Hacking Humans 3.28.24
Ep 283 | 3.28.24

Exploring emerging trends in online scamming.


Because I think a lot of these people deep down, they do suspect, "Well, maybe it is a scam because it is a little bit strange that he's never come around to visit, and he's never telephoned me, and he's never done a Zoom call, and he's always -- he hasn't got enough money for his flight back home," but there's that tiny chance that it's true.

Dave Bittner: Hello, everyone, and welcome to N2K's CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines, and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, the illustrious, the one and only, Graham Cluley from Smashing Security joins me to talk about some of the trends that he's been tracking in online scams.

Joe Carrigan: Graham, if you're listening, I'm the one that called you illustrious.

Dave Bittner: We'll be right back. [ Music ] All right, Joe, before we dig into our stories here, we have a little bit of follow up. So--

Joe Carrigan: We do indeed.

Dave Bittner: I don't know, I think it was a couple of episodes ago, you and I were talking about oxygen--

Joe Carrigan: Right.

Dave Bittner: -and we were wondering why oxygen requires a prescription here in the U.S, anyway.

Joe Carrigan: Yes.

Dave Bittner: As it is so readily available. It's practically in the air we breathe.

Joe Carrigan: It is in the air we breathe. In fact, Dave, there's some oxygen right there.

Dave Bittner: There you go. So--

Joe Carrigan: Why do you need a prescription for that, Dave?

Dave Bittner: -we had a couple people write in about this, but -- and I do appreciate that. Thank you, everyone for sending in the information, but even better than that, one of my N2K colleagues here, Gina Johnson, joined me because she knew all about what goes on and why you need a prescription for oxygen. So, here's my conversation with Gina Johnson. [ Music ] So, I am joined here by Gina Johnson, who works with me here at N2K, CyberWire. She is in our Operations Department, with that team, making sure that all the stuff happens behind the scenes in the ways that it should happen. Gina, thank you for joining us.

Gina Johnson: Thanks, Dave. It's great to be here.

Dave Bittner: So, in our recent episode, Joe and I were wondering, and mostly Joe was wondering, why do we need a prescription for oxygen. And you heard that episode and you got in touch with me behind the scenes and said, "Ah-ha, I have an answer." So, what is the answer here? Why a prescription for oxygen?

Gina Johnson: So, it does seem silly that you would need a prescription for--

Dave Bittner: Right.

Gina Johnson: -air. But oxygen is considered a medication by the FDA, and there's a reason for this. When you breathe, you breathe in room air and oxygen makes up about 21% of that.

Dave Bittner: Okay.

Gina Johnson: In the ordinary course of events, your body knows what to do with that 21% oxygen that you're taking in.

Dave Bittner: Right.

Gina Johnson: People who need oxygen therapy, need it because their body isn't utilizing the oxygen or can't process the oxygen out of the air appropriately. And when that happens, your brain sort of becomes used to that oxygen deprivation. So, your oxygen requirements are -- they seem greater, but they're a little bit less. Oxygen supplementation comes with a whole bunch of risks, and one of those is oxygen toxicity that causes a lot of nasty things. It ultimately can lead to brain damage. So, when you're prescribed this oxygen therapy, you're prescribed it at a specific rate. When you get oxygen supplementation, a lot of people get things like oxygen tanks. You see people carrying them around.

Dave Bittner: Right.

Gina Johnson: You described that your mother needed a oxygen concentrator, which just pulls that oxygen out of the room air, concentrates it and delivers it purely to the patient. Everybody's requirements are different. You may have noticed that there are settings on the concentrators that deliver a certain flow rate per minute. You need to have that dialed in. And you can't just do that, you know, coming off the street and saying, "Hey, I need a tank of oxygen."

Dave Bittner: Right, okay.

Gina Johnson: So, these things are delivered through companies that are contracted with a hospital or a healthcare system, through durable medical equipment, and it comes with this long list of things that you need to do, do's and don'ts like, "Don't smoke around your oxygen tank."

Dave Bittner: Right.

Gina Johnson: "Don't shut your tubing in a door. Don't let your kids play with it," things like that. Having prescriptions kind of allows for these controls.

Dave Bittner: Yes. It's interesting because I guess part of it is that the point is, it's not pure oxygen that you're getting, you know, through that mask or you know, through those little -- in other words, your body isn't ending up with a pure -- a stream of only oxygen, right? It's a mix -- it's more oxygen than you get out of air--

Gina Johnson: Correct.

Dave Bittner: -but you're still getting other stuff in there, and too much oxygen can be a bad thing.

Gina Johnson: Exactly.

Dave Bittner: Okay.

Gina Johnson: Now, in light of this conversation that we're having right now, I did notice that -- over the weekend I went to Lowe's, and saw these little -- it almost looked like a mini oxygen tank--

Dave Bittner: Yes.

Gina Johnson: -with a mask.

Dave Bittner: Yes. I mentioned that in the conversation with Joe that I saw those at Dick's Sporting Goods. They had them where you check out. And what's this?

Gina Johnson: Yes, yes. I meant to grab one just to look at it and kind of see what the deal is and how they were able to bypass these regulations with the FDA and stuff. I guess much like your multivitamin that you pick up off the shelf, they consider it a supplement. It was interesting.

Dave Bittner: Yes, because I wonder like -- you see, you know, professional athletes on the -- you know, sitting on the sidelines sucking oxygen, right? You see in airports, they'll have oxygen bars. So, there must be a little bit of loosey Goosey, or maybe look around, I don't know.

Gina Johnson: Maybe, I don't know. And I meant to try and maybe kind of spend a little bit of time over the weekend sort of looking -- taking a deeper dive, because Dave, you know me, if it's medical or biological, I am going -- I'm pulling on my nerd glasses and taking a deep dive into this stuff.

Dave Bittner: Yes.

Gina Johnson: So, I guess that's going to be my homework for the week, and I'm going to follow up this follow up--

Dave Bittner: Okay. Fair enough.

Gina Johnson: -to say -- see why the heck you can buy oxygen tanks at Dick's Sporting Goods and Lowe's.

Dave Bittner: Right, right. Yes. It's interesting. I wonder if it's, you know, or medical grade or not, you know? If that makes all the difference in the world.

Gina Johnson: I very highly doubt it. I suspect maybe it's you know, got some other components into it that makes it not pure oxygen, but--

Dave Bittner: Right, right.

Gina Johnson: - it stuck out to me. But yes, the long and short of it is, is that you know, oxygen in any respect in any respect is not something to be trifled with, and you know, doctors want to make sure that the patients who do need it are getting it appropriately and it's not going to cause harm to them.

Dave Bittner: Yes. All right, well Gina Johnson, thank you so much for stopping by the studio to help give us a better understanding of what's going on here.

Gina Johnson: Thanks for having me. [ Music ]

Dave Bittner: All right, interesting, huh, Joe?

Joe Carrigan: Yes, oxygen toxicity.

Dave Bittner: Yes.

Joe Carrigan: Didn't even consider that. Now, I don't know why I didn't consider that. I know I'm well aware of water toxicity or water intoxication.

Dave Bittner: Right.

Joe Carrigan: That can be fatal.

Dave Bittner: Yes.

Joe Carrigan: And I guess oxygen toxicity can be, too. Too much of anything is not good for you. That's kind of why they call it, "too much."

Dave Bittner: Yes.

Joe Carrigan: But I was unaware there is such a thing as too much oxygen and that these things had to be -- or regulated in the sense you regulate a gas, like with a regulator, into your body. So, I guess that's more regulated in the sense that you have to regulate drugs from a government standpoint, as with prescriptions. So, it makes sense.

Dave Bittner: Yes. One of our listeners wrote in and mentioned, in addition to what Gina had to say, that if you have particular lung diseases, like COPD or cystic fibrosis--

Joe Carrigan: Right.

Dave Bittner: -too much oxygen can override your breathing reflex.

Joe Carrigan: Really?

Dave Bittner: Yes.

Joe Carrigan: Oh.

Dave Bittner: Yes. That sounds awful.

Joe Carrigan: Would not want to do that.

Dave Bittner: No. So, again thank you folks for writing in and thank you Gina for taking the time. It's interesting stuff.

Joe Carrigan: Yes, the one thing that really concerns me is, I've been to conferences, or you know, like I don't know, group meetings, and you know, big, big events where there are people that have oxygen bars.

Dave Bittner: Right.

Joe Carrigan: And they just hand you a hose. And I've put that hose underneath my hose and breathed in whatever it was they were -- they were giving me.

Dave Bittner: Right.

Joe Carrigan: But who knows what that was?

Dave Bittner: Yes.

Joe Carrigan: I don't think I'll be doing that again. That was very trusting of me.

Dave Bittner: Yes. Did you have a security clearance at the time, Joe?

Joe Carrigan: No.

Dave Bittner: Okay, good.

Joe Carrigan: I did not. I do remember that clearly.

Dave Bittner: Yes. All right, well again, thank you Gina for taking the time, and thank you to our listeners who wrote in as well. We do appreciate it. Let's move on to our stories here, Joe. Why don't you start things off for us here?

Joe Carrigan: I have more of a topic today than a story, Dave.

Dave Bittner: Okay.

Joe Carrigan: And I have a couple of stories that I'm -- we can link to, but there was a story on dark reading that was produced by Microsoft Security called "The Rise of Social Engineering Fraud in Business Email Compromise." Let's leave aside the terrible headline for that--

Dave Bittner: Okay.

Joe Carrigan: -because that's essentially all social engineering is. One of the lines in this article says that 90% of phishing attacks involves social engineering. Again, I think that 100% of phishing attacks are social engineering attacks, but I think the more accurate thing, and what this writer probably meant, was that 90% of incidences and attacks involved some social engineering element. It could be phishing. It could be business email compromise. And that's where they're going with this, is towards the business email compromise end of things.

Dave Bittner: Okay.

Joe Carrigan: As I've said before on this and -- on this podcast and on other speaking events, wherever I am, I think business email compromise is the king of social engineering attacks. Number one, it produces very good results, in terms of monetary gains for the criminals. Very bad results for the person or the organizations being attacked. And the reason is, is because it's coming from a trusted, inside email account, or now, Teams accounts.

Dave Bittner: Right.

Joe Carrigan: Or any kind of other chat thing. We're going to talk about that here in a minute.

Dave Bittner: Okay.

Joe Carrigan: So, this article lists four groups that are -- that are out there doing things, and of course, Microsoft has these really cool naming conventions, like Octo Tempest. And I think they--

Dave Bittner: Yes.

Joe Carrigan: -they -- the last word, they go with some weather-based thing. You know, I really think we need to go with insulting names for hacker groups. Like Angry Weenies, or something like that, or just making these up off the top of my head.

Dave Bittner: Right. My favorite is -- we've actually talked about this behind the scenes with my CyberWire editorial team, and my favorite is -- if the Canadians had a name, it would be something like Apologetic Beaver.

Joe Carrigan: Apologetic Beaver. That would be a good one. Yes.

Dave Bittner: Yes.

Joe Carrigan: Anyway, this Octo Tempest group is a -- they are a group of native English-speaking actors. And I don't know where they're based out of, but they are -- their adversary in the middle is one of their techniques, which is that the -- there are multiple ways to accomplish this, but what they do is they present you with a fake webpage, or that's actually just a pass through for the actual log on service. It looks like it. It looks exactly like the log on service, but there's a server on the back end that's collecting your credentials. And actually, logging you in. Then if they have a one-time password requirement, like for multi-factor authentication or an SMS code that's sent to your -- your device, they'll ask you for that through the same interface. That's the attacker in the middle. They're also pretty good at social engineering, which I would say this is, and then SIM swapping is one of the things they have in their repertoire. SIM swapping can be absolutely devastating. If you are someone who is at risk for SIM swapping, you'll know it. I don't think somebody's going after SIM swapping to get into like your or my Twitter account, right?

Dave Bittner: Okay.

Joe Carrigan: But if you were somebody that had millions of dollars and you had a code being sent to your phone from your bank, someone's going after that. So, find a different way to do multi-factor authentication.

Dave Bittner: And also, put a code on your SIM.

Joe Carrigan: Yes, put a code on your--

Dave Bittner: A pin code, I guess. Yes.

Joe Carrigan: -account at your cellular provider.

Dave Bittner: Right.

Joe Carrigan: The next cool organization with -- or malicious organization with a cool name is Diamond Sleet. These guys are -- have attacked the German software company JetBrains, which I know one of the things they develop is an IDE for Python, which is an integrated development environment. If I can get malicious code into an integrated development environment, think of the havoc I wreak. That would be terrible. Sangria Tempest, which is also called FIN, they target the restaurant industry to steal payment card data. The restaurant industry is a great place to -- because when was the last time you went out to dinner and paid cash, Dave?

Dave Bittner: Yes.

Joe Carrigan: I haven't done it in years.

Dave Bittner: Yes.

Joe Carrigan: I haven't even done it at like a McDonalds in years.

Dave Bittner: Okay, right. Sure, sure.

Joe Carrigan: I just don't do that anymore.

Dave Bittner: Yes.

Joe Carrigan: Everything happens on a credit card. So, if I can get inside of a point of sale system, and sit there and watch credit card numbers come across, I'm going to exfiltrate a ton of data. Now, this isn't really business email compromise, but the way they do this is they get in by sending threatening email messages with malicious attachments claiming that they've been poisoned by the restaurant, food poisoning. They're victims of food poisoning. And the malicious attachments of course let them come in. They are out of Eastern Europe. And then finally the fourth group here is Midnight Blizzard. This is a Russian group that is going after government targets, diplomatic entities, NGOs, and IT service providers. And they're attacking all across -- these folks all across the U.S. and Europe. They use Teams messages to send -- to try to get into your accounts. And they -- if this is the same group, there's a group out there that impersonates Microsoft Support, and comes in as the Teams person, or says they're Microsoft support, and they try to get you to cough up your credentials. Then they go inside to your network because if you're using Microsoft 365, and your teams gets compromised, that's your Microsoft 365 log in. That's everything. Your Teams is not the only thing that just got compromised. Your email also just got compromised.

Dave Bittner: Right.

Joe Carrigan: Bad stuff. So, there's another article that I found from Marcus White that's on Infosecurity Magazine.

Dave Bittner: Okay.

Joe Carrigan: And of course, his big thing here, he's talking about the EA breach and the MGM Resort hack. But the solution is multi-factor authentication. I think it's far past time for companies to -- when they are authenticating their employees to their -- or their contractors, and either customer -- or not their customers, but their vendors, to their system, it's time to insist that your employees and all your vendors use something that's like UTF, or Universal Two-Factor to log into your network. Something like the Yubikey or the Google Titan, from the FIDO Alliance. There are tons of solutions out there. If you go to the FIDO Alliances website, they have like eight pages of vendors for these tools.

Dave Bittner: Right. So, there's no excuse.

Joe Carrigan: Yes. It's a lot of -- I mean, this has grown. I mean, when you and I started talking about this, there were like maybe -- there was one page of vendors, and there was like maybe ten of them on there.

Dave Bittner: Right.

Joe Carrigan: Now, there are eight pages of vendors for solutions.

Dave Bittner: Yes.

Joe Carrigan: It's time to move on. It's time to move beyond username and password, and at minimum, put universal two-factor on our authentication system for your network at -- for your enterprise network.

Dave Bittner: Right. Your mentioning of people in the food service industry, it made me think about someone described a scam, I saw on Reddit just a few days ago. And this was in Washington D.C. So, imagine if you've ever been to Washington D.C. and you've done any touristy kind of things, you're familiar with a -- the National Mall, which is where all the museums are, and the--

Joe Carrigan: Right.

Dave Bittner: -the big monuments and all that sort of thing. And around the mall, there are lots of food trucks.

Joe Carrigan: Yes.

Dave Bittner: So, imagine you walk up to a food truck, actually an ice cream truck, right? Like the old Good Humor man--

Joe Carrigan: Right.

Dave Bittner: -kind of ice cream truck, right? You walk up and you say to the person there who's in the truck, "Hey, I'd like four ice cream cones."

Joe Carrigan: That sounds exactly like me.

Dave Bittner: Yes.

Joe Carrigan: You're speaking my language, Dave.

Dave Bittner: That person says, "But, sir, you're alone."

Joe Carrigan: Right.

Dave Bittner: "And you need four ice cream cones."

Joe Carrigan: And I turn to my wife and say, "What do you want?"

Dave Bittner: Exactly. So, you order four ice cream cones, and the person serves you up the ice cream cones, you hand them your credit card, they hand you the ice cream cones, and immediately the ice cream truck speed away.

Joe Carrigan: Really? With my credit card?

Dave Bittner: No, no. You've gotten your credit card back.

Joe Carrigan: Oh.

Dave Bittner: But the ice cream truck speeds away and you have been charged $150--

Joe Carrigan: Oh, okay.

Dave Bittner: -for the four ice cream cones.

Joe Carrigan: Right, the maximum.

Dave Bittner: Right.

Joe Carrigan: The maximum they can do without a signature.

Dave Bittner: So, whatever that is--

Joe Carrigan: Yes.

Dave Bittner: -yes. That's what they do. Now, I heard about this scam. You know, I read this and first thing I did was I laughed, because I imagined like, you know, like a scene from the Benny Hill Show or Mr. Bean or something, you know, like--

Joe Carrigan: [inaudible 00:19:12] playing in the background.

Dave Bittner: -or you know, some sort sap character who gets his money stolen by a, you know, a fake ice cream thing. Now--

Joe Carrigan: Now, Dave--

Dave Bittner: Yes?

Joe Carrigan: -we frequently say, "This is something that would work on me."

Dave Bittner: Yes.

Joe Carrigan: This is absolutely something that would work on me.

Dave Bittner: But I have to wonder how many times can this work, and how hard would it be for law enforcement to track down a rogue ice cream truck, right?

Joe Carrigan: Yes, I don't know.

Dave Bittner: You know, are--

Joe Carrigan: It seems--

Dave Bittner: -you hopping from town to town?

Joe Carrigan: Are you changing your license plate every time you do this?

Dave Bittner: I mean, you could go -- I guess if you pull this off ten times in one day, that's a good day.

Joe Carrigan: Yes.

Dave Bittner: You can move on to the next city, or I don't know. Maybe you're living out of your ice cream truck. Anyway, who knows if it's real or not, but it was novel and new and not something I'd heard of before. So, I thought I'd share.

Joe Carrigan: Yes, if that -- you know, because I would -- what would happen to me is I would get a text message that said, "The ice cream truck just charged you $150." And I'd be like, "Oh, no they didn't." And I would be on the phone with--

Dave Bittner: Yes.

Joe Carrigan: -you know, with the credit card issuers going, "Yes, don't pay that. Here's what happened."

Dave Bittner: Right.

Joe Carrigan: "And what do I need to do? Do I need to file a police report because this seems really sketchy to me."

Dave Bittner: It seems like a short term scam--

Joe Carrigan: It does.

Dave Bittner: -but who knows. If it's even real. I don't know, but like I said, it tickled me, so I thought I'd share.

Joe Carrigan: Yes. It's a good story.

Dave Bittner: Should I move on?

Joe Carrigan: Yes, that's it for my story. I just want to encourage everybody to use -- it's time to move on, on the enterprise level, to universal two-factor multi-factor authentication.

Dave Bittner: Got you.

Joe Carrigan: Or something compatible, but I think UTF is probably the industry leader right now.

Dave Bittner: Yes. All right, Joe, so my story this week actually doesn't come from any publication or anyone else. It's about me.

Joe Carrigan: It's about you?

Dave Bittner: I got scammed.

Joe Carrigan: You did?

Dave Bittner: I did.

Joe Carrigan: It happens to all of us, Dave. Now, I'm not the only person on this show, since we started doing this show, who's been scammed.

Dave Bittner: Oh, I've been -- I've talked about being scammed on this show.

Joe Carrigan: Oh, you've been scammed but not since we started doing the show.

Dave Bittner: Yes, I have. Remember I talked about there was a guy who was on the side of the road--

Joe Carrigan: Oh, right.

Dave Bittner: -who thought his -- he needed his car repaired, and--

Joe Carrigan: Yes, but you just gave that guy 20 bucks, right?

Dave Bittner: -took me for 20 bucks, yes. Yes. But, so I've been scammed again. This time it was on Facebook.

Joe Carrigan: Oh, no.

Dave Bittner: Yes, yes. I heard someone this week describe Facebook as being like chemotherapy. It has its good uses, but mostly it poisons you.

Joe Carrigan: I would agree with that 100%.

Dave Bittner: Yes. So, I'm on Facebook minding my own business, and this thing scrolls by. And it says, "Catonsville Online Yard Sale." Now, Joe, you and I live in the same community.

Joe Carrigan: Yes.

Dave Bittner: You know as well as I do, that Catonsville is right up the road from us.

Joe Carrigan: It is indeed.

Dave Bittner: A few miles away, so it's a town that I'm very familiar with. And there's a message here from the Catonsville Online Yard Sale and it says, "Update, it's now the fifth day and I'm urgently looking for the owners of this beautiful Tucker we picked up on the side of the road in Catonsville." Now, Joe, there are two pictures here. Describe Tucker.

Joe Carrigan: Tucker looks like a very sad dog in a kennel.

Dave Bittner: Yes.

Joe Carrigan: With some food. I'm assuming this is a boy dog. I don't know, with a name like Tucker.

Dave Bittner: Yes, who knows?

Joe Carrigan: And he is laying down in one of them with his back against the cage. In the other one, he's kind of moping about inside the cage--

Dave Bittner: Yes.

Joe Carrigan: -inside the kennel.

Dave Bittner: He's a very pretty but sad-looking dog.

Joe Carrigan: Yes.

Dave Bittner: And says, "Tucker's really depressed. Not eating. We took them to the vet, and they're not chipped. Please help me bump this post so I can find the owner." So, I did. Right? I thought, "Oh." Now, let me just say here, Joe. Like you, I'm a dog lover.

Joe Carrigan: Yes.

Dave Bittner: I have a dog. So, this tugged at my heartstrings.

Joe Carrigan: Of course it did.

Dave Bittner: And I thought to myself, "Well, I will share this and try to spread the word about Tucker the lost dog."

Joe Carrigan: Poor Tucker.

Dave Bittner: Let me tell you, I got pounced on, Joe. I got pounced on by my well-meaning friends who were like, "Dave, this is a scam. This is a well-known scam. Anytime you see something like this in any of these online yard sale groups or anything that's for sale, if you see a lost dog or a lost cat, a lost pet in any of these for sale things, they're scams." And what happens is they post this. People like it and share it, and then they go back and edit the post to them selling something.

Joe Carrigan: I see.

Dave Bittner: And so, the thing they're selling gets populated by all these people who are helping them spread the word about the thing, because they suckered you in with the poor, lost dog.

Joe Carrigan: I see.

Dave Bittner: Now, needless to say--

Joe Carrigan: That is very creative.

Dave Bittner: It is. Needless to say, Joe, I was quite ashamed.

Joe Carrigan: Yes, well that's okay, Dave. You didn't lose any money on this one.

Dave Bittner: I didn't lose any money, but Joe, I don't know if you know this, I host a podcast about not getting scammed.

Joe Carrigan: Dave--

Dave Bittner: And I fell for this -- this is -- I mean, this is one of the -- how did I -- first of all, how did I not know about this?

Joe Carrigan: Right.

Dave Bittner: This was new to me. I don't think we've ever talked about this particular scam here.

Joe Carrigan: I don't think I have seen it either.

Dave Bittner: But we have now.

Joe Carrigan: Yes.

Dave Bittner: So, but I just want to share. Like, I experienced firsthand the feelings of shame--

Joe Carrigan: Right.

Dave Bittner: -that so many people feel when they realize they've been scammed.

Joe Carrigan: Right. It's like when I put my credit card number into the fake hotel website, Dave.

Dave Bittner: Yes.

Joe Carrigan: All it cost me was a new credit card, but unfortunately my -- the credit card provider, I can't remember which one it was. I think it was Capital One--

Dave Bittner: Yes.

Joe Carrigan: -they declined the charge because they recognized it was fraudulent.

Dave Bittner: Oh, okay.

Joe Carrigan: And then I realized when they declined it, and I actually went through a second time to try to make sure everything's right. And they declined it again, and I get a text alert that goes, "Hey, there looks like there's some fraudulent activity." It took three thing to happen before I went, "Oh, that was a -- one of those malicious Google Ads that I clicked on."

Dave Bittner: Oh, I see.

Joe Carrigan: And I'm not making a hotel reservation. I'm getting scammed.

Dave Bittner: Right.

Joe Carrigan: So, yes, it happens. I mean, and this is the exact reason I say when -- and Graham Cluley is talking about this a little bit in his interview today. This is the exact reason I say, "Don't think you won't fall for something."

Dave Bittner: Yes, right. Right.

Joe Carrigan: You will. And Dave, you're not stupid. You're not -- I know you.

Dave Bittner: I felt pretty stupid, Joe.

Joe Carrigan: I know you felt stupid. Trust me. I am keenly aware of how you -- I know exactly how you felt.

Dave Bittner: Yes.

Joe Carrigan: But you've got to come in here and tell the story when it happens.

Dave Bittner: I know. I hope Tucker found his home.

Joe Carrigan: That's just some guy's dog somewhere.

Dave Bittner: I know there's no Tucker.

Joe Carrigan: Right.

Dave Bittner: Tucker doesn't exist. And yet, in my head canon, I'm really hoping that Tucker found his family or whatever, you know, and is living his best canine life.

Joe Carrigan: Yes.

Dave Bittner: So. All right, well that is my story. My shame-filled, embarrassed, stupid story. But thank you Joe for helping me not feel so bad about it.

Joe Carrigan: Don't feel bad, Dave.

Dave Bittner: I'll do my best.

Joe Carrigan: You're not stupid. You love dogs and you thought a dog needed help.

Dave Bittner: That's right.

Joe Carrigan: And--

Dave Bittner: Yes, there it is. Okay. All right, Joe. It is time to move on to our Catch of the Day. [ Music ]

Joe Carrigan: Dave, our Catch of the Day comes from Vance who writes, "Hello, Dave and Joe. I really enjoy your show and listen along with all the other N2K ones.

Dave Bittner: Oh, that's very nice.

Joe Carrigan: I've been meaning to send you the attached file for a while. It's a scanned copy of a letter I received via snail mail last year, which I found to be pretty amusing -- a pretty amusing variant of an age-old scam. I haven't lived at this address shown for decades. The only reason I received it is my sister still lives there.

Dave Bittner: Oh.

Joe Carrigan: So, this is like you live in the house you grew up in, right?

Dave Bittner: That's true. I do, yes.

Joe Carrigan: And my brother still lives in the house that I grew up in.

Dave Bittner: Yes.

Joe Carrigan: So, he never comes to me and says, "Hey, Joe, here's your mail." I think if he sees something for me, he just throws it away.

Dave Bittner: Okay. No, it's true though. Occasionally, mail for my brother or my father or my sister will come to my house--

Joe Carrigan: Yes.

Dave Bittner: -what is now my house. That does happen.

Joe Carrigan: Yes.

Dave Bittner: Yes.

Joe Carrigan: So, oh, please keep doing what you're doing. And it's a very official looking letter, Dave. It comes from B and B Associates LLP in London. And it's addressed to Vance. I won't put his actual address on here, because that would -- Vance sent us this in confidence, I'm sure.

Dave Bittner: Sure. All right. Well, it goes like this. It says, "Dear Vance, My name is James Brown." Joe. "I am a partner at Brown and Brown Associates LLP in United Kingdom. Apologies if my letter came to you as a surprise, since there's been no previous correspondence between us. There is an unclaimed permanent life insurance policy held by our deceased client. The transaction pertains to an unclaimed life insurance policy, savings monetary deposit in the sum of 11,550,300 Unites States dollars."

Joe Carrigan: That's a lot of money.

Dave Bittner: "The policy holder was one of our clients, the late Dr. Marcus Jones, who was a real estate investor and precious stone dealer. He was a COVID-19 victim who died about two years ago. Since his death, no one has come forward for the claim, and all our efforts to locate his relatives have proved unsuccessful. The insurance company code stipulates that insured permanent policies not claimed must be turned over to the Abandoned Property Division of the state, after two to three years. Therefore, I ask for your consent to be in partnership with me, for the claim of this policy benefit in view of the striking similarity in the last name and nationality with the deceased. If you will permit me to add your name to the policy, all proceeds will be processed on your behalf. I wish to point out that I want 10% of this money to be shared among charity organizations, while the remaining 90% will be shared between us. This is 100% risk-free."

Joe Carrigan: Sure it is.

Dave Bittner: "I do have all necessary documentation to expedite the process in a highly professional and confidential manner. I will provide all the relevant documents to substantiate your claim as the beneficiary. This claim requires a high level of confidentiality, and it may take up to 20 business days from the date of receipt of your consent. For more details, please contact me. Your earliest response to this matter would be highly appreciated. Best regards, James Brown." You know, if only this was the great James Brown. Right?

Joe Carrigan: I don't think it was.

Dave Bittner: I mean, it doesn't get any cooler -- how cool would it be to get a letter from the actual James Brown -- the dearly -- from the grave--

Joe Carrigan: From the grave. Right, from the dearly departed James Brown.

Dave Bittner: The great James Brown.

Joe Carrigan: He's no longer with us.

Dave Bittner: Yes, so I'm sure whatever impersonation I was trying to do did not do him justice.

Joe Carrigan: No.

Dave Bittner: So, forgive me.

Joe Carrigan: But, you know, I don't know. That's one of the things about James Brown is that he had a distinctive voice.

Dave Bittner: He sure did.

Joe Carrigan: Man, he was great.

Dave Bittner: Yes, he sure was.

Joe Carrigan: I mean, they don't call him the Godfather of Soul for nothing.

Dave Bittner: That's right.

Joe Carrigan: Right? This email is well worded.

Dave Bittner: That's true.

Joe Carrigan: It's not a lot of grammatical errors in here.

Dave Bittner: No, no.

Joe Carrigan: Everything looks good. I mean, except for the fact that Vance is right, this is an obvious scam.

Dave Bittner: Yes.

Joe Carrigan: You reach out to these guys and start talking to them, they're just going to hit you up for money. And they're going to keep asking you for money until one of two things happen, is you run out of money, or you realize it's a scam.

Dave Bittner: Right.

Joe Carrigan: That's it.

Dave Bittner: Right. And they're using -- they're tugging at your heartstrings, trying to demonstrate that they're good folks by saying they want to give 10% of the money goes to charity.

Joe Carrigan: Right. If this was actually a life insurance policy, there would be no cut for anybody but the beneficiary.

Dave Bittner: Right.

Joe Carrigan: And that would be solved through probate court.

Dave Bittner: Correct.

Joe Carrigan: So, yes. This -- you wouldn't have to split your life insurance proceeds with anybody.

Dave Bittner: Yes, yes. All right, well thank you to Vance for sending that in. We do appreciate you taking the time. Of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@N2K.com. [ Music ] All right, Joe. I recently had the pleasure of speaking with Graham Cluley. Of course, he is the co-host of the Smashing Security podcast, along with our dear friend Carole Theriault who's been a regular on our show in the past.

Joe Carrigan: She is.

Dave Bittner: So, Graham agreed to come on the show to talk about some of the recent trends and online scams that he's had his eye on. Here's my conversation with Graham Cluley. Well, Graham, welcome back to Hacking Humans. It is great to have you back on the show. I think it's been too long.

Graham Cluley: It has been too long. Thank you for allowing me back through the door. What a lovely studio it is here. So, cozy. Fantastic. Thank you.

Dave Bittner: Isn't it lovely? Yes.

Graham Cluley: I love it.

Dave Bittner: Thank you. We really -- I love what we've done with the place. So, I want to touch base with you. I've been reading a lot of the articles that you write, your blogs, you do some writing for other companies who hire you to write security research for them, and then of course, the word that you do on Smashing Security with Carole, I wanted to touch base with you and check in, as it were, on some of the trends that you're tracking when it comes to these online scams that are hitting so many people around the world. Can we start off at a high level here? I mean, what -- what are some of the sort of broad directions that you see things going in these days?

Graham Cluley: Well, I think what we're seeing is really a reflection of these desperate times that we're living in. Everyone's feeling the pinch. Economies are on the downturn. Everyone's, you know, cost of living crisis. Everything's getting expensive. And so, of course, if a scam arrives in your inbox promising that you can make millions and millions or even a few thousand, chances are that you're going to be more and more likely to fall for it.

Dave Bittner: Oh, that's interesting. So, I -- it's funny, because when you started describing that, I was thinking of the tough times for the scammers themselves, but I think you make a -- but I think you make a really good point here, which is that when times are tough, perhaps our skeptical thinking gets put on a shelf, because we're looking for anything to make life a little easier.

Graham Cluley: Well, I mean, I'm speaking to you from the United Kingdom at the moment. And we've had huge problems with our energy bills. I don't know what it's like over your side of the pond. But electricity and gas prices gone through the roof. It's quite astonishing how much they've gone up. And so, if you receive a message which claims to come from the U.K. government offering you a discount on your energy bills under some energy bill support scheme for instance, you're more likely to click on that link and maybe not have your normal, careful perusal of the URL or you know, exercise enough caution before accepting it. And it -- and so many other things as well. So, there's so many things which are emptying our pockets and draining our wallets and our bank accounts. So, we're looking to save every penny we can, and the scammers are taking advantage of this. And there are also of course huge, huge rise in the number of crypto currency related scams. You can't turn on Twitter without seeing some fake Elon Musk or another celebrity who appears to be promoting some kind of crypto currency scam, asking you to make an investment, and of course, you're not going to see your money back.

Dave Bittner: It's amazing to me how lasting those scams have been, because this is not new, and yet, you would think word would get around, but they're still working.

Graham Cluley: Well, yes. Unfortunately, we -- you know, we do keep on raising awareness of these things. We keep on sending out alerts. We keep on warning people about these types of scams and say, "Look, tell other people in your family, watch out for these things." But again, I think it's a reflection of desperate times. And it's not just necessarily desperation financially. It can also be desperation romantically. And we've seen an increase in these pig butchering scams as well, where the scammers appear to be prepared to spend months convincing you that you're in a romantic relationship, and then, only then they begin to drop in comments that, oh well, you know, "It's wonderful, this online relationship that we're having but if you really want to make some money, there's this great scheme which I've been doing. Maybe you should put some money into it, too?"

Dave Bittner: Yes, I was talking to a friend just about a week ago who, she has an uncle who is into these scammers. They've taken about $400,000 from him. And they keep coming back for more. And the family of course is trying to do everything they can to put an end to it, but this person believes -- they cannot convince this person that the romance isn't real. That the -- or the opportunities aren't real. And so, the money just keeps on flowing. And I mean, it's -- it's really that human element, isn't it, that we all -- at the end of the day, as you say, we, you know, we all want to be loved, and it just overpowers our critical thinking.

Graham Cluley: There's only one thing that we want more than love and that's a decent wi-fi connection, right? I mean, once you've got those sorted, you think your life is looking pretty good. So, people are, you know, people are desperate. Everyone wants to be loved. Every month I receive emails from women who believe that they're in a relationship with Hollywood heartthrob and hard man, Jason Statham. All the time. I have -- and I've got this page on my website where I'm talking about the Jason Statham romance scandal. So, many women have left messages saying that they've been contacted by this guy as well, and they believe it's real, and he said that he's broken up with his hot model girlfriend, and you know, unfortunately, he still can't afford to get his webcam fixed, but he's chatting to them online. And they are giving him a huge amount of money. I'm sure it's not just one guy doing this. I think there's a whole bunch of guys somewhere out -- Lord knows what part of the world, pretending to be Jason Statham, and for whatever reason, he is the man that these women are going for. And--

Dave Bittner: It's interesting.

Graham Cluley: -but it is -- it's actually absolutely heartbreaking because I think a lot of these people deep down, they do suspect, "Well, maybe it is a scam because it is a little bit strange that he's never come around to visit, and he's never telephoned me, and he's never done a Zoom call, and he's always -- he hasn't enough money for his flight back home." But there's a tiny chance that it's true. It's that tiny chance that that person who contacted them really might be the person who fulfills their life and fills whatever empty hole they have in their existence, with romance. And so, that's what they want to cling to. And so, they don't listen to their family and friends.

Dave Bittner: You know, you bring up a really interesting element here, which is that you being someone who is well-known when it comes to cyber security and your name is one of the ones that comes up regularly if people search on that, I think that's probably a big part of why you get so many people reaching out to you for help. Can you give us a sense for the kinds of things that people reach out to you about?

Graham Cluley: Other than Jason Statham, Mark Ruffalo, the guy who used to be the Incredible Hulk or is in the Avengers movies.

Dave Bittner: Right.

Graham Cluley: That's a common one. But generally, I mean generally, it doesn't include celebrities. Generally, people who are contacting me are victim of what are now being called pig butchering scams where there are these gangs of people, often out in the Far East. And there's a story or two about them as to how those people are hired, which is horrific, but you know, there is organized criminal gangs who are targeting people who've got money in the west, trying to convince them into romance. The story by the way about the creation of these gangs, is there have been tales in the past that these people who are actually working in these gangs, they're actually slaves.

Dave Bittner: Yes.

Graham Cluley: People who are being held against their will and being told to participate in these criminal gangs, scamming people in the -- I mean, it's horrific what appears to be going on. But someone is making an awful lot of money as a result. The other kind of thing which people contact me with is actually when I think they are the scammers themselves. People contact me saying, "Oh, my wife or my girlfriend, she's gone missing. I don't know how to contact her. I'd really like to break into her Facebook account and see who she's been messaging. Can you help me do that, or can you break into her Instagram account?" So, they present it as you know, "This is a real emergency. Can you do this?"

Dave Bittner: Right, right.

Graham Cluley: And of course, I can't, and I wouldn't even if I could.

Dave Bittner: Yes.

Graham Cluley: But there's a lot of people who try and pull on the heartstrings to break into an account. And you have to think, "Is this a jealous ex-boyfriend or partner or some other kind of identity fraudster at work?"

Dave Bittner: When you do get the sense that it is someone who's genuinely been taken advantage of here, I mean, do you ever respond?

Graham Cluley: Oh, I know it's going to shock you, David, but I actually do have a heart. And so--

Dave Bittner: Really?

Graham Cluley: -I know you've known me for a while, and you've -- all of the evidence suggests the contrary, but no, I do because I'm a big softie, really. And so, I will say some, "Look, you know, I think this is really unlikely that Jason Statham or whoever it is," I think, you know, or "Go and view this webpage where you'll see there are dozens of other women who believe they're in a relationship with him as well. What are the chances, seriously, that he's chosen you to be -- you know, rather than his hot model girlfriend?" It's, you know, it's -- yes, so I try and help them. I try and point them in the right direction. I say, "Look, if you really think about this, it probably isn't true, and you know, take care," but there's only so much you can do those people. I don't help the people who are trying to break into accounts because--

Dave Bittner: Right.

Graham Cluley: -you know, they're dodgy. They're not worth my time, are they? But the ones who are innocently scammed, you've got to have a heart for because it could so easily be your auntie who falls for these. I mean, you know, all of these people who have been scammed, they are somebody's auntie, someone's brother, someone's sister-in-law. So, you know, we need to take care of each other.

Dave Bittner: Do you have any thoughts on what it might take to move the needle on this?

Graham Cluley: It's a depressing thought but maybe everyone needs to be scammed at least once. Hopefully not to a great degree, before you actually learn. I mean, it's -- I do believe there's no one who can't be -- I think people who think, "Oh, it would never happen to me," I think sometimes they might be the most susceptible to these kind of attacks. If you have that kind of approach. Even though, for instance you and I work in this field--

Dave Bittner: Oh, yes. It's happened to me.

Graham Cluley: -I suspect if -- has it?

Dave Bittner: Oh, yes.

Graham Cluley: What? You and Jason or someone else?

Dave Bittner: No, but I mean I have been -- I have been -- so, I have been tricked into turning over my credentials once. And it was -- it was a very straightforward kind of thing where I got a text message from someone I know that said, "Hey, you should check out this video of you." And there was a link and I clicked through and the link was a Facebook log in, and I logged in.

Graham Cluley: Oh, boy.

Dave Bittner: And that was it. Right. And I didn't think twice about it. This was a few years ago. And so, yes, and you know, in the heat of that moment of wanting to see what the video of me was -- in retrospect, they were purposefully vague about what the video was, right? Which of course got my anxiety up.

Graham Cluley: Yes, yes.

Dave Bittner: Right? Because who knows? I don't know. And so, they got me. Now, fortunately I realized pretty quickly, and I was able to change my credentials and I didn't lose any money or anything like that. But yes, to your point, if somebody wants you bad enough, they will find the thing that you are so interested in as it will be irresistible.

Graham Cluley: Or their message only has to land at the right time. A time when you're either vulnerable or you're distracted. Many of us are working from home these days. You know, even though the pandemic is supposedly over and all the rest of it, a lot of us now are working from home, which means you've got craziness going on in the home, especially if you've got young kids, or if you've got a partner who's telling you to load the dishwasher or take the bins out, and you've got phones going -- and all the -- you know, trying to manage your life and do your job, and these messages are coming in and your bosses are contacting you all hours of the day, and it's so easy on your mobile phone to click on a link. And boom, you've made a mistake. So, you only have to be distracted for a short time to fall for these things. And sometimes, the social engineering is so clever. And sometimes it doesn't start with an email, right, or even a text message. I say a scam, it was actually -- the scam was to ultimately install ransomware onto a school's network. And the way in which it began was the secretary of the school would get a phone call from someone claiming to be from the government, and saying, "This is the Department of Education here. We are sending your head teacher this form which needs to be replied, yada, yada, yada, yada, yada. Please can you tell them to look out for it? It needs to be responded to, today." So, the receptionist goes to the head teacher. Says, "There's this email coming through from this department. You have to reply to it." Have to open the PDF of whatever it may be. And of course, bam, they are infected.

Dave Bittner: Right.

Graham Cluley: So, sometimes that's how it happens now. It will start with a phone call. And because we're so used to attacks happening via the internet, your guard is down when the phone call comes through, and it gives it a legitimacy which maybe you haven't previously expected.

Dave Bittner: Well, before I let you go, for our listeners, in terms of your bits of advice, your top tips for the folks who are outside of the cyber security industry, to best protect themselves, what are your recommendations?

Graham Cluley: Oh, golly. Obviously, always be careful about links that you click on. Install a password manager. That's a great tip, because of course, if you do get taken to a bogus website, the password manager won't offer to enter your password for you. So, that should raise your suspicion a little bit. It's like, "Well, why isn't my password manager allowing me to enter my Facebook password?" for instance on this particular domain. Reason is, it's not the real Facebook. So, do that as well. Be careful about the attachments you open. Be careful if you get a Word document and it says, "Oh, this Word document is encrypted. You have to disable security on Word to access the--." You know, it's like oh my goodness. And also, just look after your heart, you know? Be a little bit careful. If someone contacts you out of the blue, be suspicious about that kind of start to relationship. That's not to say necessarily you are safer on dating apps, because some of these scammers will be lurking there as well. But always, always be careful about the personal information you share, and never ever send someone money, unless you've actually met them, and you're convinced you're having a real relationship with them. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: I think it's great to have Graham back on the show. That's what I think.

Dave Bittner: That's right.

Joe Carrigan: Interesting that Graham's position on this is pretty interesting. The broad -- the bad, broad economic situation makes us more vulnerable to this. I thought he was going exactly where you thought he was going with this. Incentivizes people to be more frequent scammers. But it doesn't just do that. It also makes us more vulnerable. I could not agree with that more. The first scam that Graham talks about is a scam that targets Brits with the promise of lowering your energy bills. It's interesting that the costs have gone up and the scammers know this. So, they -- I mean, we say this all the time. They follow the news. They know what's going on.

Dave Bittner: Yes.

Joe Carrigan: When you see something that makes sense, that shouldn't give any more weight to you, but it's going to. It's going to work. You made an excellent point about the crypto scams, that these things have -- should be gone by now, right? That we shouldn't be -- we shouldn't be talking about investing in Crypto as a scam anymore. People should be wise to this, but they're not. They're still falling for it. The pig butchering I get. The pig butchering is like a romance scam with a crypto scam as the icing.

Dave Bittner: Right.

Joe Carrigan: So, I get that. You know, by the time you're getting hit with the crypto part of that, you're already months deep into a romance scam.

Dave Bittner: Right.

Joe Carrigan: And it -- and it's really tough to get people out of that situation. And the romance scams are -- which kind of leads to my next point. The romance scams are devastating to watch. You talk about your friend who recently had somebody in their family lose $400,000 to a romance scam.

Dave Bittner: Right.

Joe Carrigan: Devastating. There needs to be something that we can do. I don't know. I mean, maybe there's something -- like I don't know, if you could get a Power of Attorney, you could -- I don't know--. I'm just shooting at the wall here. I don't know. But something has to be done about this.

Dave Bittner: Yes, to me--

Joe Carrigan: To protect people.

Dave Bittner: -that's part of it. I mean it's hard to take away someone's ability to manage their own money.

Joe Carrigan: Right. And if -- but if they're getting scammed, the thing that if you actually take away their ability to manage their own money and you don't let them send more money to the scammer, the scammer will very quickly go away.

Dave Bittner: Right.

Joe Carrigan: And that problem will resolve itself almost instantaneously, within weeks, I would say. They're not going to spend money if they don't think -- or they're not going to spend time if they don't think there's anymore money involved. They're on to the next victim. The Jason Statham scam, that makes me wonder if this is a new Brad Bitt scam. Right? Because we hear about this -- we've heard about this with Brad Pitt, or I think I'm dating Brad Pitt. I like what Graham says. There's a tiny, tiny, tiny chance that this is Jason Statham. It's smaller than your chance of winning the Power Ball lottery, but still, it's still a chance, right?

Dave Bittner: Right, but I mean, you mentioned Power Ball. I mean that's how Power Ball works is--

Joe Carrigan: That's exactly right.

Dave Bittner: -people say, "Well, I know it's a mathematical impossibility, but somebody wins."

Joe Carrigan: It's not a mathematical impossibility. It's a mathematical highly unlikeliness.

Dave Bittner: Okay, Joe.

Joe Carrigan: I'll tell you -- I'll tell you the -- we have--

Dave Bittner: Let me put it to you this way. The Power Ball is a tax on people who don't understand math.

Joe Carrigan: Yes, I agree with that.

Dave Bittner: Okay.

Joe Carrigan: But I had somebody one time argue that -- he said -- he said, "The thing about the lottery is when you buy a ticket, your chances of winning are only slightly greater than if you hadn't bought a ticket. And I said, my argument to that was, "No, they're infinitely greater because your chance without buying a ticket is zero, and anything divided by zero is undefined or infinite. Right? But you're right. It's really, really small. And it's not worth the money. Don't buy lottery tickets. The lottery is just another scam. I get angry when I think about it.

Dave Bittner: Okay, I'll move on.

Joe Carrigan: But I think it's interesting that people call Graham or get in touch with him and ask him to break into people's social media accounts.

Dave Bittner: Yes.

Joe Carrigan: That's crazy. I've never been approached with that request.

Dave Bittner: Yes.

Joe Carrigan: That has -- has that ever happened to you?

Dave Bittner: Yes, it has.

Joe Carrigan: Really?

Dave Bittner: Not very often -- not nearly as often as what Graham describes here.

Joe Carrigan: Right.

Dave Bittner: But, yes, I have gotten those requests, and my take on it is that most of the time, it's like someone who is, you know, stalking--

Joe Carrigan: Yes.

Dave Bittner: -someone. And want to get into their social media and they're trying to make it appear as though they're just trying to help someone out.

Joe Carrigan: That would be my first guess, is that. The other thing is that I would think it was somebody trying to take hold of an account to gain access to a page, like we talk about people doing frequently.

Dave Bittner: Yes.

Joe Carrigan: You've got a page with a lot of followers, you know, in fact I've got someone in my life that I'm worried about this with now--

Dave Bittner: Yes.

Joe Carrigan: -because there's a page with a lot of followers on it, and I think that page can be targeted by malicious actors.

Dave Bittner: Yes, we get letters, Joe. We get letters.

Joe Carrigan: Yes.

Dave Bittner: We get lots and lots of letters. And some of the people who write us letters, you know, have serious issues, and sometimes it's really sad.

Joe Carrigan: Yes.

Dave Bittner: You wish you would help everybody, but it's just not possible.

Joe Carrigan: Yes, and I'll tell you, if you've lost control of your Facebook account, good luck getting it back. Your best bet is just to go create a new Facebook account.

Dave Bittner: Right.

Joe Carrigan: And forget about it, because they -- there is no help from any of these large tech organizations.

Dave Bittner: No.

Joe Carrigan: Like I said before, earlier and like we learned today with your story, there is something that will work on every one of us.

Dave Bittner: Yes.

Joe Carrigan: What I really found interesting was the particular story that Graham told about the ransomware attack that started with a phone call. What a -- what a clever, I don't want to say, great, but clever, because it's not. It's awful. Clever way to get somebody to look forward to your malicious attachment and make them much more likely to open it up.

Dave Bittner: Right.

Joe Carrigan: They create the sense of urgency by saying, "Hey, this is something that needs to be today. We're from the Department of Education." If this is a university, then the Department of Education might be providing funding. So, who knows what the underlying thing is, but it doesn't surprise me that that was really effective at getting it to work. You call the secretary. You say, you know, you lie to her or him. And you say, "This email needs to be answered today. Make sure that the head of the school takes care of it please?" That's it.

Dave Bittner: Yes.

Joe Carrigan: And game's over as soon as he opens the malicious attachment.

Dave Bittner: Right. All right, well our thanks to Graham Cluley for joining us, and of course if you love our podcast, chances are you will love "Smashing Security."

Joe Carrigan: Yes.

Dave Bittner: So, please do check that out. Graham cohosts that with Carole Theriault and it's definitely worth your time. It's a fun one. So again, we appreciate Graham taking his time for us.

Joe Carrigan: And they often have -- don't they have Maria on there frequently, too?

Dave Bittner: Maria is I believe Maria is their Number One guest.

Joe Carrigan: Yes.

Dave Bittner: Yes. That's right. I'm Number Two.

Joe Carrigan: Excellent.

Dave Bittner: But it's become a distant Number Two to Maria.

Joe Carrigan: Well, don't worry. I've only been on two episodes of the show. I'm way back there.

Dave Bittner: There you go. [ Music ] Well, that is our show. We want to thank everyone for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at ISI.JHU.EDU. A quick reminder that N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. Our executive producer is Jennifer Eiben. This show is mixed by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]