Hacking Humans 3.30.23
Ep 237 | 3.30.23

Seeking employment fraud?


Kathleen Smith: Be grounded in the process. If you're going to get rattled really easily, then realize that you're going to expose yourself. And it might be better to sort of step back. And like okay, do I want to do this? How do I want to do it?

Dave Bittner: Hello everyone and welcome to the CyberWire's "Hacking Humans" podcast. Where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

David Bittner: We've got some good stories to share this week. And later in the show, Kathleen Smith from ClearedJobs.Net joins us. She's got insights on job scams. But first, a word from our sponsors at KnowBe4. We're not talking conspiracy theory when we say it's all connected when it comes to infosec tools. Effective integrations can make or break your security stack. Though not as common, the same should be true for security awareness training. Not only does KnowBe4 deliver the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture. Stay with us and in a few minutes, we'll hear from our sponsors at KnowBe4 about how you can integrate security awareness with your tech stack like never before. Alright, Joe, before we jump into our stories here. We got a little bit of feedback from one of our listeners.

Joe Carrigan: Yeah, this is an experience that Steve wrote in to talk about. He said he's a long-time listener and big fan of the show. And he wanted-- but he wishes that his wife also was a long-time listener and big fan of the show. Because she got duped by scammers before Steve could stop her. And they got into the Verizon Wireless account.

David Bittner: Oh, my.

Joe Carrigan: So they had to know his wife's phone number, and they called her posing as Verizon fraud agents. They asked if she had ordered an expensive iPhone, and said to be shipped to California, they live in New Hampshire. So that would not be the case. She said no, and they said they had to lock her account to stop the fraud with a pin that they would send to her. My wife then got a text from Verizon - which was legit - actually coming from Verizon. And she read it to them. And that's when Steve walked into the room. And she explained what was going on. And Steve says, "My hackles went up."

Joe Carrigan: She put them on speaker, and I asked what department they were from and how I could prove it. And they said they were from Verizon Fraud and proceeded to read the last three payments to the account. You know what's going on here, Dave?

David Bittner: Yes. But continue on. Let's unpack it after it all plays out here.

Joe Carrigan: Okay. So Steve says the call dropped for some reason and I ran to try to log into my Verizon account, which I could not do. They were in. I called Verizon Support and after a short time, we had control of our account again. We checked for any orders and there were none. I opened a ticket with the fraud department just to be sure. And just to confirm, I checked the last three payments and they were exactly what the scammers told me. Well they were in your account is what happened.

Joe Carrigan: If my wife had read the legitimate text from Verizon, particularly the part where Verizon says "Verizon will never ask you for this code," this could have been avoided. The scammers just used Verizon's password reset feature on their website to send the authentication code. They just needed to have the right phone number. And get the code. And that's what this attack was.

Joe Carrigan: Steve says he hopes this helps others and he wants us to keep up the great podcasting. Which I'm sure we'll be able to do. But Steve, thank you for sending this in. It's a really good example of the social engineering attacks that happen on people. All they needed was your wife's phone number. And they probably had some information from some data breach somewhere that had an email address, which was probably used as a login for your Verizon account. And they already knew that information. So they said we're going to send a password reset pin to your phone, but they call your wife and lie to her with some pretext that says, "We're from Verizon and we're going to need this pin."

David Bittner: And they put the heat on because they say there's an expensive iPhone that's on the way. It's ready to be shipped.

Joe Carrigan: Shipped to California.

David Bittner: So if you don't want to be on the hook for paying for that expensive iPhone--

Joe Carrigan: Yeah, those are what, 1400 dollars, Dave?

David Bittner: And rising, and rising. They say all you need to do is send us-- we're going to send you a number and all you need to do is repeat it back to us. And then as you say, of course what they're really doing is getting your pin to log into your account to do a password reset.

Joe Carrigan: Correct.

David Bittner: Yeah. I wonder what you could do to prevent this, other than just being aware of it. Trying to think of some-- could you put additional counter measures on your Verizon account? I'm not that familiar with how Verizon sets it up.

Joe Carrigan: I know that when I call my mobile provider, which is not Verizon by the way, that I have to provide them with a pin over the phone. I don't generally use the web interface to interact with my-- not Verizon. My mobile provider. So I'm not sure how that works. But yeah, it's a good question. Really, I think the onus here falls on Verizon. But at the same point in time, I don't know how they can prevent against this. Because they want ease of use for the customers.

David Bittner: Yeah. Right.

Joe Carrigan: I think if you need a password reset for the website, you call in. And you have to verify information. But then again, maybe these guys would have been able to do that.

David Bittner: Yeah, and you know, I imagine how common password resets are. That seems like something that it's in everyone's best interest to have automated. But at the same time, you can see that it makes it open to these sorts of things. I mean really, if you think about it, it's the fraudsters who are putting the manpower into this.

Joe Carrigan: Yes, correct.

David Bittner: Yeah.

Joe Carrigan: Because there's big bucks in it for them.

David Bittner: I wonder if you could have a special note put on your account that says, you know, every time-- Hey, Verizon, every time you call me for me to know that it's you say the words peanut butter. Or something like that. You know?

Joe Carrigan: That's a good note. So you could ask Verizon, what's the password?

David Bittner: Yeah, right, or is there something you want to tell me, Verizon? And Verizon says peanut butter. Ah, okay, good. Something only Verizon would know because it was literally a note in your account and not something that you'd entered in like a password or something like that.

David Bittner: Who knows. I mean, I'm probably overthinking it. And it's more complicated than that or less complicated than that. Or whatever. Verizon wouldn't want to add that level of complication for their tech support folks. But can't hurt by asking, right?

David Bittner: Alright, well our thanks to Steve for writing in. Good story. And we would love to hear from you. Our email address is hackinghumans@thecyberwire.com.

David Bittner: Alright Joe, let's jump into our own stories this week. I'm going to start us off this time. This is actually some research that came my way. This is via the folks over at Akamai. And this is from Shiran Guez. And it's titled, "Chatbots, Celebrities, and Victim Retargeting - Why Crypto Giveaway Scams Are Still So Successful." So this research from Akamai really walks you through what these giveaway scams are.

David Bittner: Now, Joe, I'm old enough, and you and I are around the same age that I remember when these scams centered on Bill Gates.

Joe Carrigan: Yes.

David Bittner: Who I believe at the time was the richest man in the world.

Joe Carrigan: Yeah, at the time he was.

David Bittner: And these days, of course, the richest man in the world is--

Joe Carrigan: It's either Bezos or Musk. But I think Musk is no longer the richest man in the world because he has sunk so much of his money into Twitter.

David Bittner: Right, right.

Joe Carrigan: Which is now losing value rapidly. I'm going to go with Bezos.

David Bittner: Yeah, well, I think you're right. But I think Musk is the more popular one in pop culture. He's certainly the most popular one for these scams.

Joe Carrigan: He's certainly a crypto bro.

David Bittner: That's right, that's right. So, this research really focuses on these crypto giveaway scams. Which is where the bad guys do things on social media to try to get people involved in scams involving cryptocurrency. And I think this is something that probably most of us have seen. The example they use here is probably the most common one these days. They have a screenshot from a Tweet that pretends to be from Elon Musk. It says @ElonMusk. It has Elon Musk's name and picture and the verified check mark there. And it says "Biggest crypto giveaway of 100 million dollars. Join here." And then there's a link. And then of course, if you go through there it's a scam.

David Bittner: They also talk about some of the other tactics that these folks use. Where they will use the social media account of a popular person, like an Elon Musk, and they will tag onto that. So they'll have a reply. They have an example here. And it says "Our marketing department at Tesla Headquarters came up with an idea to hold a special giveaway event for all cryptocurrency fans. If you want to participate, it's easy to do. Just go to the Bitcoin portal below to find out more."

David Bittner: And again--

Joe Carrigan: That's a scam website.

David Bittner: Scam website. Right. But they're taking advantage of the popularity of the celebrity. In this case, Elon Musk, who has millions and millions of followers. So, chances are that reply will fall on millions and millions of eyeballs. This also talks about how they use direct messaging platforms like WhatsApp or Telegram. They reach out to people. Same sorts of things. Just using the celebrity to try to lure you in and say that either there's going to be some kind of a giveaway. Or some kind of a deal that's too good to be true.

Joe Carrigan: Hey, it's me, Elon Musk. You want to make some crypto money?

David Bittner: Right.

Joe Carrigan: Do I?

David Bittner: But how many times have you gotten one of these? Something like this?

Joe Carrigan: I don't know that I've ever gotten a crypto scam!

David Bittner: Is that right?

Joe Carrigan: Like this. Yeah! I mean, I've seen them on websites or on Twitter and things like that. Crypto. But every time I roll through them like, you know, it'd be so much easier to give away crypto. If you really want to give away crypto, just ask people for their crypto addresses and you could just send it to them. That's how it works.

David Bittner: Right. Right. Well I've seen a few of these over the years. And I said, I mostly remember ones from Bill Gates.

Joe Carrigan: The ones I remember are the ones where it said "Send me one Bitcoin and I'll send you back two."

David Bittner: Oh, okay. You know it's interesting, I don't see many of those anymore. Maybe that's what it leads to if you follow through or something. That you know, they need some sort of demonstration of your dedication--

Joe Carrigan: Right, you have to send them some crypto. Is what has to happen at some point.

David Bittner: Yeah. The other thing that this research outlines are the sites where you can buy kits to do this kind of scamming.

Joe Carrigan: Bet they did. How convenient that they already have kits to do this kind of scam.

David Bittner: Right, right. So if you want to, you can invest some of your money and you can buy one of these kits. And it's basically a turnkey kind of thing in terms of the landing page. So if you go out and, I don't know, Joe, spam your entire address book with friends and say "Hey everybody, it's Joe! I'm giving away crypto." And they'll say "Is that Moneybags Carrigan in the lawn?"

Joe Carrigan: That's what they call me.

David Bittner: Crazy Joe's giving away some more crypto!

Joe Carrigan: The Vast Carrigan Fortune.

David Bittner: That's right.

Joe Carrigan: Millions of dollars, but it's all debt.

David Bittner: So, you could have a landing page that you had purchased from one of these providers. And it has everything you could possibly need to make this scam happen. They also point out that a lot of times, these things have real-time countdown timers.

Joe Carrigan: The artificial time horizon.

David Bittner: Right, right.

Joe Carrigan: I'd like to know if you reload the page does the timer just start again?

David Bittner: Probably. Probably. Who knows? Maybe it's sophisticated enough to drop a cookie or something. Or start pestering you. Only five more minutes! Only five more minutes!

Joe Carrigan: I imagine a buzzer sounding. Eh.

David Bittner: Yeah. But then they also go on to track a particular bitcoin address that was used as the recipient of many of these scams.

Joe Carrigan: Yeah.

David Bittner: And so, as you well know and have explained to us all many times, if you have that address, you can really have a good look at where all the money's coming from. And that's what they've done here.

Joe Carrigan: Well, what address is it coming from, what address is it going to.

David Bittner: Yes, yes, yes. They point out unsurprisingly that most of the scam kits are coming from Russia. I don't think there's any mystery there. But then there's some helpful tips here for how to avoid becoming a victim of a crypto giveaway scam. They say there are no free gifts.

Joe Carrigan: Right, that's number one.

David Bittner: Right, right. Don't send cryptocurrency to anyone you don't know. That seems fair.

Joe Carrigan: Unless you're planning on just giving away some crypto, which people might do out of altruism.

David Bittner: Right, right. Except Elon Musk. He's not going to be doing that.

Joe Carrigan: Yeah, I don't know.

David Bittner: Check and double check the verification status of an account. So, this has to do with the fact that nobody can put a graphic of a blue check mark next to their account or it's easy to do. So, yeah. Make sure that the people are legit. And odds are, they are not.

Joe Carrigan: Right.

David Bittner: It says check the username. A lot of times impersonated celebrities will have accounts that sound like the user's-- the celebrity's name but isn't actually that.

Joe Carrigan: Like Taylor Schwift.

David Bittner: Right, right, exactly. It says to check if the account is new. This makes a lot of sense. Because celebrities generally at this point in the game have been on social media for a long time. If that Elon Musk account is only a few hours old, chances are, again, it's not him.

David Bittner: And then they say do your research. It says legitimate giveaways do exist, but it's always best to verify. I would add that it's probably best just to avoid this stuff altogether.

Joe Carrigan: That's right.

David Bittner: If you want to gamble, if you really want to gamble, play your state lottery or something.

Joe Carrigan: No, don't do that. Go buy some cryptocurrency!

David Bittner: Go buy some cryptocurrency. Okay, there you go. Right, right. Although we heard this week, what was it? A bunch of crypto ATMs got popped? A couple million dollars in bitcoin got drained from--

Joe Carrigan: Really?

David Bittner: Yeah. Someone found a zero day vulnerability in a popular bitcoin ATM. And sucked them dry. So buyer beware.

Joe Carrigan: Well actually, does that even affect the buyer or is that something they just went in and took all the money out of the ATM company's wallets?

David Bittner: Oh, I don't know. That's a good question. I don't know the answer to that. My impression was that the users were victims, but you could be right. Who knows? Maybe both.

Joe Carrigan: Let me check how much Dogecoin I have left in my wallet. See if they got me.

David Bittner: Yeah. Alright, well we will have a link to that story in the show notes. Joe, what do you have for us this week?

Joe Carrigan: So, Dave, this week my story comes from the Federal Trade Commission. Now we have been talking a lot about voice fakes. And this is actually one that you and I need to pay attention to.

David Bittner: Oh.

Joe Carrigan: Because the Federal Trade Commission is now warning people that scammers are using AI to enhance their family emergency schemes. So let's back up. What's a family emergency scheme? This is where someone calls your dad pretending to be you and goes Dad, it's Dave. I'm in trouble. I'm in Mexico and I'm in jail. I need about 10,000 dollars. Or they're going to leave me in here to rot.

David Bittner: Right.

Joe Carrigan: Very common scam. My father's gotten these before. But it's always somebody with an accent pretending to be one of his grandkids. And the first thing he mentions is that's a nice accent, when'd you get that? Because his grandkids were all born in America. They have American accents.

David Bittner: Right.

Joe Carrigan: They don't sound like that. And then they usually hang up. But if you get a more skilled person on the phone, they're going to be able to do a better job of doing the accent and possibly even impersonate somebody.

Joe Carrigan: And if you think about the case where it's somebody who doesn't see their grandkids very often, they might not know what the grandkids sound like on the phone.

David Bittner: Right.

Joe Carrigan: So this might be a new kind of scam. But now what they're saying is they're using voice models. These voice models that are available for free on the internet to use to generate speech. And they're training them on very little audio. So one of the things they'll do is they will call the person they want to impersonate. And just start talking to them or get them calling, but they're recording the call. Then they're feeding that recorded call into these voice generators. And they're building a model. And then they're able to generate sounds for a conversation that they may play out or that they may actually try to do live on the phone.

Joe Carrigan: Now, I've played with these voice modulators or these voice models, rather.

David Bittner: Yeah.

Joe Carrigan: They are-- there would be a little bit of lag in a live conversation. But that lag is not devastating. It's very doable. So this has rose to the level where the FTC is actually warning about it now. And the reason I said you and I need to be careful with this, Dave, is because there is tons of quality samples of our voice out there on the internet that anybody can access.

David Bittner: Right.

Joe Carrigan: So, I think I'm going to make a family announcement, if you will. To everybody in my family. Because one of the things we talk about here is what's your risk model look like?

David Bittner: Right.

Joe Carrigan: Well, guess what? My risk model is ripe for exactly this kind of impersonation. As is yours. Unfortunately, Dave.

David Bittner: Yeah.

Joe Carrigan: So we're going to have to do something. You know, we have some code words we use in our family as well.

David Bittner: Peanut butter!

Joe Carrigan: Right. So, we have that. But I think I'm going to like talk to my parents, talk to my brother, my sister. And I don't know. I think if I called my cousins asking for money they'd hang up. So.

David Bittner: Right.

Joe Carrigan: Not this guy again. I've never called my cousins and asked for money. But yeah, I don't know how likely it is that they would fall for it. Without talking about it with other people. But it's a really good opportunity for people like us. Any podcaster, really. It doesn't matter how popular your podcast is. If you have your voice in audio out there on the internet. This is a threat factor you need to be concerned with.

David Bittner: Yeah. And it could be that you've given a presentation somewhere that there's a YouTube video of or anything like that.

Joe Carrigan: Or presentations of my-- there are YouTube videos of my presentations, I think.

David Bittner: Yeah. But just for anybody, maybe you were interviewed for something. My point being that there's probably more out there for most people than you think there is.

Joe Carrigan: Yes. A great thing to do is Google your name and then click videos.

David Bittner: Yeah. And it's remarkable how little audio these synthesis modules need to generate a decent sounding version of you. And especially if they're saying we're far away, we're in a foreign country. Half a continent away or more. And if they make it sound like it's on a fuzzy phone call, it certainly could be convincing. It's interesting. It's interesting to me that this announcement from the FTC says don't trust the voice. It says to call the person who contacted you and verify the story. Or try to get in touch with other friends and family before you do anything.

Joe Carrigan: Indeed. So one of the biggest problems with that is if they're convincing enough. Right? Like I'm in a Mexican jail. They've taken my phone. I'm calling you from a Mexican phone number. The person is not going to think that is going to work. Right? But they should still pick up the phone and call, right? And see if you answer. Hey, I thought you were in a Mexican jail. Okay, hang up the other phone, Dad. Whatever it is.

David Bittner: Yeah. Yeah, and I think it's also worth pointing out that a lot of times, these types of scams, rather than having the person on the other line pretending to be the grandchild or something like that, rather than having the grandchild doing the talking, they'll have someone in authority doing the talking.

Joe Carrigan: Right.

David Bittner: And they'll have the sound of the grandchild suffering in the background. Right. Crying or wailing or, you know, "Grandpa, help me!" You know, that sort of thing. And imagine what that does to ratchet someone's emotions up and short circuit their critical thinking.

Joe Carrigan: Yes.

David Bittner: So I think that angle is something to consider here as well.

Joe Carrigan: Yeah, we've had some really horrible stories on this show about things like that.

David Bittner: Yeah.

Joe Carrigan: They're coming. They're coming, these kinds of attacks against people are coming.

David Bittner: Yeah. Interesting that it's risen to the level where the Federal Trade Commission feels like it's worth putting out an announcement about it.

Joe Carrigan: Yeah.

David Bittner: Yeah. Alright, well those are our stories. Again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. Joe, it is time to move onto our "Catch of the Day." (SOUNDBITE OF REELING IN FISHING LINE)

Joe Carrigan: Dave, our catch of the day comes from Jim who writes, "Hello, Dave and Joe. My name is Jim and I absolutely love the show. So I was going through my spam folder and saw this email. I opened it up and started reading and instantly thought of sending it to you. There are numerous red flags that this is a scam and I thought you would both enjoy it. Thank you and keep the awesome content coming."

Joe Carrigan: That's another listener who said awesome content. It's a good day for us, Dave.

David Bittner: Yes, it is. Thank you, Lisa, for sending in these lovely notes. She doesn't know who we're talking about. She doesn't listen to this show. Yeah. Alright, well, it's allegedly from Sergeant Nola E. Donald. With a name that does not match in any way, shape, or form in the email address from gmail. And it says, "Attention Beneficiary." And it goes like this.

David Bittner: "My name is Sergeant Nola E. Donald, a citizen of United States of America. 33 years, single, from Los Angeles. I am a soldier working as United Nations Peace Keeping Troupe in Iraq in War Against Terrorism. I have in my possession the sum of 5.6 million US dollar, which I made here in Iraq. I deposit this money with a Red Cross agent because of the law. I want you to stand as my foreign beneficiary to receive the fund and keep it safe because I don't trust Red Cross agents. You will keep the money saved in your account so that as soon as I am through with my mission here in Iraq, I will come over to you for us to meet face-to-face and get to know each other. For your effort, I will give you 50% of the total money for your assistance after you have received the money."

Joe Carrigan: That's very generous.

David Bittner: "I want to assure you with my life that you will never regret your involvement in doing business with me. The success of this transaction will depend on our total mutual trust. I pray to Almighty God to take control so that everything will go smoothly."

Joe Carrigan: Good appeal to religion.

David Bittner: "How I got the money. A few weeks ago, our shoulders had encounter and exchanged bullets with some gunmen. And eventually, three of our shoulders were injured in the event while over 16 of the gunmen were killed. As a nurse in the Army, I and my group rushed to give medical attention to our men, who were injured at the spot where the 16 gunmen were shot to dead. I saw two trunks and showed it to my fellow and we decided to force the trunks open. And discovered huge amount of dollars. We quickly counted the money and share it among ourself. Mine amounted to 5.6 million USD. That is the money I want you to keep safe until I finish my duty here in Iraq and come down to your country."

David Bittner: Shouldn't it be "our country"?

Joe Carrigan: Right.

David Bittner: "Finally, you stand as my foreign beneficiary and receive the fund and keep it safe until I come to your country. You will assist me to invest it in good profitable venture. Don't worry yourself. I will give you 50% of the total money for the assistance after you have received the money. I believe I can trust you. You don't have to be afraid of anything. I have inquired about the arrangement on how to carry out the transaction. We can only communicate through our military communication facilities, which are secured so nobody can monitor our emails. So I can explain in detail to you. I will only reach you through email because our calls might be monitored. I just have to be sure who I'm dealing with is the right person.

David Bittner: "Please, if you can handle it, let me know so I will furnish you on the way forward. Your urgent reply is highly needed. Best Regard, Sergeant Zero E. Donald."

Joe Carrigan: See, that's a completely different name than Nola E. Donald at the beginning.

David Bittner: Yeah.

Joe Carrigan: So, well, I guess, just the first part's different. This one's great. Has all the red flags, right? The appeal to religion. The-- you read it like in a Russian accent. It looks like it was written by a Russian.

David Bittner: That's right.

Joe Carrigan: Not a lot of articles. And I don't think there's articles in Russian.

David Bittner: Yeah.

Joe Carrigan: Right? So it's-- it totally smells to me like a Russian scammer here. Or eastern European scammer.

David Bittner: Yeah. Appealing to greed.

Joe Carrigan: Appealing to greed.

David Bittner: Need your secrecy. Patriotism, right? Military person.

Joe Carrigan: Starts off with, it says we're both US citizens but then talks about your country.

David Bittner: Yes, yes. So I mean, this is a standard trunk scam, right? And this predates the internet.

Joe Carrigan: Yeah. I found these two trunks. It's just going to be advanced fees. That's all it is. You're going to have to pay fee after fee after fee after fee. Until you either realize it's a scam or run out of money.

David Bittner: Yeah. Alright, well, our thanks to Jim for sending that into us. We do appreciate it. And again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. Back to the concept of integrations. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, Cisco, and dozens of others. Security Coach analyzes alerts your security stack generates to identify events related to any risky security behavior from your users. With this information, you can set up real-time coaching campaigns to target risky users based on those events from your network. End point, identity, or web security vendors. These campaigns enable you to coach your users at the moment the risky behavior occurs. With contextual security tips delivered via Microsoft Teams, Slack, or email. With 35 integrations and counting, Security Coach delivers the insight you need to improve your organization's security culture.

David Bittner: Learn more about Security Coach at KnowBe4.com/SecurityCoach. That's KnowBe4.com/SecurityCoach. Joe, I recently had the pleasure of speaking with Kathleen Smith. She is from ClearedJobs.Net. And our conversation centers around job scams and some of the things that her and her colleagues have been tracking. Here's my conversation with Kathleen Smith.

Kathleen Smith: I've been in recruitment marketing for over 20 years. And what recruitment marketing means is I am the conduit between an employer and a job seeker. Now most people may think that that is a staffing firm, a head hunter, a recruiter. But I'm part of a job board that specifically works in the security cleared market, but we also have job fairs. So I am constantly, every day, talking to job seekers and talking to recruiters. Both of whom have challenges finding each other.

Kathleen Smith: And I had always thought after 20 years that they wouldn't have trouble. But finding a job and finding good talent is still a very big issue. No matter where you are, no matter what industry you're talking about. And because it is a challenge, you then have these gaps, these opportunities, for scams to come about. And when we talk about scams, when we talk about phishing, we talk about people who are preying on others who are very vulnerable. And talking to them when they are probably not grounded in what they're doing. They're highly emotional. They're dealing with, you know, issues and tools that they're not familiar with.

Kathleen Smith: And those are the perfect background for an employment scam, for any kind of scam. So when I talk to job seekers in particular, they tell me about how awful recruiters are. And yes. There are recruiters who--

David Bittner: Present company excluded.

Kathleen Smith: Well, no. I mean, I'm not a recruiter. Everyone thinks I'm a recruiter. I talk about recruiting but I haven't done recruiting in quite some time. But a lot of people do, I mean, they will use a lot of swear words and cuss me out about how bad recruiters are. And then I try to explain to them that there are so many different kinds of people who will recruit.

Kathleen Smith: There are direct recruiters who work for a company, who work for a Raytheon, who work for a Target, or Sony or something like that. Then there are the recruiting agencies who have been tasked with going out and finding candidates. And those are more about getting butts in seats, getting a lot of quantity candidates. You know, let's just throw as many people against the wall as possible. You have head hunters who have been paid a large fee to find a very, very unique kind of person. And that's usually for an executive kind of position.

Kathleen Smith: Sadly, we have also people who are just in what I call chop shops or very large shops. And all they do is they pound the phone, they pound candidates, they pound customers all the time. And they really are just looking for as many candidates or as many job prospects as possible to just churn and make some money.

Kathleen Smith: So when I've been looking at employment scams, I mean, the first one that I heard of in the security cleared community was a good 15, 18 years ago. And even then, I knew that employment scams had been around. So just like phishing, just like any kind of scams that are out there, they've been there. We just haven't, you know, seen them as prevalent as we are now.

Kathleen Smith: And why are we seeing more of them now? Well, we're seeing a lot of layoffs. So there are a lot of people who are further on edge than they normally would be about finding a job. And so, if they've just been laid off, if they're concerned that they're going to be laid off, they have a certain more, as I said, vulnerability, highly emotional, okay, maybe I should talk to this recruiter, maybe I should talk to this person, maybe I should give some information. Because I don't know if I'm going to get laid off. And I always say take a breath! You know. Realize it's okay. You are in control. And you are in control of your own job search.

Kathleen Smith: So there are some things that I will go over at the end of our discussion about what I think people should do to keep themselves safe. And they're very basic things. But some of the employment scams, the one that was very big, about 15 years ago when social media first came out, and security cleared recruiters came on social media when we all went through this discussion, should we be part of it, should we not. And several bad actors actually put up an entire social media company page and recruiters page mimicking one of the large defense contractors out there. So, people with security clearances were being contacted by who they thought were security cleared recruiters via one of the large social media platforms.

Kathleen Smith: And because many of the government contractors at that point, over 15 years ago, had not been on social media, no one knew to monitor it. No one knew to hey, is someone mimicking us? Are there fake profiles of our executives, our professionals, and lo and behold, they found out there were. Because they had job seekers contacting them saying, "I was contacted by this recruiter on a social media platform. And they said that they had a job for me." And they found out wow, we don't even have anyone on social media. So we have a very large problem.

Kathleen Smith: Another example has been where government contractors' careers pages have actually been copied. And if you looked at the URL, you could see that it is very similar. But not exact to the way the company lists their URL. And they had a full, you know, these are positions to apply for. These are places you can go and work. And just provide us with some of your vital information like social security numbers and home addresses and things like that. So, again, things that typical government contractors would not request during an outreach. So it's good to know what would happen in that place.

David Bittner: Is there an additional element of potential espionage when we're talking about people in the cleared community?

Kathleen Smith: Oh yeah. It's out there. You know, when I would teach at some of the agencies transitioning from working in government work to civilian, and I would recommend being on social media platforms, I usually got my head bitten off. Saying, but you know, there are all those actors. And I just looked, something, 20 million fake LinkedIn profiles out there. So we have known that bad actors, espionage has been going on through social media for quite some time. This is nothing new.

Kathleen Smith: I actually think we do it. I'm not going to say yes or no. But I know I'm pretty sure we do it as well. So.

David Bittner: Sure.

Kathleen Smith: So nothing is really safe, as we know. And I would say that if you are concerned, then you block and you report. This is one thing that I think is really great with social media. It came about that a lot of information was being shared across many different platforms. And then I think when communities started saying look, you know, there's bad things happening. You've got better and better opportunities to report, to block, to make sure that people cannot continue.

Kathleen Smith: But of course, they turn around and they set up another profile. But you do have some steps. Some of the other things that have happened as far as employment scams are concerned. And these are always a big trigger. Is if you're asked to pay for something up front. So you have a really great job. It's going to be remote. It's-- the hours are going to be great. But you need to buy your own laptop. So here's a link to go and buy the laptop. And you're like wait a minute, no.

Kathleen Smith: Employers should be providing you with the laptop that you're going to work on. You should not have to pay for that laptop. Same thing with you need to have a certain certification. It's just a simple test. Go ahead and take this test. And then pay for this certification. And you'll get the job. Well again, your employer is going to pay for that certification after you have the job.

Kathleen Smith: So, very common tactics that are used in non-employment ways are being used here. Looking at an email address. If someone says hey, I'm contacting you from X, Y, Z Company and you look at the email address that comes from and it's not the same nomenclature as that company, I'd be suspicious.

Kathleen Smith: And I have yet to hear, but again, I work in a very specific community, of any employer asking in an email for any of your home address, for information about your family, your social security number, you know, all of those are done through a secure website. We all know to look for a secure website versus a nonsecure website when you're entering any of the employment data.

Kathleen Smith: So, people are going to make sure that you're highly emotional, that you're vulnerable, that you don't know the process. These are all the things that are going to make you more susceptible to an employment scam. So some of the things that I recommend is one, understand that you need to be grounded in this process. What do you want to find in your next job? Is it remote work? What kind of work are you looking at? Because a lot of times, people get all wrapped up in all of the different things that are there without looking at what am I really wanting to do with this next job? And then the next area that people are going to confuse you on is they're going to tell you that you applied for a job and start having a question-- you know, start questioning you about, you know, what is your day like? What do you do?

Kathleen Smith: Well, why not keep a spreadsheet of all of the jobs you've applied for? Because I know sometimes there are a lot of job seekers who say, "I applied to 100 different jobs and somebody called me about a job and I thought that was the job and then they started asking me all of this information." I'd go back to a spreadsheet and making sure that that is a job that you actually did apply for. That is one of the more critical things that people come through.

Kathleen Smith: And then third, well, nope, two more. One is social media is friend and foe. We can love it, we can hate it, we can get good information, we can get harassed. By and large it is something that is going to help you in your job search. But it's important for you to understand how to stay engaged, who to stay engaged with, especially if you are in job search or any kind of professional development. That you're always staying engaged. And sort of keeping an eye on the landscape. Understanding who are the players, who's influential. Do you want to know more about pen testing or reverse engineering? Who are the people you want to follow with that?

Kathleen Smith: And then who are those people in your network that you can rely upon? So that when you are looking for a job, you have the tools to be able to reach out to talk to somebody and say do you know a company, do you know a recruiter that I can talk to? Rather than waiting for someone to call you or respond to a job posting that you posted your resume to.

Kathleen Smith: And finally, something that people rarely do but I wish they would is have a network of recruiters that they trust. Because if you have three to four recruiters that you've enjoyed talking to over the years, that you trust them, they understand your skills, you can always tap into them and say, you know, someone reached out to me, I'm not quite sure about the company, I'm not quite sure about the person. Have you heard of them? So you have your own verification process. And that is always going to be better than do I take this call or not? And I'm surprised that our jobs, our careers, are so important to us but we don't build this bench of resources in the way of trusted recruiters that we work with that we like working with. That know our industry, know the people who are influential or not.

Kathleen Smith: So that is one of the safeguards I would really recommend. Rather than saying is this person legit or not? Make sure that you have some recruiters that you can talk to and ask them those questions.

David Bittner: You know, just last night I was chatting with a family member who's in the midst of a job search. And they were saying that one of the things that they were running into were different organizations would ask you to fill out forms as part of your application. But they kept running into forms that were asking for way too much. You know, what's your social security number? What's your bank account information? Things like that. And they look like legitimate forms. But some of the places the forms are legitimate and some of them aren't. And it can be a challenge to tell the difference.

Kathleen Smith: You're right. I mean, there is no employment form that I've ever experienced that has ever asked for bank information. And you know, very rarely will they ask for your social security number until you're in the interview process. So they are needing that for US citizenship verification. But it's not going to happen at the beginning of any kind of process.

David Bittner: Yeah, yeah.

Kathleen Smith: But again, it's preying on people's emotions. It's preying on them not knowing what a true recruitment process is all about. And I always, as I said at the beginning, be grounded in the process. If you're going to get rattled really easily, then realize that you're going to expose yourself and it might be better to just sort of step back. And like okay, do I want to do this? How do I want to do it?

David Bittner: Joe, what do you think?

Joe Carrigan: Scams are going to show up wherever there are opportunities for them. And they're going to take advantage of the standard vulnerabilities that people have in their software, if you will. And right now, in tech, there has been a bunch of layoffs. And there are a bunch of tech people out there looking for jobs.

David Bittner: Right.

Joe Carrigan: If you've been in tech, chances are you haven't ever experienced a layoff unless you were working in some defense contractor. Or something like that, where layoffs just happen because budgets change.

David Bittner: Contracts come and contracts go.

Joe Carrigan: Right. Administrations have different focuses, right? So, it's-- this is interesting, period, right now because there haven't really been these kind of massive tech layoffs in recent memory. Not since what, 2002? When that dot-com bubble crashed?

David Bittner: Right.

Joe Carrigan: Right? So, you know, it's been over 20 years.

David Bittner: Yeah, yeah.

Joe Carrigan: Most people don't remember that. Or most people in the job force may not remember that.

David Bittner: Sure.

Joe Carrigan: I'm glad that Kathleen knows that recruiters are terrible.

David Bittner: Kathleen is a recruiter, Joe!

Joe Carrigan: Well, she's not a recruiter. She works for an organization that does job postings.

David Bittner: Okay.

Joe Carrigan: And she says that in the interview. And she's right, there are different types of recruiters. And I've had relative success with internal recruiters. But third-party recruiters seem to me like a position or a kind of position to emulate that just lends itself to scam believability.

David Bittner: Okay.

Joe Carrigan: If you will. I work for this third party recruiting. I think we had a Catch of the Day last week that was-- or maybe a couple weeks ago.

David Bittner: Yeah.

Joe Carrigan: That was a third-party recruiting scam. We're recruiting for our people, for our customer.

David Bittner: Right.

Joe Carrigan: And frankly, when I see a lot of these third-party recruiters coming through to me with emails, they look like scams.

David Bittner: Yeah.

Joe Carrigan: It's just-- fortunately, I'm at the point in my career where I just don't deal with third-party recruiters anymore. A new person in any career doesn't have that luxury and I understand that.

David Bittner: Yeah.

Joe Carrigan: It's nice to be in a position. And everybody will get there over time. Where you can just say no, not doing it.

David Bittner: Yeah. Yeah, I mean I agree that it is a particular line of employment that can lend itself to this sort of thing. I think about it like a lot of these folks who are kind of public facing who have to be out there contacting people every day.

Joe Carrigan: Right.

David Bittner: Is that there are good ones and the good ones make it look easy. And there are bad ones, and the bad ones make you realize how hard it really is. So, I appreciate the good ones for how good they are, but boy, in some of these industries, it's hard to break through the noise of the bad ones.

Joe Carrigan: Yeah.

David Bittner: Yeah.

Joe Carrigan: And I don't mean to be sitting here just openly criticizing blanketly. I guess I do mean to--

David Bittner: Maybe a little, yeah.

Joe Carrigan: You know, I've met some third-party recruiters who I still have in my network. And actually, one of them is no longer a recruiter. He does some kind of management with another organization. And another one still is a recruiter but has moved onto another role.

David Bittner: Yeah.

Joe Carrigan: And I like these guys. They're both guys. I should probably diversify my network a little bit, I guess. But you know, these guys were good folks. I didn't have an issue with them.

Joe Carrigan: The first scam that Kathleen talks about is a great example of striking while the iron is hot. So, for example-- for the example she cites, a lot of recruiting companies or defense contractors or people that had cleared jobs didn't know if they should get on the social networking bandwagon. And the scammers said oh, we'll do that. We'll get on there right now. They always know exactly what to do. They're not bound by concerns.

David Bittner: Right.

Joe Carrigan: They don't care what happens, all they want is a way to get people to give them money somehow.

David Bittner: Imagine what you can do when you have no scruples.

Joe Carrigan: That's right. You can be the first to market even if you're

David Bittner: Right.

Joe Carrigan: But now there are companies that have entire business models based on protecting against this. ZeroFox comes to mind.

David Bittner: Yeah. Yeah.

Joe Carrigan: That's what they do. They go out and they find all of these fake profiles and another shocking thing that Kathleen said. 21 million fake LinkedIn profiles? How many LinkedIn users are there?

David Bittner: 21.1?

Joe Carrigan: 21.1 million!

David Bittner: I don't know. I mean there's a lot. But it sure seems like there's a lot of fake ones. Every day, I probably get one or two invites that are clearly manufactured or synthetic.

Joe Carrigan: A quick Google search says there are 900 million.

David Bittner: Okay.

Joe Carrigan: And if there are 21 million fake. First off, that's probably from some research that she's citing there. That's probably the ones they could definitely identify as fake. I'm going to say that number's probably high. Higher, higher rather. That's a low estimate.

David Bittner: Okay.

Joe Carrigan: So, yeah, and they're going to be the most active ones out there trying to scam you.

David Bittner: Yeah.

Joe Carrigan: They're going to be the ones maybe you see the most. That's what I'm thinking about here. Maybe I got some kind of bias in my head about it. Red flags, paying for anything upfront. You should never have to buy your own laptop and get reimbursed by the company.

David Bittner: Right.

Joe Carrigan: You should never have to buy a certification. By the way, that's a great scam. As I think about it. Because they could tell you, you need some certification that we have to have for everybody. Go to this site, take this test. Don't worry, you'll pass it and you'll get the certification. And then you actually get a certification. I mean, this is something I could do in a week. And start telling people it's 100 dollars to get the certification, we'll reimburse you for it.

David Bittner: Right.

Joe Carrigan: I mean, that's a great idea. Don't fall for it.

David Bittner: Okay.

Joe Carrigan: Onboarding is a great opportunity for identity theft. One of the things that is key here. And Kathleen touches on it. Is don't start giving them your personally identifiable information until you have a job offer letter and until you've vetted this company and know that it's-- you've been to a job interview. Right? You know what they do. You know who these people are.

David Bittner: Right.

Joe Carrigan: You know, this is one of the problems with work from home is that you're going to be working from home. The CEO of your company might also be working from home. There are companies now that don't have offices. Everybody works from home. How do you validate that? How do you verify that?

David Bittner: Right.

Joe Carrigan: You have to have a network, and that's one of the things I'm getting to now is the recommendations. And I like what Kathleen says here as her last recommendation. I'm going to put it first. Have a network of people that you trust. And she says in the recruiting industry. And you can verify stuff with them. I think that's really important. I think having a network is just of paramount importance. And over time, everybody will build a network. It's just hard to maintain that network.

David Bittner: Right.

Joe Carrigan: It takes effort. Be grounded and think about what you want and think about what you're doing. And think about every single job offer that comes to you. I'll tell you a story of one time. I had a-- one time, I was working at a defense contractor and I got laid off because priorities change, Dave.

David Bittner: Yep.

Joe Carrigan: And I was of course frantically looking for a position. And I got this one email that says hey, I want to submit you for this over here. And I'm like okay. And the guy submits my resume. And that's it, I never hear from him again. But I was keeping track of everything that I was doing with a notebook and Kathleen recommends a spreadsheet, which is good. But then another third party recruiter calls me, has a conversation with me and says I'd like to submit you for the same position. I'm like this guy already submitted me.


Joe Carrigan: So, I wrote to the first guy and I got very terse emails back. This guy was from one of those organizations like Kathleen was talking about that are just throw as much at the wall as you can and see what sticks.

David Bittner: Right.

Joe Carrigan: And this is one of the reasons I don't-- I'm not really a fan of third-party recruiters as a journal--

David Bittner: You know, just this week I saw some mention online, some folks were talking about a recruiting scam where-- and, well let me describe it to you and we can unpack exactly what the scam is.

David Bittner: So, let's say I'm the recruiter. And I want to generate some business. Okay? So, I'm looking around and I'm checking on social media, I'm checking resumes, I'm checking talks on YouTube or whatever. And I identify a top-- let's just say a top cybersecurity professional.

Joe Carrigan: Right.

David Bittner: Right? Someone with really good talent. And then I call up a company and I say hey, I've got this top talent here who I'm representing. And what do you think about them? They're interested in your company. And the people at the company go what, us? That person? Wow, okay. Interesting, okay, sure, sure, sure, let's do it. And then the recruiter calls the person, who they have never spoken to before!

Joe Carrigan: Right.

David Bittner: And says I've got a hot lead for you on a job possibility. I just got contacted by my client, this company, and they are really interested in you. Can I make a connection?

David Bittner: Now, that's dishonest.

Joe Carrigan: Yeah!

David Bittner: Right?

Joe Carrigan: Yeah. How does that not get past the first interview?

David Bittner: It must work. To a certain degree. I mean, I'm just trying to think in an interview, would you care about who contacted who first? Like where, at what point would that come up, I guess? In the process. I don't know.

Joe Carrigan: Yeah, I don't know.

David Bittner: Yeah, right?

Joe Carrigan: Right. Well maybe in the interview the guy says, "Oh hello, Mr. Cybersecurity Superstar. We are very excited that you're interested in our company. And that you reached out to us." "I didn't reach out to you." Maybe that's how it comes up.

David Bittner: I don't know, yeah. But you know, it's scammy.

Joe Carrigan: Yeah, it is scammy.

David Bittner: Anything else?

Joe Carrigan: I like the idea of keeping a spreadsheet. And she talks about-- because it helps you remember where things were.

David Bittner: Yeah.

Joe Carrigan: If I ever have to do another job search, I will keep a spreadsheet.

David Bittner: Yeah.

Joe Carrigan: The social media is friend and foe. And I tend to think it's more foe. Friend. But, you know, I hate social media so much.

David Bittner: Yeah. Alright, well our thanks to Kathleen Smith for joining us. Again, she is from ClearedJobs.Net. And I've known Kathleen for a number of years now. She's one of those folks who puts a tremendous amount of time back into the community just making connections and helping people and volunteering and all that good stuff. So she's one of those good people out there. And I'm glad that she took the time for us this week. So, thanks to Kathleen for joining us.

Joe Carrigan: It was a great interview.

David Bittner: We want to thank all of you for listening and of course, we want to thank our sponsors at KnowBe4. They are experts at enabling a fully integrated approach to security awareness training. That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at HarborLabs.com and ISI.JHU.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.

David Bittner: Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.


David Bittner: Thanks for listening.