? Are they a year later now? I think that the other thing that people don't particularly understand about fraudsters, they treat this as a business. 

J Bennett: [00:22:13]  They are very professional at what they do. They spend a lot of time and effort, and the rewards are worth that. And so you always think about cost-benefit analysis of any business. And so a fraudster is willing to very much say, I have the list of 30 prospects. I'm going to see who has entered the dating market. Say, six months a year from now, have check-ins. I will then target them with particular content. Maybe this woman has posted favorably about the military. Maybe this woman has posted favorably about her nonprofit activity. Maybe this gentleman has posted about, you know, how much he misses his wife who had these type of characteristics. 

J Bennett: [00:22:54]  And so the fraudster will then tailor the profile - because these are fake people, right? - to what they know about the person. They'll tailor their first message of - oh, you know, I'm a doctor working in an orphanage in Malaysia. And that might, to the particular person who's being scammed, sound like the best thing in the world, an angel who has come in and said, this is exactly the type of goodness that I need to see in the world. And so it's really preying on very specific, very personal ways to communicate from the fake profile to the person who is being groomed to scam. 

Carole Theriault: [00:23:28]  Yeah, it almost sounds like cult grooming. 

J Bennett: [00:23:30]  It is. It's very similar. And even after they've been scammed, they don't want to admit it. No, this is my friend. No, this - and so it's really quite tragic. 

Carole Theriault: [00:23:41]  So even our numbers, the numbers that you guys have collated, are probably low because people are, you know... 

J Bennett: [00:23:47]  One hundred percent. 

Carole Theriault: [00:23:47]  Right, right. 

J Bennett: [00:23:49]  One hundred percent, yes. 

Carole Theriault: [00:23:50]  Does this normally happen more to women or to men? Is there any gender information you guys have? 

J Bennett: [00:23:54]  Definitely that women tend to be more targeted. The FTC - all of the scammer pronouns are female pronouns, and all of the scam pronouns are male. And so it's quite interesting that they've chosen to do that, either consciously or subconsciously. 

Carole Theriault: [00:24:10]  Do you have tips or ideas on what red flags are to help us navigate these waters that seem to get more and more dangerous every year? 

J Bennett: [00:24:19]  Yes. So the single best thing that you can do that I don't feel gets emphasized enough is to freeze your credit and freeze the credit of your parents. That is definitely the best thing you can do. If you think about all of the other types of ways to send money, that has its own piece, right? I think that the fraudsters are moving away from that. And what they're now attacking are loan applications, credit cards and those types of things, all of which, ultimately, if you have locked your credit, then that will solve probably 70% of the problem. 

Carole Theriault: [00:24:51]  Wow. Yeah. 

J Bennett: [00:24:51]  What these scammers were doing is they were getting information, sensitive information, about their target and then opening new credit cards in their name, moving the real credit cards that they have stolen from someone else to the billing and delivery address of their sweetheart and then that allowed them to skate through all the traditional fraud review. So that's the single best thing that you can do that is fairly easy and straightforward. 

Carole Theriault: [00:25:16]  Yeah, that's a great piece of advice. Makes perfect sense, right? 

J Bennett: [00:25:19]  Yes, yes. So shout it from the mountaintop. 

Carole Theriault: [00:25:22]  I will. I will. I'm on your - I'm on that side, definitely (laughter). 

J Bennett: [00:25:25]  Perfect. So the next thing is, obviously, we can't stop people from dating online or finding love online. 

Carole Theriault: [00:25:31]  Right. 

J Bennett: [00:25:32]  If you do a reverse image search of someone that you've met and you find that they have a presence across the web with different names, it's a huge red flag. The problem is that's not an easy thing to do for, you know, an 80-year-old woman who's just now trying to find someone to talk to. Trying to do a reverse image search is pretty difficult. So hopefully, you can look out for those people in your life that are looking online and kind of teach them how to do it and show them and take them through an example of someone who has used a fake image. 

Carole Theriault: [00:26:04]  Right, right. Good advice, yeah. 

J Bennett: [00:26:06]  Next thing is, absolutely don't take the conversation out of the app until probably three months in. And so what the fraudsters will do is they'll say, oh, I don't want to talk in this dating app anymore. Let's go to email. Let's go to WhatsApp. Let's go to text.

Carole Theriault: [00:26:40]  If you kind of start getting that feeling of red flags are popping up everywhere, I need to extricate myself from this situation, this person I'm talking with online - are you saying, let's do that respectfully and just bow out slowly, freeze your credit? 

J Bennett: [00:26:55]  Yeah. I think that, in general, the fraudsters need to be respected and not dismissed. I think one of the things that people really do is they think, oh, this is somebody who's just a terrible human being, or, oh, this is someone who's really dumb; like, why are they a fraudster? And I think we have to realize that these are human beings with an agenda, and this is their job, and they are quite good at it, and they spend a lot of time testing. And so the only reason that they're doing these type of attacks is because it's successful, right? The fact that the FTC and the FBI know about these means that the fraudsters are making a lot of money on this. And so it's worth paying attention to, and it's worth respecting that they know what they're doing because they're following the money.

Carole Theriault: [00:27:38]  Bennett, thank you so much for taking the time to chat with us today. It's been fascinating. All you love-seekers out there, I hope you remember to manage this one factor enough so that you can actually see these red flags. This was Carole Theriault for "Hacking Humans."

Dave Bittner: [00:27:54]  Joe, what do you think?

Joe Carrigan: [00:27:55]  You know, Dave, I find that interview a little bit disheartening, a little bit sad.

Dave Bittner: [00:27:59]  Yeah.

Joe Carrigan: [00:28:00]  But I want to go over some points here. You know, my kids, both their current significant others they met online. They've met through dating apps. You know, my daughter met her fiancee through a dating app. My son has met the girl he's currently dating and the last girl he dated through dating apps. It's just how people do things now.

Dave Bittner: [00:28:15]  Right.

Joe Carrigan: [00:28:15]  They're going after these older folks online, and there are actually sites that cater to that demographic, like ourtime.com...

Dave Bittner: [00:28:21]  Oh, yeah.

Joe Carrigan: [00:28:21]  ...Which is a dating site for guys our age, Dave.

Dave Bittner: [00:28:24]  Speak for yourself, grandpa.

[00:28:26]  (LAUGHTER)

Dave Bittner: [00:28:28]  I think an important point here, when they're talking about social media - and they brought up the point that you can see people at their best and at their worst...

Joe Carrigan: [00:28:36]  Right.

Dave Bittner: [00:28:37]  ...A saying that I find helpful for putting social media in perspective is that, in places like Facebook, you are comparing your behind the scenes to everyone else's highlights reel.

Joe Carrigan: [00:28:47]  Right. 

Dave Bittner: [00:28:48]  So everyone else, you see their great vacation, and their kids are graduating from college, and they just got a new job and a new car and a new outfit and a new puppy. 

Joe Carrigan: [00:28:56]  Right. 

Dave Bittner: [00:28:56]  And meanwhile, you're home sick with the flu, and your hair doesn't work, and your shoes don't fit, and your car broke down, and you can't afford to take the vacation you want. 

Joe Carrigan: [00:29:06]  Does my new puppy upset you, Dave? 

[00:29:07]  (LAUGHTER)

Dave Bittner: [00:29:09]  Anyway... 

Joe Carrigan: [00:29:11]  I think it's interesting, when he talks about Facebook, that they're actually, essentially, doing lead generation on Facebook, right? They're looking at people who are saying, my spouse just passed away or I just got divorced, and then they don't come back to that person right away - or don't... 

Dave Bittner: [00:29:25]  Yeah. 

Joe Carrigan: [00:29:25]  They come back in three months, and then they follow that up with one to three years of pretexting. 

Dave Bittner: [00:29:29]  Well, you know, it reminds me, in the old days, before these online tools, you would hear about scammers would look through the obituaries... 

Joe Carrigan: [00:29:37]  Right. 

Dave Bittner: [00:29:37]  ...To try to find widows, and they would try to scam them. That was how they generated their leads. Someone just died, so let me call up the widow and try to get some of that insurance money. 

Joe Carrigan: [00:29:48]  Right. I like what J says about protecting yourself, freeze your credit. They're not trying to bilk you out of money anymore. He said 70% of the time they're performing identity theft. If they get enough personal identification information from you, then they can just fill out credit card applications in your name and have them sent to another address, but the billing can be sent to your address. And lo and behold, now you might be on the hook for it. Of course, it's fraudulent, and these credit card companies - you may not have to pay them. I don't know how that works. I never had to go through that - yet. 

Dave Bittner: [00:30:16]  Yeah (laughter). 

Joe Carrigan: [00:30:18]  Reverse image search is also helpful. We've talked about that here. But he's right - how do you get your 80-year-old mom or grandmom to do a reverse image search? I like what he says - don't take the conversations out of the app, especially, he says, not for three months. I'm imagining that after three months, if the account is a scam account, it will be shut down by these dating sites. But we've also had stories on here before where dating sites aren't shutting down these scam accounts (laughter) because it's against their own financial interests.

Dave Bittner: [00:30:46]  Right. 

Joe Carrigan: [00:30:46]  Here's my suggestion. Try to date locally, and then try to meet the person to make sure that they're real. Have that meeting in a public place. Like, let's get together for coffee over at the local coffee shop and take an Uber there, right? Don't drive your car; take an Uber. Then get out of the car and sit down, and then when your ride gets there, just walk to the car and drive off. I think that's a good operationally secure way to meet somebody in person and verify their existence. 

Dave Bittner: [00:31:13]  Yeah. I mean, that's tough, isn't it? I'm just so out of touch with all of this. It's been so long since I've had to deal with any of this (laughter). 

Joe Carrigan: [00:31:19]  Yeah. You and I have never had to do online dating. 

Dave Bittner: [00:31:21]  Right, right. So the people I dated were people I already knew... 

Joe Carrigan: [00:31:25]  Right. 

Dave Bittner: [00:31:25]  ...From school or college or work or - so I wasn't meeting people out of the blue; they were sort of pre-vetted because they were at school, or they were at work. 

Joe Carrigan: [00:31:34]  Yeah. 

Dave Bittner: [00:31:34]  Or, you know, they weren't dropping in from out of the blue. On the one side, it makes it easier to find people, but on the other side, you have the possibility for being scammed like this. 

Joe Carrigan: [00:31:43]  Exactly. You know, there's always the social anxiety of walking up to somebody that you know and saying, hey, you want to go get a cup of coffee sometime or you want to go have dinner sometime? And it's someone you just met. You don't know if they're in a relationship or not. At least when you're dating online, there's a very - I've always seen the appeal of it because what you're doing is you're looking for people who you know are looking for a relationship, right? 

Dave Bittner: [00:32:05]  Right, right. 

Joe Carrigan: [00:32:06]  So - but you're right. You're 100% correct. These scam - that just makes you vulnerable to these scams. J. was saying have a healthy respect for these people. I mean, they're - I don't know. I find these people despicable people. 

Dave Bittner: [00:32:18]  Yeah, I guess have a respect for their capabilities, is the way to say it. That they're... 

Joe Carrigan: [00:32:21]  Correct, I would say that. Yes. Respect that like you respect a weapon, right? (Laughter). 

Dave Bittner: [00:32:25]  Yeah. Right, yeah. Exactly. Every gun should be considered a loaded gun. 

Joe Carrigan: [00:32:29]  Exactly. Absolutely. 

Dave Bittner: [00:32:30]  All right. Thanks to Carole Theriault for bringing us this story, and thanks to Bennett for doing the interview. It's good information. And thanks to all of you for listening. 

Dave Bittner: [00:32:38]  And of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:33:02]  The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:33:15]  And I'm Joe Carrigan. 

Dave Bittner: [00:33:16]  Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
