Hacking Humans 12.5.24
Ep 316 | 12.5.24

Fraud's festive frenzy.

Transcript

Dave Bittner: Hello everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me are my co-hosts, Joe Carrigan. Hey, Joe.

 

Joe Carrigan: Hi, Dave.

 

Dave Bittner: And our N2K colleague and host of the "T-minus Space Daily" podcast, Maria Varmazis. Hello, Maria.

 

Maria Varmazis: Hi, Dave and hi, Joe.

 

Joe Carrigan: Hi, Maria.

 

Dave Bittner: We've got some good stories to share this week, and we'll be right back after this message from our show sponsor. [ Music ] All right. Before we dig into our stories this week, we have a couple of bits of follow-up here. What do we got here, Joe?

 

Joe Carrigan: Right. Well, first we got Will, who writes in to tell us that he apologizes for being a little late on this, but he's going through some old episodes and in -- in short, he works for a bank. And FinCEN is the Financial Crimes Enforcement Network. He wanted to tell us about how we were -- how they're clawing money back on --

 

Dave Bittner: Oh, okay.

 

Joe Carrigan: -- on these events. It was set up during the Patriot Act to cover how to get -- cover ways to get money back from fraud or from terrorism. And the problem with --

 

Maria Varmazis: Is it post 9/11? Yes.

 

Joe Carrigan: Right. Yes, with FinCEN is that it's voluntary. So, banks have to volunteer to join. He says they have a recent incident at their bank that said they attempted to notify the other bank who, I don't know if I should even name who this is, but it's a bank you've heard of. And he said basically, they ignored us. They said that they were waiting for the owner of the account to approve returning the money, which of course will not happen. So, the customer was out the cash. So, there are some big --

 

Maria Varmazis: Geez.

 

Joe Carrigan: -- banks out there, very big banks. I'm going to not even say my opinions, but he also wants us to keep the great work on the show. But they're not participating in this. They're not participating in this FinCEN.

 

Maria Varmazis: Yes. It being voluntary is -- there's the problem right there.

 

Joe Carrigan: Yes. I think you're right.

 

Maria Varmazis: Geez.

 

Dave Bittner: Right. Right. All right, interesting. What else do we have here, Joe? You got another one?

 

Joe Carrigan: We have an anonymous listener who wrote in and was talking about the DocuSign API. Remember we were talking about people using, you know, cyber -- cyber criminals using DocuSign to trick people into opening things and clicking on things and paying them or giving them information. Well, it's -- this is an illegitimate use of a legitimate tool, the -- the API. So, he -- he writes in, and he says, "I love the show and -- and how it provides awareness and education about social engineering. I hope this e-mail may contribute. In my role, I've looked at a lot of these DocuSign API emails and wanted to share some indicators of attack that I see frequently. A DocuSign e-mail that was sent via the DocuSign API will show that it was sent via the DocuSign API by having 'XAPI Host Field' in the header and a DocuSign host name as the value." Okay, so you immediately know that's how you can scan for a DocuSign e-mail.

 

Dave Bittner: That's how you can scan for a DocuSign e-mail.

 

Maria Varmazis: I personally will not be doing that, but yes, okay.

 

Joe Carrigan: No, of course. If you're -- let's say you're an e-mail system administrator.

 

Dave Bittner: Right. Right.

 

Maria Varmazis: Yes, yes.

 

Dave Bittner: Right.

 

Joe Carrigan: He says --

 

Maria Varmazis: That's how one can do that. Yes.

 

Dave Bittner: That's right.

 

Joe Carrigan: The Reply To field for these phishing emails, all the ones that -- that our listener has seen, all have some free e-mail account, like a Gmail or a -- an outlook.com or mail.com, or the field can be blank.

 

Dave Bittner: Oh.

 

Joe Carrigan: Right. So, there's -- there's nothing.

 

Maria Varmazis: Okay.

 

Joe Carrigan: Interestingly, he says the To field sometimes is sent to a similar domain, not the recipient's domain, but the recipient is blind carbon copied. So, I think they do that so they can shove like 100 e-mail addresses into the BCC field and send it all out with one click.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Right.

 

Dave Bittner: That makes sense.

 

Maria Varmazis: That makes sense. Yes.

 

Joe Carrigan: Scammers are lazy, just like the rest of us, right? So, he says creating two e-mail rules on these emails -- on these fields will quarantine them. First, check the API host field with DocuSign that -- with a DocuSign value and the Reply To with any of the free domains, right? So, if you see one of these DocuSign emails come in and it's got a reply to a Gmail, just put it in quarantine. Don't even send it out.

 

Maria Varmazis: Yes, yes. Yes.

 

Joe Carrigan: And the same, check -- check the same -- the same -- the Reply To field for not having an at symbol, which means it doesn't have an e-mail address. It's a really simple way to check for an e-mail address. You don't have to write a big regular expression. Just say, "Does it have an at? Then it's not valid if it doesn't."

 

Dave Bittner: I see. Okay.

 

Joe Carrigan: Because if it's blank, that's what it is.

 

Dave Bittner: Right.

 

Joe Carrigan: He said he hopes that this information is not too technical, but useful to somebody. So, thank you, A Noni Mouse [phonetic].

 

Dave Bittner: I think it'll be helpful to the technical.

 

Joe Carrigan: Yes.

 

Maria Varmazis: Yes.

 

Joe Carrigan: I would agree.

 

Dave Bittner: All right. We appreciate you sending that information in. Good stuff. And of course, we'd love to hear from you. If you have something you'd like to share with us, you can e-mail us. It's hackinghumans@n2k.com. All right, let's jump into our stories here. And Maria, you have the honors here. You want to start things off for us?

 

Maria Varmazis: Yes, it's the holiday season. Well, it was inevitable.

 

Dave Bittner: Right.

 

Maria Varmazis: Yes, now -- now that song's in your head.

 

Joe Carrigan: It won't go away.

 

Maria Varmazis: And you're very welcome. I'm going to get hate mail for that.

 

Joe Carrigan: Maria's coming down the chimney tonight.

 

Maria Varmazis: Keep going, Joe. Keep going. I -- I think for my story, I kind of wanted to do the -- the obligatory PSA for the holiday season, especially since we are in the thick of Black Friday sales, which is no longer a one-day thing. It's now basically all of November until December at this point.

 

Dave Bittner: Yes.

 

Maria Varmazis: They've just given up on it being a day. It's -- there's no Cyber Monday, either. That's just -- it's gone. And there was a report out in the Guardian featuring an interview with the UK's cybersecurity chief saying, "Black Friday should now be called," and I love this, "Black Fraud Day."

 

Dave Bittner: Nice. Nice.

 

Joe Carrigan: Good one.

 

Dave Bittner: Yes, I love it.

 

Maria Varmazis: I've got to give it to him.

 

Dave Bittner: Yes.

 

Maria Varmazis: So, there are a number of -- of data points that the UK Cyber Bureau kind of pulled together thanks to Action Fraud, which is Britain's scam reporting center. And they said on average, people who are reporting online scams that they've fallen victim to, they're -- especially around this time of year, they're losing about £700 on average. And that's not weight. That's around $800, when we convert it.

 

Dave Bittner: I was going to say, "What's that in real money?"

 

Joe Carrigan: Yes. Do they have a scam where I can lose 50 pounds? Like, in a month?

 

Maria Varmazis: I would -- it's called Ozempic.

 

Dave Bittner: Yes. That's right.

 

Maria Varmazis: And it's -- it's sort of, I was looking through some of these data points and it's one of those things that -- where it just feels right to me given -- I don't know about you two, but the flood of emails I'm getting this time of year, I'm at probably quadruple the normal amount of marketing emails I normally get, which is already too high.

 

Dave Bittner: Yes.

 

Maria Varmazis: But it's I -- I just get so many and it's very easy to feel a bit overwhelmed by it. I don't know about you two, but --.

 

Joe Carrigan: Yes, absolutely.

 

Maria Varmazis: Yes. And I'm, I have sort of opted out of doing the obligatory social ties of buying gifts for people. I -- I managed to do that many years ago, but I know a lot of people do that part of -- of maintaining social ties. It's a good thing, network maintenance in the meatware way. So, if you're -- you're doing that, you're usually buying a lot of gifts for people and things are coming and going and it's honestly, even in normal times, it can be really easy to forget what you've ordered and what's coming to your house, if you're ordering large volumes of things. I don't know. I've sometimes -- it's like if something arrives at my house and I'm going, "I don't remember ordering that."

 

Dave Bittner: Yes.

 

Maria Varmazis: Yes, it's been a while.

 

Dave Bittner: Yes.

 

Maria Varmazis: And that -- there's actually some data to back that up also from -- from Action Fraud. They found that there is a -- been a -- a large uptick in social media related scams. Forty-three percent of the scams that they've had reported to them are social media related. And many of them involve people paying for items that they see advertised on social media that literally never arrive. So, especially if you're ordering a lot of stuff this time of year, you might just completely forget that something was supposed to come to your house. And I think some scammers are really banking on that, things getting lost in the shuffle. And another data point I thought was very, very salient was the people who are reporting scams. The largest proportion of people reporting to Action Fraud are aged 30 to 39. And the average age of victims is 42 years old. So, to me, that completely turns on its head a lot of these stereotypes people have about who tends to get scammed. And it speaks a lot to who's doing a lot of the shopping this time of year and what age they are. It's probably a busy parent or -- or, you know, a sandwich generation person who's got grandparents or elderly parents on one end, and then maybe cats, dogs and children on the other to shop for. And there's just a lot of money coming and going. Another thing that this report mentioned is, as we've talked about many times on this show, generative AI is making everything a lot worse. And a lot of the people that Action Fraud has talked to, people feel very confident in their ability to spot a scam, whether or not generative AI is involved. And I think there was a McAfee survey that they -- they said 59% of people said they feel confident that they can identify deep fakes or AI generated content, which is red alert.

 

Joe Carrigan: Yes, well --.

 

Maria Varmazis: We are all very overconfident on that.

 

Joe Carrigan: Yes. And my story's going to touch on -- well, not touch on this, be about this as well. But it's I think -- I think that's remarkable that 59% of respondents say they feel confident in this. That's -- that's high, I think.

 

Maria Varmazis: Too high.

 

Joe Carrigan: Yes.

 

Maria Varmazis: That's very, very high. Yes, every time I've taken one of those, "Can you tell if this picture is AI or real?" I -- I do miserably.

 

Joe Carrigan: Yes.

 

Maria Varmazis: So, it's very humbling. I really recommend doing it. Yes, it's -- it's not the extra fingers or feet for hands thing anymore. It's way more sophisticated than that. So, I -- I just sort of wanted to put a PSA to our listeners about all of this, all these data points, because if you're listening to this show, chances are you're very, very aware, well, I would hope so, of -- of these kinds of scams and fraud. But I'm -- I'm very curious how much we think the regular person knows and how much has -- has percolated to the general world, because we've talked a lot about on the show about how generative AI has made scams really easy to, you know, pass the sniff test. But a lot of people still are looking for the very obvious signs that aren't necessarily going to be presenting anymore. So, you know, the really -- the -- the -- the hilarious emails with the -- laden with typos or the really --

 

Joe Carrigan: Right.

 

Maria Varmazis: -- obvious looking fraud website. Those are the easy ones. It's -- the -- the -- the ones that are harder to spot, I don't know if people know to even look for those. So, tell your friends. Tell your family.

 

Joe Carrigan: Right.

 

Dave Bittner: There's an element of this that I don't -- there's a reality to this that in my life that I'm -- that I'm not proud of, but it is the reality. And that is that when the holidays come around and it's time to start buying gifts, my wife and I just go to Amazon, right? Like, we just go to Amazon because everything's there. It's easy. It comes to us. We can ask family members to make a request on Amazon. We can, you know, generally when you order from Amazon, you're going to get the thing you ordered. Yes, I, you know, I do know there are --

 

Maria Varmazis: Some exceptions. Yes.

 

Dave Bittner: Some except -- yes, and there are -- there are counterfeit items and things like that. But it just makes it easy. And there's a part of me that likes that because there's less a chance of being scammed. But on the other hand, it means I'm not shopping at that Main Street, you know, person who has the brick and mortar store because it's so easy --

 

Maria Varmazis: Small Business Saturday.

 

Dave Bittner: -- to use Amazon. Yes.

 

Maria Varmazis: Yes, yes. And I think to the social media scams point, many people and I'm just going to say it, a lot of women who are doing a lot of the shopping, and I include myself on this. You see an ad on Instagram, or a social media platform of choice and you feel that sense of, "This must be okay because it's the proximity to my friends that I trust." And it's, you know, it sort of lulls you into that sense of false security. And so, you're just -- it's very easy how these social media platforms have made it seamless to check out and shop while you're still on the platform. Like, Instagram has these integrated shops now. It's -- you don't even have to leave the app anymore to do your shopping. And yes, it's -- it encourages you to shop at smaller boutiques. But yes, you may not actually get the thing you ordered and it's very easy to forget that you ordered it. So, yes.

 

Dave Bittner: Yes.

 

Joe Carrigan: Right.

 

Dave Bittner: Yes.

 

Joe Carrigan: Yes, I have never shopped on a social media platform. Like, I've never bought anything from a vendor on there. I've gone and purchased like things off Facebook Marketplace, but every time I do, it's, "I'm going to go and meet you somewhere and give you cash for the product." You know, and that's how that's going to work. And if that's not how it's going to work for you, then guess what? We're not doing business. Thank you.

 

Dave Bittner: Yes. I can think of one or two times where I purchased something that I first saw on Facebook, but I did not buy it through Facebook, through the Facebook interface. I went to the company's actual website or I -- I -- I'm just -- I don't trust Facebook at all for anything, you know? Like, I don't want to -- it's not a platform I want to transact through.

 

Joe Carrigan: Yes. It's not -- you don't want to reward them for their terrible corporate citizenship.

 

Dave Bittner: Right.

 

Joe Carrigan: Yes --

 

Dave Bittner: Right.

 

Joe Carrigan: -- by giving them -- by enabling them to profit from your business -- your purchases. Yes, I feel the same way.

 

Maria Varmazis: Yes.

 

Dave Bittner: All right. Interesting.

 

Joe Carrigan: I don't mean to judge, Maria. I'm not saying --.

 

Maria Varmazis: I'm just sort of like, "Well, that's nice."

 

Dave Bittner: Right.

 

Maria Varmazis: There are a lot of people -- I mean -- I -- I want to say I actually do a lot of my shopping through Instagram, which I'm not proud to admit that, but it is my reality. I know I'm not alone.

 

Joe Carrigan: That's okay. I'm not --

 

Maria Varmazis: So --.

 

Joe Carrigan: -- I'm not judging you.

 

Dave Bittner: Well, have you ever been scammed?

 

Maria Varmazis: You totally judged me and I'm feeling it right now.

 

Joe Carrigan: Sorry. Don't feel bad.

 

Maria Varmazis: It's okay. I accept your judgment. It's all right.

 

Dave Bittner: Have you ever been scammed, Maria?

 

Maria Varmazis: Oh, I'm sure I have. I -- I've probably been scammed and didn't even know I'd been scammed.

 

Joe Carrigan: That's the perfect crime.

 

Maria Varmazis: Yes. Yes. I -- I -- it would be the height of arrogance for me to think that I haven't been scammed. Nothing comes to mind recently. I tend to be really, really diligent about keeping track of things that I've purchased. But again, I -- I -- I realize I'm a bit of a corner case because I don't have like a huge family that I'm shopping for, and my family is very non-materialistic for the most part. So, we don't do that kind of thing. But I again, that's just not the reality of most of my friends. So, they're, you know, inundated and -- and some of them are -- it's all year round. They're always trying to figure out what to get for this cousin or that person or this nephew. So, it's -- it's a lot of work.

 

Joe Carrigan: We don't -- we don't do that in my family either, anymore. We -- we all agreed, you know, like my brother, my sister, my mom, dad, no more presents. That's it. And that was years ago that we did that. So --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- you know, like we don't -- I don't like, not even for the kids. But all the -- the kids are all adults now. That's really the thing.

 

Dave Bittner: Yes.

 

Maria Varmazis: That makes it easier.

 

Joe Carrigan: Yes.

 

Dave Bittner: Yes.

 

Joe Carrigan: So, I hope you enjoyed all the presents I got you, nieces and nephews, but there will be none -- no more of that.

 

Dave Bittner: The Joe gravy train has left the station.

 

Maria Varmazis: What's the cut off?

 

Dave Bittner: It's not coming back.

 

Maria Varmazis: Is it age 18, college graduation? I'm very curious what your cut off is for adulthood.

 

Joe Carrigan: We just kind of decided one day, all the kids were adults and that was it. And you know, there --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- I mean, I guess there are still two, you know, there are still two young nephews that we buy presents for, but it's not -- not like super, big presents.

 

Dave Bittner: The moment for us was a couple of years ago when the youngest, my youngest Jack, who's now -- who's about to turn 18, he -- I say a couple of years ago, we decided that there was no reason to get up at the crack of dawn to run downstairs and see what Santa left under the tree.

 

Maria Varmazis: Cover your ears, children.

 

Dave Bittner: Yes, so, well, so we've all decided to sleep in. So, instead of -- instead of like at 8 AM start, it's now like a 10 AM start. So --

 

Maria Varmazis: Eight AM?

 

Dave Bittner: Yes.

 

Joe Carrigan: My kids would wake me up at 6 o'clock.

 

Dave Bittner: Yes, well --

 

Joe Carrigan: And that's because I said, "You can't wake me up before 6 o'clock."

 

Dave Bittner: Well, then we -- we did the same thing, except it was 8 AM, so. So, now people come down and they get their coffee, and they get their danishes and doughnuts and bagels and whatever they want. And it's just more of a, "Oh, should we go in the living room and start opening gifts?" "Oh, sure, why not?" You know? But it also makes it easier because we have family who comes to the house and, you know, just shifting it all a little later made it all easier. But it was the result of people aging out of that -- that childhood joy of, you know, going down to get your presents. All right, well, we will have a link to your story in the Show Notes here, Maria. Joe, you're up next. What do you got for us?

 

Joe Carrigan: I've got two stories. I was going to do this story last week, but the story about the bear was too good, so we -- we couldn't.

 

Dave Bittner: I'm still laughing.

 

Maria Varmazis: Nobody can [inaudible 00:17:37] that.

 

Joe Carrigan: Right. So, the US Trustee Program is part of the US Bankruptcy Court, and they are warning people of bankruptcy fraud alerts. There it's -- it's -- it's -- it's a scam about fake fraud. So, here's what happens. If you -- let's say you are in the -- in the throes of bankruptcy. When you -- when you go to bankruptcy and you file for bankruptcy protection, you are given a trustee of somebody who is going to help you go through this process and what they're doing here is they're -- they're saying -- these scammers are saying, "We're from the Bankruptcy Fraud Watchdog Group," and they've -- they're sending out information accusing debtors of failing to disclose assets in their bankruptcy case. So, when you go to bankruptcy, you have to disclose all your assets. Not disclosing assets is criminal. But these guys are saying, "We can -- we can waive any penalties for a one-time fee of $450 in Bitcoin or paid via QR code for -- avoid further legal consequences."

 

Dave Bittner: I see.

 

Joe Carrigan: The actual watchdog group in the bankruptcy system is saying, "No, don't fall for this. This is not how this works. This is not what we do."

 

Dave Bittner: Right.

 

Joe Carrigan: "We do not accept payment in Bitcoin and we will not let you -- if you -- if you try to defraud your creditors by hiding assets, we will not waive any penalties by assessing you a $450 fee."

 

Dave Bittner: Right.

 

Joe Carrigan: I think it's actually pretty severe.

 

Dave Bittner: Are there any federal agencies that -- that actually legitimately take Bitcoin? Like, can you pay your taxes with Bitcoin yet?

 

Joe Carrigan: I don't think so.

 

Dave Bittner: I don't think there are.

 

Maria Varmazis: Not yet. Just wait. Just you wait.

 

Dave Bittner: Oh, that's true. That's true. Yes. That's right.

 

Joe Carrigan: You must pay it in DOGE.

 

Dave Bittner: Okay. You're right. I spoke too soon.

 

Joe Carrigan: Right. Speaking of DOGE and we're all alluding at this at Elon Musk, my next story is actually from CBS Texas is where it is. CBS News, Texas. This is written by Brian New, Lexi Salazar, Mike Lozano and Scott Fralicks. So, that's four people working on this story. I got to question what's going on over there when you got four people working on a story this -- this short, but it's -- there is a woman named Heidi Swan and she saw an ad on Facebook and then again on TikTok, talk of -- it was a deep fake of Elon Musk talking about cryptocurrency and she invested in this scam ad $10,000. And of course, now it's gone, which is unfortunate. But, I mean, we all -- we all know that how this -- how these scams work is, you know, they -- they run these ads and Facebook and TikTok don't do anything to stop the ads from running there because they -- they've got a vested interest in keeping these ads on the platform because they're getting paid for it. You know? So, what if somebody gets scammed out of $10,000? That's okay with them. They weren't scammed out of $10,000. But Swan, who is Miss Swan, who is bold enough to come forward on this and -- and I'm always grateful when -- when people who have been scammed come forward on this and go, "Look, here's what happened to me," because I think that takes courage and I think it takes a -- a -- an amount of bravery that is not common. So I -- I -- and I don't -- and that's why when -- when we hear about this, I don't try to blame the victim here. But she is looking at these videos and she goes, "These videos are still convincing," even though she knows it's a scam and she knows the video is fake, it's still convincing. So, according to Deloitte, this article states that the AI generated content contributed to more than $12 billion in fraud last -- losses last year. Billion with a B. That's how much is -- is people are getting hurt in this. And Deloitte is saying this could go up to 40 billion by 2027. Any bets on how soon we get to 40 billion, because I'm betting it's a lot faster than 2027?

 

Dave Bittner: Yes, and you know, it's just hard to measure these things.

 

Joe Carrigan: It is also hard to measure these things. The problem is that these -- these AI -- these AI -- these AI generated deep fakes are getting harder and harder to spot. You know? You remember when they first came up with the things that were like deep fakes, like face swapping?

 

Dave Bittner: Right.

 

Joe Carrigan: You'd see people's faces like, literally moving around in the video.

 

Dave Bittner: Right.

 

Joe Carrigan: That -- that does not happen anymore.

 

Dave Bittner: Right.

 

Joe Carrigan: They had another -- another bug where they -- people who were being faked wouldn't blink. Now they have blinking. You know, all these things are -- are just improvements that have happened over the past four years in this field. And remember, a deep fake does not need to be perfect. It just needs to be good enough to fool somebody into coughing up some money. So, CBS News, the Texas I-Team, they put five websites and they -- this is an admittedly a -- an unscientific test. They took six deep fake videos, and they tested five sites. One called Deepware, one called Attestiv or maybe that's Attestiv. I don't know. DeepFake-O-Meter. That's my favorite name because it's really easy to remember. Sensity and Deepfake Detector. Deepfake Detector's a good name, but I -- I'm still saying DeepFake-O-Meter is my favorite. In -- in total, these tools, all five of them combined, only recognized 75% of the videos as fake. I think it was in fact it was Sensity -- S-E-N-S-I-T-Y that actually measured all six of the videos as fake. It was the only one that caught all six of them. So, you -- here's the thing. We can't as Internet users, right, go around and say, "I wonder if this is real," and then dump a video that we -- that we've seen into six different engines that will tell us whether or not it's real or fake. You know, I barely have time to do that when -- when somebody with a suspicious looking LinkedIn photo connects with me on LinkedIn. But I -- I still do it, Dave, because I'm very interested in how it works. But you know, it's -- it's -- the problem is that these things are getting so good. This is what Maria was talking about. They -- they do say watch for the lip sync being a little bit off, but I can even see lip syncing being a little bit off just being because the audio is out of time with the video.

 

Dave Bittner: Oh yes, that happens on live TV. I mean --

 

Joe Carrigan: Right.

 

Dave Bittner: -- broadcast television has occasional lip sync issues. That's -- that's just a digital issue.

 

Joe Carrigan: If you lose lip sync, I -- I can tell that it's out of sync, but I can't tell if what the -- the way the person is moving their mouth is in line with the audio I should be hearing at a different time. It's totally gone for me. Any recognition of what they said is gone. So, and I'm not saying I'm a lip reader or anything, but I mean if -- if -- what I'm saying is it's entirely plausible for me to be listening to audio that's different from the way the mouth is moving and me just to say, "This audio is out of sync with the video." And that would be a plausible way for me to believe that or -- or for -- for me to fall for this kind of thing.

 

Dave Bittner: Okay. So, you -- when you were a kid, you didn't notice that the Godzilla movies were dubbed?

 

Joe Carrigan: No, no, I did. I did. But I couldn't tell that the people were, you know -- it didn't look to me like the people were speaking Japanese. It just looked like they were, you know, maybe they were speaking English, but it was just out of sync.

 

Dave Bittner: Right.

 

Joe Carrigan: Right?

 

Dave Bittner: Right.

 

Joe Carrigan: No, I could -- you can tell. You can tell that things don't add up, but what I'm saying is, you know, if you watch a video that's out of sync and somebody says, "Hello, Dave," and you see their mouth make them move, "Hello, Dave," there's no -- there's no -- there's no join on that data for me --

 

Dave Bittner: Okay.

 

Joe Carrigan: -- is what I'm saying.

 

Dave Bittner: Yes. Yes. I see it, but you know, I -- this used to be my world, so like --

 

Joe Carrigan: Right. I'm sure. You've done a lot of video editing.

 

Dave Bittner: Right. Right.

 

Joe Carrigan: Not me. I've done a lot of video watching.

 

Dave Bittner: It was important. Yes.

 

Joe Carrigan: Right.

 

Dave Bittner: Interesting.

 

Joe Carrigan: But I can tell when it's out of sync and the -- the least bit of out of sync really does irritate me --

 

Dave Bittner: Yes.

 

Joe Carrigan: -- which is kind of, I guess, my defense on this because --

 

Maria Varmazis: I'm guessing you don't play a lot of video games then.

 

Joe Carrigan: I do. And their lip movements are just awful.

 

Maria Varmazis: Yes, lip flap, mouth flap is just endemic to video games. It's --

 

Joe Carrigan: Yes.

 

Maria Varmazis: -- it's comical how bad it is sometimes. So, I was going to say I'm probably completely desensitized to it at this point because nothing ever matches.

 

Joe Carrigan: Right.

 

Dave Bittner: I -- I saw a thing just this past week, talking about the -- the detection software. I saw a thing where somebody put something into ChatGPT and they said, you know, "Create an image of a slice of pizza," and ChatGPT generates a delicious, you know, hot, steaming, wonderful looking slice of pizza. So, the person then downloads that image, and in the same interface uploads it back to ChatGPT and says, "Is this an authentic photo of a slice of pizza?" and ChatGPT says, "Absolutely. It looks real to me." It's like you just generated this two minutes ago.

 

Joe Carrigan: Right.

 

Maria Varmazis: Total amnesia. That's great.

 

Dave Bittner: Yes. Yes. Yes, so, all right, well, interesting stuff, as always. We will have links to these stories in the Show Notes. We are going to take a quick break before we get to my story to hear this message from our show sponsor. [ Music ] All right, we are back. Before I dig into this story, I want to ask both of you. And let me start with you, Maria. In your life, do you feel as though you have ever crossed paths with a serious con man or con woman, a con person?

 

Maria Varmazis: How -- how serious are we talking?

 

Dave Bittner: Well, in other words, were -- was there anyone who you've ever had a friendship with or a relationship with? In other words, more than just someone you crossed paths with casually while out and about. You know, someone who you felt as though you were getting to know, but it turned out that they were someone who was either conning you or your friends, or that this person didn't turn out to be who they thought they were in a -- in a very -- in a negative way.

 

Maria Varmazis: Yes, I have definitely have that -- I have before -- I've had experiences like that. The con was not necessarily for -- for monetary gain. It was more taking advantage of people and -- and -- and I'm trying to figure out how to how to phrase this. Taking advantage of people's time and -- and benefiting from basically labor that should have been paid for.

 

Dave Bittner: I see. Okay.

 

Maria Varmazis: If that makes sense?

 

Dave Bittner: Sure.

 

Maria Varmazis: Yes.

 

Dave Bittner: Sure.

 

Maria Varmazis: People who -- who are pretending they were much more important than they actually were and saying, "Oh, I need you to help me with this thing." And it ends up that this person was a complete fraud. That definitely happened to me in my early 20s, I would say.

 

Dave Bittner: Yes. How about you, Joe?

 

Joe Carrigan: Yes.

 

Maria Varmazis: Okay. That's also my answer. Yes.

 

Dave Bittner: Right. Right.

 

Joe Carrigan: No, no, no I get it. No.

 

Dave Bittner: And one of them was named Dave Bittner.

 

Joe Carrigan: No, not Dave Bittner.

 

Maria Varmazis: What the hell are we doing here? Yes.

 

Joe Carrigan: Why?

 

Dave Bittner: Well, can you share one of them?

 

Joe Carrigan: Let's see. Well, one of them is a family member --

 

Dave Bittner: Okay.

 

Joe Carrigan: -- that we don't communicate with anymore.

 

Dave Bittner: All right. Yes, that's heartbreaking.

 

Joe Carrigan: They were -- well, they were -- they were skilled in the way of the scam, if you will.

 

Dave Bittner: Okay.

 

Joe Carrigan: The scam way --

 

Maria Varmazis: Gosh.

 

Joe Carrigan: -- if you get it.

 

Dave Bittner: Oh, I see. Sure, sure.

 

Maria Varmazis: Oh, yes.

 

Joe Carrigan: And another one is a little recent, so I'm not going to breach that -- broach that.

 

Dave Bittner: Okay, sure. I had one that I can remember actually back in college. It was a college dorm mate, you know, so somebody who lived down the hall from me.

 

Joe Carrigan: The shifty dorm guy.

 

Dave Bittner: Right.

 

Maria Varmazis: There's always one.

 

Joe Carrigan: Yes, there is.

 

Dave Bittner: Yes, who just and it only -- only in retrospect did I figure out. In fact, it dawned on me years after college that this person was absolutely just full of it with like everything that he claimed to be and say and do and promised and -- and he -- he was just he -- he was someone who, through the boldness of his claims and the total confidence in the things that he said, somewhere along the lines, he learned that many, many people, including me, would just believe it. And I did.

 

Maria Varmazis: Yes.

 

Dave Bittner: So.

 

Maria Varmazis: There's a bunch of people like that in Infosec, actually. And it's amazing that -- how long they were successful before the -- the community would go, "Hey, wait a second." So, that's a bit of a --

 

Dave Bittner: Yes.

 

Maria Varmazis: -- sad reality.

 

Dave Bittner: Yes. So, that brings me to my story, which was shared from one of our N2K colleagues here sent me this article. This is from Outside magazine. It's an article written by Brendan Borrell, and it's titled, "Inside the Mind of Thru-Hiking's Most Devious Con Man." So, this is the story of a woman named Melissa Trent, who was a single mom. She lived in Colorado Springs, and she was on the dating app "Plenty of Fish." And she was approached by a man named Jeff Cantwell. And he had rugged outdoor photos of himself. Just it seemed like the -- the perfect guy for Melissa. He was an outdoorsy kind of guy. He was training to be an arborist. He was a military veteran, a nature enthusiast, and he had a tragic back story where his family, both his parents and his wife and child had died in a tragic car accident. And Melissa and this guy Jeff hit it off. They grew to know each other very well. They met in person. They -- they had dinners together. He was very kind to her children, and it seemed like everything was going great. They both loved the outdoors and enjoyed adventures, those sorts of things. And then one day, Jeff borrowed Melissa's car. She was -- I can't remember if she was at work or school or, you know, something like -- she was somewhere else where she didn't need her car for the day, and she loaned Jeff the car and didn't really think much of it. And while Jeff was out using the car, Jeff sent her a message and said, "Hey, while I'm out using the car, this car's a -- a little low on gas here. Do you mind if I use this credit card that you left in the car to buy some gas?" And Melissa thought to herself, "I don't remember leaving a credit card in the car, but sure, why not?" She trusted him.

 

Joe Carrigan: Also -- also, a violation of my car borrowing policy --

 

Dave Bittner: What's that?

 

Joe Carrigan: -- which is to always return the car full of gas.

 

Dave Bittner: Oh, yes. Well, that's, yes.

 

Joe Carrigan: At my expense.

 

Dave Bittner: Yes. Yes.

 

Joe Carrigan: Right.

 

Dave Bittner: No, I think that's a good policy.

 

Joe Carrigan: Yes. When you borrow someone's car, return it full of gas.

 

Dave Bittner: Yes. You're a gentleman, Joe. I agree.

 

Maria Varmazis: And a scholar. It's true.

 

Dave Bittner: So --

 

Joe Carrigan: Maybe. Maybe I'm one of those things.

 

Dave Bittner: -- she starts getting a little suspicious about this. This just feels different, right? And eventually Jeff makes off with the car and the credit card. And Melissa contacts the police and they do some digging and they find that this gentleman, Jeff Cantwell, was actually Jeffrey Dean Caldwell, who was a career con man with a history of theft and fraud. He had spent the past couple of decades posing as this outdoorsman, and he was preying primarily on women and elderly people with his tales of hardship and adventure. And the story talks about this pattern that's so -- so common with -- with con men. You know, he earned her trust using flattery and also shared stories. But then he orchestrated a crisis to manipulate his victim. You know, he talked about his, you know, his family passing away, which wasn't actually what had happened. His family was still around.

 

Joe Carrigan: Probably hates him.

 

Dave Bittner: Yes, I mean, Melissa, the -- the victim here, you know, she stayed hopeful for a long time, as the victims often do --

 

Joe Carrigan: Right.

 

Dave Bittner: -- but he eventually he was arrested in South Dakota while driving her car, which, by the way, he had just beat the crap out of while he [inaudible 00:34:50].

 

Maria Varmazis: [inaudible 00:34:50] surprise.

 

Dave Bittner: Right.

 

Maria Varmazis: Yes.

 

Dave Bittner: You know, that's -- that's what these types of folks do, I think. They go from one person to another, use them up and then find someone else. Now, Melissa eventually got access to his Facebook account and she updated it.

 

Joe Carrigan: Oh.

 

Maria Varmazis: Wait, wait. She --

 

Joe Carrigan: How did she do that?

 

Dave Bittner: She found --

 

Maria Varmazis: -- I was going to say, did she hack it or something?

 

Dave Bittner: No, no, she found -- so, one of the things he left behind was a notebook that had access to his face -- it had the -- the credentials written down for his Facebook account.

 

Maria Varmazis: Oh, good for her.

 

Dave Bittner: So, granted, in violation of the Computer Fraud and Abuse Act, Melissa logged into his Facebook account and basically put a warning up for everyone to see, saying that he was a con man and that he was heading to prison. And sure enough, when he got caught in South Dakota, he was faced with the reality of the many, many people that he'd conned. And he'd been in prison before. This was not his first time in the slammer. So, now he's facing up to 25 years. And the author of this article spoke with him many times.

 

Joe Carrigan: Really?

 

Dave Bittner: Yes. Yes. And said that he is a charmer. He -- he wins you over. For some reason, you -- he's -- he's someone that you can't help kind of rooting for, which again is this -- this -- like the folks who have this gift of the gab who are able to do this over and over and over again, somewhere along the lines, they realize that they can -- they have this skill. They can weave a spell over people, and it's even easier, they think, than living an honest life, despite like, you know, Caldwell could face the next couple decades in prison.

 

Maria Varmazis: Yes, he should have become a podcaster like the rest of us, Dave.

 

Dave Bittner: That's right. That's right. The -- the place where all ne'er-do-wells land, right?

 

Joe Carrigan: Yes.

 

Dave Bittner: Podcasting. It's either prison or podcasting. There's no in between.

 

Maria Varmazis: One or the other.

 

Dave Bittner: That's right.

 

Maria Varmazis: That's how it goes.

 

Dave Bittner: Yes. So, hopefully, hopefully, you know, soon we won't be down to two hosts of this show.

 

Joe Carrigan: Everybody's taking bets on which one of us is --

 

Dave Bittner: That's right.

 

Joe Carrigan: -- going to prison.

 

Dave Bittner: Which one will fall first?

 

Maria Varmazis: What's the over-under on that one?

 

Dave Bittner: Yes, yes. So, it's an interesting read. There's a lot more details here. We'll have a link in the Show Notes. I recommend that folks check it out. This is one of those articles you can send around to your friends because it really does have so many of the -- the indicators that seem obvious in retrospect, but as you're in the middle of it, you could understand how people would fall for this thing, this sort of thing. People are, you know, they create a connection, and they tug at your heartstrings and they're so good at doing that. They're effortless at doing that. And folks fall for it and, you know, end up losing a lot of money. In this case, Melissa lost her car and some money from her credit card. So, not so bad in the grand scheme of things, but still, you know, terrible, a real hassle. And so --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- Mr. Caldwell's doing time.

 

Joe Carrigan: Yes, hopefully he'll do a good amount.

 

Dave Bittner: Yes. It's just a shame. And -- and you know, I think you -- like we were talking about, you know, we all know -- we've crossed paths with these sorts of people and some of them just get away with it. You know? They -- they just -- they manage to do it time and time again and they just get away with it and that can be frustrating on its own. So, all right, we will have a link to that story in the Show Notes. Joe, Maria, it is time to move on to our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ]

 

Joe Carrigan: Dave, our "Catch of the Day" comes from Raul, who says, "This was sent to my mother, whom I've educated over and over again about what to look for when it comes to a scammy/spammy text message." Now, Raul notes that his parents' first language is not English. So, bear that in mind in that that seems to have an impact on how they would overlook the bad grammar, which I think is, you know, an excellent observation we've never really addressed here, that if you're not a native English speaker, some of this stuff may not seem as hilariously awkward --

 

Dave Bittner: Right.

 

Joe Carrigan: -- as it does to us.

 

Dave Bittner: Right.

 

Maria Varmazis: Yes.

 

Dave Bittner: All right, so let me read this one. It says, "Apple transaction info. We have noticed that your Apple iCloud ID was recently used at Apple Store California for U.S. dollars $149.93, paid by iPay pre-authorization. Also, some suspicious sign-in request and Apple Pay activation request detected. That looks like suspicious to us and a temporary hold has been initiated. In order to maintain the security and privacy of your account, we have placed those requests on hold. If not you, please reach to us at 1-808 blah blah blah blah blah to talk to an Apple representative. Failing may lead to auto debit and charge will not be reversed. Call immediately to cancel this charge. Have a great day."

 

Joe Carrigan: So, that's the text message that Raul's mom got.

 

Dave Bittner: Yes.

 

Joe Carrigan: Yes, I don't know -- I --

 

Dave Bittner: First of all, there's no such thing as iPay.

 

Joe Carrigan: Okay.

 

Dave Bittner: It's Apple Pay.

 

Joe Carrigan: But how would I know what that is?

 

Dave Bittner: Yes.

 

Joe Carrigan: Not an avid iPhone user.

 

Dave Bittner: Yes.

 

Joe Carrigan: I have one for work now, but I really hate it only because it's not like --

 

Maria Varmazis: I mean, I'm big on the Apple ecosystem and even I didn't know that. I -- I just -- I everything, I would just assume it's legit because why not?

 

Dave Bittner: Yes, yes.

 

Joe Carrigan: Why not? It certainly could be.

 

Dave Bittner: What strikes me about this is there are so many of the telltale things here. There's the --

 

Joe Carrigan: Right.

 

Dave Bittner: -- you know, you have to call now and if you don't, you'll be charged something that will not be able to be reversed.

 

Joe Carrigan: Yes. And that looks like suspicious to us. That's my favorite sentence.

 

Dave Bittner: Right. That looks like suspicious to us. Yes. That looks like suspicious to us.

 

Joe Carrigan: Raul notes that -- that he sees a lot of this happening in people close to him and it -- he -- he knows a lot of people have been targeted and he's still shocked that a lot of people don't understand whether or not these are real.

 

Dave Bittner: Yes.

 

Joe Carrigan: And you know, we see this often. Like for example, in my story today, Mrs. Swan, who has lost $10,000 to a deep fake Elon Musk scam for crypto, I get exactly why that works. And I -- I don't think, I hope at least I never -- I never start thinking that "Why does this continue to work?" It's -- it works because people are -- are humans and you know, it's just it -- this -- something will make sense to somebody. And everybody's vulnerable to something. At some point in time, there's going to be something that comes up and it's going to get me. I've talked about how things have gotten me before.

 

Dave Bittner: We've all been got.

 

Joe Carrigan: We've all been got. Yes.

 

Dave Bittner: Everybody's been got.

 

Maria Varmazis: Oh, yes. Yes.

 

Dave Bittner: And we'll be got -- we'll be got again. You know?

 

Joe Carrigan: Yes, I'm sure I will be.

 

Dave Bittner: Just got to try to minimize the blast radius.

 

Maria Varmazis: And we'll talk about it on.

 

Joe Carrigan: Right. Exactly.

 

Maria Varmazis: Yes.

 

Joe Carrigan: And you're right, Maria. We talk about it.

 

Dave Bittner: That's right.

 

Maria Varmazis: Yes. And we'll talk about it. And if we want to rename the show, we should call it, "That Looks Like Suspicious to Us," instead of "Hacking Humans."

 

Dave Bittner: See, that could be our spinoff show.

 

Maria Varmazis: There you go.

 

Dave Bittner: "That Looks Like Suspicious to Us." We should do T-shirts. All right. Well, thank you, Raul, for sending that in. And I have to say, I think your family members are lucky to have you looking out for them and having their back. So, we do appreciate you sending that in. And of course, we would love to hear from you. If there's something you'd like us to cover on the show, you can e-mail us. It's hackinghumans@n2k.com. [ Music ] That is our show. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an e-mail to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening. [ Music ]