Hacking Humans 9.10.20
Ep 115 | 9.10.20

The story is what gets people in.

Transcript

Mallory Sofastaii: If you are the victim of this fraud, it's important that the Department of Labor knows that it wasn't you because this could impact your ability to get benefits in the future.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. This episode is for September 11, 2020. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Mallory Sofastaii. She's a reporter and anchor at WMAR 2. That's a local affiliate here in Baltimore. And she's covering the story of an imposter who stole a Marylander's identity to steal unemployment insurance benefits. It's an interesting...

Joe Carrigan: I'm already mad. 

Dave Bittner: (Laughter) It's an interesting tale. So stick around for that. All right. Joe, let's kick things off with some stories this week. Why don't you get us started. 

Joe Carrigan: Dave, I'm going to get started with a story I saw in the weekend edition of The Wall Street Journal a couple weekends ago. And this story is from Ariel Sabar. And it is called "The Age-Old Secrets Of Modern Scams." And it starts by talking about the Twitter hack and how the prosecutors of this Twitter hack - this is the one where the teenager put out a bunch of Bitcoin scam tweets from people like Jeff Bezos, Barack Obama... 

Dave Bittner: Yep. 

Joe Carrigan: ...Elon Musk. The prosecutors called him a mastermind... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Of a, quote, "massive fraud designed to steal money from regular Americans." I don't know how many regular Americans own bitcoin. I'm not diminishing what this kid did. What he did was remarkably dangerous. And had it not been some kid looking for some bitcoin, this could have been very damaging. But he got away with $118,000 after taking control of multiple accounts. Now, that seems like a lot of money, right? 

Dave Bittner: Yeah. 

Joe Carrigan: ...A hundred and 18 thousand dollars. But if you compare that to a YouTube scam back in June, where somebody impersonating Elon Musk may have gotten as much as $464,000 - just by impersonating Elon Musk, not actually hacking into his account, right? 

Dave Bittner: Right. 

Joe Carrigan: There was no hacking involved. This was just, we're going to put up this YouTube video. We're going - they actually livestreamed a video they'd probably done before. And they got $464,000 - almost half a million dollars - compared to the Twitter guy, who got $118,000 after actually socially engineering his way into Twitter, getting by multi-factor authentication by doing a SIM swap attack. And these guys don't even do any of that and they make four times what he makes. So... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: The ability to make a scam work, the article says, depends less on your technical skills and more on your ability to tell a convincing story. So the Twitter scam was not well thought out. I mean, the attack to get inside was well thought out. But once he was inside, what did he do? He just copy and pasted the same tweet to a bunch of different accounts. That is a typical Bitcoin scam. Every one of those tweets sounded scammy, right? But the YouTube scam back in June used SpaceX branding. And it timed the broadcast with the launch of the Crew Dragon, Falcon 9. The video was livestreamed. And the Bitcoin addresses for the scam contained the words Musk and space. 

Joe Carrigan: Now, I don't know how many Bitcoin addresses these guys had to generate before they got a Bitcoin address that contained the word Musk and space. The article has them quoted with a capital M, lowercase U-S-K. The point is that this sounds much more like something Elon Musk would do, right? This is what - you know, hey, I want to call attention to everybody. I want everybody to watch my rockets take off. I want everybody to watch me deliver - for the first time in history, a private corporation to deliver a human payload to an orbiting space station. That's never happened before. 

Dave Bittner: Help me celebrate my success. 

Joe Carrigan: Right. Exactly. This is the kind of thing that he's known for doing. He does crazy things, particularly to promote his stuff. So this - that's what this story is about. And that makes it much more believable. And once it's more believable, it becomes more successful. And it's demonstrated in the dollar amount that these people made. Now these are nothing new, these kind of scams. It really depends on your ability to tell the story. This goes back a long time. This is nothing new. 

Joe Carrigan: In fact, The Wall Street Journal article talks about a manuscript in the Middle Ages that was claimed to have been written by the fourth century Roman emperor of Constantine. And it wasn't discovered until the 15th century by an Italian scholar that it was a forgery. And it was rife with, quote, "contradictions, impossibilities, stupidities, barbarisms and absurdities." Then, in April of 1983, the German magazine Stern started publishing what they believed were a cache of Hitler's lost diaries, 60 volumes in total. They paid $4 million for these. 

Dave Bittner: Wow. 

Joe Carrigan: And after publishing, within days, German authorities announced that they were fakes. 

Dave Bittner: (Laughter) Oh, man. 

Joe Carrigan: So I mean, if you work at Stern - if you're the guy at Stern that paid $4 million for fake diaries... 

Dave Bittner: Yeah. It probably tipped them off when Hitler was saying what a big fan he was of the Beatles. 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: That should have been your first clue. 

Dave Bittner: Yeah. Well - you know. 

Joe Carrigan: This is even going on now. And it doesn't happen to just regular people. There's a professor at the Harvard School of Divinity named Karen King who announced the discovery of "The Gospel of Jesus' Wife," right? It turns out that this was also forged by using an old piece of papyrus and making some soot ink, which is apparently very easy to do. So the person who presented this to Dr. King realized that this was something that was in Dr. King's wheelhouse and presented her with a story that matched her beliefs. And Dr. King acknowledged that she'd been duped four years after publishing this. So we shouldn't mock people for falling victim to these. Everybody falls victim to these, including this Harvard professor. And we've had stories of other Harvard professors who have fallen for similar things and lost personal fortunes. And it happens to everybody. Anybody can fall for it. 

Dave Bittner: Right. 

Joe Carrigan: It depends - all you need to do is have that right trigger that clicks something off in your mind, and that's why these scams start with such a broad net. They're trying to go after a bunch of different people, and it's almost like sales, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's almost like the cold-calling organization for Salesforce. You have to find the right person who you can tell has been activated by what you say. 

Dave Bittner: Right (laughter). Right. Yeah. I mean, I think the story element is so key here. I mean, you know, how - I think about everything - like timeshares, you know? They sit you down in a room, and they tell you a story about how you're going to - you know, you're going to love having this vacation home, and it's going to be the best thing ever and - which sure sounds good when you're there in the room. 

Dave Bittner: You and I are around the same age. We grew up watching that show "In Search Of..." - remember that one? Hosted by Leonard Nimoy - and things like the Shroud of Turin and the - Noah's Ark - people thought that they had these things that were these antiquities. And as time went on and science got better at being able to analyze them, they found, oh, no, this is not that old, really (laughter). 

Joe Carrigan: Right. Yeah. 

Dave Bittner: But the stories are so compelling, and that's what makes it fun. 

Joe Carrigan: Exactly. If you go back through "Hacking Humans," there's the story of the guy who sold the Eiffel Tower, like, five or six times, right? 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: You don't just stand outside the Eiffel Tower going, hey, you want to buy the tower? No. 

Dave Bittner: (Laughter) Right. Sign here (laughter). 

Joe Carrigan: You don't do that. He comes up with this whole story, and he tells everybody to keep it quiet because it's a secret, but they're actually going to tear the tower down, and they're going to sell it for scrap. Who wants to buy the scrap metal? The story is the scam. The story is what gets people hooked and gets people in. 

Dave Bittner: Yeah. All right. Well, it's interesting - interesting story. My story this week has a bit of storytelling in it, as well (laughter), or influence, anyway. This is a release from the Oklahoma City Police Department, and this is a very clever theft. A man walked into a convenience store, and he convinced the store clerk that he was there to take over her shift. 

Joe Carrigan: (Laughter) Brilliant. 

Dave Bittner: Yeah. He had a shirt on that had the store's logo on it, and he convinced her, you know, go home early. You know, you're going to get paid, but I'm here to take over your shift. So she leaves. He continues to run the store for a little while. He operates the register, checks people out, you know, makes everything seem normal. Then, eventually, he locks the door, steals all the money. They said he also stole all the cigars and lottery tickets. 

(LAUGHTER) 

Dave Bittner: So there's that. And then he fled the business. The Oklahoma City Police have a description of the car he was driving. There are a couple photos of him from the security cameras. So what strikes me about this is just how bold and brash this is and that this requires - this guy has to be cool as a cucumber, right? 

Joe Carrigan: Right. Yeah. I mean, he has to go in there and talk his way into getting behind the cash register. I know people I work with, you know? And, jeez, I mean, I guess he was very convincing. I guess maybe in this store, there's a high turnover, or maybe you don't know everybody you work with because you work different shifts. 

Dave Bittner: Yeah. 

Joe Carrigan: But this is amazing. 

Dave Bittner: I mean, you'd think the person would say, well, let me call a manager or let me call my boss. You know, there aren't a whole lot of details here of exactly what he did to convince the other clerk to take off. This gentleman certainly must have the, you know, gift of the gab to be able to do this (laughter). 

Joe Carrigan: He talked his way into owning a convenience store, essentially. 

Dave Bittner: Right (laughter). Right. Exactly. 

Joe Carrigan: He could have emptied everything out of there. They're lucky he only went with the cigars, the lottery tickets and the money. 

Dave Bittner: Right. Right. Pull up a U-Haul and just clean the place out. Yeah (laughter). Yeah. So that was my story this week. It just struck me as being just so bold and brash - I - oof, man. What... 

Joe Carrigan: Yeah. Why didn't he pull up a U-Haul? Why didn't he have somebody on call with a U-Haul to just empty that store out? And then when somebody came in and said, what's going on? He'd go, oh, we're getting ready to remodel. 

Joe Carrigan: Right (laughter). Right. Right. 

Joe Carrigan: Because I've been in stores that are cleaned out, and they tell me it's getting - they're getting ready to remodel, and I believe them, right? 

Dave Bittner: Yeah. 

Joe Carrigan: If there's a guy behind the counter wearing a shirt with the logo on it, I would absolutely believe him. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I wouldn't even think twice about that. 

Dave Bittner: Yeah. Yeah. Exactly. And, I mean, and that's the thing. Like, there had to be a certain amount of forethought and planning that went into this because he had the shirt with the logo on it. So it wasn't a spur-of-the-moment thing where he thought, oh, let me see if I can pull this off. No. He put some planning into it. Who knows if this is something he's done before? All right. Well, that is my story this week. It's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE)  

Joe Carrigan: Dave, our Catch of the Day comes from Find My Scammer on Twitter. It's @findmyscammer. They received an email from a fake landlord, and they're trying to track him down. But the email is pretty good. Dave, are you going to read this? 

Dave Bittner: I most certainly will. Let's see. What would a fake landlord sound like? Maybe it sounds a little something like this. 

Dave Bittner: (Reading) Hello. Thank you for the most eloquent response to my listing. I'm the owner of the apartment you're making inquiry of. Actually, I resided in the apartment with my family before, and presently, we had packed due to my transfer from my church, where I work, and now situated in Pennsylvania, United States of America. And presently, my apartment is still available for rent, and I'm not willing to sell my apartment anymore. It includes the utilities, such as dishwasher, fridge, stove, assigned, secure parking, fitness facilities, microwave, washer, dryer, cable satellite, internet connectivity, storage locker, fireplace, packing. I have my furniture in the apartment. If you wish to move in with your furniture items, no problem. You can put my own furniture in the store. Please, I want you to note that I'm a kind and honest man, and also I spent a lot on my property that I want to give you for rent. I will want you to take absolute care of my apartment, and I do want you to treat it as your own. Money is not the most important thing, but I want you to keep it tidy all the time, so I will be glad to see it neat when I come for a checkup. I look forward to hearing from you ASAP, so I have included an application form to fill out below. Fill it out and send it back to me and discuss on how to get the apartment for rent. Looking forward to hearing from you soon. So if you are OK with this, please return the application form in your next email. Like I said earlier, we are not just after the rent money, but if you have to promise to keep the apartment tidy. 

Dave Bittner: Well, there you go. That's... 

Joe Carrigan: That's amazing. I think two things are going on here. One, they're definitely going to steal your personal information and sell that... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...If you fill out that application form. And the other thing that they're going to do is - after you filled out the application form - is they're going to say you when you get the apartment. Now send me a deposit. They're going to try to steal that money from you, as well. 

Dave Bittner: Right. Right. Some kind of security deposit for first and last month's rent or something like that. It's interesting. You think the apartment actually exists. Do you think - what do you think? 

Joe Carrigan: No. 

Dave Bittner: Do they think they use pictures from a real apartment, but it's not their apartment? 

Joe Carrigan: This is very common on Craigslist, where you just put a bunch of pictures of an apartment up for rent. You don't even own the apartment. All you have is a set of pictures. And you're trying to get people to apply to rent the apartment and possibly send you a security deposit.

Dave Bittner: Targeting folks who are out-of-towners... 

Joe Carrigan: Yep. 

Dave Bittner: ...Right? - who can't just drive by and take a look at the apartment or something like that. 

Joe Carrigan: Right. Well, they may even know where the apartment is and see it. It may be in a building. They may have an address. But they don't own anything in there. 

Dave Bittner: Right. 

Joe Carrigan: I would not do anything for an apartment until I could get in and physically see the apartment and... 

Dave Bittner: (Laughter) Right. Yes, yes. 

Joe Carrigan: ...Meet somebody who was trying to rent it to me. 

Dave Bittner: Thanks to the folks at @findmyscammer for sharing that. And that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Mallory Sofastaii. She is a reporter and anchor at WMAR-2 here in Baltimore. And she recently reported on an imposter who stole a man's identity here in Maryland to steal unemployment insurance benefits. Here's my conversation with Mallory Sofastaii. 

Mallory Sofastaii: Well, Michael is the name of the man who had his information stolen. He emailed me because he wasn't getting a response back from the unemployment office. And he knew that I was in touch with them, sending claimants' information who needed assistance. There was a huge delay in benefits, as I'm sure you're aware. So he emailed me, seeing if there was anything I could do to help him get the attention of the Division of Unemployment Insurance to let them know that someone was claiming benefits under his name. 

Dave Bittner: Well let's go through some more of this story together. I mean, what's the background here? Obviously, unemployment has sort of been crushed under the weight of the demand from the COVID pandemic, yes? 

Mallory Sofastaii: Absolutely. In Maryland, on average, they were getting - I believe it was around 2,000 claims a week. And then it skyrocketed. You saw one week, it was over a hundred thousand. So in order to keep up with this demand and to have to vet all these claimants and make sure they are who they say they are and that their work history is in line, it's a lot to ask. So yes, they have been crushed by the overwhelming number of claimants and also implementing these new programs under the CARES Act for people who didn't typically receive benefits. So you have the self-employed, the independent contractors, the gig workers. The CARES Act basically said these people now qualify for benefits. And states had to implement these programs in order to deliver these benefits while also vetting them. And it makes it a little bit more difficult when you have someone who's self-employed. How exactly do you verify with their employer that, you know, they - their work history is correct and that they've been at that position for, you know, X amount of years or days? So it adds this extra level that made it more challenging for states to verify and made fraud more rampant. 

Dave Bittner: And I suppose also, it's a bit of a double whammy because you've got the state employees who are also doing their best to function under COVID, as well. 

Mallory Sofastaii: Yes. And they shut down their offices. So a lot of these people are working remotely. They had to bring in Accenture, which is another company, and just hired professionals to try to train them up so that they can handle the overwhelming number of phone calls from people who are still waiting on their benefits, wondering, what's the delay? On top of that you have these employees who have to coordinate these interviews with employers to confirm all this information. So it's kind of this back and forth in - you know, the best way the Secretary of Labor describes it - it's an insurance program. So you have to go through all these different steps. You know, if you were to get in a car accident, you have to talk to both individuals who were in the accident. You have to confirm this information. And that's the same with unemployment. So, you know, it's not a quick authentication process by any means. And when you have hundreds of thousands of people now trying to claim benefits, it created the perfect storm. 

Dave Bittner: Walk us through this gentleman's experience. What happened when he reached out and tried to claim his unemployment benefits? 

Mallory Sofastaii: Michael actually wasn't looking to claim any benefits. He was working full time. He was one of the lucky ones who got to keep his job. So what happened was one day, a letter arrived to his company's office. And his HR director approached Mike, saying, hey, we got this letter stating that you are claiming unemployment insurance benefits. But we obviously know you're still working here, so this is a problem. And Michael said, you know, I have no idea why you received this letter. So the HR director said, OK, you know, let's try to get to the bottom of this. We'll make some phone calls. You make some phone calls. 

Mallory Sofastaii: And so that letter came late June. But according to the letter, the person had already been collecting benefits since April 25. So, you know, to even get the ball rolling, they never received any kind of notification that someone had filed for unemployment insurance under Michael's name. So then what happened from there is Michael tried calling the unemployment insurance office. He couldn't get through because the phone lines are overwhelmed. They hadn't yet implemented this callback system, which still is having its issues. The email didn't receive any kind of response - same thing happened with this company. They also tried notifying the Division of Unemployment Insurance and also experienced difficulty getting through. So Michael is actually an IT professional. What he did was - he was so frustrated, you know? He sees these stories of these people who desperately need these benefits. And then to see this imposter... 

Dave Bittner: Right. 

Mallory Sofastaii: ...You know, receiving benefits over these other people who really need it just made him so angry. So what he did is he went onto the BEACON system, which is what it's called in Maryland. And he was able to log in using his own information. The only thing he didn't have was the user ID. But he could say, I don't know my user ID. And they spit it right out to him. So he logged on. And he saw that, you know, there was a Florida address, which wasn't his. There was a Gmail account on there that wasn't his.

Mallory Sofastaii: He said the only thing on there was his old property address from 1995. He has no idea how that information got on there. And as we mentioned, Michael being in the IT profession, he's not surprised that someone was able to get his personal information. He knows that a lot of this has leaked out through major data breaches through Equifax or Target, you know, some of those huge ones. 

Dave Bittner: Right. 

Mallory Sofastaii: And then that information goes on the dark web. And people could potentially purchase it there and use it for anything they like, which, in this case, he believes is what happened. He has no idea how this person got his information. But that's what he assumes. 

Dave Bittner: So once he was able to log on there, was - did he have any ability to shut it down or make any changes? 

Mallory Sofastaii: He cannot shut it down. There's not that option in the system. So what he did was he - in order to get unemployment insurance benefits, you have to file a weekly claim certification saying that, you know, you weren't unemployed. You were searching for work. You didn't get paid anything. So what he did was he filled it all out like it was him. So he said, I worked every day this week. I was paid. I have a full-time job. And then there's an option to upload different documents, like a W-2 form. So he uploaded a Word document stating, you know, this account has been hacked. This does not belong to me. It belongs to someone else. Please, shut it down. Please, contact me - hoping that this would, A, halt the benefits, and then also get someone's attention to contact him so they can figure out what's been going on and shut down the benefits to this imposter. 

Dave Bittner: So at what point does he decide that it's in his best interest to reach out and contact you and your team there at WMAR? 

Mallory Sofastaii: He said it had been about a week and a half. He still hadn't received a response. He was concerned that this person was still receiving money. He estimates that that person had collected already around $3,200. And he didn't want them receiving a penny more. So then he emailed me. And, you know, since I have been in regular contact with the Department of Labor, I immediately brought this to their attention. They got in touch with Michael. And they were able to work it out quickly. And then, after that - it was about two weeks after our report. Maryland's governor held this news conference announcing that within the state's unemployment system, they've uncovered this massive fraud scheme. And we know that Michael was potentially part of that. 

Dave Bittner: Now, what about the perpetrator here? Is there any hope of trying to track that person down? 

Mallory Sofastaii: The Department of Labor wouldn't give us any specifics on that. All Michael had was an address. He didn't know, you know, if that was just a shell or if that was the actual person. You know, could this person have even been overseas? He has no idea. So all of the - this entire investigation now is being handled by the Office of the Inspector General for the Department of Labor. And they are very tight-lipped. They will not say, you know, where they are in their investigation, if they have found these culprits, if it's, you know, a ring of people involved or if it's just, you know, one-offs here and there. So we don't exactly know, you know, if that person will be punished or have to pay it back. But if you are the victim of this fraud, it's important that the Department of Labor knows that it wasn't you because this could impact your ability to get benefits in the future.

Dave Bittner: Yeah. That was going to be my next question. I mean, what does this mean for Michael or someone else who's in his shoes? How would this affect them going forward? 

Mallory Sofastaii: So Michael made sure that when he was going back and forth with the Department of Labor letting them know this wasn't him claiming benefits, you know, he wasn't perpetrating fraud, which does have a penalty. I'm not exactly sure what it is. I believe it's a year's suspension of benefits. But he received a letter from the Department of Labor stating exactly that we know you were the victim of fraud and that this wasn't you who was trying to fraudulently claim benefits. So that should he need unemployment in the future, he has this letter he can show proving that, you know, it wasn't him maliciously trying to game the system. 

Dave Bittner: Yeah. I mean, it's interesting to me that, you know, you have someone here like Michael who has the resources, who has the time, who has the knowledge and has the desire to try to do the right thing here to sort of track this down and be, you know, a good citizen. But not everyone has the ability to do that or the capabilities to do that. Do you have any sense for how widespread this has been? 

Mallory Sofastaii: This is happening in a number of states. Illinois recently said 120,000 fraudulent claims. We're seeing it in California, in Florida. The U.S. Department of Labor has put out these warnings saying we know that fraud is happening. We are trying to get a handle on it. Now that Maryland had that news conference and exposed this scheme, they did create an email address - that, hopefully, they check more frequently - for people who believe they are the victims of fraud or know about fraud to email them. And they have a certain group who then will, I guess, get back to the claimant as soon as possible. 

Mallory Sofastaii: But one of the unintended consequences of exposing this fraud is that a number of legitimate claimants have had their benefits turned off because now they're trying to work through and make sure that you are who you say you are, that you do deserve these benefits. And so for many people, they saw this happen over the weekend of July 4, where - I believe it was Sagitec, the vendor who created the BEACON website - they put out a news release saying that they turned off all out-of-state benefits except for - I believe it was D.C., Maryland and Pennsylvania. But for any out-of-state claimant - you know, college students or someone else who may be working in Maryland but moved home with family in a different state because, you know, they can't afford rent...

Dave Bittner: Retirees in Florida, maybe. 

Mallory Sofastaii: Exactly - retirees. So Sagitec said that in order to stop this fraud scheme, what they had to do was shut down their benefits. And now you have this group within Maryland Department of Labor having to manually go through each one of these claimants' information to verify them in order to reinstate their benefits. But I'm still receiving emails every day from people who haven't received their benefits in weeks. They state that, you know, they had been receiving them for a month or a few weeks before and that, you know, they are legitimate, and now they don't have this money. But it - you know, it's kind of - what do you do? You know, the state doesn't want to give away this money to someone who doesn't deserve it, but then you have these people who really need it and aren't getting it right now. 

Dave Bittner: Do you have any recommendations for folks out there who want to check to make sure that they're not falling victim to this? Is there any sort of irregular vigilance that people should be taking part in in their day-to-day practices? 

Mallory Sofastaii: Absolutely. Keep a close eye on your bank account, your credit card statements. Make sure there isn't any irregular activity there. Your credit reports - pull those regularly. I believe right now, because of the pandemic, you could pull those for free. You could go to freecreditreport.com and look for any suspicious accounts that don't belong to you. And that's exactly what Michael had to do, as well, because he was the victim of identity theft. You might want to put a freeze on your credit if you do suspect something's up. You want to take whatever steps you can in order to protect your identity because, you know, as I said, Michael being an IT professional, you know, he said he doesn't know how much information this person has on him. Is it just the basic personal information and his Social Security number? Or, you know, his words - am I going to wake up tomorrow and see that my bank account is empty? 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: A good interview, Dave, and thank you to Mallory for making this public. One of the biggest things I take away here is the difficulty in getting in contact with somebody at the Maryland Department of Labor or the unemployment office here. My son had to apply for unemployment during this pandemic. He's still not working. And he could not get ahold of anybody despite trying to. He experienced that huge delay that they were talking about early on in the interview, and part of the reason for this - and I can't say I don't understand why this happened. When you're talking about a fiftyfold increase in workload is - that's just something you can't really plan for, right? 

Dave Bittner: Yeah. 

Joe Carrigan: That is a Herculean task on the Department of Labor here. The workflow for getting these benefits is detailed by design, and that's kind of to prevent this fraud. But when people started filing claims for these benefits very early on and the huge wave of people getting the benefits, it seems like the Department of Labor just said, OK, we're just going to start paying out these benefits and start verifying later. And that took two months before Michael got notified of what was going on at his - by his employer coming to him and going, what's this letter here we're getting? But then there was no way to contact them. And, you know, there should be some kind of fraud and abuse line that you can call that should be staffed for this kind of thing because this is going to happen rampantly. So kudos to Michael for going in there and taking control of the account or trying to take control of his account and then telling the Department of Labor, no, I'm gainfully employed. Everything's fine here. 

Dave Bittner: Right. 

Joe Carrigan: It seems that that person still continued to get the benefits. I got to tell you, Dave, I am not shocked at all by the level of fraud that the state of Maryland and other states around the country have experienced. This is exactly the kind of thing these people wait for, these fraudsters wait for. When they started shutting down businesses across the country, these fraudsters - I could just imagine the, you know, the - squee (ph), we're going to make so much money here.

Dave Bittner: (Laughter) Right. 

Joe Carrigan: You know, that these people, that these weasels - they were happy. They were happy this was happening... 

Dave Bittner: Well, yeah - taking advantage of the chaos, you know. 

Joe Carrigan: Exactly. Take advantage of the chaos. Take advantage of the expedited process, and just start scamming people out of millions and millions of dollars. And in the end, Dave, we all pay for it. We, the taxpayers and the employees of the country, pay for it. 

Dave Bittner: Yeah. It's frustrating because, on the one hand, I can't fault the folks who were with the state of Maryland for saying, OK, let's prioritize getting these benefits out... 

Joe Carrigan: Right. 

Dave Bittner: ...As quickly as possible with as little friction as possible because... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...We want to ease the pain and anxiety of our citizens. And that, of course, has been - and that's been happening all over the world, not just Maryland, not just the U.S. but all over. But a side effect of that is that you're going to have some of the scammers out there who take advantage of that very thing, and that seems to be what happened here. 

Joe Carrigan: Yeah. 

Dave Bittner: Well, our thanks to Mallory Sofastaii for joining us, for taking the time. We do appreciate it. And also, you know, for her shining a light on this - this is one of those things where having the resources of an active local news crew to be able to follow up and draw attention to some of these things when perhaps they otherwise wouldn't get the attention that they deserve - you know, that's an important part of your local community. 

Joe Carrigan: Absolutely. 

Dave Bittner: All right. Well, that is our show. We want to thank all of you for listening, and, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.