Hacking Humans 4.15.21
Ep 143 | 4.15.21

Being aware can go a long way to prevent attacks.

Transcript

Herb Stapleton: Doing the simple things like guarding against phishing and being suspicious and being well trained and aware of what kind of social engineering tactics might be used really can go a long way to preventing these types of attacks.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Herb Stapleton. He's the FBI's cyber division sector chief. 

Dave Bittner: All right, Joe, let's kick things off with some stories. Why don't you start things off for us this week? 

Joe Carrigan: Well, Dave, it's tax season. 

Dave Bittner: (Laughter) Woo-hoo. 

Joe Carrigan: Wabbit season, tax season. And, of course, the IRS has come out with a warning about a scam, because these scammers keep track of the calendar; they know what to send out when. 

Dave Bittner: Right. 

Joe Carrigan: And there's an ongoing IRS impersonation scam that is primarily targeting educational institutions. That got my interest, right? 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: Because they're including students and staff that have .edu email addresses. And I'm a student or staff that has a .edu email address. So I have not received any of these emails, or if I have received them, they've been filtered out by our spam system, which is remarkably good. These emails display the IRS logo, and we've talked about this before as well. One of the things that these phishing campaigns do is they'll actually go out to the IRS website or whatever site they're impersonating and they'll actually take the logos from those sites. And there's really nothing anybody can do to prevent that because, you know, these logos have to be transmitted across the internet in order for you to view the webpage. You have to get a copy of it. 

Dave Bittner: It's the way the web works. 

Joe Carrigan: Exactly right. Exactly right. And they have subject lines like tax refund payment. Oh, hey, that's going to get my attention. And here's one that's really going to get my attention - recalculation of your tax refund payment. Recalculation? Hey, I did all the calculations. I do my own taxes. I don't know what you guys do, but here's my forms. And I actually fill them all out. That's going to get my attention right away. And it's going to be like, oh, this sounds like an audit's coming, right? 

Dave Bittner: Well, it's either bad news or good news. But either way, it's news that you want to know about, right? 

Joe Carrigan: Since it comes from the IRS, my immediate thinking is this is bad news. 

Dave Bittner: Yeah, OK. 

Joe Carrigan: It asks people to click a link to submit a form to claim their refund, which is another scam. The IRS doesn't ask you to click a link to submit a form. You have to file your taxes to get your refund. If you click the link, you're taken to a phishing website that asks you to do - enter the following information. Are you ready, Dave? 

Dave Bittner: Sure. 

Joe Carrigan: Buckle in because this is a long list. 

Dave Bittner: (Laughter). 

Joe Carrigan: Social Security number, first name, last name, date of birth, prior year annual gross income or AGI, driver's license number, current address, city, state or territory, postal ZIP code and electronic filing PIN. 

Dave Bittner: Oh, what - that's your PIN for the IRS, right? 

Joe Carrigan: That's right, Dave. They are... 

Dave Bittner: What? No blood type? They didn't ask for your blood type? I mean, come on. 

Joe Carrigan: Well, they don't need to fraudulently file a tax return on your behalf. I think that's what the endgame is here. They're going to start filing tax returns for people and get refunds. They usually do this earlier in the season, in the tax season, like earlier like in January or early February. They beat people to filing for their tax returns so that they get the check first. And then when the victim goes and files, the IRS says, hey, you already filed your taxes, and we already sent a check out. The person then has to go through a process to get the refund. It's longer for the actual victim. Generally, the IRS makes good on the refund. 

Joe Carrigan: They have a quote here from the IRS that says taxpayers who believe they may have provided identity thieves with this information should consider immediately obtaining an Identity Protection PIN. This is a voluntary opt-in program. An IP PIN - that's Identity Protection PIN - is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in the victim's name. 

Joe Carrigan: Now, it's interesting that they also are asking for the same - what appears to be the same PIN here in the form. That looks like what these guys are trying to phish. But if you've given that up, you should do whatever you can to change it right away. And I say, if you file your taxes electronically - I don't. I send in the documents, I send the forms in. I like doing it the old-fashioned way. 

Dave Bittner: (Laughter). 

Joe Carrigan: If you file your forms electronically, you should already have one of these. And if you don't, you should get one right now just 'cause, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It just makes it more secure for you to file electronically. Because I never file electronically, I don't know if it's required when you file. I have no idea. I've never done this. 

Dave Bittner: Yeah, I'm not sure either. It's interesting that it's a six-digit number and that it's only a six-digit number. It's a shame you can't have it be as long as you want it to be or write numbers and letters and, you know, it's... 

Joe Carrigan: It's a shame you can't make it a password. 

Dave Bittner: Right. It's better than nothing, but it could be a lot better than it is, I suppose (laughter). 

Joe Carrigan: Yes, absolutely. The IRS does make a note that if you want to track your refund, you can go to irs.gov/refunds. And that's where you can check the status of your refund, not from some link in an email. 

Dave Bittner: Yeah. 

Joe Carrigan: Never click the link. 

Dave Bittner: All right. Well, it's good information. And, of course, we'll have a link to the IRS' website there if you want to find out what their tips are and the warning here, you can check that out. 

Dave Bittner: My story this week comes from the BBC. And before we dig in here, let me ask you, Joe, looking back on your life, did you ever have a really, really bad password before you knew better? 

Joe Carrigan: Yes. 

Dave Bittner: Like, can you remember - what was the worst password that you ever had? You don't have to tell me what it is, but how was it constructed? 

Joe Carrigan: It was constructed - it was - let's see. It was constructed as an eight-character phrase that you could pronounce and remember. But all of the vowels were changed to numbers, or some of the letters had changed to numbers. So I thought I was being clever, but it was only eight characters. And when I entered this password on Troy Hunt's page, it is, of course, pwned (ph). So it's already in a list. 

Joe Carrigan: Right. Right. 

Joe Carrigan: But the thing is, before I knew better, Dave, I used it everywhere, and that's bad. 

Dave Bittner: Certainly those of us who've been at this as long as you and I have been through that, where in the early days, when we were dialing into BBSes with our modems that required passwords - passwords, you know, weren't really a thing the way they are today. For a lot of us, we had our password. And it was the password. It's all we - one. We just had one. It's our password. There's no worry about reusing it. Of course, you can't do that anymore. And as you say, if you go on Have I Been Pwned, you can see how many of your passwords have been pwned in many of the data breaches. 

Dave Bittner: So all of that brings me to this story from BBC News, and it's titled Pets' Names Used As Passwords By Millions, Study Finds. That's the NCSC, which is the National Cybersecurity Center in the U.K. They did a survey. And they found that about 15% of the population used pets' names, 14% used a family member's name, and 13% pick a notable date. And to me, this is so obvious, because when I've worked with other friends and family members and, as again, Joe, you and I, we have often been drafted into the role of tech support for our loved ones. 

Joe Carrigan: Yep. 

Dave Bittner: So that means a lot of times you'll be sitting at the computer and you have to log in. You say, all right, well, give me your password. And they give you their password. And their password is fluffy2001 you know - right? - or, you know, rover1934. Yeah. And everybody thinks they're being clever. They take a name and then a year. Well, what's the name you're going to choose? Chances are lots of - according to this, 15% of people use their pet's name. And then they use some number that's easy to remember. And for a lot of people, that's the year they were born, maybe their house number, maybe their last four digits of their phone number, something like that. 

Dave Bittner: As you and I discuss here regularly, the things that make all of those things easy for you to remember make them incredibly easy for the bad guys to figure out... 

Joe Carrigan: Yes. 

Dave Bittner: ...Practically in an automated way. 

Joe Carrigan: Right. 

Dave Bittner: And it gets even worse, thanks to social media, because people are posting pictures of their pets. And so chances are, if you have an adorable little fuzzy fur baby in your home, that you have probably posted a picture of that and said, hey, welcome to our family, here's Rover. Isn't he adorable? Or even if you don't say the name, some of your friends might respond to a picture that you post and say, oh, my gosh, you know, Spike is such an adorable dog. We all love him so much. 

Joe Carrigan: Right. 

Dave Bittner: Actually, that reminds me - I saw another thing on Twitter yesterday. After this report came out, I saw someone respond to it and say, you know, darn it, another data breach. This is the third time I've had to rename my cat. 

(LAUGHTER) 

Dave Bittner: You know, this is pretty straightforward here. And it's nothing new. But I think seeing these numbers here - results from an actual survey - to see here we are in 2021, and this is as extensive as it is. 

Joe Carrigan: Right. 

Dave Bittner: I think it's a good reminder, especially - as we always say here, check in with your loved one. Check with your parents. 

Joe Carrigan: Yeah. 

Dave Bittner: Check with your siblings. Check with the people around you and just ask them, are you using the name of your pet or a family member or a notable date in your passwords? And if you are, have that be the beginning of a conversation hopefully moving them toward using a password manager, something that will randomly generate passwords, so they don't know what they are. They're not pronounceable. And they don't have to worry about this. 

Joe Carrigan: Right. I wish this article came out a little earlier because earlier this week, I actually gave a talk on social engineering attacks. And one segment of that talk was focused on this exact problem. It was focused on the weakness of passwords, for people reusing passwords and picking weak passwords. It's an area of social engineering we don't really think about because it's not really directly involving somebody. You're not directly attacking a victim. You're kind of guessing the password based on that victim's behavior that is open to the public at large. Like you say, on social media, everybody who knows me on social media, everybody who's connected with me, knows what my dog's names are or can find it out. 

Dave Bittner: Right. 

Joe Carrigan: If you have a public profile, if you don't keep that stuff hidden so that only your friends and connections can see it, then everybody in the world can literally see it. 

Dave Bittner: Yeah. 

Joe Carrigan: Literally everybody in the world can see it. It's easy to guess passwords if 14% of the people use their pets' names as some base of the password. 

Dave Bittner: Yeah. And I'll tell you, you know, a colleague of mine - his name's Christopher Pierson. He runs a company called BlackCloak, which is a company that provides kind of, like, concierge service for high-net-worth executives, you know, like, people who really get targeted by a lot of these bad guys. You know, they provide sort of custom security for them and their families. And just for fun one day, because he could, he called me up, and he read me off my list of all of my historic passwords that had been in data breaches. 

Joe Carrigan: Yeah. 

Dave Bittner: And let me tell you, it kind of makes your blood run cold (laughter) when you get somebody out there just listing off passwords from your past, some of the ones that you haven't even thought about in a long time. It's like, is this your password? Yes, it's - oh, what does this number have to do in your life? Well, that's the number of such and such, you know (laughter)? Just to see how careless you were back in the day before you knew better. 

Joe Carrigan: Right. 

Dave Bittner: Interesting point the NCSC makes here. They suggest that a nice compromise here is to choose three random unconnected words as a password. 

Joe Carrigan: Yeah, that's the "xkcd" comic... 

Dave Bittner: Right. 

Joe Carrigan: ...That Randall - Randall's his name, right? I can't remember what his last name is. But he suggests using four words. It's - you know, it's a good way to do that. If you think about it, there's about 2,000 words that we use very frequently in our vocabulary. And if you pick four of them unrelated that don't make up a sentence, then you've got 2,000 to the fourth, which is a large number, which makes your password very difficult to guess. It's about the same as having, I think, an 11-character password, which is pretty good. 

Dave Bittner: Yeah, yeah, yeah. When it comes to passwords, size matters. 

Joe Carrigan: Right, yep. Absolutely. 

Dave Bittner: (Laughter) All right. Well, that is my story. I'll have a link to the BBC story here in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from the land down under. Gareth and Kingsley sent this to me. And just to be clear, their jurisdiction is a single-party-consent jurisdiction. So this is actually a recording that was sent to me. A scam caller called into these guys' business, and they - one guy filmed it while the other guy interacted with the scammer. Let's take a listen. 

(SOUNDBITE OF VIDEO) 

Unidentified Person: Internet services, which you are using, at your provider directly (ph) is that your internet is sending some data and warning signals into our main server without your knowledge and without our permission. And, you know, sir, in the warning signals, which your internet is sending, indicated that some online hackers - the bad people - they have got access to your internet. You understand that? 

Gareth: So you're telling me the bad people have access to my Internet, and they're sending bad signals to your server? 

Unidentified Person: Yeah. Yes. The hackers have got access to your internet, and they're using your IP address towards a bad signal without your knowledge and without our permission. Actually, we are calling you from the NBN security department so that we can help you, sir, and show you all the problems. Sir, can you do one thing, sir? Can you move in front of your router, and can you verify me that how much - how many lights are blinking over there? 

Gareth: OK, let me just check. Can we get in contact with the hackers and ask them to stop? Because I don't want them in there. 

Unidentified Person: Sir, yes, we will be doing everything that we have here to remove all the troublemakers. 

Gareth: Ah, that's a relief. 

Unidentified Person: Don't be worried. Just to verify - yeah, you verify me how many lights are blinking over there? 

Gareth: OK, let me just count them. 

Unidentified Person: Yes, yes. 

Gareth: Looks like there's about 27. 

Unidentified Person: Twenty-seven. Oh, my God. And what's the color of the lights over there? 

Gareth: Orange. 

Unidentified Person: Oh, the orange. Oh, my God. 

Gareth: Is that bad? 

Unidentified Person: It's no problem, sir. OK, excuse me (ph), sir, are you access with your - any of the electronic devices, like your any of the - like your computer or the laptop so that I can show you all the problems they turned into right now. 

Gareth: We have iPads. We have about 10 iPads. 

Unidentified Person: Ten iPads. Apart from the iPad, do you have any other, like, mega (ph) device like a computer or the laptop? 

Gareth: We've got a Commodore 64 that's hooked up. 

Unidentified Person: No problem. You take your lovely time and turn on any one of the computers, any one of your computer or laptop. 

Gareth: OK, we have one that says Atari. Will that one be OK? 

Unidentified Person: Sorry? 

Gareth: We have one that says Atari, a computer. Can I turn that one on? 

Unidentified Person: You can turn on. 

Gareth: OK, when do - what cartridge do you like me to put in? 

Unidentified Person: It's a Windows, yeah? 

Gareth: No, no. It's an Atari. I can put a cartridge in for you if you like. 

Unidentified Person: Yeah, did you see it turn on? 

Gareth: Yep, no worries. I've got "River Raid." Can I put that one in? 

Unidentified Person: Yeah, definitely. 

Gareth: Excellent. All right, that's up. Should I play one player or two players? Do you want to play? 

Unidentified Person: Are you kidding with me, sir? 

Gareth: No, no, this is serious. It's an Atari and "River Raid." I can do two players if you want to play. 

(LAUGHTER) 

Dave Bittner: Oh, wow. Yeah, too much fun. Too much fun. Well, goodness. 

Joe Carrigan: (Laughter). 

Dave Bittner: What can we say about this (laughter)? 

Joe Carrigan: That was awesome. That was just fantastic. 

Dave Bittner: I have to say the Academy Award for best actor goes to the scammer with his responses to the - how many lights were blinking on the router... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...And what color they are (laughter). 

Joe Carrigan: I think the best actor goes to Gareth. I think he did a great job there. That was Gareth's voice you hear. 

Dave Bittner: OK, yeah, yeah. All right. Well, our thanks to Gareth and Kingsley for sending that to us. That was a lot of fun. That is our Catch of the Day. We would love to hear from you. If you have a comment for us or a Catch of the Day, you can email us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Joe, I recently had the pleasure of speaking with Herb Stapleton. He is the FBI's cyber division sector chief, and they recently published the latest version of their IC3 report outlining a lot of the things that they're tracking. Here's my conversation with Herb Stapleton. 

Herb Stapleton: I think there are parts of this that are unsurprising given the pandemic and the overall kind of environment that we worked in. But unfortunately, we saw a significant increase in the number of complaints received at the IC3 for the year. 

Dave Bittner: Can you take us through some of the things that really drew your attention? What were some of the areas that really stood out? 

Herb Stapleton: Yeah, I'd be glad to. You know, I think a couple of the things that really stood out to us - once again, we see business email compromise frauds as one of our leading complaints in terms of amounts of loss. And that number only increased in 2020. You know, another thing that really stood out to us is on the ransomware front. Unfortunately, we saw huge increases in the amounts of loss reported in ransomware incidents - not so much just the overall number of complaints but the amount of losses. 

Herb Stapleton: And I would attribute that to a couple of things. You and I have talked before, I think, even, about how the pandemic created this opportunity for cybercriminals with more of an attack surface, more volume of people working from home and creating opportunity for things like phishing emails and other things that ultimately lead to these types of frauds like ransomware and BEC. 

Herb Stapleton: And the second thing is that I think that we saw an increase in the amount of reporting. I think we saw a higher number of people actually reporting things to the FBI this past year than we have seen in previous years. So I think it's really a combination of increased activity and increased reporting. 

Dave Bittner: Can you touch on the importance of people reaching out to you and your colleagues at the IC3, why that can help make a difference in trying to combat these things? 

Herb Stapleton: Yeah, it's incredibly important. And one example I would provide of that is while we saw a lot of trends that we don't want to see as far as increase in losses, increase in complaints, we also saw an increase in the amount of funds that the IC3 was able to help recover through its recovery asset team. 

Herb Stapleton: You know, basically, the way this functions is if a complaint meets a certain set of criteria, we can work with financial institution partners to potentially prevent that money from actually being delivered to the overseas cybercriminals that it's intended for. We saw a corresponding increase in the amount of funds we were able to stop for victims before they actually reached their ultimate destination with the cybercriminals. We can't do that type of work unless we know about the crime in the first place. 

Herb Stapleton: The second thing that's really important is many of these investigations are very long-term criminal enterprise investigations that we have to undertake. And so - and every piece of evidence is really potentially helpful as we try to work our way through these complex investigations, identify who's responsible and ultimately try to bring charges against them and bring them to justice. So even if a complaint seems like a very small piece of the overall puzzle, it can be very, very valuable to the investigators in the field who are trying to piece together these long-term criminal enterprise investigations. 

Dave Bittner: You know, one of the things that stood out to me as I was making my way through the report is that you break out the victims by age group. And I suppose it's not surprising that, as we get into some of those older age groups, they are targeted both in the number of victims and the amount of money lost here. But I think it really highlights the importance of those of us, you know, reaching out to our older friends and family and making sure that we do our part to try to educate them. 

Herb Stapleton: Yeah, I totally agree with that point. We at the IC3 have been a big part of the overall elder fraud initiative that's been run by the Department of Justice writ large and our partners in the criminal investigative division and within the FBI. The IC3 really serves two purposes on the elder fraud front. One of those is to be a place that folks who have been victimized or potentially victimized can report the crime so that we can help to bring that person to justice. But the other, I think equally important function that the IC3 serves is as a platform for education. 

Herb Stapleton: And so throughout the year, one of the things that you see on the IC3 website are, you know, a number of products that warn people of all ages, including older citizens, how to protect themselves against these types of frauds. And we really feel that's a critical function, for the IC3 to be able to help protect people. Even if we can prevent one victim from losing money, that is totally worthwhile for that. And we certainly hope and believe that we've prevented more than one or two from falling victim to these types of scams. 

Dave Bittner: You know, another thing that stood out to me - I was looking through your three-year complaint count comparison, where you can look back in time and see how these things have been trending. The one that really stands out here is phishing, vishing, smishing and pharming. You know, that flavor of attack there really has just gone through the roof in the past couple of years. 

Herb Stapleton: Yeah, absolutely. I think, you know, the lesson there, from my perspective, is that those types of very simple vectors can continue to increase in prevalence because they continue to be successful. It's certainly very important to harden our network defenses and take all of those more complex cybersecurity steps that are necessary, but really, the simple things remain kind of fundamental, as simple as that sounds - that doing the simple things like guarding against phishing and being suspicious and being well-trained and aware of what kind of social engineering tactics might be used really can go a long way to preventing these types of attacks. And as you see in the report this year, you know, phishing by far continues to be the most common type of complaint. 

Herb Stapleton: I think one thing I would add about that, relative to this year in particular - one of the reasons that phishing incidents seem to probably be on the rise is there's been some very fertile context or pretext for those types of attacks in the COVID-19 pandemic. And so we've just seen really a flood of phishing attacks that are COVID-19 themed, whether that would be, you know, something like a phishing attack claiming to offer COVID-19 relief funds, a phishing attack that would claim to offer vaccine access or COVID-19 cures. There's all sorts of potential themes that go along with the COVID-19 pandemic that really offer some unfortunately valuable material for potential cyber scammers, leaving people vulnerable to losing money or their personally identifiable information. 

Dave Bittner: What's the outlook for this coming year? I mean, as things start to open up again, as life hopefully, you know, continues to return to normal with more people getting vaccinated and things opening up, do we suspect it's going to be more of the same or are there any shifts that you're looking out for as the year progresses? 

Herb Stapleton: You know, we really hope to see those numbers go back down as the COVID-19 pandemic subsides. That being said, you know, the numbers prior to the pandemic were already very substantial, and so we anticipate that this type of activity is going to continue. One thing that we are going to keep a really close eye on - as things begin to open back up, I don't think anybody really knows for sure how the sort of work-from-home trend or the teleworking trend will play itself out, even after vaccination becomes widespread. There's definitely a possibility that many people will continue to predominantly work from home. 

Herb Stapleton: That's a concern for us on a variety of fronts. We certainly think that that telework trend is a contributing factor - not the only factor, but a contributing factor - to the increase in phishing emails, the increase in potential malware attacks where remote working applications are potentially exploited because they might lack sufficient security to protect that particular network connection. And so that's something we're going to keep an eye on. How does that telework trend progress and how does it affect the overall kinds of criminal trends that we're seeing at the IC3? 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I love it when these reports come out, Dave. Any time one of these reports comes out, I get my hands on it, and I go through it. I love going through the data. It's one of the high points of my day, and that's probably (laughter)... 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: ...Very, very sad to somebody out there. 

Dave Bittner: (Laughter) Well. 

Joe Carrigan: Truth states (ph). Yes. Some standout points - business email compromise is up, ransomware losses are up in terms of the amount, and there's a lot of increased activity and reporting. So we're seeing more bad guys acting, and we're seeing more people reporting these activities. I'm absolutely impressed with the asset recovery team, or recovery asset team, so they can have that clever nickname or acronym RAT. That's nice. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: They stop money from being collected by the bad guys, and they are doing it more often, which is great. Good news to hear. The statistics in this report lumped everyone over 60 into one group. And they are the largest group with the biggest losses, but the other age groups are all 10-year age brackets. But the trend of older people suffering larger losses seems to hold in this data. You know, I took the number of complaints and divided into the amount of losses, and the people over 60 definitely suffered the largest losses. If you remember, we've talked about this in the past that actually people who are older are actually less likely to fall for a scam. But when they fall for the scam, they lose more money. And I think this data tends to back that position up and reinforce it. 

Joe Carrigan: Phishing has gone up almost tenfold in the past two years. And Herb makes a few great points here. One, this is a low-skill attack. Phishing really is very easy for people to carry out. There are kits out there that walk you through it from how to send out the emails, how to write the emails to how to launder the money that you get from it. I mean - and these kits sell for like 15, $20 - not a lot of money. And he makes another good point is there have been a lot of good opportunities for convincing pretexts this year. And pretext is just a lie that someone tells you to get you into the story that they want you to believe. Like in the - in my story today, the pretext would be recalculation of your tax refund. Right? 

Dave Bittner: Right, right. 

Joe Carrigan: Now, if you compare phishing to business email compromise, business email compromise is actually very low on the list in terms of victim count. It's No. 10. But it's No. 1 in losses by a lot. It has more losses than the next six most profitable attacks. Almost 37% of all the losses in this report are from a business email compromise. I've taken to calling business email compromise the king of social engineering attacks because the losses are so big, and the payouts are so big for these guys. It's staggering. I mean, we've had stories where millions of dollars have disappeared from a business email compromise attack. 

Joe Carrigan: It's interesting to see that losses from employment scams also are up about 50% this year from last year on a much less significant level of complaint increases. So in other words, complaints have gone up a little bit, but losses have gone up a lot, which means these are actually getting worse as well. Now, they're pretty far down the list, but I think that this also probably has to do a lot with COVID-19 that - because it's more believable that, hey, we're going to have you work from home, we need to go out and buy this equipment. Go to this vendor, and send them the money. And it's basically a check floating scam for most of these scams. We've had a couple stories on about this. But I don't know. Maybe this will go down as we start to get back to normal, as more people get vaccinated. I hope it does. But I don't think it will. I don't think it will. 

Dave Bittner: No. And I think it speaks to the fact that the scammers are getting better at what they do. They're refining their efforts, and so they're able to target people who have more money to lose and are more successful in getting those high-value targets to give up the money. So - well, I want to thank Herb Stapleton for joining us - really interesting stuff. We appreciate him taking the time. 

Dave Bittner: And of course, the IC3 wants to hear your information. If you find yourself the victim of a scam, the FBI's IC3 site is a really good clearinghouse. You know, even if you don't think it's a big deal, your report could help connect the dots between other things that they're working on. So - I asked Herb about it. And he said, unfortunately, with their staffing levels, they're not always able to respond individually to every single report. You'll get an automated response that says - that verifies that they got your message. But... 

Joe Carrigan: Right. 

Dave Bittner: You're probably not going to get a case - an FBI agent who's going to call you in response, chances are. But they still want you to report everything because... 

Joe Carrigan: 'Cause they still use the data. 

Dave Bittner: They use the data. And you never know if your little thing that you think is insignificant might be the little connecting piece of information that helps crack a case. And you know, they're out there fighting the good fight every day, trying to bring these people to justice. So we appreciate them taking the time for us. 

Joe Carrigan: And go out and download this report. You can get it from ic3.gov. 

Dave Bittner: All right. Well, that is our show. We want to thank all of you for listening and, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.