Hacking Humans 2.16.23
Ep 232 | 2.16.23

Scamming through generations.


Mathieu Gorge: There's no point in sending a physical leaflet to people that are in their 80s and 90s giving them loads of technical advice because it's just not going to resonate with them.

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Mathieu Gorge is CEO and founder of VigiTrust, and he joins us to talk about protecting the young and the old against online scams and abuse. 

Dave Bittner: All right, Joe. Before we jump into our stories here, we have a bit of follow-up. What do we got? 

Joe Carrigan: Well, Greg wrote in with some feedback on episode 230 where we talked with Bennett about the fraud ring that is using credit card fraud to deliver goods that are then grabbed by mules. And he writes, Dave and Joe and nameless, numberless CyberWire minions... 


Joe Carrigan: ...Just a comment regarding porch pirates or delivery dead-drops leg of the triangulation of "Hacking Humans" in episode 230. So he's talking about the fact that, when these guys deliver products - like, we were talking, like, gold coins and things like that - they need someone to go and pick them up to move it around. And even though this gang was based in Southeast Asia, they still have to have infrastructure here in the U.S. to do that. 

Dave Bittner: Right. 

Joe Carrigan: When my father had his office building sold to another owner - he was still leasing his office space - he had various packages delivered to his office from Amazon and other shippers as well. While I couldn't at the time think of a specific, how does this fraud benefit the fraudsters? This makes me think they might be using a list of recently sold addresses as ship-to addresses to insulate themselves from a direct link to the arriving fraudulently purchased products. I wonder if they're using something like this - and he points to a link on Zillow. Yeah, by the way, Greg, thanks. Every time I go on Zillow, I go down a rabbit hole. 


Joe Carrigan: But it's a great link. You can just select from the pull-down menu - first pull-down menu for sold houses, and then you can look at the recently sold houses in your - in a given area. 

Dave Bittner: Right. 

Joe Carrigan: So it's easy to do on a map. And this is a great point, Greg. Also, every newspaper - or a lot of newspapers - will have, like, recently sold houses in the newspaper - in a section of the newspaper 'cause these are public record. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And, you know, if you live in a small town, that's in the newspaper. 

Dave Bittner: And they do that for commercial real estate as well. 

Joe Carrigan: Correct. 

Dave Bittner: Yeah. 

Joe Carrigan: Correct. 

Dave Bittner: Yeah, interesting. 

Joe Carrigan: I think that's probably correct. 

Dave Bittner: Yeah. All right. Well, thank you, Greg, for sending that in. Anything else, Joe? 

Joe Carrigan: Did you want to talk about your synthetic voice here? 

Dave Bittner: Sure. 

Joe Carrigan: You want to play it? 

Dave Bittner: So - well, I'll - let me set it up a little bit. 

Joe Carrigan: OK. 

Dave Bittner: So, as listeners might know, I also do a segment over on the "Grumpy Old Geeks" podcast, which is a podcast from Jason and Brian. And we do a security segment every week, and so we'd been talking about ChatGPT and synthesized voices and things like that. So I ran - so what I did was I asked ChatGPT to write up a note from me thanking them for having me on the "Grumpy Old Geeks" podcast. Then, I ran that through an automated speech synthesis platform called ElevenLabs, who are currently in beta. And what they do is they take samples of your voice and then they can create a speech synthesizer that imitates your voice. Obviously, there are many, many samples of my voice available. I have thousands of them here. 


Joe Carrigan: That's right. 

Dave Bittner: And so I loaded in about half a dozen of them, and this is what it generated. 

Unidentified Person: (Imitating Dave Bittner) I'd like to take this opportunity to thank the hosts of the "Grumpy Old Geeks" podcast for having me on their show. It was an absolute pleasure to share my thoughts on cybersecurity, and I appreciate their willingness to engage in an open and frank discussion. I'm grateful for the chance to have shared my insights and experiences with the audience, and I look forward to future opportunities to do so. Thank you again. 

Dave Bittner: So what do you think of that, Joe? 

Joe Carrigan: Dave, when you played this for me, I thought it was you resigning from the "Grumpy Old Geeks" show. 

Dave Bittner: OK (laughter). 

Joe Carrigan: And I asked you immediately if you were doing that, and then you told me it was completely synthetic. Now, on the flip side of that, I played it for my wife, and she's like, that sounds robotic. So she picked up on it that it wasn't real, but I did not. So it fooled about 50% of my sample. 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: In fact, it fooled exactly 50% of my sample (laughter). 

Dave Bittner: Your scientific sample of two. 

Joe Carrigan: ...Right, yeah. 

Dave Bittner: Right, right. 

Joe Carrigan: So I have been saying for a long time I'm not really worried about the AI and the fake stuff for election purposes - at least I was saying that for the 2016 and 2020 elections - but I might be worried about it for future elections. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, guess what? Now I'm worried about it. 

Dave Bittner: (Laughter) Fair enough. Yeah. I mean, this took no more than 10 minutes of effort on my part. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: I mean, so - and the synthesis is so fast on ElevenLabs' system. It's not fast enough yet that you could do a real-time interaction with someone, but... 

Joe Carrigan: Right. Yeah. It does take a little bit of time for responses to come up. 

Dave Bittner: Right. But... 

Joe Carrigan: So it's not going to work that way. 

Dave Bittner: ...You could certainly synthesize dozens of generic responses. 

Joe Carrigan: And then write a sound board... 

Dave Bittner: Yep. Exactly. 

Joe Carrigan: ...You know? That would be very simple. The next thing I had you do with ChatGPT was write an endorsement for Alexandria Ocasio-Cortez for president as if it were being written by Donald Trump. 

Dave Bittner: Right. 

Joe Carrigan: And it came up with a really good bit of script for that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That sounded like something Donald Trump would say... 

Dave Bittner: Right. 

Joe Carrigan: ...If he was endorsing Alexandria Ocasio-Cortez for president, which is something everybody knows would never happen, right? 

Dave Bittner: That's right. That's right. 

Joe Carrigan: But - and then I said we should run that through the speech synthesis. But there's a problem with the terms of service. You're not allowed to use voices that aren't yours. And we don't own Donald Trump's voice... 

Dave Bittner: There you go. 

Joe Carrigan: ...At least not yet. 

Dave Bittner: Right, right. Yeah, yeah. So it's - this stuff is coming along quickly. 

Joe Carrigan: Yeah, it is. 

Dave Bittner: And so I think it's something we need to have on our radar. Obviously, everybody's heard about ChatGPT lately. It's the media darling of the moment. 

Joe Carrigan: Yeah. 

Dave Bittner: But the fact that you can extend it to other things I think is very interesting, and we'll have to keep an eye on it. 

Joe Carrigan: Agreed. 

Dave Bittner: All right. Well, we would love to hear from you. If there's something you'd like us to cover on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Let's do our stories here, Joe. Why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from Karl Greenberg over at TechRepublic. And the title is "New Cybersecurity Data Reveals Persistent Social Engineering Vulnerabilities." The first thing it talks about is it talks about ransomware attacks being down last year. We had a guest on earlier this year talking about ransomware attacks being down. 

Dave Bittner: Right. 

Joe Carrigan: That is probably due to the fact that these ransomware groups have been disrupted. 

Dave Bittner: Yeah. 

Joe Carrigan: And they're just reformulating and reforming, so those are going to go back up. But the industrial sector was targeted most by these criminal gangs for a second year running in ransomware because, you know, if you lock up someone's data, OK, maybe they can continue to work. But if you lock up someone's operational technology, that is much more likely to get you a payout, I think. 

Dave Bittner: If the assembly line shuts down. 

Joe Carrigan: Right. Karl also talks about how there were - I'm sorry, 23 - 230,000 DDoS attacks across 2022, 45% of them targeting U.S. businesses, 27% of which occurred in January, which is a large number. And then he talks about the group LockBit, which was responsible for 33% of the ransomware attacks. So that's a large market share being held by one group. 

Dave Bittner: Mmm hmm. Mmm hmm. Although if they're using an affiliate model, it's, you know... 

Joe Carrigan: Correct. Correct. It's almost like a franchise. 

Dave Bittner: Right. 

Joe Carrigan: If you think about McDonald's and how it operates, these ransomware groups were operating very - in a very similar fashion. In fact, they were even giving the lion's share of the ransom to the affiliates. They were giving, like, 60% and only keeping 40% for themselves... 

Dave Bittner: Right. 

Joe Carrigan: ...Because they had done all the back-end work of building the infrastructure and everything, but they were not interested in doing, essentially, what is the sales work of a ransomware industry. 

Dave Bittner: Yeah. 

Joe Carrigan: And they paid people handsomely to do it for them. 

Dave Bittner: Everybody wins... 

Joe Carrigan: Everybody wins except for the victims. Right. 

Dave Bittner: ...Except for the victims. Right. 

Joe Carrigan: Yeah. They lose big. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: The business email compromise is where I wanted to spend most of the discussion here because, as I like to say, business email compromise is the king of social engineering attacks. It succeeded by tricking a third of employees. 

Dave Bittner: Wow. 

Joe Carrigan: A third of employees - now, I'm not sure if this - these statistics include true business email compromise or just impersonation attacks lumped in with business email compromise. That's one of the places that we, as an industry, need to get our metrics right, in my opinion. This is very important because there is a big difference between someone sending an email from a newly created Gmail account that looks like it came from Dave Bittner or somebody actually breaking into your Dave Bittner account at your business and sending email out as you. 

Dave Bittner: Oh, I see. 

Joe Carrigan: Those are two different things. 

Dave Bittner: Right, right. 

Joe Carrigan: And one of them is much more damaging because all the things we say - like, make sure it's coming from the right address. Make sure you're talking to the right person. All those things go right out the window once somebody has compromised your email account. Additionally, these actors can work in a way that masks the fact that you and I are communicating on your compromised email account by generating rules that put my emails coming in into some other folder. You never even see it. 

Dave Bittner: Right. 

Joe Carrigan: And they're in there with you, responding - replying to me as I'm talking to you, and I think I'm talking to you, but I'm talking to some scammer. You're talking to everybody else in your email. And when it comes time for me to say, where do I send the money, the scammer tells me his bank account. 

Dave Bittner: Yeah. 

Joe Carrigan: So that's how this works. But a third of the people who receive these emails - it kind of worked on them at some level... 

Dave Bittner: Wow. 

Joe Carrigan: ...Because these things are tailored and crafted. So in this report that he's referencing here - it's the H1 2023 Email Threat Report - 84% of email reports to phishing mailboxes are either safe emails or graymail. Isn't that interesting? 

Dave Bittner: What do you mean? 

Joe Carrigan: So... 

Dave Bittner: What's graymail? 

Joe Carrigan: ...If you get a legitimate email... 

Dave Bittner: Right. 

Joe Carrigan: ...And it looks kind of suspicious, and you report it, that is - that constitutes about 84% of the reports of phishing emails. 

Dave Bittner: Hmm. OK. 

Joe Carrigan: So when you're in a large organization, a lot of times you'll have an email - you know, even - it's integrated into your email client, where you can just click on a button and say report this as a phishing attempt. 

Dave Bittner: Right. 

Joe Carrigan: Eighty-four percent of the time, it's not a phishing attempt. That's a really high false positive rate. 

Dave Bittner: Oh, OK. 

Joe Carrigan: And that might be one of the problems with having people reporting phishing attempts. In fact, it is one of the problems (laughter). You know, I think that's a remarkably high rate. That's going to make the job of finding real phishing emails much more difficult. 

Dave Bittner: And don't you think there's a better-safe-than-sorry element, though? I mean, if we're training people to be vigilant... 

Joe Carrigan: There is a better-safe-than-sorry element here - you're correct - but I'm not sure if this is the best way to go about it. Yes, have the people report the phishing attempts, and maybe you can do some metrics on the back end. Maybe they do metrics on the back end - I don't know - where they compare the phishing reports. And if you see a bunch of people reporting something similar, then, yeah, maybe you have a real phishing attempt here on your hands. But if you see one person, two people reporting things, maybe you do metrics on the quality of the individual's report and prioritize people who report a higher quality. I don't - I don't know. I don't know what the solution is here, but 84% is not a good metric. Employees in the entry-level sales roles, with titles like sales associate and sales specialist, read and reply to text-based business email compromise attacks 78% of the time. Interesting. 

Dave Bittner: Yeah. I guess if you're a salesperson... 

Joe Carrigan: Right. 

Dave Bittner: ...Better - also better... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Safe than sorry (laughter). 

Joe Carrigan: That is the flip side of this problem. 

Dave Bittner: Right, right. 

Joe Carrigan: So, you know, if you're a young salesperson who's hungry - I've been that young salesperson... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who has - is trying to generate business. Every single email that comes in - you're reading it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? Ooh, what does this person need? Can I help this person? 

Dave Bittner: (Laughter) This is the one. This is the one. 

Joe Carrigan: I got to make my quota this month. 

Dave Bittner: Yeah. 

Joe Carrigan: Oh, what a miserable experience being a salesperson was for me. I'm sure there are people out there that really love it, but I hated every minute of it. 

Dave Bittner: Yeah. 

Joe Carrigan: Nearly two-thirds of large enterprises experienced a supply chain compromise attack in the second half of 2022. I don't know what that - how that pans out. I'd have to look at this report. But from the first to the second half of 2022, business email compromise targeting small to medium businesses grew by 147%. So now they're going after the smaller guys. So all of that stuff that people think about - these attackers aren't after me. This is where I get to put on my Joe-stradamus (ph) hat and go, see, I told you this was going to happen. 

Dave Bittner: (Laughter). 

Joe Carrigan: But I - you know, this is what they're going to start going for because they're starting to realize that the larger companies with business email compromise are starting to go, OK, everybody needs to use multifactor authentication. OK, well, where am I going to go? I'll bet there are small companies out there that do a lot of business that I could probably go in there, compromise and get some of their vendor payments to get redirected or maybe get some of their customer payments redirected. 

Dave Bittner: Right. 

Joe Carrigan: That's the target - is the money. It's always about the money with these guys. Here's a little bit of a prediction that is from this article. It says, looking ahead to 2023 - we're already in 2023 - but it says bad actors will focus their attention on compromising supply chains in 2023, bypassing multifactor authentication and taking advantage of misconfigured APIs. That is a pretty specific prediction, but we'll see if that comes true. I think it's - it might be valid. Anything they were going to do to bypass multifactor authentication, they're going to do it because multifactor authentication makes these guys' lives much more difficult. 

Dave Bittner: Right. 

Joe Carrigan: But they're not going away. There's too much money to be had. 

Dave Bittner: No, they just keep moving their way down the food chain, I guess... 

Joe Carrigan: Right. 

Dave Bittner: ...Yeah. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. All right. Well, that's an interesting article, and we will have a link to that in the show notes. 

Dave Bittner: My story this week comes from the folks over at The Register. This is an article written by Jeff Burt. And this is an interesting one, Joe. It's titled "Scammers Steal $4 Million in Crypto During Face-to-Face Meeting." So I want to start off - I'm just going to read the first half sentence here. It says, Ahad Shams, co-founder of Web3 metaverse gaming engine startup Webaverse - so let me just stop there... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...And say Web3 metaverse gaming engine startup - I already have my tech lingo bingo card full. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Right? 

Joe Carrigan: This guy's hitting all the buttons here. 

Dave Bittner: Web3 metaverse gaming engine startup - I could just imagine the pitch meeting. He's like, we've got all the bases covered, gents. 

Joe Carrigan: Right. 

Dave Bittner: We're in good shape here. 

Joe Carrigan: I've already... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Stopped listening to Ahad. 

Dave Bittner: Right, right. 

Joe Carrigan: (Laughter). 

Dave Bittner: So he found that someone had stolen $4 million of his cryptocurrency... 

Joe Carrigan: Oh, no. 

Dave Bittner: ...And it happened during a real-world interaction. 

Joe Carrigan: I want to know how this happened. 

Dave Bittner: (Laughter) So what happened was he was working on a Series A fundraising round. 

Joe Carrigan: OK. 

Dave Bittner: He got contacted by someone who wanted to invest. He seemed to be from a legitimate law firm. He checked the website. The lawyer that was part of the deal - or, well, you know, alleged lawyer who was... 

Joe Carrigan: Right, yeah. 

Dave Bittner: ...Part of the deal - sent him some know-your-customer information, and that all eventually turned out to be fake. 

Joe Carrigan: Right - probably just a way to gather all kinds of information. 

Dave Bittner: Right. But Ahad was doing his due diligence... 

Joe Carrigan: Right. 

Dave Bittner: ...Here, right? 

Joe Carrigan: Yeah. 

Dave Bittner: They're trying to check out these folks. So they set up a meeting in Rome, and Ahad met with this gentleman and his lawyer for dinner, actually. And then they were going to meet the next day to close the deal. So Ahad had set up a Trust Wallet account, which is a cryptocurrency wallet... 

Joe Carrigan: Right. 

Dave Bittner: ...Secure wallet. He had set that up at his home, and he was using a device that he did not normally use to set it up. The idea was that, without any private keys or seed phrases, that the funds would be secure. 

Joe Carrigan: Yep. 

Dave Bittner: So he sat across from these gentlemen, and he transferred $4 million in cryptocurrency to the Trust Wallet. 

Joe Carrigan: To his Trust Wallet. 

Dave Bittner: To his Trust Wallet. The folks that he was doing business with asked to see the balances on the Trust Wallet app and, interestingly, took out his phone to take some pictures of the screen. He said that he thought that was weird, but there weren't any private keys or seed phrases showing on the screen. 

Joe Carrigan: Right. 

Dave Bittner: So they thought, well, no harm done. And then, the person that they thought they were doing business with said he needed to step outside to discuss it over with his colleagues, and they never saw him again. He said, minutes later, the funds left the wallet. He was in shock, and he had no idea how these guys had stolen the money from him. 

Joe Carrigan: How - I'm also in shock and have no idea how these guys stole the money from him. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: So he had the address of a wallet that was back at his house? 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And he sent $4 million to that address. 

Dave Bittner: Correct. And within minutes, the bad guys had transferred the money out. And then the story goes on to talk about some of the laundering that they did there - sending it through multiple accounts in multiple places. 

Joe Carrigan: OK. But my bigger question is, how did they get access - they had to have access to his private keys at some point. 

Dave Bittner: Right. 

Joe Carrigan: How'd they do that? 

Dave Bittner: Well, that's the mystery. And if you read through the comments, there are lots of folks trying to guess how they did it. It seems like many people think that there must have been some kind of man-in-the-middle attack - that if they knew they were targeting this person, could they have gotten on his home network? Could they have gotten on his home device? For $4 million... 

Joe Carrigan: Right. 

Dave Bittner: ...It's worth spending a lot of money to try to get access to this person's devices - to their home, to their home network. They thought - someone said, perhaps, you know, the device that he was doing all these transactions on - could they have intercepted a device that was sent to his home, put in their own malware, and then, you know, they - so they have access to that device, and he doesn't know about it? 

Joe Carrigan: I would need to see the infrastructure that Ahad was using here... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In order to make a better educated guess here. You know, there's also another option here... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That this is something Ahad is doing. I don't know if this is right or not. I'm not accusing Ahad of anything, but... 

Dave Bittner: Maybe he's in on it, you mean? 

Joe Carrigan: Maybe he's in on it. Yeah. 

Dave Bittner: That's a possibility - I think probably unlikely here. 

Joe Carrigan: Yeah. Maybe. Yeah, probably unlikely - you're right. 

Dave Bittner: Yeah, yeah. See, all of the evidence here seems to point to Ahad being a legitimate businessman and... 

Joe Carrigan: And being a victim of these guys. 

Dave Bittner: Right, right. Some folks have wondered about the taking of the picture of the screen. Like, that's a little unusual. Someone wondered if, perhaps, someone could have gotten into the code of the wallet itself and perhaps made it so that it would surreptitiously display on the screen something hidden on the screen that would have the keys. 

Joe Carrigan: Yeah. If the wallet he was using was malicious and they had a way to get that information off of there, yeah... 

Dave Bittner: Right. 

Joe Carrigan: ...They could absolutely leak that information that way. 

Dave Bittner: Yeah, yeah. Others have said that maybe the - taking the photo was just a red herring to kind of try to throw people off the trail, which is interesting as well. Folks have wondered if they got into someone's Wi-Fi network. There have been questions - could it have been an evil maid attack - you know? - where they paid off people at the hotel to get access to his devices? So it's still a mystery, but it's interesting because you would think that, in some way, they needed physical access to this person, or else why bother with that part? If they were able to do it - if they were able to get everything they needed from, say, his home computer when he generated the keys to this wallet account, why even go through with the face-to-face meeting - the high risk or certainly higher risk of a face-to-face meeting? Why would you go through with that unless you needed to? 

Joe Carrigan: Yeah. Assuming Ahad's innocence here, the only thing that comes to mind is that that's the only way they can guarantee that he'll be at a given place at a specific time. He'll be not home at a specific time. 

Dave Bittner: Right. 

Joe Carrigan: So they - then they can do the evil maid attack or the break-in. Four million dollars - you know, that is a lot of money. That's enough to motivate somebody to do this, I would think. 

Dave Bittner: Right. And then you can pay off a lot of people... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Along the way... 

Joe Carrigan: Right. 

Dave Bittner: ...To do it. So I tend to think that the man-in-the-middle plot is probably the most likely, but I would love to hear from our listeners. If you... 

Joe Carrigan: I would tend to think that this is somebody getting physical access to the system that has the wallet on it and getting the keys off of it. That, to me, is more of a likely situation than a man-in-the-middle attack because, if you're sending stuff to an address - I'm a little confused, but maybe a man-in-the-middle attack - maybe. 

Dave Bittner: Yeah, yeah. Well, again, I'm curious to know what our listeners think about this. We'll have a link to this article in the show notes so you can check out all of the details. And if you think you have a way or - if you think you have an explanation for how this probably took place, please send it to us. We would love to hear from you. But it's an interesting one, isn't it? 

Joe Carrigan: It is, very much so. 

Dave Bittner: Yeah. 

Joe Carrigan: Now I'm curious. 

Dave Bittner: (Laughter) Uh-oh. 

Joe Carrigan: I don't mean to impugn Ahad. I mean, you're probably right. He is probably a victim here. 

Dave Bittner: Yeah, I think it's probably safe to say. 

Joe Carrigan: Yeah. 

Dave Bittner: I think everything points to that being the case. But it is a question worth asking, right? 

Joe Carrigan: Right. 

Dave Bittner: Because often you find out that someone who purported to be a victim turned out to be in on the scam. But... 

Joe Carrigan: Yeah. 

Dave Bittner: ...In this case, I think that would be a long shot. I don't think there's anything to that. 

Joe Carrigan: Yeah. 

Dave Bittner: All right, Joe, those are our stories. It's time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Rodney, who writes, Dave and Joe, I saw this in my email. Seems like the scammers are trying to scam those who have already been scammed, hoping to get some money back. So Rodney thinks this is a follow-on scam. Do you want to go ahead and read this one? 

Dave Bittner: Sure. It says, greetings, I am Mr. Romuald Wadagni of the above office, the senior director manager of one of the many branches, Minister of Economy and Finance. This is to let you know that your name and address was among the scam victims' compensation fund - 10.5 million, $100,000, which was approved to be released to you by the president of this country, Patrice Talon. You are advised to get back to us with these details. Your full names, city, home address, working ID, email, address, cellphone. Your urgent message is highly needed as soon as possible once you receive this message. Note, you might receive this email in your spam or your inbox as well. We are still working on our network IP to control our message direct to your inbox. 

Joe Carrigan: I see. 

Dave Bittner: Thanks and God bless you. Yours sincerely, Mr. Romuald Wadagni, Minister of Economy and Finance, Benin Republic. 

Joe Carrigan: So, yeah, this is just a - this looks like a phish, a broad-net phish. But yeah, it's targeting people who have probably already been victims of scams. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's just a follow-on scam. 

Dave Bittner: Yeah. 

Joe Carrigan: So if you get one of these, throw it away. 

Dave Bittner: Yeah. And, you know, broken English... 

Joe Carrigan: Right. 

Dave Bittner: ...Is a giveaway. It's funny how they say if you receive this in your spam folder, (laughter) disregard... 

Joe Carrigan: They try to come up with a reason that it went in your spam folder. 

Dave Bittner: Right. Right. Nothing to see here. Yeah. 

Joe Carrigan: Do you read your spam folder, or do you just highlight everything and click delete? 

Dave Bittner: Oh, yeah. I don't even... 

Joe Carrigan: 'Cause that's what I do (laughter). 

Dave Bittner: Yeah. I don't even do that. I mean, I'd hate to see what's in there right now. 

Joe Carrigan: Right. 

Dave Bittner: It's - you know, yeah (laughter). 

Joe Carrigan: Yeah. It generally empties (ph) out after, like, 30 days, right? 

Dave Bittner: Something like that. 

Joe Carrigan: Yeah. 

Dave Bittner: I don't know. Yeah, just out of sight, out of mind. Just bankrupt that folder every now and then. 

Joe Carrigan: Yeah. 

Dave Bittner: Goodbye. Ding. I figure if it's important enough, they'll write back, or they'll call me (laughter). 

Joe Carrigan: Yep. 

Dave Bittner: All right, Well, our thanks to Rodney for sending that in to us. Again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Mathieu Gorge. He is the CEO and founder of an organization called VigiTrust. And we're talking about protecting the young and the old alike against online scams and abuse. Here's my conversation with Mathieu Gorge. 

Mathieu Gorge: So I think that we are doing a reasonable job, at least where we have very good initiatives around protecting young children. And we're seeing a lot of schools worldwide starting to educate people around cybersecurity and being groomed online and so on, from a very young age. We suddenly see a lot of schools - high schools, that level - providing training to - well, not training, but educational webinars or educational seminars and interactive sessions with teenagers so that they can understand the risks. Where I think we're not really doing so well is with the older generations. And one of the things to bear in mind is that those two brackets, essentially, have different views of the internet, different - you know, different experiences. And also, they are targets for different things. 

Mathieu Gorge: So if you take the younger kids, obviously you don't want kids to be groomed online. You don't want them to meet somebody in person that they might have met online if they can't validate who they are. But even if they can validate who they are, you know, they can be easily persuaded into meeting the wrong type of people. And so I always say that I spent my youth being told not to talk to strangers, not to get in a car with a stranger and so on. Whereas today's kids, they talk to strangers online all the time. And then teenagers, they use Uber and get into a car with a complete stranger all the time. And it's kind of normal. 

Mathieu Gorge: And so what we need to do is we need to educate people with the right mechanisms and with the right ideas. So some of the ideas that we had in 1970s, '80s and '90s are no longer completely applicable. So they are kind of applicable in a physical context but not in a cyberspace. So we have to that challenge with the younger people. And the younger people, basically it's all about, unfortunately, sometimes sex abuse or mental abuse, things like that, bullying and so on. The older people, it's slightly different. So these older people, older generations that are on the internet and, you know, might have been given an iPhone or whatever, and they are trying to keep with the technology, and they're trying - sometimes they have no choice, by the way, because there's some services that are no longer available with, like, physical things, like physical plane tickets. You can't get that anymore. So you need an app, or you need to be able to order online. 

Mathieu Gorge: So the danger with those people is more of a financial danger, I would say, generally speaking. So the - it's that they have access to financial means that the young kids don't have. And sometimes some of them might be lonely, and they might be easily talked into sending money to save somebody that they've never seen because it's really well crafted, and we get a text message saying, hey, my name is such and such. I'm a friend of your son's or your cousin's or whatever because we've been able to gather that information from Facebook or from some other social network. And they will convince them very easily to provide money. Then the next stage, I think, that we need to talk about is, what happens when either a teenager or a kid or an older person realizes that they've been scammed or they're victims of some level of abuse? Do they talk to their family? Do they talk to their parents? Do they know that they can call the police? Where do they actually call? Are they ashamed? Maybe they're not going to be able to talk about it. And so all of these considerations come in when we start talking about that challenging issue. 

Dave Bittner: Yeah, it strikes me that with the kids, you know, we have them sort of as a captive audience when they're in school. And so, you know, we can sit them down and, you know, make them watch a presentation on how to be safe. How do you suppose we can go about reaching the older generation to educate them? 

Mathieu Gorge: Well, ironically, maybe by physical mail because some of them still see a lot of value in physical mail, whereas even I tend not to pay too much attention to it. I mean, I do open it and so on. But all of the important stuff that I need to know about, whether it's an alert from my bank or my insurance or my airline, I get an email, or I get a text or some other type of social media alert. So potentially, you know, sending, like, do's and don'ts, stuff to be aware of, as a campaign to older people in something that they can physically hold. And the next time they're online, they'll actually see it. Obviously, we can provide videos. Whether people watch those videos or not, I don't know. 

Mathieu Gorge: But one of the things that we certainly need to do is we need to get law enforcement to work with the victims and especially in the case of older generations and tell them that it's OK, that it's - you know, it happens every day. It's not something to be ashamed about. It's not something, like - you know, of course you're going to - you might feel foolish about it. But so what? It's - you know, the reality is that there's a system out there that allows you to report those crimes and to make sure that you take corrective action really quickly in order to either stop those forms being sent or maybe get some level of insurance to cover it. And I do think that we need to simplify that message. So we need to send a message in a - you're right - in a way that is going to talk to that audience, and then make sure that the message relates to that audience, right? So there's no point in sending a physical leaflet to people that are in their 80s and 90s giving them loads of technical advice because it's just not going to resonate with them. And the first thing they'll do is they'll say, I'll wait until my son or my granddaughter comes over, and they can do it for me. 

Dave Bittner: Yeah, I mean, you know, folks who listen to this show have certainly heard me tell all of my stories about trying to look out for my own father, who's elderly and is challenged when it comes to these things. And I have to say, I feel sometimes like he's a sitting duck, despite having, you know, me and my siblings to back him up and help try to protect him. It's still really challenging. What is your advice for folks like us, who are trying to do our best to look out for our elderly parents or loved ones? 

Mathieu Gorge: You know, it's interesting because on the one hand, you want them to keep with the program. You don't want them to be isolated from what's happening. And so you would want them to be able to check the news on a mobile phone or an iPad or something like that. You do want them to be able to send text messages or emails to their grand or great-grand generations and children's and children - sorry. And on the other hand, you don't want to essentially put them at risk. 

Mathieu Gorge: So I think that - certainly, what I do with the older generation in my family is I try to get them to pick a device that is appropriate to the use that they want to do, right? So they don't necessarily need the latest iPhone or the latest iPad or whatever. I try to set up all of the security settings for them. I try to get them to understand multifactor authentication. It can be a little bit of a challenge sometimes, but once you explain it in plain terms, plain English, you know, something you know, it's something you have, something that's unique to you, they actually get it. And also, I - you know, I do show them sometimes examples of what can go wrong, you know, ranging from the fake romance with somebody that's 20 years younger than you and find you on the internet, even though you're not on Facebook and you're not on social media - just try to, you know, make them alert to what's happening. 

Mathieu Gorge: The other thing I tend to do is to explain that there's absolutely no shame in being a victim. And, you know, it's not like - it's not a major issue. And I know I've said that a couple of times already, but I do think that we need to level down the issue of, I've been victim of a scam, so I need to stay off the internet. That - that's - no - I mean, you can go on the road and have a minor car crash and you'll still be driving tomorrow and for the rest of your life. Certainly, you know, it might not be a great analogy, but at least we can relate to that. The other analogy that we can all relate to is, especially for much older generations, is when you say to them, look, when you started driving, there was no - not much security. There was no ABS on the brakes. There was no seat belts. There was no seat belts at the back. There was, you know, all of those things. And now they come as standard, and you think it's normal. In fact, if you were given your latest car without all of that, you'd be saying, well, there's something missing. And you rarely get into a car without pulling your seat belt, so why would you go on the internet without paying attention? It's the same idea. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Interesting that the problems of protecting the young and the old have a lot of overlap, right? 

Dave Bittner: Yeah. 

Joe Carrigan: You know, and they're both kind of looking for the same thing. They're looking for connection with other people. 

Dave Bittner: Yeah. 

Joe Carrigan: They're looking to use their phones to do that or their technology to do that, which - I don't know. I think it's synthetic on that - but here I am, grumpy old manning this again. 

Dave Bittner: (Laughter). 

Joe Carrigan: Another good point is when you and I were young, our parents would say, don't talk to strangers. 

Dave Bittner: Right. 

Joe Carrigan: And now, kids do nothing but talk to strangers... 

Dave Bittner: (Laughter) That's true. 

Joe Carrigan: ...You know? And it's - the whole stranger danger thing is actually a statistical anomaly. You're much more likely to be harmed by someone you know than by somebody you don't. 

Dave Bittner: Yeah. 

Joe Carrigan: But the don't-talk-to-strangers model doesn't really fit anymore. We get in Ubers with people we don't know. 

Dave Bittner: Right (laughter) right. 

Joe Carrigan: And for all we know, they could be - we don't even know if they're Uber drivers, really. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's happened up in Baltimore a little bit. There have been some things that go on there that are a little bit sketchy with - in terms of Uber drivers. And it's not actually the Uber drivers. It's people who have carjacked Uber drivers and taken their car and their phone. 

Dave Bittner: Yeah. 

Joe Carrigan: Really scary stuff. But the whole don't talk to strangers thing is kind of out the window now. What do we say about that? I mean, when you're on a chat service talking to people you don't know, people need to be aware of the risks, right... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The younger people in particular. 

Dave Bittner: I wonder if it's don't talk to strangers in person now... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That's replaced that. Because, you know, when we were kids, there was no alternative... 

Joe Carrigan: Right. 

Dave Bittner: ...Other than the telephone. 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: We'd get telephone calls from time to time. You know, it was always marketing calls... 

Dave Bittner: I mean, yeah. 

Joe Carrigan: ...I was, I'm not allowed to talk to strangers and... 

Dave Bittner: Right. 

Joe Carrigan: ...Hang up the phone. I did that when I was, like, 16. It was hilarious. 
Joe Carrigan: If you want to protect older people, I found this particular point very interesting, that older people are very responsive to actual physical mail coming into their house. So if you send the letter or send a flyer in about, you know, scams going on, that would reach a lot of people. Only drawback with that is it's kind of expensive. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it's not nearly as cheap as a digital campaign... 

Dave Bittner: Sure. 

Joe Carrigan: ...Which is why we don't see a lot of mail anymore. 

Dave Bittner: Yeah. 

Joe Carrigan: The shame of being scammed is going to be a big part of why these scammers are successful as long as this is part of the equation. I don't know how we make that not part of the equation. I mean, we - on this show, we talk about people who come forward and we say, that's very brave and we really appreciate it. But in society as a whole, I don't know how we overcome that. I don't know that there will ever be a full remission of this kind of behavior. 

Dave Bittner: Yeah, I - yes, I agree with you. I would say the one thing we can do is make sure that all of our loved ones know that they should not ever be ashamed to speak to us... 

Joe Carrigan: About being scammed, yeah. 

Dave Bittner: ...About this. Right, right. And in fact, a friend of mine gave me a useful little phrase to use when dealing with your parents. And they say - if you say nothing would make me more proud than being able to help you with something like this, right? Now, that's something your parents are going to respond to very positively. And that could help, you know? And just let them know it doesn't matter what it is - what the scam was - you know, I don't care if it was - you know, if you were looking at porn, and you got - you know... 

Joe Carrigan: Right. 

Dave Bittner: There's going to be no judgment because that could happen to anybody. 

Joe Carrigan: Sure. 

Dave Bittner: So just - I don't know - getting in front of it, making sure that they know that you will help them without any judgment may be able to help get rid of some of that potential of shame being a barrier. 

Joe Carrigan: Yeah, yeah. That's a great, great point. You know, the - it doesn't have to be a societal change. It just has to be a change within your local network - you know, family network, friends network - that kind of thing. 

Dave Bittner: Right, right. 

Joe Carrigan: Mathieu talks about simplifying the message, which I think is a great idea. Do you remember when the Medicaid cards started - Medicare cards started coming out? And there was a campaign, very briefly, from Medicare that said, guard your card. And it was, you know, a bunch of older folks sitting around. It was a television ad campaign. 

Dave Bittner: Yeah. 

Joe Carrigan: Bunch of older folks sitting around playing cards, and they were saying things like, guard your card. Don't - some scammer tried to call me and get my Medicare card... 

Dave Bittner: Oh. 

Joe Carrigan: ...Today. They were saying things like - that ad was way too short-lived for it to be effective, but I thought it could have been effective if the - if they had run it long enough. But I - and I thought it was a good campaign as well. And it did just that - it simplified the message to a simple soundbite - guard your card - that rhymes and fits in your brain... 

Dave Bittner: Right. 

Joe Carrigan: ...To the point where I still remember it after having seen it maybe six or seven years ago in a very short-lived ad campaign. 

Dave Bittner: Right - stranger danger. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: It is a very effective way to help keep these things in your head. Another one that I still remember that they don't - I don't see any public service ads anymore - stop, drop and roll. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And from what I see on Reddit and on Instagram, a lot of people don't know that. 
Joe Carrigan: When they catch themselves on fire, the first thing they do is run around... 

Dave Bittner: Run around, yeah. 

Joe Carrigan: ...Which is one of the worst things you could do. 

Dave Bittner: Yeah. Feed the flames. 

Joe Carrigan: Right. It's stop, drop and roll. Training, like cyber awareness, does need to be consistent and constant. And I think that is something that should be in - we should all be doing culturally... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is - you know, yes, of course, we have the cyber awareness training for the captive audience of the younger people in school and in college and in places like that - maybe when they're starting working. But what do we do with the older people who are retired and don't have to do anything, you know? They don't - you can't make them do anything. 

Dave Bittner: Right. 

Joe Carrigan: Right? It's - and if you try, a lot of them will resist it. I know that if you try to make me do something, I'm going to resist it. 

Dave Bittner: I can vouch for that. 

Joe Carrigan: Right. 
Joe Carrigan: So we got to come up with a way to help these older folks understand what's going on. 

Dave Bittner: Yeah. 

Joe Carrigan: Although our - you know, we've had enough stories in here that say that, generally speaking, older folks are less susceptible to these kind of attacks. But when they are attacked and they're successful, their losses are far more damaging. 

Dave Bittner: Right, right. They have more to lose. 

Joe Carrigan: Because, first off, they have much more to lose... 

Dave Bittner: Yep, yep. Yeah. 

Joe Carrigan: ...And no time to recuperate - right? - and no way to recuperate. Whereas a young person - if a young person lost their life savings tomorrow - someone in their 20s - they'd have the rest of their lives to recuperate from that... 

Dave Bittner: Right. 

Joe Carrigan: ...And a means because they would be employed. And, you know, someone in their 80s doesn't have that. 

Dave Bittner: Yeah. 

Joe Carrigan: It's devastating. 

Dave Bittner: It's also been my personal experience that - both from the horrible aging process that I'm experiencing myself... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That we all go through, but also with my own family and my loved ones - that it's very easy for folks to get more frazzled than they would have, perhaps, when they were younger, just because they're not as quick-witted as they used to be, you know? So it's harder to unpack and process things just through the natural aging process. 

Joe Carrigan: Yeah. 

Dave Bittner: I mean, seen it myself with, you know, people I've known their whole lives. And it is true that many, many people - they do slow down. And so having someone that they can count on, that they can go to, who can help them process these sorts of things - I think that's so important in keeping those lines of communication open. 

Joe Carrigan: I have noticed that with my technical skills - is that I'm not acquiring new skills as quickly as I used to. 

Dave Bittner: Right. Right. 

Joe Carrigan: And, you know, I used to walk up to a piece of software and absorb it within a day. 

Dave Bittner: Right. 

Joe Carrigan: And now it's taking much longer. 

Dave Bittner: (Laughter) Yes indeed. 

Joe Carrigan: And I don't like that. 

Dave Bittner: I know. 

Joe Carrigan: I wish I was young again. 

Dave Bittner: It is the way of things. 

Joe Carrigan: It is. 

Dave Bittner: That's right. Youth is wasted on the young. 

Joe Carrigan: It is. When I tell my son that, he goes, and retirement on the old. 

Dave Bittner: There you go. Fair enough. All right. Touché. All right. Well, our thanks to Mathieu Gorge for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.