Hacking Humans 11.16.23
Ep 266 | 11.16.23

Unmasking the deceptive.


John Wilson: If you look at highly-regulated industries, things like financial services, they are far less likely to fall victim to something like this because they have that playbook that they have to follow for every single request.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans Podcast." This is the show where each week we look behind the social engineering scams. But there's more! We look behind the phishing schemes. We look behind the criminal exploits that are making headlines and taking a heavy toll on organizations, not just in our neighborhood, Joe --

Joe Carrigan: But around the world --

Dave Bittner: -- around the world.

Joe Carrigan: -- Dave, the world!

Dave Bittner: I'm Dave Bittner for the CyberWire and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe!

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show John Wilson, Senior Fellow, Threat Research at Fortra, is talking about a recent report on email impersonation attacks. All right, Joe. Before we jump into our stories here, we have some follow-up. What have we got?

Joe Carrigan: Yeah, Dave. Terry wrote in with some follow-up and some comments on episode 262. That was where I was talking about the survey --

Dave Bittner: Okay.

Joe Carrigan: -- that we did. By the way, Dr. Dahbura, our student worker Jamie Stelnik, and I will be at the Maryland Cyber Conference --

Dave Bittner: Oh, okay.

Joe Carrigan: -- on December 6th talking about this.

Dave Bittner: Cyber Maryland?

Joe Carrigan: Cyber Maryland -- that's what I meant. Not Maryland Cyber Conference. Cyber Maryland -- that's the one. We'll be there. We are on a panel for this survey.

Dave Bittner: Oh, nice.

Joe Carrigan: If you're there, stop by and say hi.

Dave Bittner: All right.

Joe Carrigan: But Terry writes -- Dear -- Hello -- he doesn't say "Dear." He says, Hello, Dave and Joe. Just some of my thoughts on the comments on how much Joe dislikes the jargon used by the cybersecurity community, and I completely agree. I feel like it hampers efforts to secure non-technical people simply because they don't understand what is being talked about. And I would agree with that statement 100%.

Dave Bittner: Mm-hmm.

Joe Carrigan: I've always tried to use more everyday terms to talk about security such as phishing via text instead -- or 'smishing,' or phishing via QR code instead of 'QRishing' --

Dave Bittner: Right.

Joe Carrigan: -- and -- I have had this conversation about QRishing for -- with, like, three or five times in the past week --

Dave Bittner: Oh, yeah?

Joe Carrigan: -- where everybody is, like, this is the absolute worst! Why are we doing this?

Dave Bittner: Yeah!

Joe Carrigan: As for the term "social engineering," I feel like it could be more closely related to real life since it's called "con games" or "cons." Why not simply call them digital con games or digital cons? Love the show.

Dave Bittner: Yeah, I like that.

Joe Carrigan: I like that, too, digicons.

Dave Bittner: Digicons. Although that sounds like a -- like a digital conference.

Joe Carrigan: Right.

Dave Bittner: There probably is a conference called "Digicon."

Joe Carrigan: Right. And there's also that -- that -- yeah. It also sounds like something -- some anime program that also sells trading cards or something.

Dave Bittner: Right. Right.

Joe Carrigan: Right.

Dave Bittner: But I like -- I mean, digital con games -- that's fair.

Joe Carrigan: Yeah. Digital con games -- good.

Dave Bittner: Yeah.

Joe Carrigan: You know, digital lies. You know? I don't know -- digital lies not so much.

Dave Bittner: I agree that -- look, every industry has their lingo which is partly how they gatekeep and partly how they tell who's in the club and not.

Joe Carrigan: Right.

Dave Bittner: And this is some of that.

Joe Carrigan: In our industry, particularly with the social engineering field, we really shouldn't be gatekeeping this.

Dave Bittner: Yeah.

Joe Carrigan: This should be something everybody should be involved with -- everybody.

Dave Bittner: Yeah.

Joe Carrigan: It's not something that you want to keep -- it's not a club. Right? We want everyone to be safe.

Dave Bittner: Sure. Sure. All right. Well, let's jump into our stories here. What do you got for us?

Joe Carrigan: Dave, my story actually came from a listener. This person would like to remain anonymous, but he lives in Scotland and is from Poland.

Dave Bittner: Okay.

Joe Carrigan: Or at least I assume he lives in Scotland -- he just says U.K.

Dave Bittner: Yeah.

Joe Carrigan: But his bank is the Bank of Scotland.

Dave Bittner: Okay.

Joe Carrigan: He is a recent listener and wanted to tell a story about something that had happened to him and his wife about six months ago.

Dave Bittner: Hmm.

Joe Carrigan: It was a Saturday evening and his wife got a phone call claiming to be from her bank's fraud department.

Dave Bittner: Hmm.

Joe Carrigan: And it seemed legit because the scammer knew the wife's name, her surname, and her date of birth. So they had all this information before they even started the call.

Dave Bittner: Okay.

Joe Carrigan: They knew what bank she was with, and they told his wife that her life savings were in danger --

Dave Bittner: Hmm.

Joe Carrigan: -- so she must move quickly to move the money to -- to protect it, of course. Now this is a very common scam. We see it a lot.

Dave Bittner: Yeah.

Joe Carrigan: Right? We -- we talk about it all the time on this show. Once they did that, they had gotten the money out of her account, they asked for her credit card details and the code on the back. So they continued going on with this -- his wife was on the phone for 45 minutes, and they got all this information.

Dave Bittner: Okay.

Joe Carrigan: At some point in time, his wife says someone from the bank wants to talk to you. And then they try to scam our listener.

Dave Bittner: Huh!

Joe Carrigan: And the first thing they say is that there's a virus on his router and he must quickly give them his account information.

Dave Bittner: Okay.

Joe Carrigan: Right? Now he says he's a person that listens to Darknet Diaries and "Hacking Humans." He says, "Who are you and why are you calling me?" He said they also say -- he also said, "That's not how viruses work -- and banks are closed on the weekends."

Dave Bittner: Okay.

Joe Carrigan: Right? But they had a response to that. They said, "No, we're -- we're from a special fraud prevention team and you need to act quickly." But he said, no --

Dave Bittner: They work 24/7.

Joe Carrigan: Right. Yeah. So he -- he said that he essentially hung up the phone at that point in time. He -- he actually logged into his bank account on his own and said, no, everything looks fine. And it was a different bank, so he -- he's not with the same bank his wife is.

Dave Bittner: Okay.

Joe Carrigan: So at this point in time, while he's on the phone with these scammers, he asks his wife to call the police while he's on the phone and trying to stall them, and the police say they can't do anything to help.

Dave Bittner: Yeah.

Joe Carrigan: They say you need to call or file a report with Action Fraud. So they hang up with the scammer and they called the bank and they blocked the card. They called the bank's fraud department and said, no, that -- please turn that card off. Those are -- those are all going to be fraudulent charges. But the money was already gone out of the -- out of the savings account.

Dave Bittner: Wow!

Joe Carrigan: It was already moved.

Dave Bittner: Okay.

Joe Carrigan: When he talked to the fraud department, they were, like, well, this is the weekend. We can't do anything about it until Monday.

Dave Bittner: Mm.

Joe Carrigan: He then looked up the Action Fraud organization, which is a U.K. organization for filing complaints, kind of like our IC3?

Dave Bittner: Okay.

Joe Carrigan: I -- I don't know if there's anything that happens when you file a complaint with Action Fraud.

Dave Bittner: Hmm.

Joe Carrigan: I don't know if this goes -- if there's a -- that there is a -- there is a case that gets opened, but I don't know if that -- if -- if there are tons of cases that get opened. I -- I don't know how it works, but he -- he figured out, or he realized that it was going to take a long time to fill out the forms, so he wanted to make a phone call instead.

Dave Bittner: Mm-hmm.

Joe Carrigan: And he got on the phone and waited for hours to have somebody pick up. And he was not really successful. Then the next day, another couple of hours and finally someone picks up. And they took all the details, but said don't try to pursue these bad guys because they are dangerous criminals --

Dave Bittner: Hmm.

Joe Carrigan: -- which I think is good advice.

Dave Bittner: Mm-hmm.

Joe Carrigan: They called the bank again. The bank says, no, we're not giving you back your 11,000 pounds -- that's how much money was taken out of these people's account --

Dave Bittner: Okay.

Joe Carrigan: -- eleven thousand pounds, saying it was our fault for falling for the scam.

Dave Bittner: Hmm.

Joe Carrigan: Now -- this is Bank of Scotland that -- that was doing this. I think RBS -- is that -- that might be the same bank, I don't know.

Dave Bittner: Royal Bank of Scotland?

Joe Carrigan: Yeah. Royal Bank of Scotland.

Dave Bittner: Okay.

Joe Carrigan: They stopped taking his calls and he finds that he can report the bank for acting this way.

Dave Bittner: Okay.

Joe Carrigan: Now, I mean, here's the thing. He -- he's not a native to Scotland or to the U.K. --

Dave Bittner: Yeah.

Joe Carrigan: -- so I think some people think, okay, well this guy -- you can just make him go away by ignoring him. Right?

Dave Bittner: Hmm.

Joe Carrigan: But he's persistent.

Dave Bittner: Mm-hmm.

Joe Carrigan: So he calls the bank up and he -- he -- and he tells the bank, look, this is against the law. What you're doing is against the law. We notified you of these fraudulent transactions when they were happening. You know, if you're -- if you're going to maintain this bankers' hours stuff, this is -- this is my opinion here -- if you're going to maintain the bankers' hours and not show up to work until Monday and then process all these things -- things on Monday, if I call you on Saturday and call your fraud department, that's plenty of time for you to stop those transactions from happening Monday morning.

Dave Bittner: Yeah.

Joe Carrigan: Those transactions should not happen, regardless of -- of what your system is.

Dave Bittner: Mm-hmm.

Joe Carrigan: The bank personnel essentially buckled here and they did refund him his money.

Dave Bittner: Oh, good!

Joe Carrigan: So he got his money back. He's -- he's upset with everybody involved. I understand. But --

Dave Bittner: Sure.

Joe Carrigan: -- you got your money back, so be happy about that. A lot of people do not get that.

Dave Bittner: Right.

Joe Carrigan: He's upset with the fact that it takes -- it takes Action Fraud. Action Fraud is a sixty-minute web form to fill out. He said it estimate -- he estimated about -- it takes about sixty minutes to fill out a complaint form and you can't get anyone to answer the phone there.

Dave Bittner: Yeah.

Joe Carrigan: And then the police were not willing to help and he had information. Like, they were buying plane tickets.

Dave Bittner: Oh, wow!

Joe Carrigan: So he knew where they were going to be and when they were going to be there. The police didn't do anything.

Dave Bittner: Hmm.

Joe Carrigan: I would have said, you know, it -- it -- it's the U.K. It's not the same as -- as it is here in the U.S. where you -- where you have rights and stuff. There's fewer rights in the U.K.

Dave Bittner: Hmm.

Joe Carrigan: So I would -- were I in law enforcement, I would be very interested in who was getting on that plane, after having fraudulently purchased a ticket. Now, granted -- Dave, I'm not a lawyer and I'm certainly not a U.K. lawyer.

Dave Bittner: Well, I think also this is a nonviolent crime.

Joe Carrigan: It is a nonviolent crime. It doesn't rise to the level that interests them. They're --

Dave Bittner: Right.

Joe Carrigan: -- police are probably overwhelmed --

Dave Bittner: Yeah.

Joe Carrigan: -- with these kind of things.

Dave Bittner: Yeah.

Joe Carrigan: And, really, you're -- you're essentially on your own here, but it's good for our listener that he got his money back and was made whole by his bank.

Dave Bittner: Yeah, absolutely. I -- I -- I'll point out that I -- I -- what this reminds me of is that, in a lot of cases, and I've heard this particularly coming from the U.K., that people don't get their money back because my understanding is that the way that the law works there is that if you enable the transfer and if you make that transfer happen --

Joe Carrigan: Right.

Dave Bittner: -- that's your fault.

Joe Carrigan: Right.

Dave Bittner: And so the bank isn't responsible for those funds.

Joe Carrigan: Yeah.

Dave Bittner: You know, I would say this is a good reason for doing these sort of big transactions through things like credit cards where you have the backing of --

Joe Carrigan: You have recourse -- yeah.

Dave Bittner: -- company behind you.

Joe Carrigan: Yeah, well, this -- this is a different case. This is somebody calling and impersonating your bank.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Yeah.

Joe Carrigan: What we say every time is when someone calls and tells you they're from the bank, you say, "What's your extension? I'll call you right back."

Dave Bittner: Right.

Joe Carrigan: And if they say, "Well, I don't have an extension," you just say, "Can I just ask for your fraud department? Because that's what I'll do. I'll call -- call -- call you back on the number I have for you and call the fraud department."

Dave Bittner: Right. And don't call back on the number they give you.

Joe Carrigan: No. The number they give you is going to just -- just ring them right back. So don't do that.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: Yeah, they -- they -- I get frustrated with this, Dave. You know, here -- I had something interesting happen to me recently.

Dave Bittner: Okay.

Joe Carrigan: One of my financial institutions said do you want to list a third party we can check with if we think one of your transactions is suspicious?

Dave Bittner: Hmm.

Joe Carrigan: I said that's interesting.

Dave Bittner: Hmm.

Joe Carrigan: That's -- I think that's a great idea. Of course, I didn't fill out the paperwork or --

Dave Bittner: Who would the third party be?

Joe Carrigan: I don't know who the third party would be. You know, I -- I don't think I'm at the age where I need to worry about that yet, but --

Dave Bittner: Oh, I see. Right. Right. Right.

Joe Carrigan: -- when I get to that age, maybe the third party will be, like, my son --

Dave Bittner: Yeah.

Joe Carrigan: -- the accountant.

Dave Bittner: Yeah. I think I mentioned here before that I'm on a number of my father's accounts.

Joe Carrigan: Right.

Dave Bittner: And he -- you know, he's elderly and I actually have triggers in place where, if a transaction above a certain amount happens --

Joe Carrigan: Right.

Dave Bittner: -- I just get a notice.

Joe Carrigan: Yup.

Dave Bittner: And that's -- I think that's a very nice, comforting service that the bank provides, and I'm glad it's there.

Joe Carrigan: Yes. Indeed.

Dave Bittner: Yeah. All right. Well, you know, Joe, my story is a personal one as well.

Joe Carrigan: Okay.

Dave Bittner: I saw an ad pop up on social media over the weekend or earlier this week I should say.

Joe Carrigan: Which platform were you on, Dave?

Dave Bittner: I was on Facebook.

Joe Carrigan: Ah-ha! And so this is going to be from Meta.

Dave Bittner: Yeah. So the thing is the two social media platforms I'm on are Facebook which, I think we've discussed. I just recently re-engaged with Facebook, and every time I log in I'm filled with regret. But -- but it's -- you know, it's where -- it's where the people are.

Joe Carrigan: Yeah.

Dave Bittner: So I go in there to check on my friends and family and loved ones and all that stuff, and -- and I feel dirty every time I do it.

Joe Carrigan: Can I tell you what happened to me on Facebook today?

Dave Bittner: Sure.

Joe Carrigan: I got a memory that came up and it was from -- after Donald Trump had won the Presidential election. And my only post -- my only statement was, "Hey, Facebook, what's going on? Oh, okay. I'll see everybody in a week." Right?

Dave Bittner: Or four -- four years.

Joe Carrigan: I was, like, yeah, you remember after Donald Trump won the election and the -- the entirety of Facebook was either right -- righteous indignation or just seething about -- angry seething about it?

Dave Bittner: It was a divisive event --

Joe Carrigan: It was.

Dave Bittner: -- in our nation's history, I think it's fair to say.

Joe Carrigan: Yeah. But, I mean, it was only made worse by Facebook, Dave.

Dave Bittner: Oh, sure! I mean they -- they absolutely took advantage of it and amplified it --

Joe Carrigan: Sure.

Dave Bittner: -- and all that -- I mean, look. I don't -- you know, I don't care if you're the biggest MAGA fan in the world or you think Donald Trump is pure evil, we all got targeted.

Joe Carrigan: Right.

Dave Bittner: By --

Joe Carrigan: Yeah, you got manipulated by Meta.

Dave Bittner: Oh, yeah.

Joe Carrigan: And -- and, man, Mark Zuckerberg made a ton of money that week.

Dave Bittner: Sure. Sure. So I'm on Facebook. I'm minding my own business. And this ad pops up. Now, Joe, I -- I had the -- the peace of mind to grab a screen shot of the ad.

Joe Carrigan: Ah, very good.

Dave Bittner: So if you scroll down in our little document that we share here --

Joe Carrigan: Okay.

Dave Bittner: -- you can see the ad. Right? You see the ad there?

Joe Carrigan: I do see the ad.

Dave Bittner: All right. Now how -- why don't you describe the ad to our listeners.

Joe Carrigan: Ah, let's see. It says, "Half price discount for elderly p" -- probably "people."

Dave Bittner: People -- yeah, yeah.

Joe Carrigan: "I will give you one for free." And it's Elon Musk, and I do not recognize the woman he's standing with.

Dave Bittner: Okay. So that woman is Joanna Gaines.

Joe Carrigan: Okay.

Dave Bittner: She is the cohost of a show called Fixer Upper. She's a -- she's a home improvement legend. Okay?

Joe Carrigan: Okay.

Dave Bittner: So she is -- she has -- she does these home improvement shows where she's the designer and then her doofus husband, Chip, does all the work. Okay?

Joe Carrigan: That sounds -- that sounds awfully familiar. It's a little close to home for me!

Dave Bittner: So --

Joe Carrigan: That's -- that's how my house got laid --

Dave Bittner: Right. This is a popular format on these home improvement shows, you know, where you have the very smart, capable, attractive woman --

Joe Carrigan: Yup.

Dave Bittner: -- and her doofus husband who, you know, can swing a hammer -- right?

Joe Carrigan: And the woman does make good -- good decision -- good design decisions.

Dave Bittner: Oh, yeah -- yeah.

Joe Carrigan: My house is beautiful.

Dave Bittner: And their show is, you know, very popular. They have a -- in fact, I believe they have an entire network now. Like, one of the -- one of the, you know, home improvement networks got renamed because of them. So, at any rate, she's very well known, very popular. I'm guessing that whoever created this ad did a simple Google search and said "most trusted celebrity men," "most trusted celebrity women."

Joe Carrigan: Right.

Dave Bittner: And Elon Musk was on the list, and Joanna Gaines was on the list for "who do people trust?"

Joe Carrigan: So in this picture Elon and Joanna are standing next to each other. And they're holding these white objects with green lines across the bottom of them. And --

Dave Bittner: Right.

Joe Carrigan: -- from the look of Elon's left hand, it doesn't look like he's really holding that -- at all. It looks like it's just been photoshopped in.

Dave Bittner: Do you think?

Joe Carrigan: Same with Joanna.

Dave Bittner: Yeah. You think?

Joe Carrigan: His right hand, mildly convincing. You know?

Dave Bittner: Yeah. So they're holding a device that's, oh, about the size of a mobile phone. White plastic. It's got a little green stripe, probably two-thirds of the way down it, and there's a -- it looks like it's illuminated from behind.

Joe Carrigan: It looks like a white Alexa to me.

Dave Bittner: Yeah. And it says at the bottom, "Stop overpaying your power bill."

Joe Carrigan: Hmm.

Dave Bittner: All right?

Joe Carrigan: Okay.

Dave Bittner: So there's a link there and if you click through -- now I did not click through because I didn't want to confirm, you know, that I had any interest in this whatsoever.

Joe Carrigan: Right.

Dave Bittner: 'Cause I knew this was a scam.

Joe Carrigan: Scam ads.

Dave Bittner: I knew this was a scam. Yeah. And -- and I knew -- I had a pretty good idea that I knew what this device was, but I knew the ad was a scam, no question. So I went -- you know, I opened up a new tab, put in the web address, and off I went. And, sure enough, this is a scam.

Joe Carrigan: Right.

Dave Bittner: So you get to the page where they're trying to sell you this thing and they make it look like, you know, "Fox News Reports" -- you know, "government is about to shut down secret device. Elon Musk agrees to stop manufacturing super device that will lower your bills by 90%. Power companies hate him!" You know, it's that -- it's -- I mean, every, every of those little tropes thrown at you on this webpage. The device itself -- it is supposed to be plugged into your electrical outlet and it claims to magically smooth the power delivery in your house and that is what's going to lower your electrical bill by up to 90%.

Joe Carrigan: Okay. Smoothing out an electric -- the -- the sine wave from the electric company does not lower your power bill.

Dave Bittner: Correct.

Joe Carrigan: It does condition the power and there are devices that will do this. I bet this device doesn't even do that.

Dave Bittner: Basically, inside this device is a capacitor. That's it. That's what's in there. Now I will include in the -- the links to -- in the show notes here a link to a video from a YouTuber named Big Clive. I don't know if you're familiar with Big Clive, but he is a -- a gent from the U.K. who takes apart electronic things, reverse engineers them, and explains to you what's in them and how they work.

Joe Carrigan: I think I've seen some of Big Clive's work.

Dave Bittner: It's entertaining. If you're -- you're a gadget geek, Big Clive is a channel you might want to know about.

Joe Carrigan: Right.

Dave Bittner: And I enjoy his stuff. And, sure enough, he took one of these apart. One -- exactly one of these apart and it's a scam. There's -- in fact, the one he took apart had a capacitor inside that wasn't wired to anything.

Joe Carrigan: Just sitting there!

Dave Bittner: Right.

Joe Carrigan: Minding its own business.

Dave Bittner: Yeah -- exactly. So here's the thing. This device is based off of a real principle.

Joe Carrigan: Right.

Dave Bittner: In factories, if you had large motors that were running --

Joe Carrigan: Right.

Dave Bittner: -- and those motors fell out of sync with the sine wave of the power source coming to your factory --

Joe Carrigan: Right.

Dave Bittner: -- that could be a problem.

Joe Carrigan: Yes.

Dave Bittner: So they came up with a device that would fix that. This device works off of the principle -- the theory of that so it is a real device in that it does something. But in your home, it does nothing.

Joe Carrigan: Right.

Dave Bittner: Unless you're running, you know --

Joe Carrigan: Don't those motors have to be, like, multiphase motors?

Dave Bittner: Exactly.

Joe Carrigan: So -- in almost every circuit in your house, every time you plug in one of those little prongs, like in the back of your computer, the -- your lamp, everything -- that's one phase.

Dave Bittner: Right.

Joe Carrigan: The only thing in your house that's ever going to be multiphase is going to, like, your oven or your dryer --

Dave Bittner: Yes.

Joe Carrigan: -- and it's going to be one of those big, clunky chargers. Or maybe if you have an electrical vehicle, that is probably multiphase, too.

Dave Bittner: Right. Right.

Joe Carrigan: Because that's your 220 outlet and that gets to be 220 by having two 110 volt phases.

Dave Bittner: Yes. Yes. And that has been "Electrician's Corner" with Joe Carrigan. So the reason I bring that up --

Joe Carrigan: I just like explaining things.

Dave Bittner: -- really!

Joe Carrigan: Yes.

Dave Bittner: So the reason I bring that up is that I think the folks who are selling these -- this gives them cover to say, look, this is a legitimate device. Here's the patent for it. Here's how other organizations use it. It just so happens that the odds of it actually doing anything in your home are next to zero.

Joe Carrigan: Right.

Dave Bittner: The Better Business Bureau has a page dedicated to these devices.

Joe Carrigan: That's -- that's awesome. You know you're a scam if the Better Business Bureau has a page dedicated to you.

Dave Bittner: Right. Right. We'll have a link to the Better Business Bureau's page on that. There's a link I found -- someone else did a write-up on the particular Elon Musk version of trying to sell this device. We'll have a link to that as well so you can check it out. Part of what annoyed me and -- and what prompted me to include this in this week's show was that I did the right thing, of course, which is I reported the ad --

Joe Carrigan: Right.

Dave Bittner: -- to Facebook. Probably an hour later, I saw the same ad with a different URL.

Joe Carrigan: Dave -- Meta is making money hand over fist on this ad. They're not stopping it.

Dave Bittner: I know. But I reported -- I report them anyway, Joe.

Joe Carrigan: Yup.

Dave Bittner: I'm pushing that rock up the hill.

Joe Carrigan: That's right.

Dave Bittner: I --

Joe Carrigan: You pushed that rock up the hill. In a half hour, it was down at the bottom of the hill again.

Dave Bittner: That's right. And it had rolled over me.

Joe Carrigan: Right.

Dave Bittner: Yeah. So I'm fighting the good fight. I have the moral high ground here. Right?

Joe Carrigan: Well, at least you're happy. Right?

Dave Bittner: Well, I'm a little less sad, let's put it that way. That was Camus' thesis -- was the [inaudible 00:22:02] was happy. Right. Right. So I -- I -- I -- you know, look, folks. Be on the lookout for this. They seem to be targeting the elderly.

Joe Carrigan: Right.

Dave Bittner: And they claim a half-price discount. What that means is if you buy one, they'll give you one for 50% off. Right? So the -- it's just they're twisting everything around to try to get people to buy these things, and they're using all the buttons that people usually push when it comes to the elderly, trying to get them to save money. You know, stop overpaying your power bill. This device is going to do everything but bake cookies for you.

Joe Carrigan: Right.

Dave Bittner: So just warn your friends and family about this. This is a scam. It makes me angry that Facebook, as you say -- and I think correctly so -- really isn't motivated to take these down.

Joe Carrigan: They're not.

Dave Bittner: They're just making money off of them.

Joe Carrigan: Yup.

Dave Bittner: The company who is selling them -- I think they have enough cover to say that the device actually, under certain circumstances, could do something, and technically they're not lying. So government isn't shutting them down, but it doesn't do anything.

Joe Carrigan: Right?

Dave Bittner: I mean, it -- it -- you're just throwing -- you might as well throw your money out the window. Let me put it this way, if -- if a twenty-dollar device were able to save you 90% of your electrical bill --

Joe Carrigan: Right.

Dave Bittner: -- every house would come with one built in!

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: And power companies would be, like, whew! Now we don't have to generate as much power on the grid.

Dave Bittner: Right. We don't have to build that other power plant. We'll just send everybody one of these things.

Joe Carrigan: It's the -- it's -- utility companies are one of the only businesses in the world where they have to tell people, "Don't use our product as much."

Dave Bittner: Right. Right. Right. Oh -- all right, it's frustrating.

Joe Carrigan: It is.

Dave Bittner: So there will be all kinds of links for this one in the show notes. And enjoy those. It is just -- it's so scammy. It makes me -- it makes me --

Joe Carrigan: It's very --

Dave Bittner: -- it grinds my gears, Joe. It grinds my gears.

Joe Carrigan: It grinds your gears. This is like an episode of things Dave hates.

Dave Bittner: There -- there you go. There you go. All right. That is my story this week. Joe, it is time to move on to our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ]

Joe Carrigan: Dave, our catch of the day comes from William. He's got a letter from Chief Charlie Vasquez from the Tampa International Airport Police Department.

Dave Bittner: Okay?

Joe Carrigan: You want to -- you want to read what -- what Chief Vasquez has to say?

Dave Bittner: Sure. It starts off -- it says, "Greetings. We write to inform you that after the directors' meeting yesterday, we've resolved to release your fund with the service of DHL Courier Company as we've secured an immunity that will guide the delivery direct to your doorstep as the delivery will not stop nor verify the shipment on its way to make the delivery to your destination. Despite our initial hold on the fund delivery, which is above the stipulated volume of amount allowed to convene per individual, $2,750,000, we deem it proper to release your fund and also give you every backup on the money since we have ascertained it to be genuine. The shipment documents and clearance papers we retrieve from your delivery agents have been confirmed authentic. Therefore, we advise you to get back to us for the delivery schedule. You are expected to reconfirm your delivery details as given below for our final verification: name; address; telephone; nationality; age; occupation. We look forward to your timely response. Yours, Chief Charlie Vasquez."

Joe Carrigan: Hmm. Yeah. This is a trunk box scam.

Dave Bittner: Right.

Joe Carrigan: Yeah. It's just -- you know, we're going to -- oh, wait. Yes. We are going to send it to you, but you have to pay x amount of dollars to get your $2.75 million.

Dave Bittner: That's right. Right. The low, low price of $500 -- we will --

Joe Carrigan: Right.

Dave Bittner: -- just to verify for -- who knows what for.

Joe Carrigan: Yeah.

Dave Bittner: But, yes, you're -- you're correct. It is a trunk box scam and you ain't getting the $2.75 million.

Joe Carrigan: You're certainly not getting that.

Dave Bittner: No. No.

Joe Carrigan: William said he toyed with the idea of doing the Jake Blues thing and giving them the address of Wrigley Field.

Dave Bittner: I like that.

Joe Carrigan: And --

Dave Bittner: That's good.

Joe Carrigan: -- seeing how that went. But he just decided, nah, I'm just not going to deal with this. I'll send it to Joe and Dave and then call it a day.

Dave Bittner: There you go.

Joe Carrigan: Into the -- into the deleted folder with you.

Dave Bittner: All right. Well, thank you, William, for sending that to us. We would love to hear from you. If there's something you'd like us to consider for our catch of the day, you can email us. It's hackinghumans@n2k.com. All right, Joe. I recently had the pleasure of speaking with John Wilson. He is a Senior Fellow for Threat Research at Fortra, and we were talking about a recent report they published on email impersonation attacks. Here's my conversation with John Wilson.

John Wilson: This is one of the sad things. We put one of these reports out every quarter, and every quarter the top line says pretty much the same thing. "We've hit a new high of threats in corporate mailboxes." And I would love to tell you that, hey, it's going to dip. It's going to go down. The reality is scammers are making money from this and they're going to keep doing it as long as they continue to make money. And, of course, more and more of them will get into it. And so, yeah, that's -- I think that the headlines there which isn't really a headline. You know, "Man Bites Dog" would be a headline. "Dog Bites Man" -- you know, that isn't so much of a headline. But, yeah, the threats -- corporate inboxes hit an all-time high. And no surprise to me, having been in this industry for a long time, the toughest ones to block involved email impersonation. We've gotten pretty good as an industry to sandbox attachments and do other things -- signature-based algorithms as well as sandboxing, static analysis to keep malware out of the inbox. But when it comes to impersonation, that's a much more difficult problem and we see that, still, that is the number one threat that seems to get through to the actual inbox rather than landing in spam or being deleted outright.

Dave Bittner: Well, can you walk me through an example of this? I mean, what exactly does impersonation entail?

John Wilson: Absolutely. So, first of all, it relies on impersonating either an entity or an individual that you would ordinarily trust. So very common ones will impersonate, for example, Microsoft or Apple. They will tell you that there's something wrong with your Apple ID, or there's something wrong with your, you know, Office 365 login. Click here to fix the problem. And they use the branding, the logos. They will set the display portion of the email address to say it's from Microsoft Security Services or, you know, Apple ID security. And these can be quite effective because our immediate reaction is, oh my gosh! I'm being hacked! I have to take an action right away, and so the social engineering aspect comes in. That sense of urgency, that sense of something bad is going to happen if I don't take an action right away. That's one form. I would say the other form, and perhaps the one that's even less understood by the average individual, is when they're impersonating -- rather than an organization -- they're impersonating an individual. Most common ones, say it's fifteen years ago when all of this sort of got started, would be the CEO impersonation. Those still exist and they're still quite frequent. I see them on a daily basis. Someone sends an email. It looks like it's from the CEO. They say, hey, are you at your desk? I have a -- you know, I have a task for you to do. And usually it's either, you know, run to the store and buy gift cards, or the task might be, you know, to pay a vendor that's, you know, owed money, obviously without all the proper paperwork and such. There they're leveraging the social engineering concept of authority. Right? You're more likely to do something if you think the instruction is coming from the CEO. A common one that I'm seeing, though, much more often, and it's much tougher to block, and that is what we call payroll diversion. Someone impersonates an employee. They're typically going to use a webmail account but, you know, sometimes they use compromised accounts or -- or other mechanisms. They'll email the payroll team and they've usually got some sort of sad backstory about how their bank account is locked at the moment, or somebody hacked their bank account. They've lost all their money and they really quickly need to switch the account that they're going to use for their direct deposit. Now if you tried that at my company they'd say, yeah, go log in, use the mobile app, or whatever and go change it that way. But we've seen cases where smaller organizations in particular, that maybe have not set up -- you know, have a strict set of policies and such, will actually go and, based solely on that email, will update the direct deposit settings. And then at least one paycheck is going to go to that new account. And, you know, depending on the individual, how often they check their bank balance, that could go unnoticed for two or three paychecks. And so that one can be quite effective. And the reason it's so difficult to block is that you're no longer just looking for the name of your CEO, your CFO, your Chief Operating Officer. But, rather, you have to consider the name of every single employee. You look at somebody like myself, John Wilson -- there were fourteen John Wilsons in my tiny little hometown of 10,000 people, if you can believe that. It's -- it's obviously quite a popular name. You could not simply block a message that said it was from John Wilson, just because it was being sent from a Gmail account to somebody at Fortra because there could be some other John Wilson looking for a job. It could be some other John Wilson who's, you know, doing sales or marketing at another company, at a partner perhaps. And so that's a much tougher type of attack to block.

Dave Bittner: Well, let's dig into that a little bit. I mean, what -- what would be your recommendations in terms of best practices for an organization to not fall victim to that?

John Wilson: Absolutely. Yeah, that's a great question. And so it's really three parts. The first part is technological solutions. Yes, you absolutely need some kind of anti-spam filter. I doubt there's a company on the planet today that isn't using something, whether that's the controls built into Office 365 or whether it's an after-market gateway, you know, that sits in front of your mail server. That's kind of the bare minimum. The next thing from a technological standpoint I would recommend is an email security solution that is specifically focused on identity deception. Most of these that are out there utilize machine learning, artificial intelligence, and they essentially build up a map of who is communicating with whom, who are the individuals that are typically communicating with other people within the company, and then looking at the content of the message and trying to find sentiment. And looking -- putting all those things together, they can start to see that, hey, this does not fit a normal pattern. Why is somebody emailing the payroll team, saying they need to change the direct deposit, but they're using an account that we've never seen before -- you know, be used for that individual before -- and it's an external account? It's not -- it's not their work account. So that's a -- a -- a whole class of solutions that are out there. Obviously, my company Fortra offers one. There are others out there. This is not meant to be a sales pitch. But I would say that that's the second layer that you need. Now I said there were three different aspects. First being the technology, I've covered that. The second is training. There are many different solutions out there. Again, Fortra has one. There are others as well where you train folks to understand the risks of phishing and other security risks and, ideally, if all the employees take that training and adhere to it, you're going to be in good shape. Now the reality is every one of these companies will come in, they'll do an initial assessment, and they'll say, you know, 53% of your employees fell victim to our simulated phishing attack. And then after they do some training, etc., etc., they say, hey, you're down to 16% of your employees are falling victim to phishing attacks. Well, that's great. You've got fewer employees falling victim. The reality, of course, is that you still have some portion of the employees that are going to fall victim. Right? Because you're never going to drive that number to absolute zero. And then the third thing -- and I believe this is really probably the most effective and it's one of the reasons why these tend not to happen at very large, well-established companies -- is policies and procedures. Things that absolutely must be adhered to. I don't care if it's the CEO literally standing behind you at the desk saying, "Pay this." If they don't provide the proper documentation, you don't do it. And so if you look at highly regulated industries, things like financial services, they're far less likely to fall victim to something like this because they have that playbook that they have to follow for every single request. An employee wants to change their payroll, well, okay. You have to fill out this form online that you can only reach with your work account on the company internet or the company VPN. Well, you've just shut down the capability to use email as the sole weapon in that particular [inaudible 00:35:19].

Dave Bittner: Yeah. It seems to me, like, you know, something as simple as a -- a verifying phone call. You know? Hey, we got this request from you to change the routing of your payroll. I'm calling you on the -- the phone number that we know is you from HR --

John Wilson: Yeah, exactly.

Dave Bittner: -- just checking in to make sure this is actually what you want to do.

John Wilson: I refer to that as second-channel verification. And I have a funny story about that. So -- sometime back my mom sends me a quick little email and she told me about this thing that had happened to her. Essentially, she got a message from her choir director saying that, hey, this is really funny. You should -- you should check it out. And it had some link and, of course, it was a phishing link. Turns out that her choir director's email had been hacked. The bad guy was sending the messages out of there. Well, my mom, having talked to me many, many times about scams, knew, oh, I have to validate that this really is who they say it is. Instead of picking up the phone, however, and calling her choir director, she simply replied to the email and said, hey, did you really send this to me? And, of course, the bad actor was there with his fingers on the keyboard and said absolutely. You're going to really enjoy it. And next thing you know, my mom's email got hacked. And that's kind of how I found out about it because I got the exact same message saying, hey, you should check this out. You're going to think it's really funny. And I just rolled my eyes and said, Mom, you didn't follow my instructions.

Dave Bittner: Oh, mom! Mom!

John Wilson: It's very important -- exactly. You know, I -- I -- I worry about my friends and family all the time falling victim to, you know, a whole wealth of scams. Maybe I'm a little bit overly paranoid just because I see so many of these in a given day.

Dave Bittner: To what degree are -- are the bad folks out here, the folks that are using business email compromise -- are they upping their game? Are they evolving? Or -- or are they sticking with the -- the tried and true things that -- that have proven to work for them?

John Wilson: So yes and yes. There certainly are the folks that are just using the tried and true playbook. I call them the "lazy scammers." And we will literally see the precise -- they've copied and pasted something out of a -- you know, a tutorial they found online of how to commit payroll diversion fraud. And, literally, they won't even change a single word in the entire thing. Those are the lazy ones and there are plenty of them out there. A lot of young people that are just getting into this type of scam will follow the playbook. What we're seeing, however, is -- we're starting to see evidence of people using generative AI to help them. And, in fact, we don't have absolute proof that they're doing this, but what we're seeing are -- first of all, we're seeing some of these scams occur in other languages. Traditionally, they've almost always been English language. They've gone after folks in the U.S., Australia, U.K., Canada, New Zealand, and that has been their bread and butter. Recently, I've started seeing them in -- you know, pick a language. I saw one in Polish, Lithuanian. Just yesterday, there was one in Lithuanian -- Polish, Swedish, French, you name it. So we're first of all seeing a lot of that. And looking at it, we don't think -- we had a few native speakers look at a few of these. They don't think that it was just a simple copy/paste out of Google Translate. They think that there was a little bit more going on there. The other thing that sort of gave us an indication that there might be use of AI here was that we're starting to see things where the backstory sounds -- you know, it's not cookie cutter. It's not cut and pasted from the tutorial that's floating around the internet, but rather, you know, they're adding some unique things to it. They're asking, you know, hey -- how did your weekend go? Just little niceties that we haven't seen prior to about a year ago.

Dave Bittner: Hmm.

John Wilson: And that, again -- it's anecdotal. We don't have absolute proof they're using AI. But we suspect they are and we know if they aren't doing it yet, they're absolutely going to be doing it.

Dave Bittner: What are your recommendations then, I mean, for -- for folks who want to better protect their businesses here? Any -- any -- any words of wisdom?

John Wilson: The protections are no different than what I just said. Although the technique on the scammer side may change a little bit, the messages may be better written, they won't have the typical grammatical errors you would expect. They might occur in another language. It's still those three things. You make sure your technology stack is in place. You have your policies and procedures and you make sure that you adhere to them. And you do that security awareness training so that your employees understand the threat and know how to recognize that threat. Also, of course, informing the employees to report the threat. And this is a big piece because this forms a feedback loop. These attackers typically do not simply email one person in the company. They'll email five or six people in the company, hoping that one will fall for the scam. Well, guess what? If one person remembers their security awareness training, recognizes it's bad, and reports it, well, now the IT team, the security team can go and make sure that none of the other four people have fallen victim to it. So this is, I think, another crucial thing I would add on top of my previous statements. But in terms of how to deal with the shift in, you know, techniques that they're using, the playbook on the defender's side remains the same.

Dave Bittner: You know, you remind me, too, of something that -- that I think about often which is the -- the environment that you foster within your organization where, you know, as you say, putting people in a position where they feel safe and comfortable reporting these things to the powers that be, that it's not going to be a mark against them.

John Wilson: Absolutely. And, you know, the analogy that I look at is what happened to the airline industry. After a couple of crashes where no one wanted to -- the copilot didn't want to question the pilot -- they were more senior and there was sort of this feeling of you don't question the pilot's decision -- after there were one or two accidents where the copilot, if they'd intervened and said, hey, you forgot to put the flaps down or you forgot to do this or you forgot to do that, they could have saved -- that plane, could have saved all those lives. There's a corollary to that over in cybersecurity and that is things like, yeah, it may be very uncomfortable to pick up the phone and call the CEO and ask her if, hey, did you actually send this message? But that's what you need to do. And companies need to foster that environment that, hey, it's okay to do that. Realistically speaking, at most companies you're probably going to get the CEO's assistant and the assistant will probably quickly tell you that, no, you know, the CEO -- she's off in XYZ on a business trip and I can guarantee you she does not need you to run to the store and buy gift cards.

Dave Bittner: Right.

John Wilson: Again, fostering that concept that, number one, it's okay to make that verification. And also that, by reporting something, even if you made a mistake -- in fact, we've found that half of all end-user reports about things they suspect are phishing turn out to actually not be phishing, turn out not to be a threat. But it's important to have that second set of eyes look at it, somebody who is specifically trained to look at the technical indicators, look at the context more holistically to make a determination if this is a threat or not.

Dave Bittner: Joe, what do you think?

Joe Carrigan: It's interesting that every quarter it's just getting worse.

Dave Bittner: Yeah.

Joe Carrigan: That's -- that's -- scammers are profiting greatly from this impersonation scam.

Dave Bittner: Mm-hmm.

Joe Carrigan: So it's starting to attract the attention of other scammers and they're just going to get into it.

Dave Bittner: Yeah.

Joe Carrigan: It's -- it's difficult to weed out. In fact, you know, as I was writing up this episode, my daughter sent me an email of somebody trying to impersonate somebody we know.

Dave Bittner: Oh!

Joe Carrigan: Yeah.

Dave Bittner: Wow!

Joe Carrigan: And -- and they wanted -- they wanted her to go out and get $1,400 in eBay gift cards.

Dave Bittner: Wow!

Joe Carrigan: It was a gift card scam.

Dave Bittner: Okay.

Joe Carrigan: Fortunately, my daughter saw right through it. But there might be people who are targeted by this scammer that -- that didn't see right through it. It would be terrible if that happens.

Dave Bittner: Yeah.

Joe Carrigan: Impersonation -- difficult to weed out. It's -- it's easy to -- to weed out the spam and the malicious software, but the impersonation is much harder to -- to prevent.

Dave Bittner: Yeah.

Joe Carrigan: Especially if someone is crafting each message individually. It's not going to get caught by those filters.

Dave Bittner: Mm-hmm.

Joe Carrigan: You have to flag the email -- the email address itself as malicious. And, even then, that's not going to help you very much at all. CEO was the number one impersonated thing a while ago. People would say, hey, I'm the CEO and I need you to do something for me. Now it's much more common to impersonate the average employee. I think that's an interesting turn of events.

Dave Bittner: Mm-hmm.

Joe Carrigan: It's probably because it's much more successful as a scam to redivert people's paychecks than it is to get somebody to send out a bunch of money pretending to be CEO.

Dave Bittner: Yeah.

Joe Carrigan: You could probably get a couple of -- you know, a couple thousand dollars pretty easily, as opposed to getting a hundred thousand dollars -- very difficult.

Dave Bittner: Right.

Joe Carrigan: In a more difficult manner.

Dave Bittner: Yeah, it's a good payday either way.

Joe Carrigan: Right. Exactly. Lazy scammers -- he talks about the lazy scammers, John does, when, you know, the people just go out and buy the -- the scamming kits and then start sending messages out. I bet these people -- still, very effective in what they're doing.

Dave Bittner: Yeah!

Joe Carrigan: And it's interesting now that we're starting to see these attacks come from generative AI. And he cites some -- some interesting -- I mean, he doesn't call it evidence yet. He says it's anecdotal. I -- I think as he collects more of this stuff, it will stop being anecdotal and start being evidential data.

Dave Bittner: Yeah.

Joe Carrigan: But we're looking at these generative AI models generating these spear phishing emails in all kinds of languages and being effective. They're not cookie cutter in their -- in their templates, and they even have different back stories --

Dave Bittner: Right.

Joe Carrigan: -- which is interesting, I think.

Dave Bittner: Yeah.

Joe Carrigan: I mean, this is where it's going. We've been talking about this for about a year now, and now we're starting to see it happening. So I -- I'll say this again. Even though John thinks this is anecdotal, I think that, in time, this will be much more than anecdotal. John proposes the same three-pronged defense that I always talk about. It's people, policy, and tech. And policy is the one that's going to protect you against the -- the financial scams like the payroll redirection.

Dave Bittner: Right.

Joe Carrigan: If you're a company and you get scammed into sending someone's paycheck to a scammer, chances are, in every court, at least around America, you're going to be responsible for still paying the employee. That's your loss.

Dave Bittner: Yeah.

Joe Carrigan: Right? So --

Dave Bittner: It's also the right thing to do.

Joe Carrigan: Yeah, well, Dave --

Dave Bittner: I'm just saying. You know?

Joe Carrigan: It -- it is the right thing to do.

Dave Bittner: How quaint. How quaint.

Joe Carrigan: How quaint.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: But, you know, you really want to prevent that from happening. You don't want to -- you don't want to be funding these scammers with your payroll money.

Dave Bittner: Yeah.

Joe Carrigan: 'Cause that also jeopardizes your ability to function as a business when payroll is the biggest expense of any business. And when somebody is diverting a portion of that to their own good without you getting any benefit, it's bad. I don't need to explain why this is bad. Right? This should be obvious on its face.

Dave Bittner: Yeah.

Joe Carrigan: So -- here, policy is your best protection. It's best to have something where you say to somebody who says I need to change my direct deposit, you go that's fine. Log into your portal. Or that's fine -- come into my office. I have a form for you to fill out and we'll get it done.

Dave Bittner: Right.

Joe Carrigan: Doing it over email is never acceptable for this. So make sure you have a policy that protects you against this.

Dave Bittner: Mm-hmm.

Joe Carrigan: Training for your people. That's the most important thing that you can do for your people. Make sure they know what a scam looks like so they can -- they can recognize it when they see it. And tech. Of course, have a spam filter that -- you have to have that. Right?

Dave Bittner: Yeah.

Joe Carrigan: You can't not have that.

Dave Bittner: Right.

Joe Carrigan: And then also I like the suggestion of the identity deception detection product. And John says that Fortra has one of those. And there are other ones out there as well.

Dave Bittner: Yeah.

Joe Carrigan: Again we hear -- use a password manager. John spent a good deal of time talking about that. And John touches on something that is really, really key here and we don't say enough, frankly. You should protect your email password like it's the most important password you have because everything goes back to your email. If I can compromise your email address and get access to, like, your Gmail, your Yahoo Mail, or whatever email it is that you use online, I can just go through all your messages, find out where you bank, go to that bank, enter your email, reset your password, and I'm in.

Dave Bittner: Right.

Joe Carrigan: Right? The -- the email is the keys to the kingdom, so protect that email password. And the best way to do that is with a password manager. And I would add multi-factor authentication to it.

Dave Bittner: Yeah. Absolutely.

Joe Carrigan: Yup.

Dave Bittner: All right. Well, our thanks to John Wilson for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. Our Senior Producer is Jennifer Eiben. The show is edited by Elliott Peltzman. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.