Hacking Humans 2.22.24
Ep 278 | 2.22.24

Scamming the innocent.


Dave Bittner: I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Joe Carrigan: Thank you for listening. That sounded dumb. [ Laughter ] Not you, Maria. Me. [ Laughter ]

Maria Varmazis: I was like, it's my name! What's wrong with it? [ Laughter ] [ Music ] >> Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: You got some good stories to share this week. And we are joined once again by our N2K colleague, and host of the "T-Minus" daily space podcast, Maria Varmazis. Maria.

Maria Varmazis: Hi! I'm so glad to be back yet again [laughs].

Dave Bittner: Welcome back. Welcome back.

Maria Varmazis: Thank you [laughs].

Dave Bittner: All right, we'll jump into the show right after this word from our sponsor. All right. So before we jump into our stories this week, we have some follow up here. Joe, you want to let us in on what's going on here?

Joe Carrigan: Sure. I found this on LinkedIn, courtesy of Paul Eglehoff. And it is an article from The Sun, which is a UK newspaper, but this is the U.S. edition of it.

Dave Bittner: Okay.

Joe Carrigan: And it's pretty good news. It's Walmart gift card scammers caught spending $15,000 on jewelry, big screen TVs, and lobster tails at Sam's Club.

Dave Bittner: [laughs] Okay. Sounds like somebody was going to have a party [laughs].

Joe Carrigan: Right.

Maria Varmazis: Can I come? Sounds great [laughs].

Joe Carrigan: I don't know if you want to come to this party. There are mug shots involved. So yes. We'll put a link in the show notes. It looks like they caught some of these guys doing these gift cards -- gift card scams. You know, putting the gift card back on the shelf and scamming money?

Dave Bittner: Yes.

Joe Carrigan: Which is nice. And then we had Cynthia wrote in to ask -- or to state that she was listening to the podcast about scammers calling people and acting like they were from the victim's bank. Oddly enough, I'll be talking about that again. And her husband was scammed like this, and now the bank is refusing to refund him. Any suggestions on how to respond to the bank? Yes. I don't know -- I'm assuming Cynthia that you live in the U.S. And if you do, I would call your state's attorney general office, and talk to them to see if there's anything that can be done. Failing that, go to the news media.

Dave Bittner: Yes.

Joe Carrigan: Right?

Dave Bittner: That's what I was going to say.

Joe Carrigan: Go to the news media and shame that bank. If nothing else, you'll do two things. One, you will make public the scam that happened and name the bank that did this and is not refunding you. Many times that will induce the bank to say okay, fine. We'll give you the money back.

Dave Bittner: Please make it stop.

Joe Carrigan: Right. But if nothing else, you can at least shame the bank and make other people aware of the situation.

Dave Bittner: Right.

Joe Carrigan: So if you have like, a reporter on your side, like we frequently have Mallory Sofastaii as a guest on our show, and she does these kind of stories. And your local news probably has somebody like that as well. Call them up.

Dave Bittner: Yes. I would also say, depending on how much money it was that you were scammed out of, it may or may not be worth contacting an attorney, you know, who would know what the legal responsibilities are of the bank.

Joe Carrigan: Yes.

Dave Bittner: If it's $500, it's not going to be worth getting an attorney. If it's $5,000, maybe.

Joe Carrigan: Maybe.

Dave Bittner: Yes.

Joe Carrigan: Yes. Might be worth it to have the attorney write a letter.

Dave Bittner: Right, right. All right. Well, thank you all for writing in to us. We do love to hear from you. If there's something you'd like us to consider or the show, you can email us. It's hackinghumans@N2K.com. Maria, why don't you start things off for us here today with our stories.

Maria Varmazis: Oh this is -- I'm so thrilled to be talking about this story. This one just recently dropped. It's a very new story on a website that doesn't normally talk about scams. So that's part of the reason I'm glad it's here. It's featured on this website called The Cut, which is part of New York Magazine. And The Cut is sort of, as the name might imply, is sort of a fashion and style-related website. And the story is --

Joe Carrigan: I've never heard of it.

Maria Varmazis: Yes [laughs]. No comment.

Dave Bittner: Fashionista that you are, Joe? [ Laughter ]

Maria Varmazis: So I love when I see stories about scams on websites that don't normally talk about this stuff, because those are the folks that maybe need to hear it the most. And the headline on this story was: The Day I Put $50,000 in a Shoebox and Handed It to a Stranger: I Never Thought I was the Kind Of Person to Fall for a Scam. This story has gone super viral, and it's pretty much all I can see people talking about right now, because the story is so harrowing. And the person who wrote it is a financial advice columnist. Not the typical demographic you would think of for someone who would fall for a scam that starts over the phone. She's young; she's aware of these scams and their existence. And you know, she writes about money for a living. So she figured that she's pretty savvy.

Dave Bittner: Yes.

Maria Varmazis: But this did happen to her. And another piece of color that I think is interesting is she also recorded a lot of the phone calls that she received from the scammers. So we have some direct quotes from the scammers in this really long comprehensive article, and I'll call a few of them out. But essentially, she got a cold call, incoming, from somebody saying they were from Amazon, amazon.com, Customer Service, reporting usual activity on her account. You know, did she buy a whole bunch of laptops recently, that kind of thing. And it just also so happened to be Halloween night in the United States. Big trick or treating night, very busy night, and Charlotte has a two-year-old, so she was kind of halfway out the door trying to be like I'm going to go trick or treating with my kid. This is not a good time for this phone call [sighs]. Unfortunately, she believed the fake Amazon Customer Service caller, and said no, that definitely was not me. And the scammer starts to escalate things. Oh well, looks like you've been hacked. Somebody's using your information in an unlawful way. I need to connect you to another person, to the FTC. So the scammer then connects her to the supposed FTC, and she starts talking to someone working at the FTC, supposedly, saying that not only has Charlotte's identity been stolen, she's now been linked to a number of series criminal activities including money laundering and drug trafficking. And just to make sure that Charlotte is who the FTC think she is, could she please verify the last four digits of her Social Security number, home address, and her date of birth to confirm that they have the correct information on her.

Dave Bittner: We send the wrong person to jail.

Joe Carrigan: Right.

Maria Varmazis: Right. So can you verify that you are who we think you are?

Dave Bittner: Yes.

Maria Varmazis: And Mitchell was the name of the scammer from the FTC, supposedly. And he goes on to say something like 22 bank accounts have been opened in her name, nine vehicles have been purchased for properties registered under her name, and $3 million have been wired overseas. So right now she is freaking out, because this started with an innocuous Amazon Customer Service phone call, and now the FTC is involved? Holy heck!

Joe Carrigan: Right.

Maria Varmazis: So at that point, Charlotte's starting to panic, and she is being told by the scammer -- who we know is a scammer -- the scammer's telling her, don't tell anyone about this, including your husband. Do not tell him about this, because your home is being watched. You are the suspect. And also, if you tell your husband, you could get him in trouble. So at this point, Charlotte's going, this might be a scam, but I don't know why it would be a scam. How would this be a scam? They're not asking me to tell them information. They already have information on me. And they're not telling me to divulge stuff to them. They're telling me to protect myself. It sounds like they're looking out for me.

Joe Carrigan: Right.

Maria Varmazis: So what's the play here? She couldn't figure it out. So she's taking them seriously at this point. And so at that point, the FTC supposedly has gotten everything they need out of Charlotte. And they say okay, this is really serious, because we think this is money laundering, and you're the suspect. You need to talk to the CIA. And so they pass her -- she's still on the phone -- she's being passed over to a colleague at the CIA. And he's making all sorts of claims. And this is where the urgency really kicks in.

Joe Carrigan: Now this is New York this happened?

Maria Varmazis: This is on the New York website. I don't know what state she is located in.

Joe Carrigan: Okay.

Maria Varmazis: But she is in the United States.

Joe Carrigan: Okay.

Maria Varmazis: The supposed CIA agent says your Social Security number's about to be frozen, all your assets are going to be frozen, and we need to, quote, follow protocol to catch the people who are really committing the crime under your name so we can clear you. But if we're going to do that, we have to act fast. And this is where I'm so glad she recorded the call, because this quote is chilling. And the scammer said, if you talk to an attorney, I cannot help you anymore. You will be considered non-cooperative. Your home will be raided, and your assets will be seized. You may be arrested. It's your choice.

Joe Carrigan: Right.

Dave Bittner: Wow.

Maria Varmazis: Just -- I'm reading this article, and my blood just ran cold, because earlier in this call they verified they know where she lives. So this went from we're verifying your information to we are now threatening you.

Joe Carrigan: Right.

Maria Varmazis: I'm freaking out on her behalf, frankly.

Joe Carrigan: Yes! Yes! You're experiencing part of the exact same physiological response as she did.

Maria Varmazis: Yes! She's being threatened. She's being actively threatened. This is quite scary. And in the back of her mind, on top of all of this, like, I don't need this right now is also, what are people going to think of me? What are my neighbors going to think of me if they see my house being raided on Halloween night! I've got a two-year-old who just wants to go trick or treat in the neighborhood. She's thinking also, I still think there's a scam here, but I still can't figure out what it would be. So she starts thinking what I think anybody in her situation would do. I need proof that you guys are who you say you are. And good for her for doing that. And they go, well, that's easy. So they send her a picture of their badge. And she goes, well, that's easy for you to fake. That's definitely not enough. And the scammer says, okay, if you don't believe me, that I'm actually from the government, you look up the number of the FTC right now. And hang up. You can just stop talking to me right now, and she does that. And then they call her immediately from that number that she found on that FTC website. And she thinks to herself, okay, this has got to be legit, and the scammer said it's a government number. It cannot be spoofed.

Joe Carrigan: That's incorrect.

Maria Varmazis: Yes. People don't know that. People don't know that. Yes, yes. That's sort of where you start going, I don't know how many people are aware that that's not true. So at this point, I'm thinking, she's got a husband, has she told him what's going on? Because I don't know about you, but if something's going on that is serious, I tend to want to tell somebody. Just to go, you know, sanity check. What's happening? The scammer reiterates that she cannot tell her husband anything that's going on. And he says this, you must reassure him that everything is fine. In many case like this, we have to investigate the spouse, and the less he knows, the less he is implicated. From now on, you have to follow protocol if you want us to help you. And she says, I don't think I should lie to my husband. And the scammer replies, you are being investigated for major federal crimes. By keeping your husband out of this you are protecting him. So -- just like -- we know that this is a scam, so we hearing this and we're just going this is a bald-face lie. It's so bold.

Joe Carrigan: Right. But what I'm thinking about this more is just how vile this is

Maria Varmazis: Yes.

Joe Carrigan: This isolation tactic here is what they're doing, is not part of every single social engineering attack, but it's a part of a lot of them. And usually when they happen, they're pretty aggressive like this.

Maria Varmazis: Yes, yes. And this continues. Eventually the scam sort of reveals itself, what they're after. It's money. No big surprise. The play is something like well, there's money laundering here, so you need to withdraw a large amount of cash, because you're probably going to be on trial for a long time, and while that happens, your assets will be frozen. So go to the bank right now, withdraw $50,000 in cash, because you're going to need to live off of that for some time. And again, the scammer is -- and this is such a great quote: You need to go to the bank and get that cash out now. You cannot tell them what it is for. In one of my last cases -- this guy is pretending to be helping her -- the identity thief was someone who worked at the bank. So --

Dave Bittner: Oh, wow.

Maria Varmazis: Right? So we know that many times, banks when they see someone coming in and withdrawing a large amount of cash, they'll say hey, is somebody putting you up to this? You know, they know to look for this. So now the scammers are sort of responding, don't tell them what it's for, because they could be in on it. I mean, it's absolutely mental. Trust no one, really. And he also insisted don't tell the police, don't get an attorney. Under basically the not-so-veiled threat that this is just going to cause more problems for you. So here's where I should mention, how long do you think she was on the phone for with these guys?

Dave Bittner: And this is all happening on Halloween night?

Maria Varmazis: Halloween night. I don't know how -- how long do you think she was doing this for, because I'm curious how long you thought this takes.

Dave Bittner: A few hours?

Maria Varmazis: Yes. She was on the phone with him for five hours. Or rather, they had her on the phone for five hours. She is just completely exhausted at this point.

Joe Carrigan: Yes, they wear her down.

Maria Varmazis: And she's terrified. They completely wore her down. And she followed their instructions, and lo and behold, around 6:00 that night, an SUV pulls up to her house, and she hands this cash in a box to the person in the SUV. And of course, she realizes pretty much immediately after that it was all a fraud and the regret sets in. And it's devastating for her. I mean, it's a lot of money.

Joe Carrigan: Yes, it is.

Maria Varmazis: I mean, it's certainly a lot of money. But when she was looking back on it over time, as she was writing this piece, because she wanted to tell people like hey, this happened to me. It's amazing how it was -- I gave a very summarized version of what happened. The whole article's pretty harrowing. It's just these little drops of threats and little escalations at a time. They never make a huge jump. It's little by little, like little water drops.

Joe Carrigan: Right.

Maria Varmazis: And then they use real proof points to sort of inject some fear. Classic false urgency, perceived authority, secrecy, and then blatant threats at one point.

Joe Carrigan: Right.

Maria Varmazis: And then it just ups the ante over time, slowly until it just -- handing a stranger, in a shoebox, $50,000 in cash seems like the obvious logical course of action here.

Joe Carrigan: Yes, it's like boiling a frog, they say, right?

Maria Varmazis: That is exactly -- hat's exactly it. And I think to some degree, you know, they did get lucky that they called her at a really bad time, where she was just a bit preoccupied.

Joe Carrigan: Right.

Maria Varmazis: But she wrote this piece basically saying I never in a million years would have thought this would happen to me. I would have thought I'm the last person to fall for this, and the comments, many of them were basically saying how on Earth could you fall for this, but that's the thing, people do.

Joe Carrigan: Those comments are invalid, "how could you fall for this?" Because you don't understand what this is like until you've been through it. These guys are really good at ratcheting up the fear. And what they're inducing is the fight or flight response, and they're shutting down your rational capacity for thought. They're just literally stopping it by inducing this fight or flight. What happens is your amygdala fires off a signal to your adrenal glands, it pumps your blood full of adrenaline, and then you ignore all the subtle inputs that are going on.

Maria Varmazis: Yes.

Joe Carrigan: Even that little voice in the back of your head that says this is probably a scam. You say, but what if it isn't, you know?

Maria Varmazis: Yes. What if it isn't. And like, what's the take? Until they reveal the 50K, which was hours into this conversation, it just seemed that they were helping her. So you know, they were trying to keep her from getting arrested and charged with a federal crime. They're on her side. They have all this information on her. Like what on Earth could they possibly want?

Dave Bittner: And even the 50K is framed in such a way that they're trying to help her. You're going to need this one to survive. I'm doing you a favor by getting this money out of the government's hands.

Maria Varmazis: Yes. Yes. It's absolutely amazing. It's a fantastic read. As I said, I just gave a summary version. There's a lot more to it. But I just wanted to say kudos to Charlotte for sharing her story, because this is -- I mean, nobody's happy to reveal that this happens to them. But I hope that this will reach a lot of people who might need to hear it. And it's a good reminder for all of us. These scams are quite sophisticated, so you think it couldn't happen to us, it could.

Joe Carrigan: Right.

Dave Bittner: I'm trying to imagine -- and I'm in no way, you know, blaming or shaming the victim, but I'm trying to imagine my wife response to me being on the phone for five hours.

Joe Carrigan: Yes.

Dave Bittner: Right? [ Laughter ]

Maria Varmazis: And throughout the story, it's interesting, her husband knows something is up, and she just kind of, oh I'm just dealing with this thing. Don't worry about it, honey.

Dave Bittner: I see. Right, right, right.

Maria Varmazis: He knows -- I mean I think any spouse would notice when you've been on the phone for five hours.

Dave Bittner: Yes.

Maria Varmazis: But she keeps telling him, because she's been compelled to by the scammers, just tell him everything's okay, because she thinks she's protecting her husband.

Dave Bittner: Right.

Maria Varmazis: So it's so manipulative. It's -- man, my heart just broke reading it. But it was also a great read. So highly recommend.

Dave Bittner: Yes. Well, I will check that out. Wow. All right, well let's move on to my story this week. This actually comes from one of our listeners who is a regular contributor and friend of the show, but they prefer to remain anonymous. So we will respect that. But I'll just say I know who this person is, and know their credentials, and I vouch for their credibility [laughs] so. This person writes in, and I'm going to read most of what they've written in here, and then we can talk about it. So feel free to interject as we go, or we can talk about it at the end. This person writes and says, I'm always astounded by how many younger folks I see who get themselves easily crypto-scammed on Telegram. So I decided to get on Telegram last night and put myself out there for a while to see what if anything would happen. Didn't take too long of perusing some crime groups for someone to reach out to me. Let me just pause here and say that I have not been on Telegram. There are crime groups?

Maria Varmazis: Oh, there's everything. It's -- Telegram reminds me a lot of sort of the weird parts of Craig's List, where it's just so -- weird [laughs].

Dave Bittner: Okay.

Maria Varmazis: And seedy. You can use it for good purposes, but there's also a lot of really gross stuff.

Dave Bittner: I don't think I've ever been on Telegram, come to think of it.

Maria Varmazis: Oh, you're missing out, Dave [laughs].

Dave Bittner: You know, reading this story, I think I'm good. [ Laughter ] So they go on, and they say my goal was to let a scammer run their game, so I could see the first movement when I would actually be in a position to move beyond mere words and conversation. Something substantive where I could verify an aspect of a scam. His story was that he's in a country where his Bitcoin was stuck on crypto exchange, because crypto is banned in his country. He needed somebody who wasn't from his unspecified country to do the withdrawal for him, and then he would give me 10% if I could help him. Joe?

Joe Carrigan: Yes?

Dave Bittner: What's the scam?

Joe Carrigan: This is an advance fee scam. So he's going to send you to some crypto exchange, and you're going to see that there's a bunch of crypto currency in it, and then you're going to try to make a withdrawal and it's going to say, well first, enter your credit card number and then we'll charge you 20 bucks to make this withdrawal. Is that right?

Dave Bittner: It's not that far off. I will continue.

Joe Carrigan: Okay.

Dave Bittner: They write, so I played along, and he eventually got to the point of sending me the below screenshot of his supposed crypto account with $10,198 in it. Well, at this point, I was able to actually do some verification. A simple whois check of the domain shows that it was registered on January 27, 2024. So two weeks ago, right? And then the domain is flipnswap. The word flip, the letter N, and the word swap, which -- I don't know about you all, that gives me a bunch of confidence that I want to do major financial -- [ Multiple speakers ]

Joe Carrigan: That sounds exactly like some site that a crypto bro would set up.

Dave Bittner: Actually, you know, what Joe? That's a great point. It really does. It really does. So this person says this in and of itself is 99.999 prima facie evidence of a crypto scam operation. All the info you need to know is present right then and there. Yet so many young folks simply do not know to do this, or are consumed with excessive misplaced trust and greed, and simply don't do it. And they wind up getting themselves sucked into a scam. They write, I did not let it play out, but what the dude wanted me to do was to create an account on this flipnswap, a bogus online crypto exchange account, completely controlled by the scammer. My guess is that in order to create an active account, I would have put some crypto in it, possibly Bitcoin, and the bro would have simply have gobbled up whatever I put in. Yes, that makes sense.

Maria Varmazis: Yes.

Dave Bittner: So what we've got here is a website that was created by the scammer that's made to look like a legitimate crypto exchange, I guess.

Joe Carrigan: Right.

Dave Bittner: And this listener did send in a screenshot, and I mean -- [sighs] well I guess I'll just go ahead and be snarky, I mean, it looks as legit as any crypto exchange looks. [ Laughter ] [ Multiple speakers ]

Maria Varmazis: And there's the problem.

Dave Bittner: Yes. So -- but Joe, I mean, to your point that, yes, they're going to require you to put in some money to create your account and you know --

Joe Carrigan: That's gone.

Dave Bittner: Yes. Zip.

Joe Carrigan: Whatever you give is gone.

Dave Bittner: Right? Absolutely. All right, well our thanks to our listener for sending that in. I think this is an interesting little cautionary tale so for those of you who are out there frequenting the crime groups on Telegram, first of all shame on you. [ Laughter ]

Joe Carrigan: I'm going to see if I can get into some of these crime -- no, I'm not going to do it. I don't have time for this.

Dave Bittner: You know what's going to happen? Next week, Joe's going to come in, Dave, I never thought it would happen to me.

Joe Carrigan: I lost all my crypto, Dave. [ Laughter ]

Dave Bittner: I'm living in a cardboard box -- [ Laughter ] Under the bridge down by the river. [ Multiple speakers ] I thought I was going to be rich. Rich, I say! Rich! It seemed so logical at the time. All right.

Maria Varmazis: Can you flipnswap?

Dave Bittner: Right, exactly. I both flipnswap coins and I thought I was going to get in on the ground floor, Dave. The ground floor!

Joe Carrigan: Well, I told you about when I became a crypto millionaire, right? When I bought a million Shiba Inu?

Dave Bittner: That's right.

Joe Carrigan: For like 20 bucks. Now it's worth, like, 11.

Dave Bittner: There you go.

Joe Carrigan: I'm still a crypto millionaire, because I still have a million of them.

Dave Bittner: You're adorable, Joe.

Joe Carrigan: They're worthless.

Dave Bittner: You're adorable. Yes. All right, well that is my story this week. And before we get to Joe's story, I tell you what, let's take a quick break to hear a message from our sponsor. [ Music ] All right. We are back. Joe, what do you have for us this week?

Joe Carrigan: Dave, I have two of them. Because the first one's really short.

Dave Bittner: Okay.

Joe Carrigan: It's from a listener named Heather, and she says a friend of hers works at a crypto -- not a crypto currency. You got crypto exchanges on my brain, Dave. [ Laughter ] Works as a U.S. defense contractor, and they put a job posting up, and they got three remarkably similar resumes from three remarkably similar email addresses at the same email provider.

Dave Bittner: Okay.

Joe Carrigan: So they noticed this and it turns out that what they were trying to do, what they think was trying -- going on here was somebody was trying to just get an interview so they could ask a bunch of questions. Like this is an intelligence operation. And the company, they flagged these resumes and reported it to the appropriate security authorities, which you have to do as part of your requirement for having a secure facility, and holding clearances, and stuff like that. When you see something like this, you have to let the counterintelligence people know that this is happening. It doesn't look like they gave anything up, so -- but my statement on this is that if you work at a defense contractor, look out for this kind of stuff.

Dave Bittner: Well, help me understand here.

Joe Carrigan: Okay.

Dave Bittner: So the scam is that -- so let's say that I'm the scammer.

Joe Carrigan: Right.

Dave Bittner: And I send in my resume --

Joe Carrigan: First off, you work for a foreign intelligence, or some kind of -- you want to gather intelligence.

Dave Bittner: Right, right, right. So --

Joe Carrigan: So you get on some job site, and you say yes, I have a clearance. And I'm going to apply to -- let's say it's Northrop Grumman.

Dave Bittner: Sure.

Joe Carrigan: That's not the company. Yes. That's just the first one that popped into my head.

Dave Bittner: Sure. So I reach out with my stellar resume and my goal is to get in a room with these people so that --

Joe Carrigan: Or get on a phone call.

Dave Bittner: Okay.

Maria Varmazis: Oh, a phone call. Okay. I was going to say, wouldn't they notice it's the same person three times?

Dave Bittner: Yes.

Maria Varmazis: Yes.

Dave Bittner: So I can say tell me about the projects that I'd be working on?

Joe Carrigan: Yes, exactly.

Dave Bittner: Oh. Okay.

Joe Carrigan: Exactly.

Dave Biter: And so for the people who are part of this espionage operation, it lets them suss out which contractors are working on which projects.

Joe Carrigan: Exactly. Exactly. It can provide information on where they should focus their cyber operations.

Dave Bittner: Right.

Joe Carrigan: It can provide information about maybe some projects that aren't even known, right?

Dave Bittner: Yes.

Joe Carrigan: So this was kind of a really hackneyed attempt, and it is a common technique. In fact, that's what the security folks told this contractor. But I'll pretty much guarantee that this is often executed much better. That there are -- that this has been successful in the past, in getting operatives on the phone with contractors.

Dave Bittner: Yes, I would say just by virtue of the fact that they're still trying, it means that it must work sometimes.

Joe Carrigan: Yes.

Dave Bittner: Interesting.

Maria Varmazis: Wow.

Joe Carrigan: So that's a word of caution for this one.

Maria Varmazis: What a dilemma for a hiring manager, though, how much you can actually disclose in an interview process.

Joe Carrigan: Right.

Dave Bittner: Right, right, right.

Joe Carrigan: And that's an excellent point, Maria. And the -- there's really not a lot you can disclose in these hiring processes. Until the -- well, actually you can't disclose anything classified until the person's cleared, and then briefed in on the project.

Maria Varmazis: Oh, of course.

Joe Carrigan: So there is a process that protects against this, but they're looking at more of the -- I wouldn't say it's open source intelligence, but it's probably not classified.

Maria Varmazis: Yes.

Joe Carrigan: These guys are aggregating this information on the back end.

Dave Bittner: This reminds me of something I saw -- this is not directly related to this, but it's funny, so I'll share.

Joe Carrigan: Okay.

Dave Bittner: Someone was saying that if you have a gap in your resume, or a gap in your work experience, you know, let's say you took a few years to raise some kids, or you took a break, or you had -- you know, you needed some time off for mental health, or whatever. And people -- and then you're out there looking for a new job, and people ask you to explain the gap in your employment, that you should simply say, I'm sorry, I'm not at liberty to divulge what that break was about.

Maria Varmazis: [laughs] Yes, there you go.

Dave Bittner: And if they push you, you can say I'm sorry, but I honor nondisclosure agreements.

Maria Varmazis: There you go.

Dave Bittner: So I'm not at liberty to say what I was doing.

Maria Varmazis: Well, it reminds me of the inverse. There's sort of an inverse hack that sometimes really cheap companies will do where they'll interview a bunch of specialists. And they'll have them work on a project as part of the interview process, and then never hire any of those people.

Dave Bittner: Oh yes. Yes.

Maria Varmazis: [laughs] So it's like this is a flip of that.

Dave Bittner: Right, exactly. Listen, Bob, we're going to see how good you are at assembling a Boeing 707. [ Laughter ] For the next several weeks, this is just your test to see how you do. And then --

Maria Varmazis: Yes. To really impress us, maybe we'll hire you, put bullets on that door frame panel thing [laughs].

Dave Bittner: Right, right. Exactly. Joe, what's your other story here?

Joe Carrigan: My other story comes from Rob Low, no "e" on this one, at KDVR out in Denver. And we'll put a link in the show notes. This is a story about a phishing attack to the one we talked about with Andy Cohen a couple of weeks ago.

Maria Varmazis: Oh yes, yes.

Joe Carrigan: And this was at Chase Bank, and there's a couple from Golden, Colorado. Their names are Scott and Kate Zoll, Z-o-l-l, and they were victims in this attack, and they lost $137,000. So these are two social engineering attacks that we've heard of today with financial losses. And we're already pushing 200 grand. So it's -- this has real impact. But it started with the same text message that Andy had, Andy Cohen had. And it was like, are you trying to transfer 2500 bucks? And the first thing Scott does is he calls his local branch of Chase. And they give him the number to the fraud department. But then Scott -- and he knows this was a mistake now, and he openly says that -- he says, I replied to the text saying no, I didn't authorized that. And the scammer immediately responds via text, saying someone will be in touch with you from our fraud department. And Scott gets a phone call and again, it looks like it's coming from Chase's fraud department. It looks like it's coming from the number that the person at the branch just gave him.

Maria Varmazis: The second time we've seen that today! That --

Joe Carrigan: Yes. Wow.

Maria Varmazis: Geez.

Joe Carrigan: Those phone numbers can be easily spoofed, apparently, right? I don't know how they do it, but they do it. So he starts talking with this department, these scammers, thinking they're the fraud department. And what happens is, the call drops, right, because of the technology. Something happens and the call drops. So Scott calls Chase back on the actual fraud number. And when he gets the actual fraud team, they have no idea what he's talking about, right? "We haven't talked to you about this." And Scott gets frustrated, and while he's on the phone with the fraud department, the scammers call back from the fraud department's number, and Scott answers that call and says, oh these are the right people. They know about the case that I'm working.

Maria Varmazis: Oh, no.

Joe Carrigan: Right? So the rest of the scam is very similar to what happened with Andy Cohen, and they eventually started sending him the text messages that allowed them to transfer out this money, and they took $137,000 out of his personal and business accounts. Now here's my take on this. I think Chase has some culpability here, okay? Because Scott called his branch, and they should have known that this was the beginning of a scam, and rather than just telling him to call the fraud department, they should have done something to secure his account. Make sure there weren't any transfers happening until this was sorted out. And then he actually got in touch with the actual fraud department. He did call into the fraud department, and nobody there recognized that he was in the midst of a scam.

Maria Varmazis: Yes.

Joe Carrigan: They were like, we don't have any record of this, and it never dawned on anybody there to go, hold on, hold on. Somebody --

Maria Varmazis: Everything will be fine. We're calling for no reason.

Joe Carrigan: Yes. These guys should have known this. So I'm thinking that the Zolls have a pretty good case here against Chase to get this money back as opposed to somebody who was, you know, did everything the scammer said and, you know, didn't inform the bank of anything. Didn't try to make any effort to inform the bank of anything.

Dave Bittner: Right.

Joe Carrigan: And lo and behold, they're out 50 grand. But these folks made two phone calls into Chase to say I'm worried about a fraud situation on my account, and they still allowed $137,000 to be transferred out.

Dave Bittner: You'd think that, like, the moment somebody engages with the fraud department, or even calls your branch, like there should be some kind of rate limiting that happens.

Joe Carrigan: Right.

Dave Bittner: You know? Like you can only -- you know, you can only pull out so much until we verify something or other. I don't know. I'm not sure how -- I'm with you, Joe. It seems crazy that with as much contact as these folks had with the bank, that nothing was flagged, when all of a sudden, over $100,000 was pulled from their accounts.

Joe Carrigan: Right.

Maria Varmazis: Yes. Nobody tapped the brakes at all, at any point.

Joe Carrigan: Yes.

Maria Varmazis: That is odd.

Joe Carrigan: Yes.

Maria Varmazis: Wow.

Dave Bittner: And this whole thing about whether or not the banks are liable, you know, and I know there are different rules here in the U.S. versus in the UK and elsewhere, and it's my understanding that a big part of this is whether or not the bank was simply doing what you requested them to do. In other words, if a scammer calls me up and convinces me to withdraw the money, and I go go the bank and say I want to withdraw my money and the bank gives me my money, the bank's just doing what I asked, and I'm the legitimate person who can ask for my money. And so in that case, the bank is not liable. Versus if the scammer were able to convince the bank that they were me. Because in that case, the bank had substandard security, let's say, hypothetically.

Maria Varmazis: Right.

Joe Carrigan: Right.

Dave Bittner: And so then they could be on the hook for some of the money. But that's a broad-stroke description. I'm sure I'm missing some of the nuance, and if there's somebody who's listening who actually works in the banking industry and can give us a real precise description of where we stand when it comes to policy on this thing, we would love to hear it.

Joe Carrigan: Right. And like you said earlier, it depends on how much money you've lost -- $137,000, I would be in touch with an attorney.

Maria Varmazis: Yes.

Dave Bittner: Yes.

Maria Varmazis: For sure.

Dave Bittner: Absolutely. All right, well those are our stories this week. Joe it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ] [ Music ]

Joe Carrigan: Dave, our Catch of the Day is a new first. This is going to be a video Catch of the Day, which unfortunately for our listeners, there will be video along with it, but --

Dave Bittner: For our listeners, it will be an audio.

Joe Carrigan: It will be an audio Catch of the Day, but there is video.

Dave Bittner: Right [laughs].

Joe Carrigan: But it comes from Thomas who writes, I heard your recent episode on AI videos impersonating famous people, and I came across this one and thought I'd share, because it's pretty awesome. And it seems legit is what it says.

AI Tucker Carlson: Hey everyone, I'm Tucker Carlson. You're lucky if you're watching this, because I'm going to make you rich, right at this moment, instantly. And no, this isn't a joke. I'm not going to reveal much details, but if you are a holder of Bitcoin or Ethereum, this will be the happiest day of your life. I can assure that. Scan the QR code below at the bottom of this video now. 2023 was a wild year. I was fired by Fox, which is now a good thing. A lot has changed since then. I moved to X and launched my show, Tucker on X, which generates hundred times more views for my episodes than I had on Fox. Thank you for being with me through all these times. And this is my way of thanking to you all. See you soon, and don't forget to watch my interview with Putin.

Maria Varmazis: Wow.

Dave Bittner: Something for everyone in that.

Maria Varmazis: Wow!

Joe Carrigan: Now the thing is, that the facial expressions on that are actually pretty good.

Dave Bittner: So before we dig too much in here, Joe, for -- because our podcast listeners don't get to see the visuals.

Joe Carrigan: Right.

Dave Bittner: What are they looking at here?

Joe Carrigan: They're just looking at a fake video of Tucker Carlson from the chest up. Now Tucker Carlson is a former Fox News, one of the pontificators that they have on.

Dave Bittner: Yes.

Joe Carrigan: And they fired him after they lost the case with Dominion Voting.

Dave Bittner: Right.

Joe Carrigan: I don't know if it was related to that or not.

Dave Bittner: Couldn't have helped.

Joe Carrigan: Couldn't have helped [laughs]. But now he's on -- now he has a show on X apparently. I don't know. I stay off the social media as much as I can.

Dave Bittner: Yes.

Joe Carrigan: With the exception lately, I've been more active on Linked In.

Dave Bittner: But it's safe to say Tucker Carlson is a well-known celebrity.

Joe Carrigan: Well-known celebrity.

Dave Bittner: And he is somebody that a lot of people trust.

Joe Carrigan: Yes.

Dave Bittner: So when he says to do something, or to trust something, or that he's going to be generous and share something, there are a lot of people who will take that to heart and do what he says.

Joe Carrigan: Yes, absolutely. And they're going to get victimized by whatever is in that URL and that barcode that shows up on the screen for about 30 seconds.

Dave Bittner: Right.

Maria Varmazis: Yes. It looks like his real TV set, too. It's not just like, him against a white backdrop. It looks legit. It's got, like, the lower third. The whole thing. It looks very real.

Joe Carrigan: Right. And the thing I will say about it is, it does kind of look a little bit like a mannequin of Tucker Carlson. It doesn't really look exactly like Tucker Carlson.

Dave Bittner: It's like a Tucker Carlson ventriloquist dummy.

Joe Carrigan: Right. [ Laughter ] I could see me looking at that and going, well, it's because of the poor quality of the video.

Dave Bittner: Yes.

Joe Carrigan: But also there's some really bad text in the -- that was entered in there as well. You know, hundred times more views. Watch my interview with Putin.

Maria Varmazis: [laughs] Yes, there's some weird grammar going on in what he's saying.

Joe Carrigan: There's some weird grammar in there.

Dave Bittner: Yes.

Joe Carrigan: So there's some minor stuff. But this is by and large, I think it's pretty good. You know, I've heard what Tucker Carlson sounds like. I'm not a regular watcher of his or any of those shows.

Dave Bittner: Yes.

Joe Carrigan: Anybody's shows, particularly. The last thing -- I've said it over and over again. The last thing I want to hear is somebody else's opinion. So I really don't read or look at --

Dave Bittner: When you have so many of your own to share.

Joe Carrigan: Right. [ Laughter ] I want news. When I'm reading a newspaper, I don't even go to the opinion page. I don't care what your opinion is. I want to know what the news is. And these shows on Fox and CNN, all those shows after the newscast are just opinion shows. And people treat them like news. This is a different problem that I'm getting into. But they're not news; they're opinion. They're all opinion. So I don't watch those. But I know what he sounds like. As far as I can tell, sounds pretty close.

Dave Bittner: Yes.

Joe Carrigan: Sounds a little robotic, but sounds pretty close.

Dave Bittner: Yes. And these things are only going to get better.

Joe Carrigan: Yes.

Dave Bittner: Like --

Joe Carrigan: They are.

Maria Varmazis: There you go. Yes, and if you --

Dave Bittner: Go ahead, Maria.

Maria Varmazis: Yes, if you're scrolling on your phone -- I was noticing this is a screen share from someone's phone, I've seen these kinds of ads, like the Tucker Carlson one, I've seen them on Instagram. And I'm sure Meta is squashing the all the time, but they keep adding different -- yes. And you know, you're just quickly scrolling through. You're not really paying much attention. It's on a tiny screen. It's easy to over -- hey, he looks a little robotic, but you know, it --

Joe Carrigan: Yes.

Maria Varmazis: If you're into what he's saying, you're probably going to ignore a lot of those signals.

Joe Carrigan: Yes.

Dave Bittner: And also, you're overtaken by greed.

Joe Carrigan: Yes.

Dave Bittner: Right? [ Laughter ] I mean, which is real. It's the same thing -- we talked earlier on the show about people being overtaken with fear.

Joe Carrigan: Right.

Dave Bittner: And it's the same thing, that impulsive greed can take over your rational thinking.

Joe Carrigan: Yes.

Dave Bittner: And make you want to ignore the obvious signs that there's something up with this.

Joe Carrigan: So a couple weeks ago, we were talking about actually Taylor Swift and the Le Creuset pots. Somebody was doing a Le Creuset giveaway.

Dave Bittner: Yes.

Joe Carrigan: Using Taylor Swift ads, fake Taylor Swift to talk about the pots. And no matter how many times the ads got reported to Meta, they kept showing up.

Dave Bittner: Oh yes.

Maria Varmazis: I keep seeing them now.

Joe Carrigan: They came back time and time again.

Maria Varmazis: I still see them.

Joe Carrigan: Yes. You still see them, the ones with Taylor Swift?

Maria Varmazis: Yes! I do! I've seen a whole bunch of different Taylor Swift. And not even just the Le Creuset ones. I've seen a bunch of different variations on it. Anything with Taylor Swift. She's very easy to -- I'm not a Swiftie. I just know who she is. Like, she's very easy to replicate with AI. She's everywhere. So I've seen all sorts of different things. Like different giveaways. It's everywhere.

Dave Bittner: Yes. By the way, I met Tucker Carlson once.

Joe Carrigan: Did you?

Dave Bittner: Yes.

Maria Varmazis: I'm sorry to hear that. I mean --

Dave Bittner: So this was long -- before he had his show at Fox. And he was the keynote speaker at a charity event that I was the emcee of. So I actually introduced him, you know, shook his hand. Had a chance to chat with him a little bit. And you know, again, this was a long time, this was before he was at Fox, and so he was not -- he had not yet evolved into the Tucker that we know and love today.

Joe Carrigan: Right.

Dave Bittner: And he was quite pleasant, you know? It seemed -- I had no problem with him one-on-one. So for what it's worth, seemed like a nice guy at the time, but you know, can't say I'm a fan anymore. But there you go. My brush with the fame that is Tucker Carlson.

Maria Varmazis: You knew him when.

Dave Bittner: I did [laughs]. Exactly. Right.

Maria Varmazis: Yes.

Dave Bittner: Haven't washed my hand since.

Maria Varmazis: Oh. [ Laughter ]

Joe Carrigan: When Dave goes into the bathroom, and it says employees must wash hands, he disregards the sign.

Dave Bittner: I just wash my left hand, because Tucker has touched my right. [ Laughter ] All right. Well, with that, we're going to wrap things up. Thank you, Maria, for joining us here. And we are going to try to make it a regular thing here. I know we can't have you back every week, but we're going try to get you back as much as your scheduled allows. We do appreciate you taking the time for us. It's always great.

Maria Varmazis: It's my joy to be here. I thank you both. I appreciate it a lot. [ Music ]

Dave Bittner: Our thanks to all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. Our executive producer's Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening [ Music ]