Hacking Humans 10.7.21
Ep 168 | 10.7.21

Measuring security awareness proactively.

Transcript

Zack Schuler: The new world of thinking is, how do we measure security awareness on a proactive basis instead of a reactive basis?

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Zack Schuler from NINJIO. We're going to be talking about measuring the effectiveness of security awareness training. 

Dave Bittner: All right. Joe, let's go ahead and jump right into our stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from KGO all the way out in San Francisco. 

Dave Bittner: OK. 

Joe Carrigan: It is a story about a woman named Page Pollack, who is a school nurse with the San Carlos School District out there. 

Dave Bittner: OK. All right. 

Joe Carrigan: It's right in the Bay Area, just south of the big San Francisco area. That's a beautiful area. You ever been out there? 

Dave Bittner: I have. Yeah, it's very nice. 

Joe Carrigan: The redwoods are amazing. 

Dave Bittner: Yes. 

Joe Carrigan: She was getting ready to go back to school, right? And she is a school nurse for, like, eight schools... 

Dave Bittner: OK. 

Joe Carrigan: ...Because for some reason now, there's one nurse for a multiple amount of schools here. And she was also on her way to catch a plane to Utah to visit her kids. And she gets a text message on her phone, saying, Bank of America fraud alert. Did you just attempt a Zelle transaction of $3,500? Please reply yes or no. She goes, I didn't attempt a Zelle transaction for $3,500 - no. 

Dave Bittner: OK. 

Joe Carrigan: And as soon as she responds, no, her phone rings. And the caller ID says Bank of America, right? She answers the phone. And a very friendly man, says, oh, you didn't authorize this transaction? And she says, absolutely not. And he says, well, get your mobile app open. We're going to get your $3,500 back. 

Dave Bittner: Wow. 

Joe Carrigan: I'm sure listeners to this show already know how this is going to end for... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Ms. Pollack. But it turns out that the man walks her through a series of button presses on the Zelle mobile payment app, and then he puts her on hold. And at this point in time, she says she gets panicked because she had to get onto an airplane. And her flight was leaving, and something about the call wasn't - was starting to not sit right with her. So as she boarded the plane, she checks her Bank of America app on her phone. And sure enough, there's a transfer for $3,500 on the phone - on the app, rather. 

Dave Bittner: Uh-oh. Yeah. 

Joe Carrigan: So she calls Bank of America immediately from her seat on the plane. And because it's a large global bank, they have fantastic customer service and someone's right there to talk to her, right? No, of course not. No. She's sitting on hold. 

(LAUGHTER) 

Joe Carrigan: And she gets put on hold for long enough that the flight attendant comes over and tells her to take - put her phone away because it has to be in airplane mode to take off. 

Dave Bittner: Right. 

Joe Carrigan: Right? She says the flight attendant was not empathetic at all. I can completely relate to that. 

Dave Bittner: Yeah. Well, rules are rules. 

Joe Carrigan: Rules are rules. 

Dave Bittner: I mean, you can't... 

Joe Carrigan: That's true. 

Dave Bittner: You can't mess with the FAA, right? 

Joe Carrigan: Right. And chances are, once that plane gets to about 10,000 feet, you're going to lose connection anyway, you know? 

Dave Bittner: Right. Right. 

Joe Carrigan: And that's going to happen fairly quickly. So when she finally lands in Salt Lake City, she gets on the phone with Bank of America again, submits a dispute with Bank of America. A month later, Bank of America comes back and says, nope, that is not - we're not going to reimburse that. And the reasoning they gave, Dave - get this - the payee did not approve the return of the money, and their recommendation is we recommend you try to contact the person directly. 

Dave Bittner: OK. 

Joe Carrigan: So the bank - Bank of America says, we talked to the scammers, and they said they're not going to give your money back. We recommend you talk to them (laughter). 

Dave Bittner: Listen, thank you for visiting our police station here. We think you should go down to the guy who mugged you... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...And just ask him politely for the money back. 

Joe Carrigan: Exactly. 

Dave Bittner: OK? 

Joe Carrigan: Well played, Bank of America. Good customer service there. 

Dave Bittner: Huh. 

Joe Carrigan: Now, of course, when KGO gets involved, they call Bank of America, and they say that this was fraud, not a legitimate transaction. And the next day, Ms. Pollack gets a call. And it says it's coming from Bank of America. And she goes, no, no, you can't fool me on this one. 

Dave Bittner: (Laughter) Oh, no. 

Joe Carrigan: Right? But it actually is Bank of America calling her back. So - but she does it the right way this time. She calls in to Bank of America and says, I just got a call purporting to be from you. Was it you guys trying to get in touch with me? And they said, yes, we're going to refund your money. 

Dave Bittner: Oh, good. 

Joe Carrigan: OK, so she did get her money back. She was made whole. 

Dave Bittner: Right. 

Joe Carrigan: The media had to get involved in order for that to happen, though. 

Dave Bittner: Yeah. 

Joe Carrigan: So that's not going to happen for everybody, because if the media went around and covered every single scam story that banks didn't make a person whole on, there would be no time for any other news. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Additionally, I'm not sure that Bank of America should be the - is the culpable party here. You know, Ms. Pollack set up Zelle to access her Bank of America account. I think Zelle is the more culpable party. 

Dave Bittner: Well, my - you know, it's funny. I had - just recently, I set up Zelle on one of my accounts. And as I was doing that, it struck me, like, how does Zelle make any money? Because neither the person who sent me money or me receiving money had to pay any fee. So that seemed odd to me (laughter). 

Joe Carrigan: Is there a delay in the money being transferred? 

Dave Bittner: No, it's pretty much instantaneous. And it turns out Zelle is owned by a consortium of the big banks. 

Joe Carrigan: Oh, OK. 

Dave Bittner: So I'm guessing - I don't know this for sure, but I'm guessing that Bank of America is one of the banks that has... 

Joe Carrigan: A stake in it, yeah. 

Dave Bittner: ...An interest in Zelle. Yeah, yeah. So that's interesting. 

Joe Carrigan: 'Cause I looked up who owns Zelle this morning when I was researching this. 

Dave Bittner: Yeah. 

Joe Carrigan: And it said it was owned by some corporation. I don't know what that corporation is. But I was wondering - I thought it was owned by, like, Capital One or something. But it isn't. It's owned by something else, and you're saying that's a group of banks, maybe. 

Dave Bittner: I believe so, yeah. 

Joe Carrigan: OK. 

Dave Bittner: That's what I found out. I reserve the right to be wrong, but... 

Joe Carrigan: Of course. Well, I'm going to have to try it because... 

Dave Bittner: ...(Laughter) It's my understanding. 

Joe Carrigan: ...I've been trying to get Venmo to work, and it just doesn't work for me. So I'm going to have to switch to Zelle. 

Dave Bittner: Yeah, yeah. Actually, my son sent me some money, and it just came right through. He sent me a text message; he said, I'm sending you money. And then he sent me the money, and I got a text message from my bank that said, your son just sent you some money (laughter). I was like... 

Joe Carrigan: Oh, it shows up directly in your bank account. 

Dave Bittner: Yeah, just shows right - there it is, just right there, ready. And I didn't have to wait to use it or anything like that. So with my one single experience so far, I'm a satisfied Zelle customer (laughter). 

Joe Carrigan: Right. 

Dave Bittner: So take that sample size for what it's worth, which is nothing (laughter). 

Joe Carrigan: Yes. And take my sample size on Venmo for what it's worth, too. 

Dave Bittner: Right. 

Joe Carrigan: It doesn't work for me maybe because I'm an old man, and things just don't work for us anymore, Dave. 

(LAUGHTER) 

Dave Bittner: That's right. That's right. So back to this story, though. 

Joe Carrigan: Right. 

Dave Bittner: I mean, I guess - were there any red flags that she could have - that should have indicated to her that something was amiss here? 

Joe Carrigan: That's a good question, Dave. I was thinking about this during the time - as I was preparing the story. And this is a good scam, a high-quality scam. They sent out these text messages en masse, I'm sure. 

Dave Bittner: Right. 

Joe Carrigan: And the fact that she responded no to the text message alerted them that she was probably both a Zelle user and had a Bank of America account. 

Dave Bittner: Right. 

Joe Carrigan: Right? Because I don't have a Bank of America account or a Zelle account. If I get one of these text messages, I'm going to ignore it. I'm going to go, that's a scam. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But somebody who has both of these - and there is a - probably a fairly high percentage of people, maybe 10% of people - that's a guess. But, you know, it doesn't matter how big that percentage is; it's large enough to elicit an emotional response. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, you hit the right person - and they caught this woman right at the right time, as she's getting on a plane. 

Dave Bittner: Right. Right. The timing was right, too. 

Joe Carrigan: The timing was perfect for these guys. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Unfortunately for Ms. Pollack, it wasn't perfect; it was the worst possible time to get one of these. The only way I think that she could have done anything differently was rather than answering the call and following the instructions that somebody on an inbound call tells you to follow, is to say, you know what? I'm going to call you right back at the number I have on file for you. And that's - that would have prevented this. 

Dave Bittner: Yeah, yeah. Right. 

Joe Carrigan: But other than that, no, I don't know what else could have been done. But that's one of the reasons we say, be careful. These phone numbers can be spoofed very easily. 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody - it can show up like they're calling from Bank of America. There needs to be a technological solution to this implemented fairly soon, and I believe it's possible. I don't know how it would work, but I don't have any doubt that it could be done. 

Dave Bittner: Yeah. 

Joe Carrigan: And the other thing is - don't give information or do anything based on an inbound call. Never do that. That's just bad practice. Call the person back. It's 100% OK every single time to say, you know what? I'm not comfortable proceeding like this. I'm going to call you back on the number I have on file for you. 

Dave Bittner: Right, right. Yeah. And I would say also, though, someone trying to walk you through something like this on your mobile device or your computer, that typically doesn't happen either. 

Joe Carrigan: Right, right. 

Dave Bittner: You know, so that would be - I don't know if that's a huge red flag, but it certainly would raise my suspicions. 

Joe Carrigan: Yeah. Well, here's the thing, Dave. She had already had her cognitive narrowing enacted, right? She's in a bad state when they call her, and she's already got the text message that's panicked her. 

Dave Bittner: Right. 

Joe Carrigan: So she's not thinking clearly when this happens. 

Dave Bittner: Yeah. 

Joe Carrigan: This is how this works. 

Dave Bittner: Yeah. 

Joe Carrigan: And it was very effective. 

Dave Bittner: Yeah, absolutely. Well, I mean, I'm glad she got her money back. 

Joe Carrigan: Yeah, me too. 

Dave Bittner: It's a shame that she had to go through, you know, the local TV station to get it done. But all's well that ends well, I suppose. And a good lesson for all of us. 

Joe Carrigan: Indeed. 

Dave Bittner: All right. Well, my story this week, I think it's fair to say, is a rather harrowing tale. This comes from the San Francisco Chronicle. It's - the author of the article is Carolyn Said, and the title is "He Held Me Hostage With No Gun But With His Words: The Phone Scam Gaslighting Therapists." And evidently, this is a common phone scam. It's the story of a woman named Jaime Bardacke, and she is a licensed therapist. That is her profession. And she got a call on her phone that said it was from the local sheriff's office. 

Joe Carrigan: OK. 

Dave Bittner: She answers the phone. And this isn't surprising to her because, as a therapist, sometimes she has to deal with legal issues with her clients. So she sees that this call came in. She actually got a message about - a message from someone claiming to be from the San Mateo County Sheriff's Office and saying, please return my call. This is about a legal matter. 

Joe Carrigan: Right. 

Dave Bittner: So this all adds up to her - nothing unusual. She calls back. The man identifies himself as Lieutenant Reid (ph) from the office and asks her why she failed to testify at a trial after having signed a subpoena saying that she would appear and that there was an order to arrest her for contempt of court. Now, she was concerned because she has in the past been subpoenaed as an expert witness. And she was concerned that this could affect the status of her license, which is her livelihood. 

Joe Carrigan: Right. 

Dave Bittner: So she tells the man on the phone she's never received a subpoena, and he said that she'll have to come to the sheriff's office and sign her name to prove that her signature had been forged. And when that was done, she could be on her way. Now, she Googled the caller's name and the address that he had given her. And sure enough, there was a police officer with that name, and the address was for the sheriff's office. 

Dave Bittner: So the caller tells her that this is a federal case. And the judge has issued a gag order, so he can't say anything more about it but that he's been authorized to bring her in and - but that she'll need to post bail with the federal government. And she'll be reimbursed once they prove her signature was forged. And as they're talking, she can hear noises in the background. It sounds like he's at a police station. She hears, you know, chatter in the background, phones ringing, things like that. 

Joe Carrigan: Right. 

Dave Bittner: He tells her it's $6,000 bail. And she says, well, I don't have $6,000 on me. 

Joe Carrigan: Right. 

Dave Bittner: And he says, well, that's OK. I can tell you how to get it, and you'll be reimbursed as soon as you come into the station to identify yourself and verify everything. So she's a little - at this point, she's starting to feel funny about this. And she tells the caller that she wants to call a friend who's a lawyer. 

Joe Carrigan: Right. 

Dave Bittner: And the caller says, I'm sorry, but once you're on the phone with me, you're not allowed to get off because you're considered a flight risk. This phone call is being monitored, and you're not allowed to send a text message or make any calls about this case because it's in violation of the gag order. 

Joe Carrigan: That's a little bit of isolation right there; isn't it? 

Dave Bittner: He says - the caller says if she has any interaction with a police officer, she'll be taken into custody and held at least 72 hours before the warrant can be lifted. So we're turning up the heat here, right, Joe? 

Joe Carrigan: Right, right. 

Dave Bittner: She says she's scared. She's not sure how she's going to get the money. This seems like an outrageous request. But she also knows that she's had clients who were forced to spend time behind bars because they couldn't post bail. 

Joe Carrigan: Right. 

Dave Bittner: So the man says, if you want to spend 72 hours in jail, that's your choice. I can stop helping you - interesting choice of words there. 

Joe Carrigan: Yeah. He says that because - that is an interesting choice of words. I'm going to hold reservation - I'm going to withhold comment on that until the end of the story here. 

Dave Bittner: Yeah. So the caller tells her to go to a nearby ATM. Her daily withdrawal limit was only $800. And he says, well, you can get on your mobile app and up the limit. So she does that, and she's able to withdraw $1,500. 

Joe Carrigan: Right. 

Dave Bittner: The caller tells her to - wait for it, Joe. 

Joe Carrigan: I'm going to guess. Can I guess this one? 

Dave Bittner: (Laughter) Yes, please. 

Joe Carrigan: Buy some gift cards. 

Dave Bittner: Ding, ding, ding, ding, ding, ding, ding. Right. 

Joe Carrigan: OK. 

Dave Bittner: Tells her to go to a Safeway and buy some prepaid Visa cards with the money. 

Joe Carrigan: Right. 

Dave Bittner: Now, here's an interesting twist that I had not heard of before. He says she would need to send the cards via designated mailboxes that had arrangements with the Department of Treasury to serve as drop boxes. 

Joe Carrigan: Interesting. 

Dave Bittner: She wouldn't need to put postage on the envelope. Just his name and badge number would suffice. He told her where to find one of the mailboxes. Finally, she found the mailbox. It just looked like a regular old blue postal mailbox to her, but he insisted it was a special box. And he told her before she puts the card in the mailbox, she had to read him the card number, scratch off the covering on the PIN and read those aloud, too, right? 

Joe Carrigan: OK. 

Dave Bittner: So what's going on here? She's - basically, she's giving him all the information off the cards. 

Joe Carrigan: Right. And he's... 

Dave Bittner: The cards are useless after that. 

Joe Carrigan: Right. And she's just disposing of the evidence. 

Dave Bittner: Right. She's just putting in the cards in the mailbox. Nothing - they're going to get thrown away. 

Joe Carrigan: Right. 

Dave Bittner: But she's already given him all the information he needs from the cards... 

Joe Carrigan: Right. 

Dave Bittner: ...To get the money off of the cards. The entire time, he just... 

Joe Carrigan: I think... 

Dave Bittner: ...Keeps talking, leading her along. 

Joe Carrigan: I think that that is to keep her from being able to get the money back - right? - because you're going to need those numbers to get that - maybe. Do you need those - I don't know. Maybe. 

Dave Bittner: Yeah. You - I think you would need the numbers. Yeah. 

Joe Carrigan: So... 

Dave Bittner: You need the cards. That's an interesting thing. It'd be a lot harder for her to get - she can't get the money back if she doesn't know the numbers... 

Joe Carrigan: Right. 

Dave Bittner: ...Because she never wrote them down. 

Joe Carrigan: Right. 

Dave Bittner: That's a good point. I hadn't thought about that angle. Ooh - interesting. So, again, he is just weaving a spell on this woman. 

Joe Carrigan: Right. 

Dave Bittner: She says he had a whole rhythm of working me up into a state where I couldn't think straight. 

Joe Carrigan: Right - again, the cognitive narrowing. 

Dave Bittner: Right. So we're about two hours into this. After she's received the voicemail, he's telling her to go to other stores for more prepaid cards. 

Joe Carrigan: Right. He's got her - got a live one, and he's going to continue to... 

Dave Bittner: Yup. 

Joe Carrigan: ...Exploit it. 

Dave Bittner: She visited a 7-Eleven, a Target, a CVS, another Safeway. At a Rite Aid, she says the clerk looked her in the eye and slipped her a preprinted flyer that said, are you a victim of a scam? 

Joe Carrigan: Right. 

Dave Bittner: And the flyer listed common scams, including one where someone says you have to post bail bond. 

Joe Carrigan: Right. 

Dave Bittner: And she says, that was the closest I came to ending it. Instead, I walked away from the counter and told the guy on the phone. The guy on the phone said he could prove he was legit by calling her back from his desk phone. He told her to Google the sheriff's office number. And sure enough, her phone rang a minute later, seemingly from that number. 

Joe Carrigan: Again, spoofed caller ID. 

Dave Bittner: Yep. 

Joe Carrigan: Right. 

Dave Bittner: And she didn't know that this was possible. She didn't know that someone could falsify the caller ID. 

Joe Carrigan: Right. 

Dave Bittner: So the scammer said, Jaime, how could I call you from this number if it was a scam? 

Joe Carrigan: Right. 

Dave Bittner: And she says he made her feel guilty for doubting him. Now, it's 11:00 at night. 

Joe Carrigan: Yeah. 

Dave Bittner: She's exhausted. She's bought $6,000 worth of prepaid cards, and she's read the numbers, and she's put them in the mail. 

Joe Carrigan: Right. 

Dave Bittner: Now she thinks she has to go to the sheriff's office, and it'll all be over. 

Joe Carrigan: Right. 

Dave Bittner: Here's where it gets horrific. 

Joe Carrigan: It gets worse? 

Dave Bittner: It gets much worse. 

Joe Carrigan: Ugh, OK. 

Dave Bittner: The man says, before you get here, I have to warn you, you'll be the subject of a strip search and cavity search when you arrive. 

Joe Carrigan: Ugh. 

Dave Bittner: And we don't have a female officer, so I'll be doing it. 

Joe Carrigan: Ugh. 

Dave Bittner: She panics, and she says, no, no, this can't be true. 

Joe Carrigan: Right. 

Dave Bittner: He says, I tell you what. I will help you. There's that phrase again. 

Joe Carrigan: Uh-huh. 

Dave Bittner: Instead of an in-person search, she can go to a bathroom at a nearby drugstore and video herself doing the search. 

Joe Carrigan: Ugh. 

Dave Bittner: She drives to the CVS. She's sobbing at this point. She begs the manager to let her in the bathroom, saying it was an emergency. She couldn't get the phone to work. And she realized that she couldn't do this herself. She decided instead that she would just let him search her. 

Dave Bittner: So she drives to the address that he gave her. And when she gets there, it's a closed-up office building. There's nothing there. 

Joe Carrigan: Right. 

Dave Bittner: There's no one there. And that's when she knew it was a scam. 

Joe Carrigan: OK. So nothing physical happened to this woman? 

Dave Bittner: No. 

Joe Carrigan: OK. 

Dave Bittner: Luckily. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. But still, she was in the process of trying to videotape herself. 

Joe Carrigan: So not only did this piece of human garbage... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Scam her out of six grand... 

Dave Bittner: Yup. 

Joe Carrigan: ...Now he wants to humiliate and degrade this woman. 

Dave Bittner: Yeah. Yeah. And who knows what other extortion this could lead to. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: And what else? So yeah. And I - like, you know, you and I are sitting across the desk from each other. 

Joe Carrigan: Right. 

Dave Bittner: And we're both breathless at - because I think this is a level of despicability that I don't think we've dealt with with these sorts of scams before. 

Joe Carrigan: Right. 

Dave Bittner: And I haven't heard of this sort of thing before. 

Joe Carrigan: I get people scamming other people out of money, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But then to pile this on top of that, that's... 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know. I don't know why - I mean, I know why it angers me, I just can't put it into words right now. 

Dave Bittner: Yeah. Yeah. It's - like I said, it is harrowing and horrific. 

Joe Carrigan: Yeah. 

Dave Bittner: That may be two words for the same thing. I don't know. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) But... 

Joe Carrigan: Ugh. 

Dave Bittner: So she's out $6,000. 

Joe Carrigan: Yup. She's out six grand. 

Dave Bittner: You know, she narrowly escaped this being taken to a whole nother level. 

Joe Carrigan: Right. 

Dave Bittner: And this is a smart woman. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: Well-educated, you know - this is not - someone who understands how people's minds work, right? 

Joe Carrigan: Yeah. 

Dave Bittner: Who better than a therapist to know - to be able to sense if you're being manipulated. 

Joe Carrigan: Right. 

Dave Bittner: And yet, here we are. 

Joe Carrigan: Exactly. And this is why one of the things we say is don't blame the victim here. 

Dave Bittner: Right. 

Joe Carrigan: You know, she - what happened to her was somebody exploited her physiology, you know, that we all have, and they hit on something with her. They probably went to court records to see people who had testified before and got those court records. 

Dave Bittner: Yup. 

Joe Carrigan: And then targeted her specifically with this threat. 

Dave Bittner: Yeah. 

Joe Carrigan: This probably involved a good deal of research. 

Dave Bittner: Yeah. 

Joe Carrigan: It's information that's freely available. I mean, there are a number of red flags that you and I see sitting here at the desk, not on the phone with somebody telling us we're about to be arrested. 

Dave Bittner: Right. 

Joe Carrigan: And I - this is what I wanted to talk about earlier. When the police officer - and this is actually something that police officers do, is they say, I'm trying to help you. And they're really not trying to help you. I'm not trying to come down on police. It's an investigative technique. 

Dave Bittner: Right. 

Joe Carrigan: They say, I'm trying to help you. And really, what they're trying to do is actually build a case. Because remember, anything you say to a law enforcement officer can and will be used against you in court. 

Dave Bittner: Right. 

Joe Carrigan: It'll never be used for you. 

Dave Bittner: (Laughter) Well, yeah. And so they're trying to build rapport. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: So, I mean, the fact that the guy says, I'm trying to help. You can spend time in jail. Actual cops do that. They say, you know, if you want to talk to your lawyer, fine. You're going to wait in jail until your lawyer shows up. How long's that going to be? 

Dave Bittner: Right. 

Joe Carrigan: You know? 

Dave Bittner: Maybe we can avoid all that. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: The answer to that question is always, I'll wait in jail till my lawyer shows up. That's the answer... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Even if you're dealing with an actual cop. Don't... 

Dave Bittner: Yeah. 

Joe Carrigan: You know, you're entitled to remain silent here in America at least... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And in most of the countries around the world. And you're always entitled to say, I want to talk to my lawyer... 

Dave Bittner: Yeah. 

Joe Carrigan: ...About this. And it doesn't matter - and even in the worst-case situation, yeah, you might be put into a local jail for a little while until your lawyer shows up or until a bail bondsman shows up, but - and that's another option as well. If you have - if you owe money for bail, you can actually pay a bail bondsman to come in. So in this case, she would have had to post a $6,000 bond. A bail bondsman is going to charge you $600 to post that bond for you. 

Dave Bittner: Right. 

Joe Carrigan: Right? But what would have happened here is the bail bondsman would have said, this is a scam; hang up the phone. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. Well, so after all this was said and done, she called 911. She went to the San Francisco police station. 

Joe Carrigan: Yeah. 

Dave Bittner: The officer filed two reports, one for a financial crime and one for a sexual crime. 

Joe Carrigan: Good. OK. 

Dave Bittner: They said the calls were from a burner phone, and she had no recourse on the financial side because she had taken the money... 

Joe Carrigan: She'd taken cash out and... 

Dave Bittner: She'd taken the money out herself. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. But here's an interesting element here. She reached out to some of her local colleagues, and she said about 15 of them said they had been victimized by a similar scam. 

Joe Carrigan: Really? 

Dave Bittner: So it seems as though they are targeting therapists. 

Joe Carrigan: Therapists who have probably all testified in court. 

Dave Bittner: And it's - yeah. And this article points out - they say, you know, a threat to a therapist's license is a powerful motivator... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Because that's their livelihood. And it also said that therapists are committed to trying to understand other people and see their humanity, so they have a lot of empathy. And that's what this bad guy is exploiting, is that natural empathy... 

Joe Carrigan: Yep. 

Dave Bittner: ...That these people have by - and they're sort of pre-filtered into that because you think therapists are going to have a certain amount of emotional intelligence, emotional availability, right? 

Joe Carrigan: Right. See; now, I've never been called to testify in court or asked to testify on cybersecurity matters or other computer science matters. 

Dave Bittner: Yep. 

Joe Carrigan: But I know people who have been. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know how this would impact me. I'd like to think that if somebody called me and said, you know, Mr. Carrigan, you didn't show up for court, we're coming to arrest you - I'd be like, yeah, I'll see you when you get here. 

Dave Bittner: (Laughter). 

Joe Carrigan: But I don't know. I - this might work on me. 

Dave Bittner: Yeah. 

Joe Carrigan: This might be something that got me thinking. But I - hopefully, hopefully, future Joe... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...You should always say, I'll call you right back at the sheriff's office number. 

Dave Bittner: Yeah. Or just hit - just don't - just hang up. And if they... 

Joe Carrigan: Right. 

Dave Bittner: 'Cause they're going to call back, right? 

Joe Carrigan: Right. 

Dave Bittner: And you could just say, oh, I don't know what happened; the call must have been dropped. 

Joe Carrigan: Yeah. 

Dave Bittner: Or let them go to voicemail while you call your lawyer - you know, whatever (laughter). 

Joe Carrigan: Right. Yeah, exactly. 

Dave Bittner: Yeah. Just interrupt the call. 

Joe Carrigan: But good on the Rite Aid employee, by the way, handing her a flyer. Everybody that sells gift cards should do this. 

Dave Bittner: Yeah. Yeah, it's good to see that the - there's increased awareness and effort there on that side of things to sort of cut this down. 

Joe Carrigan: Yeah, I meant to call out - I took a picture of - at Lowe's a while ago. 

Dave Bittner: Yeah. 

Joe Carrigan: And they had a big piece of paper up that said, here's how gift card scams work. So more and more merchants are doing this. 

Dave Bittner: Right, right. Yeah, it's in their best interest. 

Joe Carrigan: Right. It is. 

Dave Bittner: And it's good for everybody. All right, well, that is my story. We will have a link to all of our stories in this episode's show notes. And of course, we would like to hear from you. If you have a story you would like to share with us, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from our very own "Hacking Humans" senior producer Jennifer Eiben. She received an email from somebody calling themselves Henry PayPal (ph). Hi, I'm Henry PayPal, founder of PayPal. That's why it's called PayPal 'cause my name is Henry PayPal. 

Dave Bittner: (Laughter) Right. I suspect he often goes golfing with Betty Mastercard (ph) and... 

Joe Carrigan: (Laughter) Charlie Visa (ph). 

Dave Bittner: Yeah, Calvert Visa (ph). Yeah, exactly. Sure. 

Joe Carrigan: The Visa brothers. Got it. 

(LAUGHTER) 

Joe Carrigan: Dave, why don't you read this email? It's essentially just an invoice, but some of the things are pretty good. 

Dave Bittner: Yeah. It says, customer name - Jennifer Eiben. Payment method - credit card. Order for pickup. Order ready Tuesday. Skip the line, and simply grab your order from our pickup station or counter inside. And here's the order - one kids' spud, five times $13.99 for a total of $69.95. Includes cheddar jack cheese, chips, sea salt, spud chips, one Sprite, four Sprites. Four times $11.69. That's $46.79. 

Joe Carrigan: How much... 

Dave Bittner: Joe, that must be a heck of a Sprite. 

(LAUGHTER) 

Joe Carrigan: I'm, like, wondering how much these people think Americans spend on Sprite. 

Dave Bittner: Right. I don't know. But that Sprite better have some THC in it or something (laughter). 

Joe Carrigan: Right. I mean, that's the price of a mixed drink here in a lot of restaurants. 

Dave Bittner: Yeah. OK. And there's more, more kids' spuds, four at $13.99 each for a total of $55.96. That includes sour cream, cheddar jack cheese, steamed broccoli. Also, kids' unsweetened tea - six of these at $11.96 each for $70.14. 

Joe Carrigan: At least their drink prices are consistent, Dave. 

Dave Bittner: Here's another good one. Chocolate chip cookies - seven at $11.75 apiece for $82.25 of chocolate chip cookies. It's got to be the best dang chocolate chip cookie you've ever had in your life. 

Joe Carrigan: That's right. 

Dave Bittner: So it's a subtotal of $325.09 plus taxes and fees. Grand total - $336.38. Thank you for ordering with PayPal. For order issues, please contact PayPal team at - and there's an 800 number where - I wonder what happens when you call that 800 number, Joe. 

Joe Carrigan: Oh, that's where that scam starts, Dave. 

(LAUGHTER) 

Dave Bittner: Man. 

Joe Carrigan: I need to get a burner phone to start calling these people. 

Dave Bittner: Yeah. You know, the thing is, too, this would - I could see this working on some people, but also, how hard would it be for them to find out what a Sprite costs (laughter)? 

Joe Carrigan: Right. Or maybe that's part of the plan, right? Like, the hope was that Jennifer would see this and go, what idiot thinks I'm going to pay - I'm not buying this - and then calls the number. 

Dave Bittner: Right. Right. 

Joe Carrigan: And that's of course - that might be part of the psychological hook here, is that you're buying really expensive food, like potatoes and soda and tea are going to cost you $300 (laughter). 

Dave Bittner: Yeah, yeah. And I think that's the thing. I'm sure - you call that number, they're going to ask you for all your banking information, and that's the ballgame. 

Joe Carrigan: They may even ask you to log on to your computer. 

Dave Bittner: Yeah, yeah. Right. All right. Well, that's a good one. And of course, we thank our dear friend, Jen Eiben for sending that to us. We do appreciate it. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Zack Schuler from NINJIO. And our conversation focuses on the effectiveness of security awareness training. Here's my conversation with Zack Schuler. 

Zach Schuler: The cybersecurity awareness industry is a growing industry for obvious reasons. There are more companies coming into the industry. Traditionally, cybersecurity awareness training has been a check-the-box exercise for the lion's share of organizations that are out there kind of regardless of size. And I think when you get larger in size as an organization, it becomes more of a check-the-box exercise. 

Zach Schuler: And so as the years have rolled on, some of the more sophisticated cybersecurity awareness companies have done a better job of getting people out of the check-the-box mentality and have figured out that they actually need to educate people because humans, depending upon what you read - whether it's Verizon data breach investigations report, DBIR - I don't know - always remember what the I stands for... 

Dave Bittner: (Laughter). 

Zach Schuler: ...Or Ponemon Institute or whatever you read, you know, human error is 85- to 95% of the issue, right? And so if you can attack human error and you can make a big dent on human error, then you've done a great job. 

Zach Schuler: When I view the industry, I kind of look at it - I look at the players in sort of like two different classifications. First classification, I call them kind of phishing-first organizations. These are companies who, you know, their clients are companies who believe that security awareness training should be done through simulated phishing, trying to attack the employee. And then, you know, if they fall for the attack, you serve training up after the attack that they've fallen for, hopefully, that's semi-relevant to the attack. 

Zach Schuler: More recently, there have been organizations that have entered the market. You know, we were - I'd like to call us one of the first if not the first. I think we got into microlearning and, you know, microlearning through storytelling in the cybersecurity awareness space first. You know, I call us and a few others content-first companies. 

Zach Schuler: And so instead of saying, all right, we are going to test our people and then train them based on the results of the test, there's an opposite kind of philosophy. And that is like you would walking into your first day of university, you would say, we are going to train people before we give them the test, right? And so that's kind of our theory is that we want to give people really good, memorable training that they can retain. And then you phish them after the fact, and, you know, you see how well they do. And that can be measured in several different ways. So that's kind of my purview of, you know, how the industry sits today. 

Dave Bittner: And in terms of the customers who are purchasing these various types of security awareness training programs, how are they measuring success within their own organizations? How do they know that the investment they're making here is making a difference? 

Zach Schuler: So security awareness is one of those really interesting things, right? If you dump $100,000 into a marketing channel and that $100,000 produces a $500,000 return, it's really easy to measure our ROI or ROIC. With respect to security awareness, you have to measure, what is the decrease in risk that we have created through our security awareness program? 

Zach Schuler: And so the traditional measures for that, especially in the phishing-first kind of organizations - traditional measures have been, we launch a simulated phishing attack, and how many people take the bait? And we did a study on that a couple of years ago with one of our clients who was considered by DHS a critical infrastructure company. Long story short, they did a phishing attack on them, this organization being a client of ours for four years, and one out of 600 people that were targeted in the attack took the bait. We felt really good about that. And, you know, the organization did as well. 

Zach Schuler: And so traditionally, that's been a form of measurement. I think that still should be counted as a form of measurement, but not necessarily the primary form of measurement. And the reason is, it's a reactive measurement. And so you cannot make the assumption that if somebody didn't fall for the attack, maybe they never saw it. Maybe it was an email that came through and it's sitting at the bottom of their inbox somewhere and they haven't seen it. I mean, I'm sure you've gotten on the phone with lots of people and they've got, you know, 7,028 messages that are unread. 

Dave Bittner: (Laughter). 

Zach Schuler: They never fell for the phishing attack because they never got it in the first place, right? 

Dave Bittner: Right. Right. 

Zach Schuler: And so, you know, you can't guarantee that it gets - that that attack gets set right in front of their plate and that they have the option to take a bite or not. I still think it's a valid measurement because it does give you an idea. It can spot trends and stuff like that. But the new world of thinking is how do we measure security awareness on a proactive basis instead of a reactive basis? 

Zach Schuler: And so from that perspective, one of the things that we are paying now a lot of attention to is how many people report phishing attacks, right? Because, you know, over the course of the day, whether they're simulated or not, you're going to get them, you're going to see them. And if you get an employee who is consistently reporting legitimate phishing attacks and you start to create a culture of reporting phishing attacks, you're really showing a proactive behavior, I think, that's a leading indicator on how pervasive has security awareness culture become inbred into the organization. And so, you know, we like to look at proactive measurements like that. 

Zach Schuler: Another one that has been done in the past for measuring the success of a program is, what has the engagement been in the training, right? And so, you know, we're big on engagement. We want to make sure that every single person at every single organization we serve is watching every single episode that we release. We release a new episode every month. We want every employee watching those episodes, getting to the end - they're three to four minutes long - getting to the end, completing a one-question multiple choice, multiple answer quiz and moving on with their day and hopefully retaining that information, right? So that's a good measurement. 

Zach Schuler: Companies - it's kind of a 50-50 split. Some organizations make that training mandatory. In other organizations, they might have their one-hour internally produced death-by-PowerPoint security awareness training made mandatory. And then the voluntary training is NINJIO on a monthly basis. 

Zach Schuler: So when that's the case, that could actually be pretty critical because if you are being served up NINJIO on a voluntary basis, but you're still engaging and you're still taking in the training, that is a phenomenal proactive measurement to see who is actually self-motivated on a voluntary basis to want to learn more about how to protect themselves and how to protect their organization. If NINJIO has been made mandatory - and it's either getting rolled out through our cloud-based LMS or through a client's learning management system or some other delivery mechanism - but then they put up optional episodes maybe up on Slack, maybe in Stream or maybe on their, you know, security on their SharePoint Portal. 

Zach Schuler: These are the, you know, optional episodes that you can watch to learn more. If you're measuring how many people are actually going out and they - you know, you meet the learner where they are, right? So they're on Slack, they see an episode come through, and you can measure how many people are watching that on a voluntary basis. That is another amazing indicator of how security awareness culture has ingrained itself into the organization. 

Dave Bittner: You know, I've seen a number of particularly security professionals sort of turn their nose up at the whole idea of security awareness training. They make the point that this shouldn't be necessary, that if the security pros are doing their job, then the training would be irrelevant. How do you respond to that attitude? 

Zach Schuler: It's an outdated attitude. Security awareness is everybody's responsibility. I don't care how good your secure email gateway software is. I don't care what blinking lights you have in your data center or what blinking lights you've outsourced to another organization that is supposed to, quote, unquote, "keep your organization secure." At the end of the day, as quickly as technology companies innovate, hackers are innovating just as quickly, if not more quickly. 

Zach Schuler: So what does that mean? It means that attacks are going to come across your desk, either as phishing attacks, as smishing attacks, as watering hole attacks, as SMS hijacking attacks. You're going to see them now. And the security department is not going to be able to stop everything, right? They do a great job in, you know, stopping perhaps 99% of the attacks that come through. But I hate to make the analogy - it's like the analogy of a terrorist, right? It only takes one. And that's the reality today is that it only takes one. 

Zach Schuler: And for anybody that, you know, kind of puts their nose up at security awareness training, you know, as an effective tool in keeping an organization more secure, they're just not living in reality today. Now, I would say either that's the case or their past experience with security awareness training, maybe with, you know, an older-school provider with an older mentality, maybe they just haven't seen any actual results. And so, you know, that could be the reason for, you know, kind of say, yeah, it's not worth the money - right? - because they've had - they haven't had positive experiences. 

Dave Bittner: I sort of liken it to if you're a shopkeeper or, you know, you have a small business and even just a handful of employees - that it's everyone's responsibility to look after the security of the shop, you know? You can't - if someone walks in the door and starts taking merchandise out the door, everyone needs to help put a stop to that. It's not to say that, you know, every employee is going to be the one who confronts that person. But everyone needs to be aware, tuned in and on board with that effort. 

Zach Schuler: Yeah. You couldn't be more right about that. You know, you look at, you know, say, you know, Target, for example, the store. Target has a loss prevention department. They have people that are walking around watching for people shoplifting. Maybe they aren't anymore because shoplifting is OK now. That was a joke. 

Dave Bittner: (Laughter). 

Zach Schuler: Your average employee - you're exactly right. The average employee sees something. We have a saying - see something; do something. If the average employee sees something, maybe they don't - like you said, they don't confront the person. But they certainly pick up the phone and call security... 

Dave Bittner: Right. 

Zach Schuler: ...And say, hey; I just saw this person shoplifting. Yes, it's everybody's responsibility. You can't just rely - Target cannot just rely on their LP department to protect, you know, merchandise going out the door unpaid for. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Great interview, Dave. I like a lot of things Zack had to say. No. 1, he starts talking about larger enterprises. And for these larger enterprises, security awareness becomes a check-the-box activity. 

Dave Bittner: Yeah. 

Joe Carrigan: I guess checking the box is better than not checking the box, but you should probably take it more seriously because as he points out, human error is 85 to 95% of the problem. He talks about having two paradigms, the first being train then test and then the other one being test then train. And I like the Zack - the model that Zack's company does with train first, then test. But it doesn't let you get a baseline that test first, then train would let you collect. 

Dave Bittner: I'd like to be tested out of the training if possible. 

(LAUGHTER) 

Dave Bittner: Right? 

Joe Carrigan: That's another option, right? 

Dave Bittner: Right, right. 

Joe Carrigan: Dave doesn't fall for these. 

Dave Bittner: Yeah. If you - if I can pass the test, don't make me sit through the 20 minutes of... 

Joe Carrigan: Right. 

Dave Bittner: ...Training, right? 

Joe Carrigan: Zack makes a great point about metrics here. You really can't tell when someone didn't fall for a phishing attack because they may have missed the email. 

Dave Bittner: Yeah. 

Joe Carrigan: I was just traveling, and I came back to 500 emails in my inbox. Thanks to whoever signed me up for all those mailing lists, by the way. 

Dave Bittner: (Laughter). 

Joe Carrigan: But if I got a phishing email in the past week or so, I haven't seen it. 

Dave Bittner: Yeah. 

Joe Carrigan: Also, some of the metrics you're looking for are kind of difficult to gather because you're talking about the absence of an outcome. 

Dave Bittner: Right. 

Joe Carrigan: That's what security awareness is there to prevent. 

Dave Bittner: Yeah. 

Joe Carrigan: So I really like the things that Zack has done here to quantify changes in behavior, right? He comes at it from a different angle by measuring actual events that you can count, like how many people are reporting phishing emails. An increase in that would indicate that your security awareness program is working or how many people are voluntarily watching the training materials. Like you said earlier, you don't want to watch them. But if you can actually create something that's enjoyable to watch, maybe you will watch it. 

Dave Bittner: Yeah, yeah. Make them entertaining, which - you know, to - I mean, lots of - we're at that point now... 

Joe Carrigan: Right. 

Dave Bittner: ...Where there are a lot of entertaining ones out there. 

Joe Carrigan: Right. 

Dave Bittner: So that's definitely a good development. 

Joe Carrigan: It is. I agree a hundred percent. 

Dave Bittner: Yeah. 

Joe Carrigan: Zack makes a big point about this, and I want to also focus on this point as well. Security awareness isn't necessary if the cybersecurity folks are doing a good job. That mindset, you know, that we really don't need security awareness as long as the cybersecurity stuff is good - Zack said that's an outdated attitude. I'm going to go a little bit further on this and say it's a dangerous attitude. Not only is it outdated, but it's dangerous. There has never been in human history a perfectly secure system. 

Dave Bittner: Yeah. 

Joe Carrigan: And the best systems are going to fail at some point in time, and you need to train your people to be ready to be the last line of defense against that failure. Additionally, as our standard tools like firewalls and spam filters and everything gets better, the bad guys are just going to straight-up attack the people. And that's kind of what we talk about here on this show every week... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is the straight-up attack on the people. And the best way to protect those people is with security awareness training. This is not something that you can just ignore or rely solely on your cybersecurity program to help you with. You're going to need security awareness training for your people. 

Dave Bittner: Yeah, yeah. I agree. I mean, you need both. You can't... 

Joe Carrigan: Right. 

Dave Bittner: Yeah. The more you have of both, you know, in general, the better off you're going to be. So... 

Joe Carrigan: Right. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Zack Schuler from NINJIO for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.