Robocall scams and the psychology surrounding them.
Alex Quilici: You have to realize that the bad guys are getting smarter and smarter. And so the key is to, you know, not just assume any call, any text is legit.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Alex Quilici, who is CEO of YouMail, is going to join us to talk about robocalls.
Dave Bittner: All right, Joe, we've got some good stories to share this week. Why don't you start things off for us?
Joe Carrigan: Dave, my story comes from a listener named Derek, who has a story about how his aunt avoided a scam which wasn't very obvious at first. Now, the key point is the aunt called Derek.
Dave Bittner: Yeah.
Joe Carrigan: OK? Because you're going to hear some of the things Derek did. And you want to talk about due diligence.
(LAUGHTER)
Dave Bittner: OK. So, all right, I don't want to bury the lead here or - I don't know - ruin the - spoiler alert, Derek's the hero here?
Joe Carrigan: Yes.
Dave Bittner: (Laughter) OK.
Joe Carrigan: That's correct.
Dave Bittner: Very good. Very good.
Joe Carrigan: His aunt recently retired and is looking for an RV to ride around the country with her dog.
Dave Bittner: OK.
Joe Carrigan: Which seems like a great idea.
Dave Bittner: Yeah. I could just picture her driving an RV and the dog sitting in the seat next to her.
Joe Carrigan: Right. With a bumper sticker that says, dog is my co-pilot.
Dave Bittner: There you go.
(LAUGHTER)
Dave Bittner: Very nice. Very nice.
Joe Carrigan: The - you know, this is, like, a fantasy of mine as well...
Dave Bittner: OK.
Joe Carrigan: ...To sell the trailer that we have and get an RV and have me and the wife and the dogs just drive around.
Dave Bittner: Just travel the country.
Joe Carrigan: Yep.
Dave Bittner: Seeing this great nation of ours.
Joe Carrigan: That's right.
Dave Bittner: OK (laughter).
Joe Carrigan: Sell the house.
Dave Bittner: Right.
Joe Carrigan: Be essentially homeless and nomadic.
Dave Bittner: There you go.
Joe Carrigan: Great idea.
Dave Bittner: Yeah.
Joe Carrigan: But she's looking for this RV. She finds one on Facebook Marketplace, which is the exact model that she's looking for. It's a Winnebago model, right?
Dave Bittner: OK. Yeah.
Joe Carrigan: So she sends an email to the person. And this is one of the emails - Derek sends along one of the emails from the seller. And the people can't see who are listening because this is a podcast and not a video, right? I'm using air quotes.
Dave Bittner: OK.
Joe Carrigan: But it reads, Hi again. Thanks for the reply. At this moment I'm near Kittitas, Wash., in a military base, waiting to be deployed overseas. This is the only reason why I left the Reatta - which is the model...
Dave Bittner: OK.
Joe Carrigan: ...Stored with the paperwork at the shipping company Kittitas All Out Trucking...
Dave Bittner: OK.
Joe Carrigan: ...In Kittitas. And then they provide a URL. And then after that, they say Washington, right? WA.
Dave Bittner: Right. OK.
Joe Carrigan: So put the URL right in the middle of the city and state. It's ready to be delivered. I signed a contract with them to take care of this on my behalf because I don't have time to sell it in person. The van is in their custody, ready for shipping, and they will take care of everything. The deal includes free delivery. And then parenthetically - the shipping fees were paid by the previous buyer. His loan didn't get approved. And it will arrive at your address in 5 to 7 days, depending on the exact location. Here's the key part. I want to use their escrow and transport services as they offer 100% protection and assurance to both buyer and sellers. Payment must be sent to an escrow account created in your name, and they will offer you a five-day inspection period from the day the vehicle arrives at your location.
Dave Bittner: This sounds great, Joe.
Joe Carrigan: Uh-huh (laughter). Right. You're coming along with the scam, Dave.
Dave Bittner: OK (laughter).
Joe Carrigan: So this is not a blind transaction, you can physically see the van before committing to buy and eliminate any concerns. In case you won't be satisfied, you can cancel the transaction and ship it back at my expense.
Dave Bittner: This is getting better all the time (laughter).
Joe Carrigan: Right. If you are interested, please include in the next email your contact information, full name, shipping address and phone number so we can get the ball rolling. Thank you. Elizabeth Terry.
Dave Bittner: OK.
Joe Carrigan: OK? So Derek says there are four things that tipped him off to this.
Dave Bittner: OK.
Joe Carrigan: No. 1 - the Gmail address for Elizabeth Terry was misspelled, right? And it didn't seem like it was a purposeful misspelling, but it seemed more like a non-native-English-speaking typo.
Dave Bittner: OK.
Joe Carrigan: Right? That's - so his sensors go up when that happened, right?
Dave Bittner: Sure. Yeah.
Joe Carrigan: No. 2 - the seller claimed to be in the military and was to be deployed overseas and needed to sell the RV. This is a common lead-in for scams, for vehicle scams and for - an RV is a vehicle. That's what the V stands for, right?
Dave Bittner: Yeah.
Joe Carrigan: There is no military base near Kittitas, Wash.
Dave Bittner: OK (laughter). All right.
Joe Carrigan: Third point that made Derek think - there was a previous buyer, and their loan fell through. Now, he says, if I was the buyer, I'd kind of want my transport money back. You know, I put that money up. My loan fell through. I want my money back. But that didn't happen.
Dave Bittner: Right. Right.
Joe Carrigan: And fourth, the seller had engaged with a shipping company that worked as an escrow service - right? - so she could be sure she wasn't going to be scammed. The shipping company would ship the RV from Washington to Nevada and would wait five days for her to decide if she wanted to keep the RV or not, at which point she could return it at no cost. What shipping company can afford to wait around for five days, Derek says?
Dave Bittner: Oh, right.
Joe Carrigan: That's a good question. Derek said the offer all seemed too good to be true, which is what made him think this is not right. So Derek does a little bit of investigating. First thing he does is to see if there were any companies that had complaints against them. So go to the BBB webpage, Better Business Bureau.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: And there is nobody - Kittitas Trucking in Washington, but there is one in Wisconsin, which is weird.
Dave Bittner: Yeah.
Joe Carrigan: So then he checks with Washington state and finds that that company doesn't exist in Washington state. There is a company with the same name, but they do not transport vehicles...
Dave Bittner: OK.
Joe Carrigan: ...Which is interesting, I think. This was all sort of fishy, so he begins digging deeper into the website. He goes to their website, which I took a look at, and it's got some red flags for me as well. It does - it has, like, some non-standard English in it.
Dave Bittner: OK.
Joe Carrigan: The website is still up as of this recording.
Dave Bittner: OK.
Joe Carrigan: And it's - he goes and looks at the code of the website, and it's just a business template. And they've got links in there in the code where you can put, like, Facebook profiles and everything else, and none of that is filled in. It's just a website with, you know - that looks really legit.
Dave Bittner: Right.
Joe Carrigan: But if you read the English, it's not right. And then Derek checks the WHOIS database and finds out that the website was registered in February of this year.
Dave Bittner: Ah.
Joe Carrigan: So the company claims to have been in business for 10 years, but they just now registered a website.
Dave Bittner: Well, you can't rush these things.
Joe Carrigan: Right.
Dave Bittner: Yeah (laughter). Who knows if this internet thing is going to stay around?
Joe Carrigan: (Laughter) Right. It's just a fad, Dave.
Dave Bittner: Yeah. Yeah. I mean, come on.
Joe Carrigan: So he says - at this point in time, he tells his aunt, abort. This is too good to be true.
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: This is no good.
Dave Bittner: Right.
Joe Carrigan: Right? He found some other interesting things out. He found the company did not have a USDOT number, which you need if you're going to transport stuff from one state - interstate commerce. You need a USDOT number.
Dave Bittner: The Department of Transportation.
Joe Carrigan: That's right.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: U.S. Department of Transportation - that's correct.
Dave Bittner: Right. Yeah.
Joe Carrigan: The phone number starts with the wrong area code.
Dave Bittner: OK.
Joe Carrigan: So it wasn't in the right area code. He did a Google reverse image search of the team photo. Now, there is a great team photo on this website, Dave.
Dave Bittner: Yeah.
Joe Carrigan: But it's actually a softball team from another company.
Dave Bittner: (Laughter) Oh.
Joe Carrigan: And he found the image - the original source image.
Dave Bittner: (Laughter) All right.
Joe Carrigan: So I say, Derek went full Joe on this (laughter). This is an impressive level of due diligence...
Dave Bittner: (Laughter) OK.
Joe Carrigan: ...Paranoia (laughter).
Dave Bittner: I was going to say, it's a dubious distinction, isn't it? (Laughter).
Joe Carrigan: And one thing I want to point out is whenever you're buying anything...
Dave Bittner: Yeah.
Joe Carrigan: And I'm - I don't know if this is different from state to state. But you as a buyer are always entitled to pick the escrow agent.
Dave Bittner: Oh, is that right?
Joe Carrigan: Yes. I know that in Maryland, when you are going to buy a house - 'cause as I told you, Dave, I had a failed sales career.
Dave Bittner: Yes (laughter).
Joe Carrigan: And the first job in that sales career was a real estate agent.
Dave Bittner: OK.
Joe Carrigan: One of the things...
Dave Bittner: So you're practically an expert.
Joe Carrigan: Right. Yeah. That's right.
Dave Bittner: (Laughter).
Joe Carrigan: But one of the things they said was, according to Maryland law and most state laws...
Dave Bittner: Yeah.
Joe Carrigan: It is the buyer's right to choose the escrow company.
Dave Bittner: OK.
Joe Carrigan: So...
Dave Bittner: That makes sense.
Joe Carrigan: Whenever you're buying something, you can say, nope, I don't want to use that escrow company. I want to use another one.
Dave Bittner: Yeah.
Joe Carrigan: And that's a way to protect yourself. And if they insist upon using the shipping company's escrow company, the shipping company should be like, we don't really care who does escrow. We don't make a lot of money on escrow.
Dave Bittner: Right.
Joe Carrigan: And generally, escrow companies don't make a ton of money on escrow. They - the shipping company would be more interested in making the money on the shipping than they would on the escrow.
Dave Bittner: And it wouldn't be the kind of thing that you would expect them to put up any resistance about...
Joe Carrigan: Right. Absolutely.
Dave Bittner: ...'Cause it's a pretty standard thing to request. Yeah.
Joe Carrigan: Absolutely. As you - if you as the buyer say, nope, I'm going to pick my escrow company, and you get pushback - red flag.
Dave Bittner: Yeah.
Joe Carrigan: Big red flag.
Dave Bittner: Yeah. Wow. All right. Well, I mean, Derek, thank you for sending this to us.
Joe Carrigan: Yeah, Derek. Good story, and good work.
Dave Bittner: What strikes me about this is the amount of depth here. I was sort of joking as you were reading about how everything sounded good.
Joe Carrigan: Right.
Dave Bittner: But it did sound good.
Joe Carrigan: It did.
Dave Bittner: Right? The whole, I mean, putting the money in escrow - that sounds great. Having five days to inspect it - that sounds great - you know, no risk to me. The no shipping costs - if I don't like it, they'll take it back.
Joe Carrigan: Yeah.
Dave Bittner: It all sounds great. What do you suppose would have happened had she gone through with this?
Joe Carrigan: The first thing that would happen is any money she put into escrow would be gone.
Dave Bittner: 'Cause the escrow itself was a scam.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Exactly. That shipping company doesn't exist. The escrow company is fake. You're just wiring that money to another account.
Dave Bittner: Yeah.
Joe Carrigan: And that's it.
Dave Bittner: And that's - yeah. That's the end of that.
Joe Carrigan: They may try to get access to more account information. I mean, if you have this - these vans, I did look up how much these vans sell for. One from the '90s, late '90s, sells for about $27,000.
Dave Bittner: Oh.
Joe Carrigan: So it's a significant amount of money.
Dave Bittner: Yeah.
Joe Carrigan: Winnebagos tend to hold their resale value. I'm not sure why they do - probably because they're well-built machines.
Dave Bittner: Yeah.
Joe Carrigan: You know, if you think of - in terms of durability, two RV brands come to mind, and Winnebago is one of them.
Dave Bittner: Yeah.
Joe Carrigan: The other one's Airstream.
Dave Bittner: Oh, OK.
Joe Carrigan: But, you know, these things have some kind of value. It'd depreciate quickly if you buy some other brand. But when you buy a Winnebago, it doesn't really do that. You - look, go looking for Winnebagos - used Winnebagos - and you'll see how expensive they are. That's probably why the scammer chose that brand.
Dave Bittner: Right. Right. Yeah. All right. Well, interesting for sure, and thanks to our listener, Derek, for sending that into us. Just a reminder - we would love to hear from you. If you have a story you'd like us to cover, you can email us. It's hackinghumans@thecyberwire.com. My story this week actually comes from the folks over at the FBI (laughter), at the IC3. We talk about the Internet Crime Complaint Center fairly regularly around here.
Joe Carrigan: Yes.
Dave Bittner: They just released their 2021 internet crime report. Now, before you click through and check, Joe, I'm going to quiz you on some things here, all right?
Joe Carrigan: OK, I'll close that tab.
Dave Bittner: (Laughter) OK.
Joe Carrigan: I didn't see anything yet.
Dave Bittner: OK, good. So we - the scams we talk about...
Joe Carrigan: Right.
Dave Bittner: Right? If you had to guess - we talk about ransomware, tech support, all those kinds of things - what do you think was the most expensive scam for - that the FBI looked into last year in terms of total amount of money lost? What do you think was No. 1?
Joe Carrigan: I'm going to bet it was romance scams.
Dave Bittner: Romance scams. OK. It's not a bad guess.
Joe Carrigan: OK.
Dave Bittner: Romance scams was actually No. 3...
Joe Carrigan: OK.
Dave Bittner: ...Coming in at $956 million.
Joe Carrigan: All right. So I missed that one.
Dave Bittner: Yeah.
Joe Carrigan: OK. Can I guess again?
Dave Bittner: Sure.
Joe Carrigan: Let's think here. It's a financial loss. Oh, maybe employment scams because of the pandemic.
Dave Bittner: Employment scams.
Joe Carrigan: Yes.
Dave Bittner: Let's see. I do not see employment scams...
Joe Carrigan: Not even on the list.
Dave Bittner: ...In the top six that are on this infographic I'm looking at. So guess again.
Joe Carrigan: Ugh. I'm drawing a blank, Dave.
Dave Bittner: All right.
Joe Carrigan: What's No. 1?
Dave Bittner: Well, so No. 1 - coming in at No. 1 - business email compromise.
Joe Carrigan: Oh, yes, of course.
Dave Bittner: (Laughter).
Joe Carrigan: Duh.
Dave Bittner: Coming in - $2,000,395,9...
Joe Carrigan: Yeah, I - you know, here's the embarrassing part of this, Dave. Last week, I delivered a speech where I called that the king of social engineering attacks (laughter).
Dave Bittner: Oh, I see. All right.
Joe Carrigan: I should have just said, business email compromise.
Dave Bittner: (Laughter) Yeah. Well, and...
Joe Carrigan: But you put me under pressure, Dave.
Dave Bittner: Well, I'm sorry. I...
Joe Carrigan: Don't take me on "Family Feud."
Dave Bittner: I hate - no.
Joe Carrigan: It won't work.
Dave Bittner: I will know not to do that.
Joe Carrigan: Right.
Dave Bittner: So business email compromise came in about twice the dollar amount of the second one in the list, which was investment scams and fraud...
Joe Carrigan: Really?
Dave Bittner: ...Which were $1.4 billion. After that was confidence fraud and romance scams - just under a billion. No. 4 was personal data breaches - $517 million. Real estate and rental scams - $350 million. So I guess that's the - you know, you show up for your - you know, your vacation rental...
Joe Carrigan: Yeah.
Dave Bittner: ...Your Airbnb, and it turns out somebody lives there (laughter).
Joe Carrigan: Right.
Dave Bittner: Right? And then...
Joe Carrigan: (Laughter) That's got to be embarrassing, right? 'Cause, you know, somebody - anybody can just put something on Airbnb...
Dave Bittner: Yeah.
Joe Carrigan: ...And then take your money.
Dave Bittner: Yeah.
Joe Carrigan: And I don't know how Airbnb does this internally. I'm sure they have processes for it.
Dave Bittner: Yeah, they do. They do. But, you know, I mean, it's - you know, it's - hey, it's unregulated rental (laughter).
Joe Carrigan: Right.
Dave Bittner: So what are going to - you know, you rolls the dice; you takes your chances.
Joe Carrigan: Yep.
Dave Bittner: I'm a hotel guy for this very reason.
Joe Carrigan: Yeah.
Dave Bittner: And...
Joe Carrigan: There's very few hotel scams.
Dave Bittner: Yeah, that's right. That's right.
(LAUGHTER)
Dave Bittner: Show up and the hotel actually isn't there.
Joe Carrigan: Right.
Dave Bittner: (Laughter) They said there'd be a Hilton here.
Joe Carrigan: (Laughter).
Dave Bittner: And then No. 6 was tech support scams - $347 million. So one of the things that they did here in their reporting - we're going to dig a little deeper, Joe - they list by state. So I'm looking at our home state of Maryland...
Joe Carrigan: OK.
Dave Bittner: ...Just for fun. And we'll have a link to this report in the show notes. So if you want to dig in here and look for your own state, you can see what the various numbers are. And what's interesting - so they list by several different ways. They have - they list crime types by victim count - so the number of people who got hit by a particular crime.
Joe Carrigan: Ah, that's good.
Dave Bittner: Yeah.
Joe Carrigan: And then they list by dollar loss?
Dave Bittner: And they list by dollar loss. So the No. 1 crime type in Maryland was something called no lead value. I'm not sure what that is.
Joe Carrigan: I don't know.
Dave Bittner: Second was nonpayment, nondelivery. So all right...
Joe Carrigan: A delivery scam.
Dave Bittner: Yeah. Third was extortion.
Joe Carrigan: Really?
Dave Bittner: Yeah. And next was tech support.
Joe Carrigan: Extortion, huh?
Dave Bittner: Yeah. But business email compromise was, like, fourth or fifth...
Joe Carrigan: Really.
Dave Bittner: ...Which is interesting 'cause it's higher dollar value.
Joe Carrigan: This is just count - attack count, right?
Dave Bittner: Yeah, number of victims.
Joe Carrigan: Right. That makes sense because the business email compromise attack is not a frequent attack because it's a really skilled attack. But when it works, it pays off big.
Dave Bittner: Right. So if you track these numbers - for example, as I said, identity theft - right? - 944 victims...
Joe Carrigan: Right.
Dave Bittner: ...Was just over $6 million in damages. But business email compromise, which had 399 victims - $28 million.
Joe Carrigan: Right. Much bigger.
Dave Bittner: Yes.
Joe Carrigan: Much bigger payouts for these guys.
Dave Bittner: Yeah. Yeah. So interesting to track here. This is always a good report. So the FBI puts this out every year, and it's pretty interesting to read through. It gives you some real insights onto, you know, what they do, the number of things that are reported to them, and I suspect that things are underreported, right?
Joe Carrigan: Right. Absolutely.
Dave Bittner: 'Cause we talk about here a lot that people are embarrassed to report. But it's a good reminder that the FBI does want to hear from you (laughter).
Joe Carrigan: Yeah, they do. Even if you don't hear back from the Internet Crime Complaint Center...
Dave Bittner: Yeah.
Joe Carrigan: ...The IC3, they still use that data to compile reports like this and understand trends.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Yeah.
Dave Bittner: My understanding is that, like, you know, a lot of government agencies, they would love to have more staffing than they do to be able to handle this on a more personal level, but...
Joe Carrigan: There's a lot of crime out there.
Dave Bittner: But they do the best they can.
Joe Carrigan: That's right.
Dave Bittner: And they are working on this every day. So if you - it's good to report this to your local FBI office. They do want to hear from you. Your scam is not too small for them to tally.
Joe Carrigan: You know, when business email compromise happens, one of the things I - was said in this talk the other last week, a couple weeks ago...
Dave Bittner: Yeah.
Joe Carrigan: ...Was that your technology probably won't help you at this point in time. Once these guys are in your system and talking directly to your people, you're beyond the help of technology. The only thing that will protect you is the people and your policies and procedures, to make sure that you have policies and procedures in place that prevent these kind of scams from taking place and people who are trained with security awareness training to recognize when they're being targeted by a scammer...
Dave Bittner: Yeah.
Joe Carrigan: ...Even if it's coming from the CEO's email address.
Dave Bittner: Right. Right. No, it's a great point.
Joe Carrigan: Yep.
Dave Bittner: All right. Well, we will have a link to that story in the show notes. Those are our stories. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named John, who writes, hi, Joe and Dave. Hey, I got top billing this time.
Dave Bittner: (Laughter) Don't let it go to your head.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: I got a new follower on Instagram today, and with one quick glance, I thought of you guys (laughter).
Dave Bittner: Oh, good. So we're - yeah.
Joe Carrigan: Right.
Dave Bittner: People get scammed. They think of us. I suppose that's good.
Joe Carrigan: Well, I don't think he got scammed.
Dave Bittner: OK. All right.
Joe Carrigan: There were a number of red flags.
Dave Bittner: He thwarted the scam and thought of us.
Joe Carrigan: Right.
Dave Bittner: I'll take that.
Joe Carrigan: Yes, exactly.
Dave Bittner: All right.
Joe Carrigan: There were a number of red flags that listeners of your show would quickly pick up on, but I saw some creativity employed and thought you might enjoy this.
Dave Bittner: OK.
Joe Carrigan: So we have to go to this document, Dave, because he sent along a document with a bunch of screenshots from a phone of an Instagram account.
Dave Bittner: All right.
Joe Carrigan: And the Instagram account is of somebody named Mavis (ph), and then followed by a long string of digits.
Dave Bittner: Is that a phone number? Like, I'm not familiar with - it looks like a phone number. But...
Joe Carrigan: It does look like a phone number.
Dave Bittner: Who knows?
Joe Carrigan: I don't know. Does it have enough digits to be? It looks like it's short one digit for a phone number.
Dave Bittner: Yeah. Well, and nothing says legitimacy than a name followed by a long string of numbers...
Joe Carrigan: That's right.
Dave Bittner: ...Right? (Laughter).
Joe Carrigan: And then underneath on her profile, it says, I'm Mavis, the Powerball lottery winner in Massachusetts.
Dave Bittner: Ah.
Joe Carrigan: I'm the lottery winner of $758 million.
Dave Bittner: Yeah.
Joe Carrigan: And I'm giving out 25,000 to my first 5,000 followers.
Dave Bittner: Oh.
Joe Carrigan: Right?
Dave Bittner: Wow.
Joe Carrigan: So that's - that's the scam, right?
Dave Bittner: Thank you, Mavis.
Joe Carrigan: Right. Some things he notices about this profile is there's the obligatory big check picture, right?
Dave Bittner: (Laughter) Right. OK. Mavis standing with her big check.
Joe Carrigan: Right.
Dave Bittner: Sure.
Joe Carrigan: Exactly. You know, I always - I had a friend once who said that if you ever won the lottery, he'd come in wearing the big check. And that was it.
Dave Bittner: (Laughter).
Joe Carrigan: That was all he'd be wearing.
Dave Bittner: Right. Like, you see people wearing a barrel.
Joe Carrigan: Right. Exactly.
Dave Bittner: Be wearing a big check.
Joe Carrigan: Big check with straps.
Dave Bittner: Check in with the boss. Hey, boss. I'm out of here.
Joe Carrigan: (Laughter) Just want to let you know...
Dave Bittner: (Laughter).
Joe Carrigan: ...I'm done here.
Dave Bittner: Got myself a big check. All right.
Joe Carrigan: Next one is there is a pile of - an old white guy. He looks like me. You know, could be me. Little better shape than I am.
Dave Bittner: (Laughter).
Joe Carrigan: But he is counting a large stack of cash.
Dave Bittner: Yeah. So they're sitting in a living room.
Joe Carrigan: Right.
Dave Bittner: It looks like a scene out of "Breaking Bad."
Joe Carrigan: Right. Exactly. Anybody with this amount of money, this amount of cash on their coffee table has a problem.
(LAUGHTER)
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: First off, what are they going to do with this cash, you know? It's a frightening - and she's giving away $25,000 to each person. These are $100 bills on this table. That's not what $25,000 in hundred-dollar bills looks like. John actually points out, that's pretty unimpressive. It's a small stack of bills. It's only 250 bills...
Dave Bittner: OK.
Joe Carrigan: ...Right? It doesn't look like a coffee table covered in $100 bills...
Dave Bittner: Yeah. Yeah.
Joe Carrigan: ...You know, stacks of these things.
Dave Bittner: Right.
Joe Carrigan: John points out that there's tons of things in here that are designed to target people or trigger people. There's a God bless America picture in here. There's a U.S. Powerball picture with a big flag behind it - not the Powerball logo, but, you know, something that looks like it could be. There's a government-approved stamp right in the middle of it.
Dave Bittner: Well, yeah. Yeah. There you go.
Joe Carrigan: And then further down, she has some conversation pictures posted here that are obviously easily faked. But it says, thank you, Miss Mavis. You're so true. You're so true.
Dave Bittner: (Laughter).
Joe Carrigan: I hope others get their chance. People are saying this is fake, but again, thanks. And then Mavis replies in this chat that doesn't exist and probably never took place, it's OK, sweetie. People aren't believing it's real for some reason (laughter). Wonder what the...
Dave Bittner: Can't imagine why.
Joe Carrigan: Can't imagine why, right?
Dave Bittner: Yeah.
Joe Carrigan: I can't get to everyone, but I'm trying. Stay safe. There's another one with a handwritten letter that says, God bless you.
Dave Bittner: Like, from a child.
Joe Carrigan: Right. Yeah.
Dave Bittner: Like it's that - yeah. Yeah.
Joe Carrigan: And then there's another picture here that says, I just want to message you. I just want to message you that I got it about 2 hours ago, ma'am. Thanks so much for Miss Mavis. I really appreciate it. And then, of course, Mavis replies, good to hear. I mean, these are all just scam - like I said, these conversations never took place.
Dave Bittner: Yeah.
Joe Carrigan: If you contact this person and go, hey, I'm one of your first 5,000 followers, where's my 25 grand, you'll get an advance fee scam. I'm almost certain of it.
Dave Bittner: Right. Right. It'll say, oh, I just need $100.
Joe Carrigan: Right.
Dave Bittner: And I'll send you your 25 grand.
Joe Carrigan: Yep. I'm sure that's how this works.
Dave Bittner: Yeah, absolutely.
Joe Carrigan: But thank you for sending that in, John. That's a good Catch of the Day.
Dave Bittner: Yeah, that is a fun one for sure. Again, we'd love to hear from you. If you have something you would like us to consider for Catch of the Day, send it to us at hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Alex Quilici. He is the CEO of a company called YouMail. And we were talking about robocalls, which...
(LAUGHTER)
Dave Bittner: Right? I mean, is there a person alive right now with a mobile device who robocalls aren't the bane of their existence, right? All right. Well, here's my conversation with Alex Quilici.
Alex Quilici: So I think there's some good news and bad news here. The bad news is that everybody's getting about - as a country, we're getting 4 billion robocalls every month, which, you know, depending on how many people you think there are in the U.S., it works out to 10, 15, 20 calls a month. The good news is it was nearly 6 billion a little over two years ago. So there's an incredible number of these calls, but it's not as bad as it was.
Dave Bittner: I'll say (laughter) maybe it's just my perception, but I can't claim that it feels like it's getting any better. I mean, has there been - what are the attempts to help shut this down? Have regulators tried to step in here at all?
Alex Quilici: Yeah, regulators have - and Congress actually passed something called the TRACED Act. And the focus there was on making it harder for the bad guys to simply spoof a number - randomly pick a number and call somebody. So that was one of the big pushes. The other big push, as part of the TRACED Act, was to allow enforcement agencies to have more tools, such as longer statutes of limitations, the ability to have certain ways of collecting data, things that enable them to really go after the most egregious callers. So that's translated into the carriers building something called SHAKEN/STIR which, despite the funny name, is basically just authenticated caller ID. And so that makes it much easier for the telephone network to tell, is this call one that really is vouched for, or is it a number that someone may have just picked at random? That's been a big help in reducing - starting to reduce spoofed calls. But there's a long way to go here.
Dave Bittner: So the calls that are still making their way through - I mean, what's the process there? Who's behind them, and how are they making their way onto our phone system?
Alex Quilici: Well, so the interesting thing is there's roughly 3,000 VoIP carriers in the U.S. You know, most of these carriers were designed to support business or support a particular kind of calling, like international calls, maybe from a particular country, or prepaid phone calls. There's lots of these carriers. But the bad guys can very easily get an account with these carriers and get phone numbers from these carriers and get access to the network and start making large numbers of phone calls. So it's really, really easy to get on the U.S. telephone network and start making robocalls at volume.
Dave Bittner: And is it a matter that these - for these VoIP operators - I mean, it's hard to tell if these are a high volume of legitimate business phone calls versus the scam calls.
Alex Quilici: There are ways to tell, but it's not easy. So it's sort of complicated technology, right? So YouMail can tell when there's bad guys making phone calls because we have a base of users who allow us to block their calls and keep their voice mailbox clean. That means we get audio of what these bad guys are leaving, and we can use that audio to understand what the phone numbers are doing and which ones are misbehaving and find the bad guys. That's one technique. There's other techniques which look at the duration of the calls. If a particular number is making lots of phone calls and they're all super short duration and they don't behave like normal phone calls, that's likely to be suspicious, too. So there's a number of different technological ways to try to understand, is this a legit - likely to be a legitimate call or not? The thing is, that's complicated technology. It's not something that your average little VoIP carrier, you know, knows how to build or wants to build or has the expertise to build.
Dave Bittner: Now, I know something that you and your colleagues are tracking is the growing level of sophistication of some of these bad actors, that they're increasing the degree to which they target people.
Alex Quilici: Well, there's a couple of things they're doing. So one is they are trying to work from lists because the idea is - you know, originally, what they did is they would just call huge numbers of people from a 1-800 number, right? Well, that turns out to be pretty easy to block, right? It's very easy for them to make the calls, easy to fight against. Then they'd start spreading it out. Then they started making up lots of numbers. Then they started doing smaller volumes of each number. So the bad guys are doing a number of techniques to try to get through to people. So that's sort of the biggest problem is stopping them from doing those techniques. One of them's called snowshoeing now, where they actually go get a bunch of legitimate phone numbers and make relatively small numbers of calls from each number - a thousand calls, say, in a day or even a hundred calls in a day - then throw away the number and get another number. So that's one technique they're using to get through.
Alex Quilici: The other is they're being much less - they're being much more discriminatory about which numbers they want to call. So instead of calling everybody and making, you know, a hundred million calls, if you can get a list of the million people most susceptible to the scam you want to do - say, Alzheimer's patients or older people in Miami or whatever the target's going to be - then you don't have to call a hundred million phone numbers. You need to call a million, and you're much less likely to get blocked because that million can be distributed over a number of different individual caller IDs.
Dave Bittner: Yeah, it seems kind of like a perfect storm here because the - you know, the folks who are most likely to have landlines and not be able to throw some technology behind defending themselves against this are also that older generation who these folks are targeting and, I submit, are more likely to fall into a scam like this.
Alex Quilici: Well, it's interesting because different scams target different people. One of the largest losses we've seen over the past few years was actually a 23-year-old college student. So it wasn't, you know, an 84-year-old grandma. It was a 23-year-old college student who got calls from people basically telling her she hadn't paid her tuition and there were problems and they needed her to pay right away or she was going to get kicked out of USC and go back to China. And she fell for the scam. So I think it's - older people may be a little more susceptible, but the bad guys are targeting everybody. You know, if you look at the refinance scams and the debt collection scams, they're not going after older people to say, refinance your debt. They're going smack dab after millennials and Gen X.
Dave Bittner: That's interesting. So what's to be done here on a device basis? You know, I see, you know, ads come by for various apps that claim that they can help you on your mobile device to get control of this. To what degree are they helpful?
Alex Quilici: They're all helpful. So the question is, you know, how helpful are they? But even blocking 50% of the bad calls that come in makes a big difference. And I would say the apps that are out there are between 50 and 90% effective. Like, YouMail, when we've measured it, we block about 90% of the calls that come in that are illegal. We miss some of them where somebody just picks one number they've never used before and makes a call. Those are hard to block. But we get most of the others. And so I think it's just different apps are about how you like - how the app behaves, how you can configure it, you know, does it block the calls that are bothering you?
Dave Bittner: Is there any crowdsourcing going on? You know, the folks who are in the business you're in - is there any sharing of these databases of the - you know, the bad numbers out there?
Alex Quilici: We at YouMail don't actually share our database with other companies, but what we do do is provide information to law enforcement. So when we see illegal phone calls coming in, we have partnerships where we can send that data to, for example, the Traceback Group who can then trace back the call to the source. Where we've given them clear evidence of illegal call behavior and all the data around that call, they can go find out who made it, and the carrier that put it on the network can go after their customer. Or in some cases, if they see lots of these from a carrier, they may go after the carrier. So we try to contribute. We like to say that if someone joins YouMail, they're joining the fight, and the illegal calls they get will get delivered somewhere where law enforcement can make use of it.
Dave Bittner: So what are your recommendations here? I mean, for folks who want to do a better job of getting on top of this, what sort of words of wisdom do you have?
Alex Quilici: Well, I think for the average consumer, you should be having a robocall-blocking app on your phone in the same way you wear a seatbelt when you drive a car. It's just low-cost protection that really helps. I think that's No. 1. I think No. 2 is you have to realize that the bad guys are getting smarter and smarter. I got a text message today, which was, you know, hi, Alex, this is Pat. This is all about your refi. We've got some new information for you. Blah, blah, blah. Now, if I had been refi-ing something right now, I might have fallen for that, right? They're getting really smart. And so the key is to, you know, not just assume any call, any text is legit. You've got to go do your research before you contact them back. And so if I was in a refi, I wouldn't call this number back. I would go, you know, find my bank's phone number, call them up and say, what's going on? - you know, do that. So people have to be really smart and protect themselves, both with the app and with a change in consumer behavior. And the thing is, we're all used to this from email, right? I'm sure you get them. I get them. You know, these email phishing scams, right? Your Norton subscription has just been renewed for 399. You know, call here or click here if that's not the case - if you have a problem. So we've all been trained, hey, don't click the link in an email. We now have to be trained to don't just call or text a number back.
Dave Bittner: Where do you suppose we're headed here? Are we going to see more crackdown on this from folks like the FCC, or do you suspect it's really going to be up to the users to be in control of this?
Alex Quilici: I think it's a combination of things. The FCC, the attorney generals, they're all working very hard. The problem is the bad guys are also working very hard. And so you've got kind of a cat-and-mouse game where enforcement can, you know, push on the thing and the bad guys just kind of move and scurry somewhere else. If you ask me, what's it going to look like in a couple years? I think the volumes of calls are going to continue to go down. I'm very positive that we're on a good trend line and we'll see fewer and fewer robocalls as a whole, which is a good thing. But I think the robocalls that people make are going to become more and more harmful. They're going to be more and more targeted. They'll be more and more sophisticated in terms of, you know, scamming people. And so you have fewer calls, but they're more dangerous.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: Interesting. The good news is we're down from 6 billion robocalls a month to 4 billion robocalls a month. I mean, that's progress.
Dave Bittner: I guess it is.
Joe Carrigan: You know, but still, 4 billion robocalls left.
Dave Bittner: Yeah - 2 billion of them come to me, so yeah.
(LAUGHTER)
Joe Carrigan: That's good. You're taking one for the team, Dave.
Dave Bittner: OK.
Joe Carrigan: Taking 2 billion for the team.
Dave Bittner: There you go. Yeah.
Joe Carrigan: Pardon my skepticism here, but I don't think the Trace Act has been as effective as it hoped.
Dave Bittner: (Laughter) Right.
Joe Carrigan: I still get calls from neighbor numbers. Do you get those?
Dave Bittner: I do. Yeah. Yeah.
Joe Carrigan: Alex says there's a long way to go. And maybe I'm saying this a little bit too early, so as time goes on, perhaps this will become more effective. It is another tool for prosecution. I'm not sure how I feel about that argument, though. But, I mean, in this case, OK. I'd like to see these people prosecuted.
Dave Bittner: Yeah.
Joe Carrigan: Carriers have built a system to authenticate carrier ID - caller ID? You know what this reminds me of? Email. Right? The developers of caller ID and email did not envision the threat model that we have today with these two products.
Dave Bittner: I see. Yeah. Yeah.
Joe Carrigan: Right? So all the security we're working on, we're developing for them now is bolt-on security. And that has so many problems. No. 1, you have an adoption problem. You have to get everybody in the team, everybody who uses the service to adopt the technology.
Dave Bittner: Right.
Joe Carrigan: Like, everybody has to use this new authenticated caller ID.
Dave Bittner: Yeah.
Joe Carrigan: Everybody on email has to use DMARC records and have them properly configured.
Dave Bittner: Right. You don't want to break it for the folks who don't - who haven't adopted yet.
Joe Carrigan: Right. It's got to be backward compatible.
Dave Bittner: Yeah.
Joe Carrigan: Right? You have - it costs so much more money and time to implement these things afterwards as well. And if you just think about security, when you're developing a new product or a new service or a new protocol, make that one of the first things you think about. Put security in the requirements document, in the design document, in the concept document. Put it in there.
Joe Carrigan: Yeah.
Joe Carrigan: We have 3,000 voice-over-IP carriers in the U.S. That is astounding. I was unaware of that.
Dave Bittner: It's a lot.
Joe Carrigan: Dave, you want to start a VoIP business?
Dave Bittner: I do not, Joe. No. I'm good. Thank you.
(LAUGHTER)
Joe Carrigan: What's interesting here is what Alex is talking about as the economy of scamming. And we see that that's changing the technique. They change who they call and where they call from. Right? And I think Alex's prediction about the future is probably accurate. These guys are going to essentially be doing spearphishing calls.
Dave Bittner: Right.
Joe Carrigan: They're going to find out that those are much more effective and have a higher profit margin. And that's what they're going to do. So rather than making, you know, a billion calls or, you know, a hundred million calls, they're going to go down to a million highly tailored targeted calls.
Dave Bittner: Right.
Joe Carrigan: That's going to be dangerous for a lot of people.
Dave Bittner: Yeah.
Joe Carrigan: These things, generally speaking, whenever you focus your attention on one person as an attacker, your attack becomes a lot more effective. Right? Right now, these bad guys are targeting everybody. But Alex's refi example provides an excellent example of how it works. Right? These guys didn't just send a text out to Alex. They sent a text out to probably at least a million people. What are the odds that some of those people are doing refis right now? Probably about 100%, close to 100%.
Dave Bittner: Sure.
Joe Carrigan: Right? It's almost certain you're going to get somebody in there who's doing a refi and go, oh, I got to respond to this.
Dave Bittner: Yeah.
Joe Carrigan: Because a refi is very important to you. A refi is refinance of your home mortgage, I guess. It could be also - there are refinances for cars as well.
Dave Bittner: Sure.
Joe Carrigan: So it's vague, deliberately vague.
Dave Bittner: Right. Right.
Joe Carrigan: I'm really happy to see that Alex and YouMail report their information to law enforcement. That's good stuff. Again, I'd like to see these guys prosecuted. I'd like to see some of these people taken away. These guys are horrible people who scam people. And Alex talks about how they're - they build lists of people with Alzheimer's disease. Yeah. What kind of reprehensible scum do you have to be to do that? You know, I just can't fathom the lack of conscience these people have.
Dave Bittner: Yeah. It's the worst of the worst.
Joe Carrigan: It is.
Dave Bittner: All right. Well, our thanks to Alex Quilici for joining us again. He is the CEO of YouMail. And we do appreciate him taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.