Hacking Humans 7.11.24
Ep 297 | 7.11.24

The costly consequences of communication scams.

Transcript

Dave Bittner: Hello, everyone, and a warm welcome to the "Hacking Humans" podcast brought to you by N2K CyberWire. This is the show where every week we delve into the world of social engineering scams, phishing plots and criminal activities that are grabbing headlines and causing harm to organizations all over the world. I am Dave Bittner and joining me is my co-host, Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some great stories to share. But, first, a word from our show sponsor. All right, Joe, we're going to jump right into our stories here this week. Let me kick things off for us. So -

Joe Carrigan: As you wish, Dave.

Dave Bittner: I saw this story come by from the folks at WIRED and this is sort of a handy how-to. It's called "How to Spot Business Email Compromise Scams."

Joe Carrigan: Ooh.

Dave Bittner: It was written by Justin Pot, one of the writers over there at WIRED. And I thought it was a really good guide. And the other thing I like about this is this is one of those things you can forward to your friends and your family and your loved ones, I guess, in particular, your work colleagues -

Joe Carrigan: Right.

Dave Bittner: Would be particularly helpful for this.

Joe Carrigan: Yes.

Dave Bittner: So -

Joe Carrigan: It is "business" email compromise.

Dave Bittner: That's right, that's right. But, you know, a lot of the lessons you can learn here apply to all sorts of scams.

Joe Carrigan: Absolutely.

Dave Bittner: But this is abso - this is targeted on the business email compromise. So - and a couple of interesting things I took away from this article here. Business email compromise scams generate over $26 billion annually.

Joe Carrigan: Yeah.

Dave Bittner: Billion with a "b".

Joe Carrigan: Right. And the average payout per successful scam is pretty high.

Dave Bittner: Yeah.

Joe Carrigan: It's - it - I don't know what it is, but I frequently see hundreds of thousands of dollars lost to these guys and occasionally millions.

Dave Bittner: Yeah. Oh, yeah, they go into the millions. And, of course, you know, we talk about these all the time here, but for folks who may not be all that familiar with it, this is where folks - they get into your email or one of your colleagues' emails and generally they impersonate your colleagues.

Joe Carrigan: Mhm, very well actually.

Dave Bittner: Yeah. And quite often they will impersonate your boss or someone who is important within your organization. These are the scams where you get a message from your CEO asking you to go buy some gift cards. Have you ever gotten one of these, Joe?

Joe Carrigan: I have, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Yeah. I fell for it, too.

Dave Bittner: Really?

Joe Carrigan: I didn't fall - well, it was the beginning of the scam. It was back when I was with ISI.

Dave Bittner: Oh, okay.

Joe Carrigan: I got an email impersonating Tony Dahbura -

Dave Bittner: Yeah.

Joe Carrigan: Who was my boss. And he said - it was just "are you available?" And I've told this story before.

Dave Bittner: Yeah, yeah, yeah.

Joe Carrigan: I grabbed my notebook, I reply "yes," and I run downstairs.

Dave Bittner: You sprinted down the hall.

Joe Carrigan: Sprinted down the stairs. Two flights of stairs.

Dave Bittner: Good employee that you are.

Joe Carrigan: Right.

Dave Bittner: Skipping every other step.

Joe Carrigan: Yes. Oh, I get to see my boss. Actually, I really, really am a big fan of Tony. But, anyway, I get down there and his office is empty. And Laura, who is the head administrator, walks out and goes, "I think that email was a scam." And I was like, "Ah! Got me."

Dave Bittner: Oh.

Joe Carrigan: Yeah.

Dave Bittner: Had she gotten it, too?

Joe Carrigan: I think so, yeah.

Dave Bittner: Okay.

Joe Carrigan: I think everybody got it.

Dave Bittner: Ohhh.

Joe Carrigan: And it came from just a Gmail address so it wasn't a business email compromise attack, it was just a gift card scam coming from an outside email address.

Dave Bittner: Right. Impersonating -

Joe Carrigan: Impersonating.

Dave Bittner: Your boss.

Joe Carrigan: Right. It was more of an impersonation scam.

Dave Bittner: Yeah, yeah. So, that's one of the ways that they do it. This article points out that one of the other really popular avenues is that they will contact an employee in payroll, for example, and ask them to change direct deposit information.

Joe Carrigan: Yes.

Dave Bittner: So, someone will pretend to be you or me, send an email to the payroll person and say, "Hey, listen," you know, "here's a routine thing, I just changed banks" -

Joe Carrigan: Right.

Dave Bittner: "And, you know, well, here's my new routing information."

Joe Carrigan: Yes. And then they get the paycheck.

Dave Bittner: Right.

Joe Carrigan: Yeah.

Dave Bittner: Two weeks from now, whatever your paycheck is goes in. And, you know, it might take somebody - depending on your financial situation, it might take somebody a week or two or a payroll cycle to even detect that something like this has happened.

Joe Carrigan: Yeah, that's not me.

Dave Bittner: I don't think that's me either.

Joe Carrigan: I notice -

Dave Bittner: Right.

Joe Carrigan: Quickly.

Dave Bittner: Right. I notice when the mortgage company calls and -

Joe Carrigan: Right.

Dave Bittner: Says, "Hey, why haven't you paid us?"

Joe Carrigan: Right.

Dave Bittner: And I go, "What?" Because I haven't been paid. So, this article has a lot of great tips here for how to spot these things and avoid them. Something we talk about all the time, question urgency.

Joe Carrigan: Right.

Dave Bittner: Right? The scammers, they try to put you in a state of stress to shut down your critical thinking. So, they say, you know, "Take a step back, calm down, take a deep breath and reassess what's going on here."

Joe Carrigan: Yep.

Dave Bittner: And they point out that our red flag is if someone asks you to keep the request confidential.

Joe Carrigan: That is 100% correct.

Dave Bittner: Yeah. And, you know, this is something that you - wouldn't be out of the ordinary I guess. If it was from your boss or from an executive in your organization, then they might say, "Hey, you know, we've got an important deal going here."

Joe Carrigan: Right.

Dave Bittner: "And it's important that we keep this confidential. And I need you to - you know, we don't want this deal to fall through, so I need you to transfer this money and do it on the QT."

Joe Carrigan: Right, on the down-low.

Dave Bittner: That's right. That's right. And, actually, Selena Larson, a friend of the show, a friend of the CyberWire and my co-host on the new podcast "Only Malware in the Building," which you all should check out, she's quoted in this article saying, "Just breathe, slow down and think critically." And all good advice.

Joe Carrigan: Yeah.

Dave Bittner: They say that you should confirm through a second channel.

Joe Carrigan: Yes.

Dave Bittner: Very good. So, someone makes a request, if they do it via email, pick up the phone.

Joe Carrigan: Right.

Dave Bittner: Do what you did, go down the hall.

Joe Carrigan: Yes.

Dave Bittner: Right?

Joe Carrigan: Right. And that's exactly what I did. That's when I - I realized it was fake right away as soon as I saw the dark office. But I have a horror story about this.

Dave Bittner: Oh.

Joe Carrigan: And it's anecdotal and I can't - you know, somebody - the person who told it to me wouldn't, of course, tell me where this happened.

Dave Bittner: Okay.

Joe Carrigan: But a junior employee got an email saying, "Change our banking information for our payment stuff from a vendor for a company."

Dave Bittner: Okay. Yeah.

Joe Carrigan: And he went to the senior employee and said, "This kind of looks suspicious." And the guy said, "Yeah, it is suspicious. Give him a call." So, he calls him and then the junior employee comes back and goes, "Yeah, everything's good. We should change the money, change the direction of the money." So, they change the direction of the money and the vendor calls him up and goes, "Hey, where's my money?" And what had happened was the junior employee called the company that was being victimized here. It was a business email compromise attack. Didn't get the guy on the phone. So, he left a voicemail that said, "Are you trying to change your banking details? Because we got an email that says you're trying to change your banking details." The voicemail system transcribed that email and sent an email - or transcribed that voicemail and sent an email to the inbox of the person whose email address had been compromised.

Dave Bittner: Oh, wow.

Joe Carrigan: And the scammer said - sent him another email and said, "Yeah, I got your voicemail, that is us. That's fine. That's legit."

Dave Bittner: Wow.

Joe Carrigan: And that was the verification. So, he did not verify through two channels, but he thought he had.

Dave Bittner: Yeah.

Joe Carrigan: He only verified through the email channel.

Dave Bittner: Right.

Joe Carrigan: But he didn't know that the - he didn't know that the emails - or the voicemail was going to be transcribed and emailed to the guy.

Dave Bittner: Yeah.

Joe Carrigan: So -

Dave Bittner: Wow.

Joe Carrigan: Yeah.

Dave Bittner: Well, and this article kind of touches on that. It says to avoid the contact details that are in the suspicious email. Right? So, in other words, you get an email from somebody and you think it's suspicious, don't use the contact details at the bottom of that email.

Joe Carrigan: Right.

Dave Bittner: Because the phone number is probably to the scammers -

Joe Carrigan: Right.

Dave Bittner: Not the actual company.

Joe Carrigan: That's a good point, too.

Dave Bittner: Count on it. Like we always talk about, you know, look up the phone number. If you have to, go to the library and get a phone book. I hate that we have to say this because like all of - you know, so many of our - I will use air quotes, "trusted sources" aren't trusted sources anymore.

Joe Carrigan: Are gone, yeah.

Dave Bittner: Yeah. You can't count on Google to give you the right -

Joe Carrigan: No.

Dave Bittner: Information.

Joe Carrigan: Oh, what a terrible - and it's such an awful solution. You know, I was trying to get in touch with somebody recently -

Dave Bittner: Yeah.

Joe Carrigan: At one of my financial institutions.

Dave Bittner: Okay.

Joe Carrigan: So, I called customer service. And - or I googled "customer service." But I wound up, you know, skipping over whatever Google told me that may have been the right number. I didn't even look at it. I've trained myself. I went to the website and clicked on Contact Us.

Dave Bittner: Okay.

Joe Carrigan: But Google gives me a phone number right at the top.

Dave Bittner: Right.

Joe Carrigan: It might be legit, I don't know.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: Can't trust them.

Dave Bittner: No. What a world, Joe, what a world.

Joe Carrigan: It's a terrible world. The internet sucks now, Dave.

Dave Bittner: They also make the point that it's good to proactively save the phone numbers that you know are legit into your - on your mobile device or in your company directories.

Joe Carrigan: Right.

Dave Bittner: So, when - so, you're not - do this when you're not in a situation of where time matters.

Joe Carrigan: Yeah.

Dave Bittner: You know?

Joe Carrigan: And that takes a little bit of forethought and -

Dave Bittner: Right.

Joe Carrigan: And maybe a little bit of adversarial thinking on your part.

Dave Bittner: Yeah.

Joe Carrigan: Which a lot of people just don't have. Right? And, in fact, I've said many times that when I demonstrate adversarial thinking, I often offend people.

Dave Bittner: Right.

Joe Carrigan: You know, they think that you're a monster, why would you think that way. I do think that way because the bad guys think this way.

Dave Bittner: Right, right.

Joe Carrigan: But, yeah, you have to think that - you have to think about that in advance.

Dave Bittner: Yeah, yeah. They talk about following proper protocols -

Joe Carrigan: Yes.

Dave Bittner: For companies, like to have, you know, these proper processes in place -

Joe Carrigan: Yes, processes.

Dave Bittner: In your organization.

Joe Carrigan: Absolutely imperative here. It's one of the key things to protect yourself from these kind of attacks.

Dave Bittner: Right, right. To have a - just having a second set of eyes on something -

Joe Carrigan: Yep.

Dave Bittner: You know, a lot of organizations before a - you know, a check more than a certain amount of money requires two signatures and those types of things I think are excellent to have in place because the second person is likely not to have had their critical thinking shut down by some time sensitive, you know, emotional trigger that -

Joe Carrigan: Right.

Dave Bittner: The bad guys are so good at.

Joe Carrigan: Yes.

Dave Bittner: Yeah.

Joe Carrigan: Yeah, that's exactly right. They may provide a moment of clarity.

Dave Bittner: Right, right. And then they also say just avoid using email for sensitive workflows. You know, financial stuff shouldn't primarily rely on email.

Joe Carrigan: Yeah, agreed. Yeah, I mean, I've said this many times here as well, email is still terrible.

Dave Bittner: Right.

Joe Carrigan: It's just awful.

Dave Bittner: Yeah.

Joe Carrigan: All the security is bolted on after the fact. I mean, it was developed in the '60s as a way to communicate amongst academic institutions. And not a lot has changed except for the addition of these literally added on after the fact and they even rely on a different - completely different system, the domain name system -

Dave Bittner: Yeah.

Joe Carrigan: To function. So -

Dave Bittner: Yeah.

Joe Carrigan: Yeah, it's - I maintain that email is still terrible.

Dave Bittner: Yeah. And then they have just a couple tips here for leaders and folks in organizations. You know, they say foster open communications -

Joe Carrigan: Absolutely.

Dave Bittner: Have a culture of transparency and also make it a safe place where people feel like if they are worried that they did something wrong that they can tell somebody without feeling like, you know, the hammer's going to come down on them.

Joe Carrigan: Yeah. Perry Carpenter, who also has a show on this - on our network -

Dave Bittner: Right.

Joe Carrigan: "8th Layer Insights," since we're plugging shows, Dave, Perry Carpenter has a great saying about this. He says, "You are always doing something to modify your company's security culture." "You're either improving it or you're making it worse," is what he says.

Dave Bittner: That's interesting.

Joe Carrigan: That's correct.

Dave Bittner: Yeah, I like that.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, I like that. And then, just again, they say have a culture where you're openly talking about scams. So, sending this information out to your employees so that it's on their radar so that they can know what to look for and that these conversations don't have any shame. You know -

Joe Carrigan: Right.

Dave Bittner: That these can be conversations around the water cooler or, you know, these days, virtually with so many folks remote. But the more information you can share, then the better off you're going to be. So, to that point, we will have a link to this story in the show notes. But I think this is a good one to send around and it only takes a couple minutes to read through it, but it's a lot of good information in one small, concise package. So -

Joe Carrigan: It is, very nice.

Dave Bittner: A nice thing from the folks at WIRED. All right, Joe, well, before we get to your story here today, we are going to take a quick break to hear from our show sponsor. All right, we are back. Joe, what do you got for us here today?

Joe Carrigan: Dave, I wanted to talk about two scams. These are not business or professional scams, these are like interpersonal scams.

Dave Bittner: Okay.

Joe Carrigan: These are scams that you're going to get at home.

Dave Bittner: Yeah.

Joe Carrigan: And I have two of them here. One of them was sent in by a listener named Jay who says, "Hi, guys. Here's a scam that one of my family members from New Zealand sent to me."

Dave Bittner: Huh.

Joe Carrigan: And it's a posting from it looks like Facebook. Maybe some - I don't know.

Dave Bittner: Yeah.

Joe Carrigan: I don't spend a lot of time on social media, Dave, deliberately.

Dave Bittner: It does look like Facebook, yeah.

Joe Carrigan: Right. So, it's a posting in a group from a lady named Liz and it says, "Scam alert. Please let anyone with a landline know, especially older friends and family, had a call from a private number on my landline today from a young guy with a British accent claiming to be Detective Constable Rogers from the Auckland Central Police Station." So, interesting that he has a British accent and is calling you in New Zealand. Slightly different accents in England, Australia, New Zealand. They're all - and they can tell.

Dave Bittner: Yeah, but I wonder - you know, this is something I honestly don't know the answer to. I wonder do New Zealanders hold the British accent in the same type of high regard that we do here in the U.S.? I suspect probably not.

Joe Carrigan: Yeah, I don't know.

Dave Bittner: Yeah. Well, okay.

Joe Carrigan: I don't know.

Dave Bittner: Carry on.

Joe Carrigan: I can tell the difference, but I don't know that I can nail it.

Dave Bittner: Yeah.

Joe Carrigan: But I prefer the New Zealand accent. "He was advising me that they had arrested an individual in the city overnight and that he was in possession of 13 different EFTPOS cards." That's electronic funds transfer payments - point of sale cards.

Dave Bittner: Okay.

Joe Carrigan: Credit cards of some kind.

Dave Bittner: Okay.

Joe Carrigan: "One of which had my name on it. He asked me to check and make sure I still had all of my cards and none of them had been stolen. And they hadn't been. Apparently, the cards were all from around my area so he must have been targeting my area. Then he asked me," this is a scammer, "to write down his details and gave me his name and badge number, Detective Constable Rogers, BA5513. He then told me to call 111," which is like the emergency number in New Zealand I guess.

Dave Bittner: Yeah.

Joe Carrigan: "And to do a police ID check to verify that he was with the police. To do this, all I had to do was enter 111 on the phone and it would be - and it would disconnect our call and transfer me to emergency services."

Dave Bittner: Hmmm.

Joe Carrigan: "I did this and hung up when the phone started ringing on the other end. I called from my mobile instead and confirmed that it is definitely a scam. So, he called back again a couple hours later, not realizing he had already spoken with me, repeated the same script, but gave me a totally different badge number," which is great. "When I questioned him on the detail, he started to joke around and said that he'd been promoted to superintendent since we last spoke" -

Dave Bittner: Wow.

Joe Carrigan: "A couple hours ago." Fast promotion rate at that -

Dave Bittner: Yeah.

Joe Carrigan: That police department.

Dave Bittner: Quick ceremony, yeah.

Joe Carrigan: "He knew he was busted in the end of the call." Liz says she's reported this. Jay goes on to say, "The interesting part of this one is that the scammer will tell the victim they're going to transfer the call to emergency services by having them dial 111 while they're still connected."

Dave Bittner: Right.

Joe Carrigan: This won't do anything.

Dave Bittner: Right.

Joe Carrigan: Right? It's just pushing numbers on the phone.

Dave Bittner: Yeah.

Joe Carrigan: Didn't you ever annoy your friends when you were a kid by pushing numbers on the phone?

Dave Bittner: All the time.

Joe Carrigan: Yeah, me, too. You'd try to come up with music to play.

Dave Bittner: Yeah, play songs, whatever.

Joe Carrigan: Right.

Dave Bittner: Yeah, yeah.

Joe Carrigan: It was very loud and very annoying.

Dave Bittner: Yeah.

Joe Carrigan: But then what would happen is they would just play the - play a ringing sound and then somebody else would answer the phone or maybe it was even the same guy with a different - you know, change his voice up a little bit.

Dave Bittner: Yeah.

Joe Carrigan: And he would confirm the badge number and that would lend authenticity to the call.

Dave Bittner: Hmm.

Joe Carrigan: So, that's not how any of this works. Right?

Dave Bittner: Right.

Joe Carrigan: When you get one of these calls in, you know, call your bank on the known good number on the back of the credit card and if you think your card has been stolen, cancel it.

Dave Bittner: Yeah.

Joe Carrigan: Next - the next one comes from Allison Gormly, who is a consumer reporter - or consumer writer - reporter rather at WTHR in Indianapolis.

Dave Bittner: Okay.

Joe Carrigan: And my daughter sent me an Instagram post and we'll put a link to it in the show notes. She has a ton of videos on the Gram that start with "Hey, Allison" where somebody - the person with the phone filming her is asking her questions.

Dave Bittner: Okay.

Joe Carrigan: And this one starts with somebody saying, "Hey, Allison, a stranger sent me money on Venmo. Should I send it back?" Have you heard about this?

Dave Bittner: Hmmm.

Joe Carrigan: This is the accidental payment scam.

Dave Bittner: Okay.

Joe Carrigan: So, here's -

Dave Bittner: Yes, yes, I have heard of this.

Joe Carrigan: Here's what happens. Somebody sends you $200 on Venmo -

Dave Bittner: Uh-huh.

Joe Carrigan: And you get an alert that says somebody you don't know has charge - has sent you $200. Immediately you get a message that requests $200 in payment from you. And they send a message that says, "I am so sorry. I sent that to the wrong ID. Can you please send my money back?"

Dave Bittner: Hmm.

Joe Carrigan: Okay? So, if you send your money back, you think everything's fine. But really the initial transfer was done with a stolen credit card that gets challenged and they won't pay it.

Dave Bittner: Ohhh.

Joe Carrigan: So, you are now stuck with a $200 debit, essentially. You just gave somebody $200.

Dave Bittner: Right. So, when the credit card is challenged and that money - that initial payment gets backed out of your Venmo account -

Joe Carrigan: Right.

Dave Bittner: Because it was fraudulent -

Joe Carrigan: Right.

Dave Bittner: But there's a time delay there and so you're out -

Joe Carrigan: Yes.

Dave Bittner: The money.

Joe Carrigan: It's very similar to the floating check scam, but using Venmo.

Dave Bittner: Okay. Wow.

Joe Carrigan: So, the problem is that Venmo views these as two completely atomic transactions. They are not related at all.

Dave Bittner: I see.

Joe Carrigan: In your head, they are absolutely related. In the system, they are not.

Dave Bittner: And Venmo probably says to you, "Well, you sent the money."

Joe Carrigan: Right.

Dave Bittner: "You pressed the button."

Joe Carrigan: Exactly. Venmo -

Dave Bittner: "We didn't have anything to do with it. You weren't scammed. You did it under your own will."

Joe Carrigan: Yep.

Dave Bittner: I mean, you were scammed, but it's not like somebody broke into your device and made this happen. You manually -

Joe Carrigan: Sent somebody $200.

Dave Bittner: Triggered - yeah. Triggered the -

Joe Carrigan: You committed the -

Dave Bittner: Yeah.

Joe Carrigan: Transaction.

Dave Bittner: Interesting.

Joe Carrigan: Right. So, Venmo has a statement out that says, "Venmo is only a system that should be used among people who know and trust each other."

Dave Bittner: Mhm.

Joe Carrigan: Okay? It's like waving cash around essentially.

Dave Bittner: Right.

Joe Carrigan: So, you know, walking around with Venmo in your pocket. I have Venmo, I use it a little bit. You know, I kind of like the convenience of it.

Dave Bittner: Yeah.

Joe Carrigan: But I'm really starting to not like the convenience of it with the way -

Dave Bittner: Yeah.

Joe Carrigan: They just don't stand behind their customers. But it's not a payment card, it's just - it's a quick transfer application.

Dave Bittner: Yeah. The other thing that I find odd about Venmo, and I would say in our household my wife pretty much handles the Venmo transfers and things -

Joe Carrigan: Right.

Dave Bittner: You know, like if I need to send somebody something with Venmo, I call my wife and I say, "Honey, will you please send such and such" and she takes care of it. And it all works out better that way.

Joe Carrigan: Right.

Dave Bittner: But one of the things she's pointed out to me is that I guess when you spin up a Venmo account, it defaults to making all of your transactions public.

Joe Carrigan: It does.

Dave Bittner: Which is bonkers to me.

Joe Carrigan: That - isn't that nuts?

Dave Bittner: It's nuts.

Joe Carrigan: I knew that when I opened my Venmo account and the very first thing I did was set all my transactions to private.

Dave Bittner: Yeah.

Joe Carrigan: And I'm seeing - on all the people I've interacted with, I can see their like - it's like a social media app.

Dave Bittner: Right, right.

Joe Carrigan: "So and so sent this money." I can see -

Dave Bittner: Just like -

Joe Carrigan: I can see every payment -

Dave Bittner: Yeah.

Joe Carrigan: Somebody makes to my daughter for lunch -

Dave Bittner: Right.

Joe Carrigan: When she buys lunch. It's like, "Hey, Dave, it looks like our county council person paid off - paid their dog walker." You know?

Dave Bittner: Right.

Joe Carrigan: What? How could this be the default?

Dave Bittner: Right.

Joe Carrigan: It makes no sense.

Dave Bittner: Why would you -

Joe Carrigan: Terrible.

Dave Bittner: Think this would be something that you would want to share publicly?

Joe Carrigan: I have no idea.

Dave Bittner: No.

Joe Carrigan: What about the case where you look down there and you see, oh, this person's buying drugs. It just has like five marijuana leaves in the - and you're like, "Uh-oh."

Dave Bittner: Right. Yeah, I mean, it makes no sense to me. So, to our listeners -

Joe Carrigan: Yeah.

Dave Bittner: Be careful. Check your Venmo.

Joe Carrigan: Absolutely.

Dave Bittner: Make sure your postings aren't public because, you know, clearly, a lot of people are unaware that their postings are public -

Joe Carrigan: Right.

Dave Bittner: And prefer they not be.

Joe Carrigan: Right.

Dave Bittner: So. All right, interesting stuff. So, as always, we will have links to those in the show notes. And, of course, we would like to hear from you. If there's something you'd like us to consider for our show, you can email us. It's hackinghumans@n2k.com. All right, Joe, it is time to move on to our Catch of the Day. [SOUNDBITE OF REELING IN FISHING LINE]

Joe Carrigan: Dave, our Catch of the Day comes from Cameron, who writes, "I wanted to start out by saying how much I love the show and appreciate the valuable information you provide each week."

Dave Bittner: Thank you, Cameron.

Joe Carrigan: Yeah, yeah.

Dave Bittner: Can I say Cam is the man?

Joe Carrigan: Cam the man.

Dave Bittner: Cam the man.

Joe Carrigan: "As a business owner with a public-facing email address, I get my fair share of scam emails. But this one made me chuckle. I am based in Australia." Here we are again with those -

Dave Bittner: Yeah.

Joe Carrigan: That collection of accents.

Dave Bittner: We are spending our show down under today.

Joe Carrigan: That's right. "So, the idea of the EuroMillions office randomly wanting to send me money by replying to a Gmail address while the original email was sent from a Wisconsin-based health provider struck me as somewhat odd." Somewhat odd, Cameron?

Dave Bittner: You know, he's - you know, he's - being understated.

Joe Carrigan: Right.

Dave Bittner: It's the - it's that rapier-like wit from, you know, south of the equator.

Joe Carrigan: That's right. It's - there's a screenshot here, Dave -

Dave Bittner: Okay.

Joe Carrigan: That's from EuroMillions. Now, remember what we say about lottery scams, Dave.

Dave Bittner: Yeah, they are - what, what do we say?

Joe Carrigan: You've got to play to win.

Dave Bittner: Oh, that's right.

Joe Carrigan: It's the old Maryland lottery slogan.

Dave Bittner: That's true. You've got to play to win. I was going to say that lotteries are attacks on people who don't understand math.

Joe Carrigan: Well, yeah, the lottery -

Dave Bittner: But -

Joe Carrigan: Itself is already a scam. Right? You're right.

Dave Bittner: Okay.

Joe Carrigan: A hundred percent correct.

Dave Bittner: All right, it goes like this. "Congratulations, winner. EuroMillions and partners did a random selection through email selection globally to help many out of the intense global economic recession. You are one of the lucky winners of the EuroMillions' promotion held on 26/05/2024. Your email address picked the ticket reference which attracted the winning prize of 1,111,176 British pounds."

Joe Carrigan: That's a lot of ones, Dave.

Dave Bittner: That's a lot of ones. "Reply back with the winning ref attached to your email and your full details for instructions on how to claim your winning amount. The tickets were jointly purchased by NGOs and this winning information will be valid for only seven working days from the date of this notice."

Joe Carrigan: There's the artificial time horizon.

Dave Bittner: "Send your full names, address and phone number through this email, alfredolapaz@outlook.com, for the immediate processing of your winning amount. Alfredo de la Paz, Promotion Director." Okay.

Joe Carrigan: Alfredo has an outlook.com address.

Dave Bittner: Sure.

Joe Carrigan: Not a EuroMillions - I don't even know if that's the lottery in Europe.

Dave Bittner: Yeah.

Joe Carrigan: I love how it says that you have - you've won a million dollars, but then when you see that - or pounds I guess, but when you see the number of pounds, it's a billion in -

Dave Bittner: Oh, yeah, you're right.

Joe Carrigan: In the -

Dave Bittner: Oh, you know - well, that's - yeah, I guess that's right. I was a little confused because sometimes in the UK, you know, they use -

Joe Carrigan: They use decimals -

Dave Bittner: Commas -

Joe Carrigan: Instead of commas for periods.

Dave Bittner: Or - yeah, or something like -

Joe Carrigan: But -

Dave Bittner: That. Yeah.

Joe Carrigan: And, by periods, I mean the groups of three numbers. That's what those are called -

Dave Bittner: Correct.

Joe Carrigan: Periods. I actually know the names of these things.

Dave Bittner: Yeah, they group them together differently than we do, which causes confusion for us.

Joe Carrigan: Yes.

Dave Bittner: So.

Joe Carrigan: Dave, if I could talk about knowing the names of things -

Dave Bittner: Yeah.

Joe Carrigan: Do you know what those little crosses in your window are called? If you have the little crosses that look like fake panes.

Dave Bittner: Munions?

Joe Carrigan: Muntins.

Dave Bittner: Muntins.

Joe Carrigan: Right.

Dave Bittner: I was close.

Joe Carrigan: You were close.

Dave Bittner: Okay. All right. Well, today's Vocabulary Corner is brought to you by our good friends. I didn't know before.

Joe Carrigan: I just bring it up because my son-in-law was surprised I knew the name.

Dave Bittner: Ah, okay. All right. You must be fun at trivia night.

Joe Carrigan: Yeah. I like to think I'm fun at trivia night.

Dave Bittner: You'd be a good team member on a trivia team. You know, there's a lot of things you know. Yeah. All right. Well, again -

Joe Carrigan: It's all worthless information.

Dave Bittner: Well, but not on trivia night.

Joe Carrigan: Right. That's where -

Dave Bittner: At last.

Joe Carrigan: My payoff.

Dave Bittner: Right, exactly. All that knowledge finally pays off -

Joe Carrigan: Right.

Dave Bittner: On trivia night. All right. Well, thank you for sending this in. And, again, we would love to hear from you. Our email address is hackinghumans@n2k.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.