Hacking Humans 4.29.21
Ep 145 | 4.29.21

Anyone can be a target of romance scams.

Stacey Nash: Criminals have obviously - I say all the time - I'm like, they're not going to go and get an honest job. They're going to try and figure out how to make money elsewhere.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations all over the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Stacey Nash. She's head of Fraud and Central Operations at USAA. We're going to be discussing romance and sweetheart scams. 

Dave Bittner: All right, Joe, before we jump into our stories, we got a little bit of a follow-up. We received a kind letter from one of our listeners who had a question for us. This person asked that we not reveal their name, so we're going to honor that request. 

Joe Carrigan: Yes, of course. 

Dave Bittner: I'm going to read parts of the letter here. There's more to it, but just for - in the interest of time, I've distilled it a bit. 

Dave Bittner: And they write, (reading) during the Easter time, two universities in Dublin got attacked by ransomware. I am a student at one of the universities that got attacked by the ransomware, and I have friends who are students in the other one. Now we are sharing the same feeling of, what the hell is going on, and how is it going to be? Because things are pretty confusing. 

Joe Carrigan: Yeah. 

Dave Bittner: They say, (reading) I know it might sound rude at first, but what is calling my attention is how people are dealing with this and not disclosing any important information that we might need. The systems went down between the 1st and 3rd of April 2021. What we thought was an instability became a ransomware attack that was widely noticed through university social media. 

Dave Bittner: (Reading) One of the universities is updating its website, but the other is not. And there is not any communication about what happened through our emails. Most of us only received an email saying, you must change your password now, a few days ago. Now most of the systems have been restored, but can I trust it? 

Dave Bittner: Now, this is a really interesting aspect of this, Joe... 

Joe Carrigan: Right. 

Dave Bittner: ...Where a university student - and, of course, this is an environment that you are intimately familiar with (laughter), part of... 

Joe Carrigan: I'm steeped in it daily, Dave (laughter). 

Dave Bittner: Yeah, Johns Hopkins (laughter). 

Joe Carrigan: Right. 

Dave Bittner: The students are very much dependent on the infrastructure that the university provides. And when a breach happens like this, how do you restore trust in the students' minds? 

Joe Carrigan: That's an excellent question, Dave. And the listener's question, can I trust it - my answer to that is, you can trust it as much as you did before, I think. 

Joe Carrigan: What I will say here, though, is it sounds like these universities are not doing their communication part of this well. Anytime you suffer one of these attacks, you absolutely need to have communication as part of the response. Your incident response team has to have that on their docket of things to do. It's got to be there. And I can imagine it's very frustrating when you don't hear things from people, particularly when you're a student in a university, and these ransomware attacks frequently turn out to be breaches as well. 

Dave Bittner: Right. 

Joe Carrigan: Has your personal information been compromised? Has somebody gotten that? What I would say to anybody anywhere is, my first boss in any computer job told me to - Jeff Russell (ph) said, the first four rules of computing are back up, back up, back up and back up. 

Dave Bittner: Right. 

Joe Carrigan: Make sure you have your data backed up in some way that you can take care of it. Perhaps the university has your data backed up. That might be one of your backups. You might have an offline backup. That could be another backup. There might be things in the cloud. All these things are - you know, you have to have your data in different places in order to protect it. 

Joe Carrigan: Can you trust it? I mean, you can trust it to some degree, but you should have contingency plans. 

Dave Bittner: Yeah. I'm trying to think of a good way that you could get answers if you're not satisfied with how they're communicating. I wonder if you could reach out, if the university has a, you know, on-campus news publication, something like that. You know, perhaps they would have the influence to be able to get more answers than just an individual student would who was reaching out. 

Joe Carrigan: Yeah, if you have a campus newspaper, I would definitely go in and ask them. 

Dave Bittner: Yeah. 

Joe Carrigan: A lot of times, though, you find that they are really hamstrung by the administration of the university, right? 

Dave Bittner: Well, I also wonder, being in Dublin, you know, how much do they fall under GDPR for disclosure? 

Joe Carrigan: They are completely under GDPR. They are under the European Union and under the governance of that law. 

Dave Bittner: Yeah. Well, and I guess the advice also to the university is, you know, the more forthright you are and the more you share information along the way... 

Joe Carrigan: Yeah. 

Dave Bittner: ...You're going to maintain the trust of your users... 

Joe Carrigan: Correct. 

Dave Bittner: ...Rather than them having to guess and - you know, it's that whole nature abhors a vacuum, and a vacuum of information, people are going to start filling in their own imagination (laughter). 

Joe Carrigan: Right. Exactly. And I'm not saying that these universities are behaving in a malicious manner. They're probably not. They're probably in a state of trying to resolve the issue. 

Dave Bittner: Yeah. 

Joe Carrigan: And in that state, you know, they're working hard to do that. But they're not - part of that has to be communication. There has to be somebody who's assigned to find out what's going on and then communicate that out to the user population of the university. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to our listener for sending in that question. We would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's move on to some stories. Why don't you kick things off for us this week? 

Joe Carrigan: Dave, my story comes from The New York Times, written by Alex Marshall. Let me ask you - are you familiar with the Baillie Gifford Prize? 

Dave Bittner: I am not, no. 

Joe Carrigan: Of course not, Dave, because it is a respected British award for nonfiction writing. 

Dave Bittner: (Laughter). 

Joe Carrigan: I was also not familiar with this until I read this article (laughter), so... 

Dave Bittner: Fair enough. 

Joe Carrigan: Never heard of it. But these organizers of this prize got an excited email from an author, Craig Brown, who had been awarded the prize the night before. And he won the prize for a book about some 1960s boy band called "150 Glimpses of the Beatles." 

Joe Carrigan: The email said, words cannot even begin to describe how over the moon I am. Right? And then the email went on to say, I'm currently experiencing a few hiccups with my bank account, but also with the pandemic. Could the organizers transfer the prize money, 50,000 pounds - which is about $69,000 - to my PayPal account, if that's OK? 

Joe Carrigan: The prize's executive director, Toby Mundy, said the message was written with tremendous confidence. And there was a bit of zhoosh about that last sentence. But Toby was wise to the scam, and he actually called Brown - right? - called the author and said, hey, what's going on here? I got this email from you. And guess what, Dave. 

Dave Bittner: (Laughter) Wait for it. 

Joe Carrigan: Yeah, the email was a scam. Someone was trying to steal the money from him. So Toby Mundy did exactly the right thing here. He picked up the phone, called the author and said, you're asking me to send this money to your PayPal account? And the author was like, no, I wouldn't ever do that. 

Dave Bittner: (Laughter). 

Joe Carrigan: Just write me a check. He goes, ah, good, I caught the scam in process, and now I'm not falling for it. 

Joe Carrigan: But over the past year, at least five British book prizes have been targeted by the same scam. And in March of 2020, the Rathbones Folio Prize - I love these British names - said 30,000 pounds went to a scammer posing as author Valeria Luiselli, who had just won the award for her novel "Lost Children Archive." And that organizer had to find another 30,000 pounds to pay Luiselli because they had sent the money to a scammer. 

Dave Bittner: Wow. 

Joe Carrigan: And they said they absorbed the cost by cutting costs elsewhere. So I don't know what that means. Did they have to fire somebody because of that? I - who knows? 

Dave Bittner: (Laughter) Yeah. No matter what, it's not good. 

Joe Carrigan: Yeah, it's not good. I mean, any time 30,000 pounds leaves your bank account, it's bad, right? 

Joe Carrigan: The scammer does not appear to have targeted any prizes outside of Britain. And the National Book Awards in the United States and five other awards in the United States have not been contacted, nor has the Nobel Institute, and they run the Nobel Prize for Literature. 

Joe Carrigan: Susan Swan, who's a novelist who helped found the Carol Shields Prize for Fiction in North America, is quoted in this article. And she says, "literary phishing is a diabolical cybercrime because most of us expect fraudsters to be working elsewhere and not reading about books." This is the hackers-are-not-interested-in-me argument, right? 

Dave Bittner: Right. 

Joe Carrigan: And one of the first things I tell people when I'm talking to them is, yeah, hackers are interested in you because you have money. You have money. And that's what they're out to do. They're out to monetize their activity, just like everybody else in the world, except rather than being legitimate operators, they're criminals, and they're going to try to steal money from you. 

Joe Carrigan: Swan goes on to say, we'll solve the problem by issuing checks to our winners and avoid online payments. I think that's a great solution. That's the perfect solution for this. Don't do anything other than write a check. 

Dave Bittner: Well, it sounds like we've got a fraudster who has hit on something that works. I don't know if it's an individual or a group or whatever, but they seem to be making their way through this community. And I suppose at some point, word's going to get out into the community, and if it hasn't already, and they're going - and the fraudster will have to move on to a different community. 

Joe Carrigan: Yeah. 

Dave Bittner: But they've clearly keyed into a technique that is effective. 

Joe Carrigan: Right. They've done this five times and gotten 30,000 pounds out of it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is a lot of money, you know? And they don't know where this fraudster is, but they think he might be in Britain. Yeah, who knows? Mundy said that they reported the matter to the police, but - this is interesting - nobody at the police responded. Before that, he tried catching the fraudster himself. He asked for a phone number so he could confirm some details, but the - of the PayPal transfer. But the scammer never wrote back. So... 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: You know, maybe if you work with PayPal because PayPal requires a lot of information to set up an account, as I recall. I haven't - it's been years since I set up my account, but you have to provide legitimate information. That money has to go somewhere, usually to a bank account that's associated with something. Of course, that could all be fraudulently established as well, so... 

Dave Bittner: Yeah, could be making use of a money mule. We've seen that many times as well. 

Joe Carrigan: Yep, absolutely. 

Dave Bittner: You just never know. All right, it's an interesting story for sure. 

Dave Bittner: My story comes from the LA Times (laughter), and the title of it is "Scammers Can't Get No Satisfaction." 

Joe Carrigan: (Laughter). 

Dave Bittner: And it has to do with a Rolling Stones tribute band who is among several bands who were targeted in a fake check scheme. Joe, have you ever been out to see any of these tribute bands? 

Joe Carrigan: No, Dave, I've never been to see a tribute band. I like to go see the original band. And if I can't do that anymore, I just accept the fact that I've missed my opportunity. 

Dave Bittner: Right, right. Well, I saw a Queen tribute band I guess right before we went into lockdown for pandemic, and I have to say it was way better than I had expected it to be. 

Joe Carrigan: Really? 

Dave Bittner: Like (laughter) - oh, yeah, they were really good. And they sounded like Queen. I mean, the key to a good Queen tribute band is you got to have a killer Freddie Mercury. 

Joe Carrigan: Right, absolutely. 

Dave Bittner: And they did, so (laughter) it was really quite a lot of fun. But I digress. 

Joe Carrigan: (Laughter). 

Dave Bittner: So this story is about some folks who have this tribute band. And someone reached out to them pretending to be a nonprofit in Hong Kong. And they reached out to the band and said that they wanted to pay them for a 35-minute set that would be streamed to a Hong Kong fundraising event. 

Joe Carrigan: OK. 

Dave Bittner: But it gets a little more complicated than that because... 

Joe Carrigan: OK. 

Dave Bittner: ...The folks who claim to be running this foundation in Hong Kong were going to pay the band $30,000 for the set, which the band was pleased with. That's a - you know, it was a good payday for them. 

Joe Carrigan: Right. 

Dave Bittner: But they were also going to send the band an additional $75,000, which they wanted the band to donate to the foundation. So the sweetener here was that the band would then be able to take credit for a charitable donation... 

Joe Carrigan: Right. 

Dave Bittner: ...Which would be good for the band. It would be helpful for their taxes and all that sort of thing. The folks who wrote this article spoke with a talent agent who said that this sort of thing is not unusual, that - folks providing extra funds for an artist to donate to charity. It's not unheard of. Said he's negotiated similar deals for other clients. 

Joe Carrigan: OK, so this is something that actually goes on in the music industry. 

Dave Bittner: Evidently it does, yeah. 

Joe Carrigan: OK. 

Dave Bittner: Yeah. So they received a cashier's check for $101,000, and the person representing the band said, I was expecting a bank wire. The cashier's check made the whole thing a little sketchy. The check was drawn on an account from Commerce Bank, and it was sent via FedEx from Long Beach, Calif., not Hong Kong. 

Dave Bittner: So the person went to a Bank of America branch to deposit the funds into the client account, and he told the teller that he was suspicious about the check's authenticity. And the bank teller ran a couple of checks and said the check's good. So the band's rep emailed the foundation, said that he deposited the check. The foundation responded and said that he needed to wire the $75,000 donation immediately, that very day. 

Joe Carrigan: Right. 

Dave Bittner: Now the representative of the band was really suspicious. 

Joe Carrigan: Right. 

Dave Bittner: So he contacted Commerce Bank and shared a copy of the check, and they said it was definitely a fraudulent check. They even got the font on the check wrong. 

Joe Carrigan: OK. 

Dave Bittner: So he contacted the FBI. In the meantime, the foundation is becoming more and more aggressive, insisting that the $75,000 be wired right away. 

Joe Carrigan: Right. 

Dave Bittner: They said if he didn't send the money that day, they would stop payment on the check. And they also said there were children who needed the funds. Children who need the funds. 

Joe Carrigan: Yes. They're hitting on all the cylinders for your desire to help somebody, your desire to get some money. And maybe now they're trying to say, we're going to scare you a little bit. They're doing everything. 

Dave Bittner: Yeah, yeah. So it turns out that the whole thing was a check fraud scam. Can you explain that, Joe? Do you understand how those work? 

Joe Carrigan: Yeah, yeah. A check fraud scam generally doesn't involve cashier's checks. It's like a business check that is drawn on a fake account. And the idea is - I'm the scammer, and I say to Dave, Dave, here's a check for $1,000, but I need you to wire $600 of it to person C, right? You go to the bank and you say, Joe gave me this check for $1,000. They go, OK, that's fine, your funds are available. And then you go immediately and wire the $600 to person C, who's actually working with me. And then when the check bounces and you don't have the funds anymore in your bank account, the bank still expects you to pay them the $600 that you wired out. 

Dave Bittner: Right. 

Joe Carrigan: So you've been scammed out of $600. 

Dave Bittner: Right. That $600 comes out of your account. 

Joe Carrigan: Correct, exactly. 

Dave Bittner: Scammers get that. Yeah, so that's basically what was going on here. 

Joe Carrigan: On a much larger scale, too. 

Dave Bittner: And evidently, they were targeting several different music acts. There was another one called the Mariachi Rosas Divinas, which is an all-female mariachi band. They got tagged, also. The scammers attempted to rip off about 55 grand from them. 

Dave Bittner: So these scammers seem to be taking advantage of the fact that these acts are looking for work. You know, they give them a very lucrative offer to do something that's streaming because you can't perform live in a lot of cases these days... 

Joe Carrigan: Right. 

Dave Bittner: ...With COVID and everything. I mean, it's interesting, too, that this organization claims to be out of Hong Kong. The checks are coming from the United States. Again, possible that they're using money mules who have no idea that they're part of a scam. Hard to say. 

Dave Bittner: But in this case, both bands who are mentioned in this article ended up not actually being scammed. They had their shields up in such a way that they didn't fall for it. 

Joe Carrigan: That's good. 

Dave Bittner: But you can see how it would be easy to fall for this. And it's just interesting to me that they're targeting these musical groups. They found a way to try to come after folks for some big money. 

Joe Carrigan: Right. And again, you can't be thinking, hackers aren't interested in me, right? 

Dave Bittner: Right. 

Joe Carrigan: These people aren't - they are. They're interested in you because you have money. 

Dave Bittner: Right. All right, well, that is my story this week. Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Konstantin (ph). He writes this first. He says, I enjoy the podcast, and I find it not only useful, but entertaining as well. Well, thank you, Konstantin. 

Dave Bittner: Very nice. 

Joe Carrigan: (Reading) Here is a seasonal phishing email from the Great White North. Sorry - had to throw a sorry in at least once - but typos, weird punctuation and the way it was written don't make it any more believable. You can read it on the air, but, Dave, you must do a Canadian accent, eh? 

Dave Bittner: Shouldn't that be (imitating Canadian accent) sorry? Sorry. Sorry. OK. 

Joe Carrigan: So are you ready, hoser? 

Dave Bittner: (Imitating Canadian accent) I'm about to do it, yes. 

Dave Bittner: OK, so (imitating Canadian accent, reading) you have a tax refund of Canadian 458 waiting for your previous revenue records. You received a letter from Canada Revenue Agency to make a refund to your account. Unfortunately, we were not able to process your information because the details we have did not match. 

Dave Bittner: (Imitating Canadian accent) Hoser. 

Dave Bittner: (Imitating Canadian accent, reading) Due to this issue, we have to reverify your information. Make sure your complete the form correctly. Any mistake will take more time to process, and you tax refund will be processed within six to nine working days as claimed. Sign in. Privacy and Security, Legal, Accessibility. 

Dave Bittner: (Imitating Canadian accent) OK, eh? 

Joe Carrigan: That was a short and sweet one, Dave, that gets right to the point. And Konstantin is absolutely correct here. The punctuation makes this just almost unreadable. If anybody that listens to this - if you read this out in your head exactly as it's written, it quickly becomes obvious this is a phishing email. 

Dave Bittner: Yeah. 

Joe Carrigan: They're just trying to get you to go to this website and enter your credentials, probably for the Canadian Revenue Authority (ph), whoever that is, and maybe file tax documents on your behalf to get some money out of the government. 

Dave Bittner: Yeah, yeah. Who knows? All right, that's a good one. Thanks to Konstantin for sharing that with us. We do appreciate it. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Stacey Nash. She is the head of Fraud and Central Operations at USAA. And we focused on romance and sweetheart scams. Here's my conversation with Stacey Nash. 

Stacey Nash: Scams in general across the U.S., but, quite honestly, across the world, have increased over the last few years. If you think about going back to the infamous Target breach and some of the breaches that happened a few years ago, it was all around card data. And ultimately, over the course of the last few years, as we kind of moved to chip and we kind of closed that lucrative opportunity for criminals, criminals have obviously - I say all the time - I'm like, they're not going to go and get an honest job. They're going to try and figure out how to make money elsewhere. And scams have been actually something that they've kind of moved towards over the course of the last few years. 

Stacey Nash: Various things, I would say - employment scams. They're also opportunistic. So if you think about some of the pandemic and the virus, there's been a lot of scams around PPE and even some of the vaccine. And romance scams - so romance scams goes back to a few years ago, you heard about the emails that would come from a prince from a far-off land. And it would be anything from - you know what? - I want to come to your country, but I need your help, and this is what it's going to look like. And sometimes it was romance, sometimes it wasn't. 

Stacey Nash: And then couple that with the last few years, the prevalence of online dating and social media and meeting people that you think you actually know who they are because they post this very realistic-looking picture and they create this persona online. And you talk to them for days, weeks and months, and you establish a relationship. 

Stacey Nash: And ultimately, at some point during that courtship, the relationship ends up - the person that you're in the relationship with ends up asking for something. And it's either - most of the time it's money, but sometimes they'll ask for even access, so access to your accounts, your PIN number, things like access passwords. 

Stacey Nash: And the route around that is normally - typically it's something to do with - you know what? - I really want to be together. I want to live happily ever after. I just have to tie up a few loose ends on my end. Sometimes they'll go as far as to say they've got to actually care for an elderly parent or, you know, a relative and they don't want to leave anybody hanging. Whatever they can do to actually drive empathy and trust they'll use. And the victim will send the money and never hear from them again. 

Dave Bittner: Now, what do you all track in terms of who these folks are targeting? Are there specific groups that they go after? 

Stacey Nash: Honestly, I would tell you, Dave, a couple years ago, it was targeting more of our elderly demographic. But over the course of the last few years, there's been no discrimination in that anybody's open and an open target. I've seen people that are in their early 20s all the way up to some of our more senior consumers all be the target of this. So anybody who actually you can find online and you can, you know, bring into a relationship is a target, unfortunately. 

Dave Bittner: Can you take us through what the process typically looks like? I mean, someone's minding their own business. They're monitoring their Facebook profile or Twitter or one of the other social media platforms. How do these folks reach out and establish contact? 

Stacey Nash: You just named one of them. So one of the most common is through social media. You think about, you know, even myself with my kids, I'm like, don't ever connect with anybody online that you don't know, that you haven't actually physically met and talked to and you can attribute where you know them from. 

Stacey Nash: Unfortunately, you see people who have thousands and thousands and thousands of connections. You think, wow, that person must have so many friends. Reality is they don't know a lot of those people. So in those situations, you've got people that you connect to. They're in your network. At some point, one of them might start talking to you. The relationship can move into just kind of niceties to eventually some kind of a romantic relationship where you're talking, you're talking, you're talking, and then that blossoms into something more. 

Stacey Nash: The other thing - the other scenario, I would say, is kind of moving away from just kind of your typical social media sites. It's actually going in through the dating sites - so the dating sites where people will actually go in and, you know, set up a profile and look like a legitimate individual and go from there. 

Stacey Nash: So it runs the gamut. I would even tell you, too, we've had situations where people will apply for jobs on legitimate job-posting sites. And, you know, in some cases, it might look like an actual scam tied to a job opportunity. But in some of those cases, it can turn into, OK - you know what? - the position has been filled, but, you know, let's keep in touch. And all of a sudden, the people keep talking, and one thing leads to another and they think they've got a friend and/or a relationship. 

Stacey Nash: And then all of a sudden it's like - you know what? - we might have an opportunity here, but it's going to cost you $1,000. If you send me $1,000 for all the materials, we'll ship it to you, and you'll be good to go and you can start working. So it's all about building a foundation of trust. And as soon as that trust is established, they strike. 

Dave Bittner: What are your recommendations then? I mean, we're in a kind of a tough time right now. You know, people are lonely. They feel isolated. They want to feel connected to other people. What are some of the red flags? 

Stacey Nash: Any time you're talking to somebody for any period of time and you haven't actually looked them in the eye - and I know in this environment, especially with the pandemic, you can look somebody in the eye virtually, right? We've got FaceTime. We've got Zoom. We've got all kinds of technology where I can actually look at you. 

Stacey Nash: I would say the first thing, don't ever give away anything, including personal information. Like, you know, we're talking about sending money and giving PII and access to banking, but even just personal information. From an identity perspective, I would be suspicious about sharing any information until I feel like, you know, I've, quote-unquote, "met" the person. But especially if somebody asks me for money at any point, even if it's months in, I'm going to be suspicious. 

Stacey Nash: Honestly, Dave, maybe not for this interview (ph), it might just be the industry I'm in, but I've seen some stories where this is - you know, it's so prevalent. And I would say the red flag tends to be you haven't seen the person, you haven't met the person. 

Stacey Nash: The other thing I would say a red flag is if a story sounds too good to be true, it typically is. If it looks too good to be true, it typically is. I will tell you from a USAA perspective, one of the things that, you know, we see sometimes from our military community - and this wouldn't be unique to USAA, but, you know, a visual or a picture, a profile picture of a military - like, a serving woman or man automatically invokes trust and respect. 

Stacey Nash: So the other thing I would say is, you know, if there's a profile that actually has that picture, I'd want to go really deep into understanding how that individual served their country, where they were, and then, you know, going back to my comments around meeting them because I think that's another thing where these criminals know that by putting certain pictures up, they automatically gain trust and respect. 

Dave Bittner: Now, what are you all tracking in terms of folks reporting these things? Am I right in my understanding that there's a lot of embarrassment here, so these may go underreported? 

Stacey Nash: You're very right, yes. There is some shame and embarrassment tied to it. I will tell you the stigma, thankfully, is starting to lift a little bit just because it has, unfortunately, become so prevalent. 

Stacey Nash: The other thing I will tell you is, you know, we have people who report or will call us right before it happens, which, thankfully, those are the calls that I know our organization and all the other organizations, because I'm in contact with, you know, most of my peers at the other financial institutions - we would much rather have that conversation before somebody sends the money. 

Stacey Nash: And, you know, we'll take a call as an example that says - you know what? - I just - before I do this, I just want to chat. Does this sound right to you? And we have the opportunity to say no. No, no, no, don't do it. Don't do it. 

Stacey Nash: But I would say that we still have those conversations where somebody will call and explain that they've sent money somewhere. And in some cases they actually still think it's legitimate. And, you know, in some cases they might even be worried about the person because they haven't heard from the person. And that's - those are the tough conversations where you have to kind of say, well, unfortunately, I'm pretty sure you never will. 

Dave Bittner: I think you bring up a really good point, which is that you would encourage people to call if they have a question, right? I mean, that's part of what you're there for. That's part of the service you provide. People shouldn't feel like they're taking up someone's time or bothering somebody if they have questions about these things. 

Stacey Nash: Not at all. Not at all. At all. Like, I would 1,000% rather take a call from somebody that says, you know, I read this. I got this text. I got this email. I received this robocall, whatever it is. 

Stacey Nash: You know, we're talking about romance scams, but regardless, any time you get something that sounds suspicious or you're about to do something, especially when it involves divulging personal information, financial information, geolocation information or money, I would check in with your financial institution, especially if it involves anything to do with your banking or your finances, because we've - unfortunately, we've seen most of them. And to your point, Dave, that's why we're here. 

Stacey Nash: The No. 1 mitigation we have against this, followed quickly by No. 2 - one - No. 1, though, is education, getting the word out, raising awareness, ensuring that people, to your point earlier, know that there isn't a reason to be embarrassed. Thousands and thousands and thousands of people fall for this on a regular basis, unfortunately. 

Stacey Nash: The second thing I would just say is, you know, hats off to our law enforcement community because, you know, they are fighting tirelessly with the banks to try and bring these criminals to justice. So those are the key things. You know, as much as this is happening, just trust that we're doing everything we can not only to protect people, but also to actually go after the people who are doing this whenever we can. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Great interview, Dave. Stacey makes a couple of interesting observations. Carding is going downhill because we're moving to more chips. It's not going away because you can still do online purchases - right? - so they still have value there. But it has become less profitable. And I love what she says here, that these guys aren't moving on to an honest job. 

Dave Bittner: Right. 

Joe Carrigan: Stealing's so easy, and I'm so good at it. It's the only thing I know how to do, so that's what I'm going to keep doing. They're going to move on to this litany of other things they can do, and they are opportunistic. Romance scams have evolved over time. They've gone to the next level because of these dating sites and social media. 

Joe Carrigan: And it's interesting that it's gone from an older-person scam to an all-ages show. And I think that is due, again, in large part to the fact that you now have these dating sites and social media apps out there. The attack surface for romance scams has expanded exponentially with the advent of these technologies. 

Dave Bittner: Right. 

Joe Carrigan: It starts slow. And this is a long game for a lot of these scammers. They have a pipeline. You know, they have to be working with - like in a sales organization where you do so many different cold calls every day, and then after you've done that, then you go and you nurture the next stage of your people, and at the end there's maybe two or three of these that pay out, right? And in sales, you think there's two or three big sales that you make. This follows the same kind of business model. These guys have to have that same functionality going on in their workflow and in their daily lives. 

Joe Carrigan: And they strike at exactly the right time. That's common among a lot of these social engineering attacks. These guys know when it's time to ask for the money and how much to ask for. 

Dave Bittner: Yeah. 

Joe Carrigan: And they may have done the reconnaissance in the course of building this relationship to find out how much money this person has. You know what I think would be hilarious, Dave, is if two of these romance scammers started working each other. I wonder if that ever happens. 

Dave Bittner: (Laughter) Right, accidentally. Yeah. 

Joe Carrigan: Right. 

Dave Bittner: I'll bet it does. It must. 

Joe Carrigan: Yeah, it must. It has to happen at some point in time. 

Dave Bittner: Right. 

Joe Carrigan: I liked a lot of Stacey's advice here. Protect yourself. If you haven't met in person, then don't connect with these people on social media. I like to have that on my Facebook account, right? Like, if I haven't met you, you're not friends with me on Facebook at all, period. But that's not the case for, like, LinkedIn or Twitter. People can follow you on Twitter. You don't have to connect back to them. 

Dave Bittner: Right. 

Joe Carrigan: And LinkedIn - I mean, I have close to a thousand connections on LinkedIn, and I haven't met most of these people, but a lot of them actually know who I am. They comment that they like this show and that's why they reached out. And I'm happy to connect with people who listen to the show. LinkedIn is a different kind of use case, I think. So I don't know. I'm OK with that on LinkedIn, but I'm not OK with that on Facebook. 

Joe Carrigan: The ask for the money is a big tip-off. The other things that are a big tip-off are stories that are too good to be true. We had a story a couple weeks ago about the guy who was scamming people in Los Angeles who was an entrepreneur, a Bitcoin investor, a Navy SEAL or Green Beret or something. 

Dave Bittner: Right, right. 

Joe Carrigan: I mean, all the things he added up, it was just too much, too much stuff, too much good stuff. 

Joe Carrigan: If you have a question, call somebody. I like what she says about that. I mean, she works for USAA, which is a - either a bank or a credit union. I can't remember which one. I think it's a credit union. Call them up and say, hey, I think this might be a scam. Somebody's trying to get in. They're happy to hear that call. They love hearing that call much more than they like hearing the call, hey, someone just scammed me out of $10,000, right? 

Dave Bittner: Right, right. 

Joe Carrigan: They'd much rather get that first call. 

Joe Carrigan: The No. 1 prevention for this kind of thing is education. You just have to educate yourself and be educated, know what's coming and be wise to the scam. 

Dave Bittner: Yeah, absolutely. Well, again, our thanks to Stacey Nash from USAA for joining us. We do appreciate her taking the time. 

Dave Bittner: We'd like to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.