Hacking Humans 8.11.22
Ep 208 | 8.11.22

Staying away from Medicare scams.


Ari Parker: Scammers are attuned at targeting the elderly. They're typically more vulnerable and less comfortable using technology than people who are millennials, let's say.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Ari Parker. He's co-founder and head Medicare adviser at an organization called Chapter. And we're talking about Medicare scams. 

Dave Bittner: All right, Joe, before we dig into our stories this week, we've actually got quite a bit of follow-up here, don't we? 

Joe Carrigan: We do. The first one comes from Jay (ph), who writes, hi, Dave and Joe. You mentioned that Bernie Madoff was taking a vacation at Club Fed, but he finished his stay a little early the only way you can get out early - by passing away while in residence. 

Dave Bittner: That'll do it, yeah. 

Joe Carrigan: Yes, it will. 

Dave Bittner: That'll do it. 

Joe Carrigan: I completely forgot that Bernie Madoff had died. 

Dave Bittner: Yeah, yeah. All right. 

Joe Carrigan: But Jay goes on to write - this was in reference to the diamond merchant who took advantage of the oil baron for $12 million - which actually reminds me of Victor Lustig, who did a similar scam but was much smarter about it. He presented a rare, potentially lucrative opportunity to Al Capone. Now, I don't know about you, Dave, but if the opportunity to scam Al Capone comes up, I'm skipping that opportunity. 

Dave Bittner: Yeah. I don't know that that's wise for your long-term - yeah (laughter). 

Joe Carrigan: Yeah, right. 

Dave Bittner: Go on. 

Joe Carrigan: It may be the last scam you pull. But listen. 

Dave Bittner: Right. 

Joe Carrigan: It goes on. He says it was pretty audacious, given how Mr. Capone dealt with people who crossed him. But he got Mr. Capone to hand over $50,000 for a deal that Mr. Lustig was planning. Mr. Lustig then took the money, put it in a safe-deposit box and let it sit. After a period of time, he comes back to Mr. Capone, says the deal fell through. As a result, I'm completely wiped out - not really. But don't worry, Mr. Capone. I was able to return every penny of your $50,000. He just gives him his cash back. And Mr. Capone said Victor Lustig was one of the few very honest people in his circle of friends and said, here, take this $5,000 to tide you over during this time of hopefully temporary insolvency. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So the guy got five grand out of Al Capone. 

Dave Bittner: Yeah. 

Joe Carrigan: Which is amazing. 

Dave Bittner: Wow. Just for sitting on some money that Capone had loaned him. 

Joe Carrigan: Yeah, just for sitting on $50,000. Now, I wonder... 

Dave Bittner: All right. 

Joe Carrigan: I mean, it's the same money, right? He just put it in a safe-deposit box. Did he change... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The bills out? 

Dave Bittner: No, no. I mean, who knows? Who knows? 

Joe Carrigan: Right. 

Dave Bittner: But he was - you know? It - I like it. It's clever. I mean, it's... 

Joe Carrigan: It's a good story. 

Dave Bittner: It's good social engineering story, yeah. Yeah. 

Joe Carrigan: Yep. 

Dave Bittner: What else do we have, Joe? 

Joe Carrigan: John (ph) writes in to say, thank you, guys. If it hadn't been for your podcast, I might've fallen for this. I just dialed the number on an email I received to talk about a device that had been connected to some system. The number looks very close to a legitimate tech support number for my service provider, and, of course, I wanted to know what device they were talking about because I didn't get any new device recently. The switchboard, when you call the number, is very much the same and sounds legit. 

Joe Carrigan: So I call and I speak to someone named Omar (ph). Omar immediately asked me for my personal details, including my date of birth and my address. Suddenly, my hackles go up. I realized I'd called the number from the email, not the one on their website. So I asked them where to find the official website so I can call the number. He says he doesn't know, but he sent me - he can send me an SMS to prove that they are who they say they are, which is... 

Dave Bittner: Aha. 

Joe Carrigan: ...Not going to work, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: And our listeners know this. 

Dave Bittner: Right. 

Joe Carrigan: Now, you guys have spoken about smishing, so I knew this wouldn't prove anything. So I insist he tell me where on the website the number exists. Eventually Omar gives up and hangs up. 

Dave Bittner: All right. 

Joe Carrigan: He immediately called the service provider using the number on their website. He went out and found it. And the agent there confirms that number does not belong to them and gives me the information on how to file a fraud report. So thank you, guys. If I wasn't a regular "Hacking Humans" listener, I might've become a victim. Have a virtual handshake and my warmest thanks. 

Dave Bittner: Oh, that's very nice. 

Joe Carrigan: That is good. 

Dave Bittner: Good for you. 

Joe Carrigan: I'm... 

Dave Bittner: Good for you, John. 

Joe Carrigan: Yep. I'm glad that that worked out well. 

Dave Bittner: Yeah. 

Joe Carrigan: And finally, Richard (ph) writes in to say, hi, Dave and Joe. I have a little experience with the short first email that Romain Basset mentioned in your interview last episode. I think this was a couple of episodes ago. But, you know, we get these emails a little bit later. I'm in academia - as am I - and members of our research group frequently get phishing emails purporting to be from our PI. PI is principal investigator. That's the person who is responsible for the government grant. He has a fairly curt email style, as people who do a lot of emailing are wont to develop, so they do not appear that implausible from him, which makes sense because we get a lot of these - I get a lot of these as well from faculty as well and people who would be PIs on these things. I did once reply to one short but vague request with a clarifying question and got instructions to buy gift cards in response, at which point I told the scammer to try harder next time. They seem to be doing so as they are now using accounts with my PI's profile picture. So these guys have gone out and they have taken this guy's picture off the internet and they're really putting a lot of effort into it. 

Dave Bittner: Mmm hmm. Mmm hmm. 

Joe Carrigan: He wanted to pick up another point from the interview. Organizations putting in place more process to prevent fraud are often adding additional identity verification processes but not necessarily doing this well. The more places that introduce requirements like phone numbers, additional forms of ID and proof of address as fraud prevention measures, the worse it gets in the long run. So now every Tom, Dick and Harry with excessive know-your-customer requirements has my entire life history on file for the next 30 years so they can show they complied with the requirements. When one of them inevitably gets breached, what am I supposed to do when everything people want me to use to prove I am me is for sale on the dark web? That's an excellent point. And I don't know, Richard, that's - you know, I'm all about identity. 

Joe Carrigan: But Richard goes on - proper cryptographic identity solutions can't come soon enough. And I agree with that, too. I really hope to see some of the things discussed at the Internet Identity Workshop - and then he provides a link, which we'll put in the show notes - about self-sovereign or user-centric identity come to fruition as soon as possible before the current mess devolves any further. And I agree. I'm going to take a look at this Internet Identity Workshop. I think that's probably a great place to start. But the idea of a cryptographic key that we can identify - use to identify ourselves is a great idea. Maybe even the possibility of going and identifying ourselves with somebody we trust, maybe a bank or something, and then having them provide a valid - I'm just spitballing here - this is me just - this is how I think, Dave. You're actually looking at Joe's stream of consciousness right now. 

Dave Bittner: Well, I mean, in the same way that we use our driver's license, which, you know, the state has gone to the trouble to make sure that, when getting a driver's license, you can't just get one willy-nilly, right? There's effort and you have to prove who you are. So other people rely on that. They rely on the scrutiny of the state. If we could have a cryptographic equivalent to that, someone can vouch for our identity, maybe that'll - without having to turn over all this information... 

Joe Carrigan: Right. 

Dave Bittner: ...Maybe that's a good solution. 

Joe Carrigan: Yeah, I think that's - it's got to come. At some point in time, that's got to be here because Richard's point is 100% valid. These people just are amassing all this identifying information because of know-your-customer requirements. And while they may not be selling it - there may be regulation that prohibits it or there may be ethical concerns - first off, there's a potential that they could sell it. And second off, when it gets breached, no amount of regulation is going to save you from having that information sold... 

Dave Bittner: Right. 

Joe Carrigan: ...To anybody who wants to use it for whatever reason. It's a terrible situation. So good point. 

Dave Bittner: All right. Well, thanks to everyone for writing in. We would love to hear from you. If you have something you'd like us to consider for the show, you can email us at hackinghumans@thecyberwire.com. All right, Joe, let's jump into our stories here. Why don't you kick things off for us? 

Joe Carrigan: I have a story from John Matarese at WCPO in Cincinnati. It's very hard for me to say WCPO in Cincinnati without saying WKRP in Cincinnati. And I'm sure John hears that... 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: ...All the time, right? 

Dave Bittner: I'm sure he does. As God is my witness, I thought turkeys could fly. 

Joe Carrigan: Right. From people our age, that's probably all John ever hears. 

Dave Bittner: Right. 

Joe Carrigan: How do you not say WKRP? Because I work at WCPO. That's how I don't do it. I'm a professional. But this story actually ties back to your story from episode 200. That was about eight weeks ago. That was from Pixm about a credential-stealing campaign on Facebook Messenger. It's pretty simple. The way it works is the attack starts with a message from someone the victim knows, but their account has been taken over and it's a bad guy on the other end. And if the victim clicks a link, they are shown an ad and then a page that looks like the login page for Facebook. So it looks like you've been logged out of Facebook and you're asked to log back in after you've been shown this ad. So I wonder if these guys are monetizing this campaign two ways - first, by generating ad revenue. 

Dave Bittner: Right. 

Joe Carrigan: You know, hey, if we're going to steal people's credentials, why not make some money in the process? And then going on to convince them that they've logged out of Facebook and they need to log back in again. If you enter your credentials, the bad guy gets control of your account, and they send messages to all of your friends. So it is an exponentially expanding campaign. And so far, it's hit 10 million people according to Pixm's measurements. 

Dave Bittner: Wow. 

Joe Carrigan: Now, John Matarese is talking about how this scam has impacted a specific victim here. And her name is Sissy Lowe. And she founded an Elvis page, Elvis fan page, on Facebook about seven years ago. And over the past seven years, she has grown this page to 32,000 followers. 

Dave Bittner: Wow. 

Joe Carrigan: That's a big page on Facebook. 

Dave Bittner: Yeah. 

Joe Carrigan: That's a lot of people. So at some point in time, Sissy had her credentials stolen probably with this campaign, but maybe with another one. It doesn't matter. The effect is the same. And whoever did it immediately took her out of the group, blocked her, and she couldn't get in. So they took her admin status away, kicked her out of the group and blocked her from the group. Well, here's something I think is interesting about this. They did not deny her access to her own account. And I'm wondering why that is. Maybe her account, her actual personal account, is not nearly as valuable as the Facebook page. I suspect that might be it. But I'm also suspicious that if they were to take over her page, then she would have more recourse via Facebook. And they don't want that. They just want to get the fan page. They don't care about her personal account. 

Dave Bittner: Right. Right. I know something that happens with some of these fan page takeovers is they'll come in, and they'll find a page like this that has built up a sizable audience. 

Joe Carrigan: Yes. 

Dave Bittner: And then they'll convert it to a completely different topic. 

Joe Carrigan: Right. 

Dave Bittner: And then they'll promote that topic. And they'll use the fact that this fan page has so many followers. And that makes it seem legit. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: Because people get this thing, and they're like, oh, this is the - you know, I don't know - this is the acne medication page. And oh, my gosh, it's got 32,000 followers. Well, that must be - this - it must really work, right? 

Joe Carrigan: Right. Exactly. 

Dave Bittner: And away they go. 

Joe Carrigan: Let me buy some stuff. She says she believes the hacker is now making money selling the contact information of her followers. I don't know if that's true, but they are definitely posting ads on the page in some way. 

Dave Bittner: Ah. 

Joe Carrigan: The things I've seen is they take over an account, and then they - what they do is they just start putting spam ads up in the hope of getting people to click on them and generate some revenue... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or links to articles that do something else. It's not good. Or they could do what you say and just convert it to something completely different. Here's my favorite line from the article. It says, quote, "We contacted Facebook executives hoping they could investigate, but we have not heard back." No kidding. You know, I'm not surprised. Any time you have this, it's like screaming into the void. That's my favorite phrase to describe trying to get help from Facebook or Twitter or anything. The point I want to make today is this. Your Facebook presence has value to these bad guys, especially if you control a large group. Your best bet is to protect your Facebook account with some kind of multifactor authentication, preferably a physical token. If you use anything that generates a code, I think that is - this particular campaign and targeting people who are admins of these kind of groups might be enough to incentivize these malicious actors to go out and take the extra effort to try to get that code out of you as well... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which they can do with - just by asking you for it on their - on the web page they control, which they then pass to Facebook, and then they take over your account again. But they can't really do that with the multifactor authentication device like - that is - like a YubiKey. But there are lots of other ones out there. 

Dave Bittner: Yeah. 

Joe Carrigan: But they use the FIDO Alliance standard, which is an open standard - the FIDO Alliance standard. 

Dave Bittner: Yeah. My wife runs a sizable Facebook page. I want to say it has around 20,000... 

Joe Carrigan: That is a big one. 

Dave Bittner: ...Followers on it. Yeah. And so I have learned a lot about how all these sorts of things work on Facebook through her. When you run a group of that size, you do have tools that, you know, mere Facebook mortals do not have in terms of managing the folks in the group and that sort of thing. But I will say that it comes in waves that people try to hammer away at her credentials. You know, she'll (laughter) - like, just a couple nights ago we were sitting on the couch, you know, watching TV or something. And she showed me her phone, and people were - you know, her MFA was being triggered because people were trying to log in to her account, trying to take over her account. 

Joe Carrigan: Just brute-forcing it. 

Dave Bittner: Yeah. 

Joe Carrigan: Credential-stuffing attack, probably. 

Dave Bittner: Yeah. Yeah. And, you know, it kept coming up. You know, is this you? Is this you? Here's your - you know, here's your reset code. And she's like, oh, boy. And yeah, like I said, it comes in waves. And - but it's a pretty common thing and, good example - good thing she has MFA on there. 

Joe Carrigan: Right. 

Dave Bittner: That seems to do a good job of stopping it. So... 

Joe Carrigan: Yeah, it does. 

Dave Bittner: Yeah. All right. Well, that is interesting for sure. We will have a link to that story in the show notes. My story this week comes from the folks over at Bloomberg. This is an article written by Jeff Stone, and it's titled "North Koreans Steal LinkedIn Resumes in Crypto Job Search Scam." So, you know, Joe, as we've been through the pandemic, which, I submit, we are not yet completely through. We're still making our way through the pandemic. But... 

Joe Carrigan: We're recording this episode remotely because of that exact reason. 

Dave Bittner: That's right. That's right. So one of the things that has happened is we've got more and more people who are working remotely. And because of that remote work, scammers are taking advantage of that. Before I dig into this story, I've heard stories anecdotally about folks who get hired with companies as a developer, so a very technical job, but they will take on four or five full-time jobs - remote jobs... 

Joe Carrigan: Right. 

Dave Bittner: ...Where they don't meet anyone. It's all done remotely. But they claim they're going to be the greatest employee ever. And basically, part of the scam is that it takes a few weeks and at least one pay cycle to figure out that the person is scamming them and to fire them. 

Joe Carrigan: Right. 

Dave Bittner: And so if you do that... 

Joe Carrigan: And you have to pay them for the work that they've done - right? 

Dave Bittner: Right. 

Joe Carrigan: ...Because there's laws about that. 

Dave Bittner: And - even if that work is terrible. Yeah (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right. So if you can do this, the scam is you - you know, you sign up for four or five jobs. Don't do them very well. Do the minimum amount. Try to string the companies along as long as possible. Oh, I'm getting up to speed. I'm just - you know, I'm running late, all that kind of stuff. And then by the time they figure it out, they have to pay you. But because you've been running multiple jobs, you can profit. 

Joe Carrigan: Right. 

Dave Bittner: And I've heard - I've seen people bragging about the hundreds of thousands of dollars that they brought in through this scam. That is not exactly what's going on in this article. In this article, it's actually folks from North Korea, IT workers there who have been trying to obtain work with cryptocurrency companies. And they steal the wording, the phrasing from other people's resumes that they find on LinkedIn, and they cook up their own good-looking, good-sounding resume, and they apply for these jobs with the intention of getting inside a company, where they will have access to some of the things the cryptocurrency companies work with - you know, virtual currencies, tokens, all that kind of stuff. 

Joe Carrigan: Are they looking for keys to crypto wallets? 

Dave Bittner: Yup, all that good stuff. Basically anything they can get their hands on by being an insider is what they're going for here. And evidently, they're having some success in doing that. Part of it is because people are working remotely, so it's not that unusual to not meet someone person - or face to face who you may be hiring for a job. I suspect there's even more of that in some of these tech jobs, like a cryptocurrency company, right? 

Joe Carrigan: Right. 

Dave Bittner: A fast-moving startup who is much less likely to have things like office space and, you know, a world headquarters, that sort of thing. 

Joe Carrigan: Yeah. 

Dave Bittner: So really the point of this article is that your training has to include your HR people, and they have to be on the lookout for this sort of thing, that you can't assume that someone who's applying for these jobs is doing it in good faith. And even though they may seem to have all the right things on the resume, they may seem to have all the right skills, they may pass all of the types of tests you put in front of them with flying colors - it doesn't necessarily mean that they are who they say they are. I'm not sure how much you can protect yourself against this when it's a nation-state actor who's coming after you for these sorts of things 'cause the - a North Korean actor is going to have presumably all of the paperwork that would look legit, right? Don't you think, Joe? 

Joe Carrigan: Dave, that's 100% correct. In fact, North Korea - we had Jeff White on the show with Carole Theriault back in episode 201, where he was talking about the North Koreans scamming these people, trying to get into these cryptocurrency companies for exactly this purpose. And you're right, these guys are really good at what they do. It's amazing to me that a country that has no internet infrastructure has a team of nation-state hackers that are as good as they are. 

Dave Bittner: Yeah. 

Joe Carrigan: They are a formidable force, one to be reckoned with. And because this country is completely isolated financially, they are going after crypto assets, cryptocurrency assets, because that's the best way for them to get money. 

Dave Bittner: Yeah, yeah, to support the regime. Absolutely. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, we will have a link to this in the show notes. Again, I think this is an article that if you work for an organization where you have folks in HR, this might be a good one to forward on to them, just... 

Joe Carrigan: Yeah. This is definitely something your HR people need to be aware of. It is something that you need to be prepared for. And there needs to be some kind of vetting. And if anything seems fishy, particularly with somebody internationally, I think that's a big red flag. I don't know - you know, I don't know, if you're running one of these currency - one of these cryptocurrency companies in South Korea, I don't know how you differentiate a potential North Korean impersonator. I think that's a real challenge. 

Dave Bittner: I agree. 

Joe Carrigan: But, you know, if you're here in America, there are plenty of American - well, actually, there probably aren't plenty of American engineers. That's one of our problems. So you might have to be going internationally. So I guess everybody has to be aware of this. 

Dave Bittner: Yeah, absolutely. All right. Well, we will have links to all of our stories in the show notes. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Jon, who writes, I saw this and thought it would be a great Catch of the Day. It's sad that I missed the time window to receive my fund, especially since the email was sent a year late. But it's good that we get to enjoy this message. I particularly love the address of Chairman and CEO of JPMorgan Chase. Note that the sending address and the email address at the end do not match. And he is correct. The sending address was from John Depp (ph), with a number of numbers after it - four or five numbers after it - which is just some other account that either these guys have set up or taken over. And all the way down at the bottom is the name with a different address with a bunch of numbers after it. So... 

Dave Bittner: Uh-huh. 

Joe Carrigan: Dave, why don't you read this? 

Dave Bittner: Sure. It goes like this. Attention, this is to bring you a kind notice that your outstanding payment of $10,500,000, which has been with our central paying office from United Nations, has been signed and approved for payment after a series of meetings with our board of directors. Also, bear in mind that we want to conclude all payment before the second quarter of 2021 runs out for you to receive your fund. Seems a little late to me, Joe. 

Joe Carrigan: Right, it is. 

Dave Bittner: Therefore, to enable us to achieve our goal to release your fund to you, you are advised to reconfirm to us the below information to enable us to conclude this transaction with you. Your full name. Your complete address, direct telephone number, mobile number, company name, occupation, nationality. Finally, your response to this email should be made immediately before it will be too late for you to receive your total funds. Waiting for your immediate response. Thanks for banking with JP Chase Bank, while we look forward to serving you better. Yours faithfully, David McKay, chairman and CEO, JPMorgan Chase. 

Joe Carrigan: Couple of things I like about this email, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: No. 1, in the section - in the subject section, beneficiary is misspelled. That's my favorite. 

Dave Bittner: (Laughter). 

Joe Carrigan: Also, the CEO of JPMorgan Chase is a man by the name of Jamie Dimon or Dimon. 

Dave Bittner: OK. 

Joe Carrigan: I'm not sure which way you pronounce it. One M, so probably Dimon. David McKay - I just did a quick Google search on David McKay. The only thing that comes up is the pitcher for the Oakland A's. 


Joe Carrigan: And that's it. 

Dave Bittner: OK. 

Joe Carrigan: I don't find anybody - David McKay who is financial. So a quick Google search will render this phishing email inert. But I think, like we said before, that's kind of the purpose, right? They want people who aren't going to check it. They're just going to go, oh, $10 million. Sign me up. 

Dave Bittner: Right. 

Joe Carrigan: And it's, of course, an advance-fee scam. 

Dave Bittner: Yeah. Yeah. All right. Well, thank you to John for sending that in to us. We would love to hear from you. Our email address is hackinghumans@thecyberwire.com. All right. Joe, I recently had the pleasure of speaking with Ari Parker, co-founder and head Medicare adviser of an organization called Chapter. And our conversation centers on Medicare scams. Here's my conversation with Ari Parker. 

Ari Parker: Medicare is a federal government health insurance program, typically for people who are 65 years and older. This is the most vulnerable population. Seniors are especially vulnerable to scammers because scammers are attuned at targeting the elderly. They're typically more vulnerable and less comfortable using technology than people who are millennials, let's say. 

Dave Bittner: So as someone comes into being, you know, eligible for Medicare, what is the transition that happens? Like, you know, I haven't reached that age myself yet. And I'm sure - imagine some of our listeners have, but many have not. Is it a kind of thing that automatically kicks in for people? 

Ari Parker: Great question. You can get Medicare in one of three ways. The first is automatically. If you're taking Social Security before the age of 65, then you'll receive your red, white and blue card three months before the month in which you turn 65. The second way is by applying for it. Typically, if you're not working or you're working part time, then starting Medicare is the best option to provide for your health care expenses. You would apply through the Social Security website. It takes less than 5 minutes. And the government will send you your red, white and blue card. Your Medicare will begin the month you turn 65 unless your birthday is on the first day of the month. The final way is if you're still working and you want to keep your work insurance past the age of 65, then you can remain on your work coverage so long as your employer has 20 or more employees. When you're ready to retire, you would then alert Social Security that you intend to enroll in Medicare. And you'll receive a special enrollment period to start Medicare. 

Dave Bittner: So what sorts of things are out there that people should be aware of? 

Ari Parker: There are three types of scams that seniors should be aware of. The first is a scam that offers free Medicare in exchange for your Social Security number or your Medicare beneficiary ID. When you start Medicare, the government sends you a card that has an 11-character, unique Medicare identifier. Scammers will try to get this number so that they can bill Medicare. Sometimes, the scammers send you the piece of medical equipment. Other times, they don't. The thing is, they don't really know whether you need the equipment or not. It's fraud. The second type of scam is an email phishing scam where scammers will put up a fake page and have seniors click through in order to provide information about themselves. And then the final type of scam is that scammers will try to acquire seniors' bank account information and commit wire fraud. 

Dave Bittner: Now, is this - is it a situation where the scammers will try to, you know, get to these seniors before the government does? Knowing what kind of schedule that the government is on, will they try to reach out before the government gets to them and pretend to be the government? 

Ari Parker: Absolutely. What scammers will do is they'll set up a website that appears to be medicare.gov but isn't, in fact, Medicare. They'll also call seniors and say that they're representatives of Medicare, but Medicare will hardly ever call you. In fact, they say that outright on the government website, that they don't typically call beneficiaries. 

Dave Bittner: Now, in terms of the beneficiaries themselves, are they liable for any of the things that the scammers do here? If - you know, if someone sends me a piece of medical equipment in a fraudulent kind of way, could I be on the hook for that? 

Ari Parker: Yes. You would be on the hook for up to 20% of the medical equipment that the scammer sends you if you're just on original Medicare. The reason why is because Medicare is 80/20 coinsurance. The government covers 80% of your Medicare. You're responsible for the other 20%. 

Dave Bittner: So what are your tips here? I mean, what are the advice that you have for seniors in terms of protecting themselves against these specific scams? 

Ari Parker: Three tips - the first is to watch out for free Medicare offers. This will typically - what, recently, scammers have been advertising is an offer for free medical supplies. And they might say that Medicare will cover it without asking you whether you actually need it or have a medical condition that qualifies you for it in the first place. They'll then ask for your Social Security number or your Medicare number. Don't share this information. The second type of scam that we've seen recently is ones that say that people are eligible for a refund. How this works is that they'll say there's been a change in your Medicare coverage and that you're therefore eligible for a refund on your Medicare. And then they'll reach out to you as representatives of Medicare, typically. The third type of scam is email phishing. And here, spammers will set up fake email addresses or even fake websites that appear to be Medicare-related or Medicare itself, and then they'll ask for your Social Security number, your Medicare number. Sometimes they'll even ask for your bank account information in order to withdraw funds. Don't give out this information over the internet. 

Dave Bittner: You know, I can imagine a lot of this being very confusing, you know, for the folks who are, in good faith, trying to take advantage of their Medicare benefits. You know, I just - I see all sorts of things on TV that say, you know, if you have this condition, if you need a - some sort of assistive device - a wheelchair or a cane or, you know, there are all sorts of things you see ads for - and they say you may be eligible for this at no cost to you. I suspect there are companies who are legitimate when it comes to this thing, but I could see it be confusing for the folks out there who are just trying to take advantage of this and get on with their lives. 

Ari Parker: That's right. It is absolutely confusing, Dave. I don't - I can't tell you enough how many emails we get with direct mailers that people are sent, asking, is this legit? Should I respond to this? - when, in fact, it's a piece of spam. Or in the fall, when you see advertisements on television about different types of plans, you don't know if the plan is suited for you or not. That's not to say that the advertisement is a scam, but it's confusing, and it creates complexity around something that seniors really need in order to protect themselves and gain peace of mind over their health care coverage. 

Dave Bittner: What about Medicare itself? I mean, do they provide resources to help guide folks through this and help them steer away from some of these scams? 

Ari Parker: Dave, there's no website Medicare has set up that identifies whether a specific scam is legitimate or not. What I can say here is that if it feels suspicious, then don't respond to it. If someone calls you and asks for your Social Security number or your Medicare number, then don't just hand it out over the phone. Scammers are trying to get three pieces of information out of seniors, typically. They're either trying to get their Social Security number, their Medicare number, or their bank account information or a credit card. If it feels suspicious, don't respond to it. Don't go any further in a conversation if someone calls you and it feels suspicious, and if someone claims to be a Medicare representative, then that should be a red flag if they're calling you. Medicare typically doesn't call you. You call them. 

Dave Bittner: And would it be fair to say that if you're suspicious of something, that you should hang up, and if you need to contact Medicare, then you reach out to them? 

Ari Parker: That's exactly how it works. Medicare has a 24/7 hotline. They're not difficult to reach. People typically wait on the phone less than 10 minutes. They actually have an excellent support department. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Two things that Ari talks about that make seniors more vulnerable as a population. No. 1, there is a higher proportion of seniors who are not, like, digital natives, right? You know, Dave, as you and I move towards this realm - it's a lot closer than you think. Let me put it to you this way, Dave. Do you remember graduating from high school and college? 

Dave Bittner: Yes. 

Joe Carrigan: Yeah. Retirement is closer, Dave (laughter). 

Dave Bittner: OK. Very nice. 

Joe Carrigan: Retirement is closer. 

Dave Bittner: Thank you for that. 

Joe Carrigan: So, yeah. You know, and I would say that you and I are probably digital natives of the earliest breed. 

Dave Bittner: Yeah. 

Joe Carrigan: But do you remember when we were young and we were playing with computers? There weren't a lot of people around doing that. So people... 

Dave Bittner: Right. 

Joe Carrigan: ...Our age are still not as familiar with computers as, like, you and I are, or, more importantly, our kids. So hopefully as the population continues to age, this will become less and less of a risk factor, the digital nativeness, I guess. 

Dave Bittner: Yeah. 

Joe Carrigan: But the more important factor here of these two factors is that these scammers are skilled and make an effort to target older people. And that is never going to change. It doesn't matter what the technology is, the targeting for the people - the age population is always going to be the same. They're going to try to scare the crap out of these people, and - or offer them something that they think they might be able to get for free. And those kinds of scams are pretty much always going to be effective, even if they have to walk away from the digital aspect of the scam. There are a lot of scams out there based on Medicare, including fraudulent billing, identity theft, which is where they're going to try to get you to enter a bunch of information, including your Medicare information, your Social Security information, then just straight-up theft where they ask you for your bank account information. Hey, you need to pay for your 20% of this item. And then you give them your bank account or credit card information, and they just take the money and run. 

Joe Carrigan: These scams all sound very familiar. And if we're lucky enough to live long enough to be on Medicare, we're all going to have to contend with these scams. And they're pretty familiar sounding to listeners of this podcast. Free Medicare offers - no, probably not. Medicare is an 80-20 split. A refund, really? No, not really. Remember that - I think it was a Tostitos commercial from the '90s with Chris Elliott and the IRS. I - that's what I think of when I think refund. And phishing links with fraudulent sites, those are - I don't know, there's got to be - there's going to be a technical solution to this eventually. I'm hopeful of that. But until there is, we're still going to have to deal with phishing links. Email is awful, and we need a better solution, although I have no idea what that is. So I'm - I get to play my grumpy old man card here, Dave, and just complain about the current state without offering any solutions (laughter). 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: There is no website or tool that will tell you if the offer you're currently experiencing is a scam. You just need to be cautious, and again, never give out information on an inbound call. Here you have to be careful that who you're calling is also bona fide because of two things. There are two things I want to talk about here. We actually had a listener write in about this recently saying that when I call - when I get the inbound call, sometimes I say, I want to call you back. And they go, well, there's no way for you to get back in touch with me in particular, right? The customer service - and these companies - I understand that. They don't have any way to do it. But, you know, I still say, OK, well, what is this regarding? And I'll call back and talk to someone in your customer service organization. It may not be you, but they should have access to it as well. So I still say give them a call back, even if you may not get the same representative. 

Joe Carrigan: And the other thing is that these emails that we get or these websites that we get are asking us to make the outbound call. And if we make the outbound call without verifying that call, just like our listener who provided feedback earlier today - earlier in this episode, he made the call and got suspicious. And as soon as he started getting requests for information that didn't seem legit, he was like, nah, nope. I'm - think I'm going to make that - make the call to the actual number. 

Dave Bittner: Right. 

Joe Carrigan: So, you know, it's kind of difficult. I mean, it's just - these guys are just making it more and more difficult for people just to get the services to which they're entitled. 

Dave Bittner: Yeah, absolutely. All right. Well, again, our thanks to Ari Parker for taking the time for us. We do appreciate it. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. "Hacking Humans" podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.