Hacking Humans 12.8.22
Ep 223 | 12.8.22

Do not get your news on social media.


Giulia Porter: It's important to kind of know what scammers are really trying to do when they're talking to you and so you can kind of know what to look for.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Giulia Porter - she's vice president at RoboKiller, and she's giving us information about their mid-year report on phone scams. 

Dave Bittner: All right, Joe. I am going to kick things off here with our stories this week. And mine comes from the folks over at Sophos. This is a report that has been making the rounds here - a big takedown this past week so good news. 

Joe Carrigan: Yep. 

Dave Bittner: (Laughter) That was - let me back up a little bit and frame this a bit. I was thinking. You and I, the age that we are... 

Joe Carrigan: Right. 

Dave Bittner: ...We grew up in the golden age of prank phone calls. 

Joe Carrigan: Yes, we did. 

Dave Bittner: Right (laughter)? 

Joe Carrigan: When you could get away with that crap (laughter). 

Dave Bittner: Right. Right. Because this is - you know, for some of our younger listeners, there was a time in the time of landlines before you had caller ID. So you could call someone, and they would have no idea who was calling them (laughter). There was no way to know. 

Joe Carrigan: That's right. 

Dave Bittner: So, you know, you could call someone and ask if the refrigerator was running and say, oh, you better go find it or, you know... 

Joe Carrigan: You'd better go catch it. 

Dave Bittner: ...Call the bowling alley and ask if they have 10-pound balls - you know, those kinds of things. Ah, hilarious. 

Joe Carrigan: Right. 


Dave Bittner: But then caller ID came out and... 

Joe Carrigan: Yep. 

Dave Bittner: ...That put an end to all of that (laughter). 

Joe Carrigan: It did, indeed. 

Dave Bittner: So we're no longer anonymous. And, of course, caller ID extended to our mobile devices, and it's just a regular part of the phone system. But this article points out that caller ID is not reliable... 

Joe Carrigan: It is not. 

Dave Bittner: ...That it is easy for people to spoof caller ID the same way that they're able to spoof an email address or something like that. And the root of this story is that there was an online service that was called ispoof.cc where anyone could sign up for this service, pay them some money and generate phone calls that appeared to come from wherever they wanted it to come from. They could appear to come from any number they wanted, any place they could come from. So they could put the name of your bank in there. They could put the name of your hospital in there. They could put the name of your parents in there (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Anything at all, they could put in there. And these folks made a lot of money, as you might imagine. 

Joe Carrigan: I'm sure they made tons of money. 

Dave Bittner: Yeah. So - but there was a big international takedown this week, and this involved law enforcement teams from 10 different countries, the usual suspects here - Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the U.K. and the USA. It seems as though these folks were centered in the U.K. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: OK. 

Dave Bittner: And they seem to have generated an - it says generate an estimated worldwide loss in excess of 100 million pounds. And over 100 people have been arrested as part of this takedown. They have - 142 people have been arrested, according to this. And the kingpin was a 34-year-old by the name of Teejai Fletcher, who is in London. And they also say that one of the things that they were able to gather in this takedown was a database file... 

Joe Carrigan: Oh. 

Dave Bittner: ...Which they say contained 70 million rows... 

Joe Carrigan: Uh-huh. 

Dave Bittner: ...Identified 59,000 suspects. 

Joe Carrigan: Mm, yes. 

Dave Bittner: They say a hundred have been arrested. 

Joe Carrigan: A hundred of the people in the database have been arrested? 

Dave Bittner: Yes. 

Joe Carrigan: Awesome. 

Dave Bittner: And (laughter) this is kind of funny. See, right now, the cops are focusing on those who have spent at least 100 pounds in bitcoin to use the site. So they're going... 

Joe Carrigan: Right. Yeah. That's the first thing I would have done. 

Dave Bittner: They're going up high level. Right. 

Joe Carrigan: I would have selected from that table based on count - you know, the number of times their user ID shows up in the table - and gone after the - just start with the top person and work my way down. 

Dave Bittner: Right. Right. So obviously, it's good news that this takedown happened, and it's one, you know, one other way to try to go after the folks who are trying to do bad things out here. But one of the things I like about this article from the folks over at Naked Security from Sophos is they have a nice little list of tips here about dealing with this sort of thing. Their first tip is - treat caller ID as nothing more than a hint. 

Joe Carrigan: Yep. 

Dave Bittner: I think that's good advice (laughter). 

Joe Carrigan: I agree. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: We often say that on this show when we're talking about it. Even if the caller ID says it's from your bank, it's perfectly OK to say, I'm going to call you right back and call them at a number 'cause I think not only can you spoof the name of your bank, but you can also spoof the number of the bank. 

Dave Bittner: Right. Right. And that's actually their second tip, which is always initiate official calls yourself using a number you can trust. So... 

Joe Carrigan: Right. 

Dave Bittner: ...Just like you said. You know, say, all right, great. Hello, bank. I will call you back on the number that I know is actually you... 

Joe Carrigan: Yep. 

Dave Bittner: ...And do so. The third tip is don't let a coincidence convince you a call is genuine. 

Joe Carrigan: Indeed. This is how most of these work. I'm convinced of that. 

Dave Bittner: Yeah? 

Joe Carrigan: Yeah. 

Dave Bittner: How so? 

Joe Carrigan: I think that - you know, because I've gotten - yeah, I've gotten scam calls from Amazon, and I almost always have an Amazon order coming through, right? 

Dave Bittner: Right, right. 

Joe Carrigan: So I can see how that works. And, you know, we talk about this - all these scams have to do is find the right person at the right time. And if you hit enough people, you're going to hit enough - like, let's say I'm impersonating Bank of America. I don't know who's a Bank of America customer. But if I hit 40 people, I'll bet two or three of them, at least, are Bank of America customers. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's the kind of thing that this is talking about here, I think. 

Dave Bittner: Yeah, it really is a numbers game. They point out in the article here that the scammers using iSpoof made at least 3 1/2 million calls in the U.K. alone over a 12-month period, which works out to one call every three seconds. 

Joe Carrigan: Right. 

Dave Bittner: I feel like I got most of those calls. 


Joe Carrigan: Your phone doesn't stop buzzing when you put it on a table. Just all night long. 

Dave Bittner: That's right. It just vibrates... 

Joe Carrigan: I've gotten used to it. 

Dave Bittner: ...And falls onto the floor, yeah. And then their fourth tip here is something we say all the time here, which is be there for vulnerable friends and family. 

Joe Carrigan: Indeed. 

Dave Bittner: And perhaps that's the best advice of all. 

Joe Carrigan: Yes. 

Dave Bittner: Make sure that they're aware of this sort of thing. Share these tips with them and be there if something like this happens to them so that, you know, you can provide help for them. By the way, to that point, I want to thank - a number of people wrote in with, I guess, a note of sympathy, support, whatever it is... 

Joe Carrigan: Right. 

Dave Bittner: ...For my story about my father. Yeah, yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: I appreciate it. 

Joe Carrigan: Right. 

Dave Bittner: Thank you, everyone. You know, we love our family and do our best to take care of them. And I think a lot of people find themselves in the same boat. So good on you. 

Joe Carrigan: I would agree. 

Dave Bittner: Yeah. All right, well, I will have a link to this story in the show notes. That is what I've got for us this week. Joe, what do you have for us? 

Joe Carrigan: So, Dave, recently I was working with somebody in the Johns Hopkins University Communications Department. We were doing a story on news on social media. And, of course, everyone on this show or everyone who listens to this show knows my stance on this, right? 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: And my stance is do not get your news from social media. 

Dave Bittner: Right. 

Joe Carrigan: But if you're going to get your news from social media, make sure you verify it. Make sure you can validate that it's true. Make sure it comes from a trusted source. And during the course of writing this article, I came across a website called leadstories.com. And it is a website that focuses on fact-checking stories that show up on social media. So it's - I thought I would take a lighthearted look at this. Now, if you go to the website - it's leadstories.com... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It says, just because it's trending doesn't mean it's true, which is... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Really the problem with news on social media is that, you know - like Mark Twain said, a lie can run around the world while the truth is still tying its shoes or something to that effect. I'm paraphrasing here. 

Dave Bittner: Right. Yeah, yeah. 

Joe Carrigan: But across the top they have these sections. One is called the Blue Feed, one is called the Red Feed, and one is called War and one is called Coronavirus. And these are - so if you're someone who leans left, maybe you look at the Blue Feed so you can find - when you see a story that's out there. Now, Dave, I'm going to go through a couple of stories here... 

Dave Bittner: OK. 

Joe Carrigan: ...That are on this website. And I want you to tell me if you think these are true or false. 

Dave Bittner: OK. 

Joe Carrigan: Spoiler alert. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So I think we know what they're going to be. But let's start with the Blue Feed. 

Dave Bittner: OK. 

Joe Carrigan: Did the White House hire a Satan worshiper to oversee American health? 

Dave Bittner: Let me see (laughter). Somehow, I would say, I don't know, whether or not you're a big fan of President Biden, that would seem like an odd hire to me. So I'm going to go with that not being true. 

Joe Carrigan: That's correct. It's not true. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: It comes from a tweet from somebody named Benny Johnson, who is a verified Twitter user. 

Dave Bittner: Yeah. 

Joe Carrigan: Blue check - what does that mean anymore? I don't know that it means anything. 

Dave Bittner: (Laughter). 

Joe Carrigan: And he is a - you know, a right-leaning individual. But he says that Biden picked Dr. Demetre Daskalakis as deputy coordinator of national health in response to the monkeypox outbreak. And Benny Johnson has found a picture of this - of Demetre here where he is posing with his shirt undone, and he has a pentagram on his chest. It says, well, this is proof that he's a Satanist. 

Dave Bittner: (Laughter) OK. All right. 

Joe Carrigan: Right? Demetre says no, I have other tattoos that would be proof that I'm not. 

Dave Bittner: (Laughter). 

Joe Carrigan: But it's interesting here that the pentagram is a right-side-up pentagram, which is generally not a satanic symbol, I think. 

Dave Bittner: All right, I'll take your word for it. 

Joe Carrigan: Yeah. Also, by the way, upside down crosses - not a satanic symbol. 

Dave Bittner: OK. 

Joe Carrigan: So all those metal bands, you really look like you're just - you just don't understand things. Anyway, let's go on to the next story here. 

Dave Bittner: OK. 

Joe Carrigan: Ready? 

Dave Bittner: Yeah. 

Joe Carrigan: Let me get the link up here. And let me ask this question, Dave. Do you think that nasal swab tests for COVID-19 contain a DARPA hydrogel that causes recipients to be remotely controlled? 

Dave Bittner: (Laughter) Wow. Well, since I have had a COVID-19 nasal swab test, my reply is unreliable. 

Joe Carrigan: That's correct. 

Dave Bittner: (Laughter). 

Joe Carrigan: Me too. Maybe that's why I'm talking about this in such a jovial fashion is because of the DARPA mind-control gel. 

Dave Bittner: That's right. That's right. Who knows? 

Joe Carrigan: This is obviously false. 

Dave Bittner: Yes, yes. 

Joe Carrigan: This is obviously false. These are... 

Dave Bittner: Sure. 

Joe Carrigan: ...And, of course - but, I mean, we laugh at this. But people are actually spreading this on social media as if it were true. 

Dave Bittner: Right. 

Joe Carrigan: So let's take a look at a couple from the Red Feed, which is going to be focusing on people who are a little bit more right-leaning. This is going to be lies about that. 

Dave Bittner: Yeah. 

Joe Carrigan: So let me ask you this - and I've actually seen two of these on Twitter. 

Dave Bittner: Yeah. 

Joe Carrigan: Does Donald Trump get a tax break for his golf course because Ivana Trump is buried there? 

Dave Bittner: Sure. Yeah, sure. Absolutely. Yeah, yeah. 

Joe Carrigan: He does not, Dave. 


Joe Carrigan: That doesn't happen. 


Dave Bittner: Joe, I've seen this one, too. I've seen this one, too. Yeah, yeah. 

Joe Carrigan: Right. Well, that is patently false. 

Dave Bittner: Right. 

Joe Carrigan: Donald Trump does not get a tax break because he has a cemetery on his property. That is not how that works. 

Dave Bittner: OK. 

Joe Carrigan: This - there's a complete - this thing - these fact checks go into painstaking detail about where these things come from and where they are and why they are false. 

Dave Bittner: OK. 

Joe Carrigan: And the last one we're going to look at. Dave, do you know who Ben Shapiro is? 

Dave Bittner: I'm familiar with him, yes. 

Joe Carrigan: He's a conservative commentator. 

Dave Bittner: Yes. 

Joe Carrigan: But - and he is critical of the Biden administration, of course. But did Ben Shapiro receive a Payday Protection Plan loan? 

Dave Bittner: At all? 

Joe Carrigan: At all, yes. 

Dave Bittner: Oh, I have no idea. 

Joe Carrigan: Right. Well, it was claimed on Twitter that he did, but it is not true. And in fact, it's - what happened was somebody just went to the - to a website that lets you search these things and typed in Ben Shapiro. And lo and behold, there are many people in the world named Ben Shapiro, and some of them run businesses. And they have taken out loans for Payday Protection through the COVID pandemic, right? 

Dave Bittner: Right. 

Joe Carrigan: During the early days of this. And this Ben Shapiro happened to be from Los Angeles, and he was a real estate broker. And the screenshot that - Ben Shapiro actually refuted this almost immediately and said, here's a full screenshot of the thing. And I like Ben Shapiro's response here. He says, in short, Twitter is filled with gullible rubes who will believe nearly anything based on a partial screenshot, which is a great way of saying, don't believe just what you see on Twitter. I mean this - and again - and here we are. And this is why I say this. This is absolutely why I say this. Do not get your news from social media. 

Dave Bittner: Yeah. 

Joe Carrigan: It is terrible. It is a terrible source for this. And it's also a terrible platform for political discussion. It is... 

Dave Bittner: Right. 

Joe Carrigan: ...I believe it is largely responsible for the polarization that we have in this country. I think it has done more harm than any good will ever come of it. And I am - but everybody knows how I feel, Dave. 

Dave Bittner: I find - 'cause I'm a fan of fact-checking sites. 

Joe Carrigan: Right. 

Dave Bittner: Think like - probably the one I know best is Snopes, which is very well-known for being a fact-checking site. But I like the way that this one allows you to sort things based on ideologies. I think that's useful. 

Joe Carrigan: Right. I think it's 100% useful. I mean, it's really good. Now, my favorite thing about this is that it is - these stories are absolutely outlandish, a lot of them. 

Dave Bittner: Right. 

Joe Carrigan: They're - in fact, as I scroll through, I'm like - I'm finding myself going, who would believe that? Who would believe that? Who would believe that? 

Dave Bittner: (Laughter) But isn't it funny, though? Like, because I think, depending on your inclinations, you can look at something that, coming from one side, is completely outlandish and go, who would believe that? And then you look at something coming from the side that you lean towards and you go, yeah, that sounds plausible. 

Joe Carrigan: Right, exactly. That's a big... 

Dave Bittner: (Laughter) So you have to check your own biases, you know? 

Joe Carrigan: Yeah. 

Dave Bittner: And a site like this helps you do that. So I think it's good. 

Joe Carrigan: I would agree. That's why I bring it up here today. 

Dave Bittner: Yeah. Yeah. So you present this as, for our readers, as a utility to help them sort through some of these scams and misinformation that's out there. 

Joe Carrigan: Absolutely. Maybe when you see one on Facebook or Twitter, that you just go to leadstories.com, plug in the keywords, find the debunking - or the, you know - it's usually just debunking. It's really not anything else. But find the debunking page, and then just post a link to that as the reply. 

Dave Bittner: Right. 

Joe Carrigan: And see what happens. Of course, you'll be hated and blocked and everything. 

Dave Bittner: (Laughter). 

Joe Carrigan: Which is great. But that's... 

Dave Bittner: Well, there's an old thing about when someone - like a - when someone believes a conspiracy theory, that evidence to the contrary is just evidence of the conspiracy to them. 

Joe Carrigan: Right. Yeah, absolutely. 

Dave Bittner: It just reinforces the fact that, look how strong the conspiracy is. People are out there putting out this sort of information, so... 

Joe Carrigan: Absolutely. 

Dave Bittner: It's really hard to convince people when they've - when they're dug in to something like this. 

Joe Carrigan: Yeah, that requires personal attention from people that care about them, and that is never going to come across social media. 

Dave Bittner: Yeah, that's a good point. I suspect a lot of our listeners experienced that over the Thanksgiving holiday, of sitting down with their friends and family. And... 

Joe Carrigan: You know what? We didn't have that at - over Thanksgiving holidays. 

Dave Bittner: No? 

Joe Carrigan: We did not. We did not have any political discussions. You know, it's just generally something we don't do. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, every now and then when my sister and I sit down - my sister, my brother and I sit down, we do get a little bit political. But we try to keep it really civil. And, you know, 'cause we are all siblings and we do care and love each other, so... 

Dave Bittner: Yeah. 

Joe Carrigan: And we all have different political leanings, you know? It's really interesting to sit down and have a discussion. 

Dave Bittner: Yeah. 

Joe Carrigan: Sends my wife into hysterics and hives, though. She doesn't like the conflict. 

Dave Bittner: (Laughter) She goes into the other room. 

Joe Carrigan: Right. That is exactly what happens. 

Dave Bittner: Oh, look at the time. 

Joe Carrigan: (Laughter) Right. I'm going to go talk to your parents. Goodbye. 

Dave Bittner: Right, right. All right. Well, that is leadstories.com - very interesting. And we'll have a link to that in the show notes. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Povilas who writes, hey, guys. I love your podcast and wanted to share this funny phish that was sent to one of our users recently. And it is a - it's a - I don't know what it is, Dave. It's kind of a strange one. I mean, it's the same thing we see frequently, but it's written a little bit differently. 

Dave Bittner: All right. Let's see. It starts off here and it says, (imitating Australian accent) my name is Anton Johann Fiel (ph). I was born in Australia - Maleny, Queensland - on 30/12/1965. I live in Germany since 1975 - oh. (Imitating German accent) I am a visionary developer and businessman. When my system is inserted between, save up to 98% energy. We don't need batteries then. This is a win-win situation for all of us worldwide, for poor countries especially, for industry worldwide, for politics, for all of us, et cetera. This project is 100% green, 100% very, very cheaper than all other renewable energies. The good thing about this project - we don't need to wait. We can start immediately. We have the technology and the knowledge. We need to save our earth together and become greener, all of us. Together, we are strong. More information here - you can write me. Here's my email address. 

Joe Carrigan: So it sounds like this guy's peddling a perpetual motion machine or something. 

Dave Bittner: Oh (laughter). Right, right. 

Joe Carrigan: I mean, when you start talking about, save up to 98% of the energy... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I'm immediately dubious of that. You know, generally... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The energy savings that we see in things or the energy improvement we see in things come in very, very small increments. 

Dave Bittner: Right. 

Joe Carrigan: Not huge - we're going to eliminate the need for 98% of the energy. If that were the case, yeah, wow. What - it's just not true. 

Dave Bittner: It reminds me of those devices that people sell that promise to - like, for $10, they'll increase the gas mileage on your car by 20% or something like that. 

Joe Carrigan: Yeah. 

Dave Bittner: And, you know, let's just say on a $30,000 car, if there was a $10 device that would increase your gas mileage by 20%, it would come with the car (laughter). 

Joe Carrigan: It would come with the car. Right. 

Dave Bittner: Right? 

Joe Carrigan: Because - yeah, or your mechanic would offer it. 

Dave Bittner: Whatever. I mean, you know, to your point that... 

Joe Carrigan: Right. 

Dave Bittner: ...Manufacturers are just doing everything to try to eke out tiny little percentages of efficiency out of these things. 

Joe Carrigan: Right. 

Dave Bittner: So if someone truly had something, a revolution like this, it would be everywhere. 

Joe Carrigan: Right. It would already be there. 

Dave Bittner: But I suppose it's playing into that notion that people want to be in on something. They want to have the secret that no one else has, right? 

Joe Carrigan: You know, Dave, I tend to be pretty gregarious out in public when I see people doing things that are interesting to me. And I made a terrible mistake one time with a friend. 

Dave Bittner: (Laughter). 

Joe Carrigan: A friend of mine and I were having lunch at Wheaton Plaza, and I see this guy reading a technical book. And he - I said, oh, what are you reading there? He goes, I'm reading this book from this guy on servos and about how we got much more efficient servos out there. And I'm thinking, this guy's reading a perpetual motion book. And I'm like, there has to be loss. He goes, oh, there's loss in the system. I'm like, well, who is this guy? Maybe I can look him up. And he go - he says to me the three words that let you know that you're dealing with somebody who is one of your conspiracy friends - they killed him. 

Dave Bittner: (Laughter) Oh, no. 

Joe Carrigan: And now, my friend kind of looks over and glares at me. And he's like, what have you gotten us into? 

Dave Bittner: Oh, oh, look at the time (laughter). 

Joe Carrigan: Yeah, right. And my friend actually bails me out here. He goes, oh, we got to get back to work. I'm like, yeah, OK, thanks (laughter). 

Dave Bittner: Yeah. Yeah. All right. 

Joe Carrigan: Yeah. 

Dave Bittner: Well, that is a fun Catch of the Day for sure. Thanks to Povilas for sending that in. I appreciate it. And we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Giulia Porter. She is vice president at RoboKiller, a popular app that helps you cut down on spam calls and spam texts on your mobile devices, and she joins us with information about a report that they recently published about some of the phone scams that they're tracking. Here's my conversation with Giulia Porter. 

Giulia Porter: So RoboKiller is a spam call and text blocker app in the U.S. We've been around since 2017. RoboKiller takes a unique approach to blocking spam calls and text, where we're using AI and machine learning to stop spam calls for our users. What this also allows us to do is analyze nationwide spam calls and text trends for, of course, the people who do use RoboKiller, but also for what we believe is kind of happening across the country outside of just the RoboKiller ecosystem. And, of course, as everyone knows, spam calls and text are not only annoying, but, you know, consumers are losing a lot of money to these scams. And so we tracked these trends, of course, to better understand how we can stay one step ahead of the scammers on our end with our technology, but also to make sure that, you know, people are aware of scam trends out there and know what to look for so that they don't become victims. 

Dave Bittner: Well, let's go through some of the key findings here. I mean, what are some of the things that caught your eye? 

Giulia Porter: So, unfortunately, Americans are now more spammed than ever, as of 2022. In past years, you know, we've been very much focused on robocall trends, which have continued to increase year over year. Unfortunately, we do have a new problem that's emerging at great scale, which is robotexts. Just in the first half of 2022, it's estimated that Americans received 66 billion robotexts, which is quite a lot. And at this point, it's now outpacing robocalls, where Americans received about only - only, I mean... 

Dave Bittner: (Laughter). 

Giulia Porter: ...Forty billion estimated spam calls in the same time period, so at this point now, one of the biggest trends and concerns, frankly, for us is that, you know - and we can talk about this in a bit - but the industry is very focused right now on combating robocalls, and scammers know this. And they seem to be getting one step ahead of us and pivoting to this new technology, which is robotexts. 

Dave Bittner: And, I mean, is that really what it comes down to - is that - as organizations like yourselves are helping people get on top of robocalls, is this just a pivot on the part of the bad guys? 

Giulia Porter: It's actually a pivot at the industry level. RoboKiller has been blocking spam texts for many years now, and we have been first to market in solutions to protect consumers. But what this - we believe that this is a result of - and the trend lines up with this timing quite closely - is if you've been following the government efforts on the robocall side with a new technological framework called STIR/SHAKEN. STIR/SHAKEN is a technology that was released last year that all telecommunications providers in the U.S. had to adopt and comply with, which was essentially a technological framework for caller ID verification and authentication. And what that was designed to do was create a universal standard for understanding whether or not a call - a phone call that was being placed was being spoofed. 

Giulia Porter: A lot of times scammers, robocallers in particular, are using caller ID spoofing to mask their caller ID. And normally that's on the backside of a phone scam more than it is a legitimate call. And so the industry has been very, very focused on adopting this framework, complying with new regulations. And we are seeing improvements as a result. But unfortunately, scammers know this as well, and were prepared for this and are responding in just a whole new medium, unfortunately. 

Dave Bittner: Yeah, it really seems like a game of cat and mouse here and, as you say, very frustrating for consumers. I mean, what are some of the other statistics that you're tracking here? 

Giulia Porter: So the FTC reports has a - reports on the reports that they receive for consumers who come to the FTC and report losses to phone scams. We believe, based on the traffic that we're seeing, that these reports that represent millions and millions of dollars of consumer losses are only a small piece of the actual losses in the United States. For 2022, we are projecting that we are - that consumers are going to lose about $28 billion to robotexts. Where that kind of nets out is about a thousand dollars in losses per robotext scam. And unfortunately, again, going back to that point of being more spammed than ever, people are also losing money to robocalls. And we believe that number for robocalls is going to reach about 60 billion by the end of 2022. And so you can imagine that this is a huge problem for consumers that we're seeing nationwide. And, of course, you know, that just kind of takes it a step further. Not only are these calls and texts really annoying, but for some, they can be quite catastrophic, financially. 

Dave Bittner: In terms of the actual scams themselves, are there certain ones that are more popular? 

Giulia Porter: Yes. We - you know, it's kind of sad and funny at the same time. If - I think, if you've kind of been on social media, you might have seen some people talking about the car warranty robocall. Based on RoboKiller's data, we estimate that it's statistically possible that every American with a smartphone has received that robocall more than four times this year, at least. 

Dave Bittner: I know I have (laughter). 

Giulia Porter: I guess it's something we all have in common. What's interesting with the car warranty robocall is we're actually seeing a large decrease - a significant decrease, actually - in the last couple of months for that robocall specifically - actually, thanks to an effort from the FCC. The FCC tracked down some known robocallers that were suspected to be behind this car warranty robocall, and they actually put out an announcement that allowed all carriers to block any traffic from where they had identified they think - they thought this - the scam was coming from. And what we've seen, since that announcement in July of this year, is that car warranty robocalls and - according to RoboKiller - have gone from about 15% of total robocalls to less than 1% in just a couple months. So this is actually an exciting development because it's a great testament to, you know, the FCC's efforts to get involved, to stop a particular scam and seeing that that's working really, basically immediately. So we're very excited about that. Of course, scammers, just like we're seeing with robotext shifts, you know, are really going to, often, just change their tactics and adopt different scams. 

Giulia Porter: In terms of the types of scams that we're seeing, the overall trend that we know about phone scammers is that they watch the news. They know what's top of mind for us. And they're often changing and targeting their scams to be as relevant as possible. So, for example, in the last couple months, we've seen increases in - significant increases in student loan phone scams, both for robocalls and texts, as coverage around student loan forgiveness has increased in the media. And again, that - scammers really are just trying to kind of catch you when you're not really paying attention. But, you know, this - you might, like, look at something and see, like, oh, yeah, you know, I did apply for student loan forgiveness. I'm going to, you know, just click this link and check this out in this text. And then, all of a sudden, you know, you're hooked. And so that's definitely a common trend that we see. Of course, as we head into the holidays, you know, scammers love to pose as delivery service text companies. I've been getting a ton of Amazon spam texts in the last couple days, actually. And so really for them, it's a game of relevancy, just to increase the likelihood that you'll fall for their scams, unfortunately. 

Dave Bittner: You know, we see providers, such as you and your colleagues there at RoboKiller, and even the - some of the device manufacturers. You know, you think about Apple, for example, will allow you to have a setting where you won't - a phone call won't come through unless it's in your address book. And those are effective. But I'm curious, do you have any insights onto, you know, what's keeping the carriers from doing a better job of tamping down on this at the source? 

Giulia Porter: So our perspective on this is that I think carriers, you know, of course, play a big role in this problem. But they often get a lot of heat, and it's, I think, partly because of just their brand awareness and their depth. But I think what a lot of people don't realize is that, you know, the carriers are just - you know, your T-Mobiles, your AT&Ts and the ones that come to mind when you think about a phone carrier in the U.S. - are a very - are just a piece of the overall telecommunications industry. There is a ton of other vendors that your phone call is passing through, beyond just, you know, Verizon and T-Mobile, that do need to, you know, adopt STIR/SHAKEN frameworks, like, be - you know, passing that kind of authentication framework through the system. And so there are so many more touch points to the way that these calls and texts are being placed, outside of just carriers alone, that, you know, carriers tend to get quite a lot of heat, of course, for, you know, wanting - needing to protect their consumers and their users from this problem. 

Giulia Porter: And our perspective on that is, well, you know, we really, I think, believe that a unified effort is necessary to stop this problem. It's a big ship to turn. And it is, yes, important that the carriers do partake, and they are. They have - most of them, at this point, have adopted the STIR/SHAKEN framework. But it's actually also, you know, in order for them to be effective, too, all of the providers that they're working with also have to adopt this framework. And I think that's still taking a bit of time. And so, you know, they're definitely getting that pressure, unfortunately. And, you know, I think it's good to see that they're leaning into the problem. But we need kind of everyone working together. Then that's kind of still a missing piece. 

Dave Bittner: Yeah. So what are your recommendations, then, I mean, for folks who want to do a better job getting on top of this? I mean, obviously, there are products like yours. But, you know, beyond that, what sort of things can people do to try to limit the flow of these annoying messages? 

Giulia Porter: Yeah, it's - you know, I think it's unfortunate that this is kind of the primary advice. But I think, you know - I think a lot of people are kind of just - this is - the spam call and text problem is changing this for people, just in general. But I think our first advice, first and foremost, is just to be more skeptical of unknown calls and texts, which is unfortunate that we have to be, but, you know, you do have to protect yourself while we're waiting for, you know, all of these players in the industry to really come together and solve this problem. And so just being skeptical can help a lot, you know, whether or not you might answer a spam call and just take that extra second to say, you know, would Amazon be calling me out of the blue? - and just trying to, like, keep that in mind. I know sometimes a lot of people are very busy and that can be kind of hard to remember, right? And so, you know, I think outside of that, it's important to kind of know what scammers are really trying to do when they're talking to you and so you can kind of know what to look for. 

Giulia Porter: Oftentimes, if you do - if you are on the phone with a scammer or you do get a text message, really look out for urgency, right? If a scammer is trying to get you to do something very quickly, oftentimes there are consequences if you don't. Those types of conversations are normally scams. Oftentimes, Amazon isn't going to ask you to, you know, give them your password or you're going to get locked out of your account immediately over the phone, right? Like, that's just not something that - you know, I think even Amazon's come out and said, you know, that's not something that they do. 

Dave Bittner: Right. 

Giulia Porter: And so be cognizant that that's kind of what scammers' goals are. And, of course, if you do, you know, tend to answer - if you happen to answer a phone scam, of course, never provide any personal or financial information over the phone. All of that advice, unfortunately, won't mean that you won't get spam calls and texts, which I know a lot of consumers are just like, you know, outside of the risk to losing money to them, are just so flustered by the sheer volume of the calls and texts... 

Dave Bittner: Right, right. 

Giulia Porter: ...That they're receiving. 

Dave Bittner: Right. 

Giulia Porter: That, I think, is - that, I think, is obviously the big piece of the puzzle that, I think, consumers are waiting for, you know, the government, carriers, apps like RoboKiller to kind of come together and solve universally. But really right now, unfortunately, there isn't a way, outside of downloading a call and text blocker app, to stop these calls from reaching you in the first place. Of course, you can be skeptical and cognizant of how much you're giving out your phone number. But scammers often are auto-dialing phone numbers at random. So that could help a bit, but it's not going to really solve the problem entirely. 

Giulia Porter: And so really, in the meantime, you know, having something like RoboKiller - we also do have just a text - spam text blocker app, only if you're just having - getting spam texts. It's available for iOS. We're working on Android. These apps, like RoboKiller, have huge, global databases of known phone scams that the second you sign up, you're instantly protected from ever receiving them. And then, of course, you know, RoboKiller has an algorithm that's constantly staying ahead of new scams and making sure that those don't reach you either. But, really, unfortunately, right now, that is the only way to stop all of these - or as most of these as possible from ever getting to you at first. And I know that's what a lot of people hope and dream for. 

Dave Bittner: Right. 

Giulia Porter: I know I do. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, I think this is great. Collecting large amounts of information this way is wonderful. You can really see the trends. And I think it's probably OK that RoboKiller here is using the data that they're collecting as a representative sample of a broader population. Yeah, there may be some selection bias in here. So, you know, keep that in mind. But... 

Dave Bittner: Right. 

Joe Carrigan: ...They state where they're getting the data, so I don't really have a problem with that. 

Dave Bittner: Yeah. 

Joe Carrigan: I like the outcomes or the stories that - or, the statistics. That's what I'm talking about, the numbers that she gives - every time they start talking about numbers. 

Dave Bittner: Yeah. 

Joe Carrigan: This is interesting that robotexts - in the first half of this year, Americans received 66 billion robotexts. That's a lot of robotexts. 

Dave Bittner: (Laughter) It is. 

Joe Carrigan: And 40 billion calls like that. 

Dave Bittner: Right. 

Joe Carrigan: And I'm surprised that the texting number is so low, frankly. 'Cause, I mean, I don't think it costs much, or anything, to inject spam SMS messages into the telecommunications system. I don't know how much it costs or might be, but I don't think - it doesn't strike me - it strikes me as much less expensive than a phone call. 

Dave Bittner: Yeah. 

Joe Carrigan: However, later in the interview, she talks about that the losses from the robotext scams are $28 billion, but losses from robo phone calls are $60 billion. So there's a much higher rate of return on the lower - first off, there's a bigger return by volume on a lower incidence by volume of calls. So that means a much higher rate of return for calls. So maybe that's why we're still seeing calls. Although Giulia does make a good point, and that is the shift is - from calls to robotexts - is because of the opposition they're getting, and the friction they're experiencing, when making these calls. 

Dave Bittner: Right. 

Joe Carrigan: For example, your story today is going to make it - you know, that - the shutdown of that site is going to make it much more difficult to perform robocalls... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And spoof legitimate organizations, so. 

Dave Bittner: Yeah. 

Joe Carrigan: It's good. Car warranty calls - I have absolutely shut these down from coming - and actually, maybe it wasn't me. Maybe - 'cause Giulia says that the FCC shut them down. But the way I would always end them is they'd say - I'd say, oh, I'm so glad you called. And they'd say, what kind of car do you have? And I'd immediately tell them, Lamborghini Countach, and they would just hang up. 

Dave Bittner: (Laughter). 

Joe Carrigan: That would be the end of the call. I'd be like, hello? I mean, you're not going to come along with this? I'm obviously rich and have tons of money that I have a classic Lamborghini, and that's what I drive to work every day. It's got bumper stickers on it and everything. 

Dave Bittner: Right (laughter). 

Joe Carrigan: But, no, that just stops them. 

Dave Bittner: (Laughter) That's interesting. 

Joe Carrigan: But the FCC and, you know, being able to block a large portion of those calls, is taking them down to the level of background noise... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which I think is interesting. 

Dave Bittner: It's interesting. I got a call earlier this week. I was engaged with someone who was doing some service for me, so it was a provider. Someone was calling me who I had not done business with before, so - but what I noticed was when they called me, there was an extra note on my mobile device that said something along the lines of carrier verified... 

Joe Carrigan: Yes. 

Dave Bittner: ...Right? So... 

Joe Carrigan: Yes, I've seen those as well. 

Dave Bittner: And I - that was the first time - certainly the first time I'd noticed it. So I don't know how long that's been going on. I suspect that has something to do with what the FCC is up to here. And the... 

Joe Carrigan: Yeah, with the STIR/SHAKEN framework. 

Dave Bittner: ...The STIR/SHAKEN thing. Right, right. Exactly. But I thought it was just an interesting note that that's active. 

Joe Carrigan: Yeah. 

Dave Bittner: Whatever that is. Doesn't seem like a bad thing, but who knows? 

Joe Carrigan: Right. By the way, we have another win for Joe-stradamus (ph) here. 

Dave Bittner: Yeah? 

Joe Carrigan: Remember when I predicted that there would be an increase in student loan scams? And, bam, Giulia says we've seen a massive increase in student loan scams. By the way, this is the easiest part of this job (laughter). 

Dave Bittner: Making predictions? 

Joe Carrigan: Making predictions like this. I should probably... 

Dave Bittner: OK. 

Joe Carrigan: ...Start, like, keeping a spreadsheet of predictions I make and, you know, call them Joe-stradamus predictions. And just, you know, what my prediction was specifically, when I made it and when we got confirmation that it happened, but... 

Dave Bittner: Just track your success rate? 

Joe Carrigan: Yeah, just track my success rate. I'll bet it's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Pretty high. 

Dave Bittner: Yeah. 

Joe Carrigan: The reason this is easy is because it's - the scammers do the same thing that we do, you know? They watch the news and they understand what's going on. They have these ideas. And with these student loan scams, this is all over the news right now. 

Dave Bittner: Right. 

Joe Carrigan: It's pretty much - you know, right now it's in court. And the Supreme Court, I think, has agreed to hear this. Is that right? Did I see that yesterday? 

Dave Bittner: Yes. 

Joe Carrigan: So the - that's where it is right now. But that means that it's always front of mind. And that's what scammers want is something that's on the front of your mind. It's in front... 

Dave Bittner: Right. 

Joe Carrigan: ...Of your mind. That's why they're going to be shifting right now to package delivery scams, 'cause everybody's ordering packages for Christmas or for Hanukkah or whatever gift-giving holiday you have coming up. And... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It's going to be the case that these scams are going to increase. And just be mindful of that. Don't forget... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That that's where we are. 

Dave Bittner: Yeah. 

Joe Carrigan: I might actually make up a diagram of a scam calendar, just to make sure that everybody - just so I can share that somewhere and, you know, outline the seasons. 'Cause I talk about it, but I think it would be helpful to visually see it. 

Dave Bittner: Add that to your presentation slides (laughter). 

Joe Carrigan: Right. Yeah. Be good. 

Dave Bittner: Yeah, yeah. You know, I will say that, independently of scheduling Giulia here for the interview, that I have been using their app, RoboKiller, for a couple of years now, and it works. It really does work, and... 

Joe Carrigan: It's effective. 

Dave Bittner: It's - yeah. For me, it's been money well spent. It's a couple bucks a month. But it really - my - it's been a lifestyle improvement for me because... 

Joe Carrigan: Right. 

Dave Bittner: ...So many things you just don't even see. Sure, occasionally, does something still get through? Does my phone sometimes ring with something? Every now and then. But, boy, is it a lot better. So, you know, an unsolicited endorsement for RoboKiller. I have been a pleased customer for a few years now. 

Joe Carrigan: Very good. 

Dave Bittner: Yeah. 

Joe Carrigan: I think this problem is going to get resolved. It's going to take time. But, in the meantime, for the individual user, I like Giulia's advice here. Be skeptical. Be very skeptical. Look for urgency. Any time you see the artificial time constraint, that is a big red flag. I also would like to add - look for what I call the social engineering one-two punch, which is where you have the problem and I have a solution. Somebody that calls you, tells you you have a problem and what you must do to solve it - that is a very common tactic in these things. And when you receive a call that has that model, that has that pattern, you should immediately be skeptical and probably just hang up. 

Dave Bittner: Yeah. Yeah, absolutely. All right. Well, our thanks to Giulia Porter from RoboKiller for taking the time to speak with us. We do appreciate it. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.