Hacking Humans 1.9.25
Ep 320 | 1.9.25

Nice to meet you, I'm a scammer.

Transcript

Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines, and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And our N2K colleague and host of the "T-Minus Space Daily" podcast, Maria Varmazis. Hey, Maria.

Maria Varmazis: Hey, Dave, and hey, Joe.

Dave Bittner: We've got some good stories to share this week and we will be right back after this message from our sponsor. All right, before we get to our stories, we have a couple items of follow-up here. What do we got, Joe?

Joe Carrigan: Dave, Ricky wrote in and commented on the fact that I kind of offhandedly said diamonds are a scam in one of our last episodes.

Dave Bittner: Yeah.

Joe Carrigan: And I still stand by that. I think they are a scam.

Dave Bittner: I'm with you.

Maria Varmazis: I'm with you on that.

Dave Bittner: And I'm not saying that just so I have a reason to not buy them for my wife. Right.

Joe Carrigan: Here's a discussion I'd like to hear you guys ponder. Diamonds are the original cryptocurrency. Production and value are almost entirely based on mining difficulties used in illicit activities. And they are both tracked allegedly by ledgers of sorts. They are oft used for anonymously conducting transactions. So that's an interesting observation and an interesting assertion. The only difference is that diamonds are not as fungible as a cryptocurrency, like a Bitcoin or whatever, an Ethereum token. Yeah, they are very different. Each one is different. Each one can be mapped to and fingerprinted, they can be engraved with identifiers, although you can just sand those identifiers off, I guess.

Dave Bittner: But you physically have to, it's a physical item, whereas crypto is not.

Joe Carrigan: It is not, right?

Dave Bittner: You couldn't-- it would be-- but let's-- if we only had diamonds, the whole ransomware thing wouldn't be, it wouldn't be what it is if it were diamond-based.

Joe Carrigan: Right.

Maria Varmazis: Watch out, 2025, maybe that's happening.

Dave Bittner: What's that, Maria?

Maria Varmazis: Maybe that'll happen in 2025, we see ransomware, diamond-based ransomware.

Joe Carrigan: Right. Because we're seeing gold bar-based things.

Maria Varmazis: Why not?

Joe Carrigan: Why not diamonds?

Dave Bittner: Right, right. Now that's interesting. I think Ricky makes some interesting points here.

Joe Carrigan: Yeah, I agree.

Dave Bittner: I mean, the fact that it is based on mining. I mean, I have heard, and I think this goes to your point, Joe, that diamonds really aren't very rare.

Joe Carrigan: Yes, they're not.

Dave Bittner: And it's-- what is it? The De Beers company who makes them rare?

Joe Carrigan: They keep them, they keep the supply controlled.

Dave Bittner: Yes, yes, so--

Joe Carrigan: It rains diamonds on Jupiter, actually.

Dave Bittner: Is that right?

Joe Carrigan: Yes.

Dave Bittner: Oh, okay.

Joe Carrigan: Pressures are great enough that carbon forms into diamonds in the rain. Of course, those pressures are so high we can't get in there and collect the diamonds. I don't know how we ever would but the theory is that it rains diamonds on Jupiter.

Dave Bittner: Oh, okay. That's interesting.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, so I think this is an interesting idea. I think Ricky's on to something here, so thank you for sending it in. I'll be thinking about that for a little bit.

Joe Carrigan: Right.

Dave Bittner: All right. What else do we have, Joe?

Joe Carrigan: Dave, we have another one. I'd like you to read this one because I have a response to this one. This is actually directed to another one of my comments. Apparently, people don't like my stupid comments.

Dave Bittner: They just like your smart comments, Joe, not your stupid ones.

Joe Carrigan: I make a lot of smart comments too.

Dave Bittner: Unfortunately. It's up to them to decide which is which.

Joe Carrigan: Right.

Dave Bittner: All right. It goes, "Hey, guys and Maria. Just a bit of feedback for Joe. For a comment he made regarding Yubikeys for organizations. He said something to the effect that each new hire should be issued two keys, about 90 US dollars when starting with the company. While I like the idea of issuing Yubikeys, two per employee is overkill. We rolled out Yubikeys for a client, and you can include management tools that integrate with Active Directory, only requires one per employee and a couple of spares for the administrators. Yes, it requires some upfront work to set up the integration with AD-- " I guess it's Active Directory -- "but once it's in place, we help the client roll this out and it works like a charm. It even works as the 2FA for the staff until they-- or when they VPN in from home. Further, the client issued NFC keys to each employee. When they rolled out Ubiquiti door locks, the Yubikeys doubled as their passcards to get by the electronic locks." That's fun. This works as a great incentive not to lose your Yubikey. It says, "Love the show. Maria brings a long overdue source of calm to help keep Joe from going too far down a rabbit hole."

Maria Varmazis: I've never been described that way in my life, but thank you.

Dave Bittner: It's truth they say every time you enter a room, right, Maria?

Maria Varmazis: Oh yeah, me calm.

Dave Bittner: This sense of calm has just come over this room. What happened? Oh, it's Maria.

Maria Varmazis: I'm here. Everything's great.

Dave Bittner: It's the aura of your presence. "One thing though, I do miss interviews that Dave used to do in the second half of the show. What happened to those? That's it. So long from the Great White North." From Crow Child Bob.

Joe Carrigan: Yes, and Bob, so Bob is 100% correct, you do not need to buy two Yubikeys for every employee. However, I recommend you do and the reason is this, is because this is the way Twitter rolled it out. Twitter bought everybody two Yubikeys and they said, "Here's two Yubikeys. Start using this on all your multi-factor authentication."

Dave Bittner: Right.

Joe Carrigan: And you're going to have to use it on your Twitter multi-factor authentication. This was after that hack where the young guy convinced somebody that worked at Twitter that he was calling in from the help desk. And if they'd had Yubikeys, then this would not have happened.

Dave Bittner: Right.

Joe Carrigan: So the point is that if you're going to equip people with Yubikeys and encourage them to use them in their personal lives, and what happens like if you're using Yubikey for your Google account or your Facebook account, your personal Facebook account, or any of these other accounts, and then you lose it, you lose the Yubikey, you may lose access to your account, which is-- the reason I say it's worth the $45 to buy an extra one, even if you're just doing it yourself, is because it will save you the time and hassle of trying to contact these big tech corporations and trying to get them to respond to you because that is like pulling teeth. It is a terrible experience all around. It is worth the $45 to have two of them. And I think that if you're going to be a company that does this, maybe you want to consider going ahead and getting your employees two of them and encouraging everybody to do it. No, you do not have to do that. And Bob is 100% correct here. You could do it with and a couple of extra spares, and when somebody loses one, you just give them a new one. That's fine. And you can tell them we don't care about your personal accounts, but that's essentially what you're going to be telling them.

Dave Bittner: Right. I like the idea of two. Now, we use them here at N2K, and I was issued two when all that happened. Obviously, I like having a backup, knowing myself as I do, but the other thing I think is that this is a measure of convenience for your tech support team because, in this case, if you issue two and somebody loses one, they can still limp along with the backup while you're taking care of replacing the lost one.

Joe Carrigan: That's right. They don't lose access immediately.

Dave Bittner: Right. And it just makes it less of-- important. We must fix this now because I can't get into my accounts. They can still get into their accounts and you replace the lost one at your leisure.

Joe Carrigan: Yes. And loss is not the only thing that can happen to these. You can damage them too. I'm very afraid that I'm going to damage mine because it's on the back of my backpack on a lanyard. It swings around, it gets slammed in car doors and everything. I mean, I'm glad I have two of them, that's what I'm saying.

Maria Varmazis: Like you could reconsider where you put it. I'm just saying.

Joe Carrigan: Yeah, I could, I could. I'm probably not going to.

Dave Bittner: For those who have never crossed paths with Joe, first of all, he brings his backpack with him just about everywhere, but also his backpack weighs about 400 pounds.

Joe Carrigan: It's very heavy, yes.

Maria Varmazis: You're one of those.

Joe Carrigan: You're not picking it up when I say hand me my backpack. She goes, "No."

Dave Bittner: Nobody has ever said, "Hey, Joe, toss me that backpack." No, it's-- so anything attached to it is a crushing risk.

Joe Carrigan: Yes, sure. Absolutely.

Dave Bittner: All right. Well, thanks for the kind words about Maria. And the interviews aren't necessarily gone forever. We've just sort of changed modes where we wanted-- when we brought Maria on the show every week, we wanted to make sure that we had enough time for Maria to do the things she wants to do and for the three of us to each tell our stories. So that pushed the interviews aside, but we're still open to them. So when a really interesting interview comes along that we think is great for the show, then we will include that. So not necessarily gone forever, but for the most-- most of our episodes will be interview-free from this point on, we traded the interviews for one Maria and I think it's been a good trade.

Maria Varmazis: Hope it was a good choice.

Dave Bittner: A Maria to be named later, yeah. No, I think it's been great, so that's where we are. All right. Well, that is our follow-up and, of course, we would love to hear from you. If there's something you'd like us to discuss on the show, you can email us, it's hackinghumans@n2k.com. All right. Let's get to our stories here. I'm going to lead things off for us. And I want to talk about the Honey scam.

Maria Varmazis: Yeah.

Joe Carrigan: Now I think I see this in my new neighborhood. It's where you drive by a house and it says, "Honey for sale."

Maria Varmazis: Oh, is it AGNNY?

Joe Carrigan: Local Honey for sale. Is that what this is?

Dave Bittner: No, this is not that.

Joe Carrigan: Oh, okay. Maybe I'll stop by and actually buy some honey.

Dave Bittner: What do you envision a honey scam would be? Or it's not actually local honey, or--?

Joe Carrigan: Okay.

Dave Bittner: Industrial honey?

Joe Carrigan: That's quite right. That's right. It's honey from some mass-produced farm out in the Midwest. And they just ship it in in a tanker truck. And then somebody sells it to you like it's local honey.

Dave Bittner: Right.

Joe Carrigan: Which homeopathic people will say, local honey will help you with allergies that you have.

Dave Bittner: Yeah, I heard that.

Joe Carrigan: I don't know if that's true or not.

Maria Varmazis: I don't know if it works. I've tried it, I don't know if it's worked. But it's nice honey, it tastes good.

Joe Carrigan: I love honey. Honey's one of my favorites.

Dave Bittner: Oh, it's delicious. Evidently, it lasts just about forever.

Joe Carrigan: Yeah, it does. It does not go bad.

Maria Varmazis: Oh, great story, Dave. Love this one. This is great.

Dave Bittner: Thanks. This has nothing to do with any of that, right? So, remember when our commenter was talking about Joe going too far down a rabbit hole?

Joe Carrigan: Here we are. Look at all these old bunnies, Maria.

Dave Bittner: Save us. Okay. So here's what's going on. And I want to preface this by saying, at this point in the life story of this "scam", the word scam is in quotes because these are all allegations.

Joe Carrigan: Okay.

Dave Bittner: The accused has not officially made a meaningful response to any of this. So these are allegations, but there's a good amount of verification and backup. And it seems like what is being alleged is going on here, but I just want to frame it that way, just so everybody knows, you know, this isn't a done deal. So there is a web browser plugin called Honey and what Honey is supposed to do is you install this browser plugin and when you go shopping for things, right before you check out, you click the Honey button, and what Honey says they do is they search the web for all the best coupon codes. And so, just as you're about to check out, they search the web, they pop up a coupon code, you put that coupon code in, and you save some money. That's what it's supposed to do. Makes sense?

Joe Carrigan: Yes.

Maria Varmazis: Yes.

Dave Bittner: Maria? Yeah. All right.

Maria Varmazis: Yes, I'm with you, yep.

Dave Bittner: So Honey is also one of the largest advertisers on, let's call them influencer channels. So YouTube channels, and we're talking about the big names here, most of them have been sponsored by Honey.

Joe Carrigan: Now I'm looking at this lineup of guys, and I only recognize two of them. One of them is one of my favorites, Mark Rober, who I like a lot, and the other one is MrBeast, who I have blocked on all of my YouTube stuff. And the only reason I blocked him is because I can't stand seeing his stupid face on the-- his stupid face he makes? You know, that stupid face he makes like, oh, it's a shocked face. He puts it on all of his thumbnails.

Maria Varmazis: Oh, every YouTuber does that. That's like required.

Dave Bittner: The YouTube thumbnail face. Yeah.

Joe Carrigan: If you do that, I block your channel so quickly. I hate it.

Dave Bittner: I installed a plugin that blocks that.

Joe Carrigan: Oh, did you?

Dave Bittner: Yeah. Gets rid of the YouTube.

Maria Varmazis: I need to get that plugin.

Dave Bittner: Yeah. All right. So, and down the rabbit hole he goes. Marques Brownlee is one of the, you know, well-known YouTubers who I frequent and he was sponsored by Honey as well. Now, it's worth noting that Honey was purchased by PayPal. So Honey has deep pockets.

Maria Varmazis: They've been around not that long. I feel like they just had a meteoric rise though. I remember when they were new and it just seemed like they got snatched up pretty quickly. It's quite amazing.

Dave Bittner: That's right. I think that's right. So there is a YouTuber who goes by the name MegaLag, who published a video with all of these allegations.

Joe Carrigan: Awesome name, by the way.

Dave Bittner: So here's what's going on. When you go to purchase something that was recommended by someone online, you often get an affiliate link. And an affiliate link is a special link, let's just use Amazon as an example because it's easy. It's a special link that connects to that YouTuber or influencer's account. They say, you know, go buy this, you know, a bottle of facial cream and when you do, we'll get a small percentage back to support our channel, right? I think we've all seen that.

Joe Carrigan: Yes.

Dave Bittner: And so, that is a special affiliate link code. So what the allegation-- allegation number one is that when you go to, let's say Amazon, with that affiliate link and you click on the Honey plugin, Honey replaces the affiliate link with their own.

Joe Carrigan: I knew that-- when you started saying that and said the first allegation, I knew exactly where this was going to go.

Dave Bittner: Yeah. So everything you buy then, the kickback doesn't go to the creator, the person you intended to support, it goes to Honey. So that's allegation number one, and that Honey is not making that clear that that's what they're doing. Allegation number two is, as we mentioned, Honey claims to the user, to the user of their plugin, that they are going out and searching the web for all of the best coupons. Well, if you are a Honey affiliate, someone partnering with Honey, let's say you are a brand like Coca-Cola, right, you can partner with Honey. And part of your agreement is that Honey will only present the coupons that you want them to present. So, let's say there's a 20% Coca-Cola coupon floating around on the web for very special reasons, but you run Coca-Cola and you only want a 5% coupon to show up on Honey. You partner with Honey, you tell them in exchange for only presenting this 5% coupon, we will partner and, you know, you'll get a-- and Honey will get a kickback for that deal as well. So the notion that Honey is searching the web for all the best deals and coupons isn't necessarily true.

Maria Varmazis: Yeah, I'm not surprised at all.

Dave Bittner: Because if they partner with a company, they only present the deals that that company wants them to present.

Joe Carrigan: This seems like way more than shady, you know?

Dave Bittner: It does.

Joe Carrigan: Yeah.

Dave Bittner: It does seem that way.

Maria Varmazis: And yet it's not surprising, is it?

Joe Carrigan: No. Absolutely. You know, that's a good point, Maria. I am absolutely not shocked at any of this.

Dave Bittner: No. We all respond with learned resignation.

Joe Carrigan: Right. Right.

Dave Bittner: Another thing-- another good thing ruined.

Joe Carrigan: Yeah.

Dave Bittner: Yeah.

Maria Varmazis: Made credful.

Dave Bittner: Right. Credful. So many of the original folks who were-- who had sponsorships from Honey, for example, Marques Brownlee has posted a video basically saying, you know, if I knew they were doing this, I never would have allowed them to sponsor. And I suggest that and everybody uninstall the Honey plugin.

Joe Carrigan: I imagine that these influencers are all losing revenue to this app.

Maria Varmazis: Yeah.

Dave Bittner: Absolutely.

Maria Varmazis: Very likely.

Dave Bittner: Absolutely, absolutely. So what do you guys make of this?

Joe Carrigan: It's like a pack of weasels that run a company, that's what.

Maria Varmazis: There have been so many browser extensions like this, like Honey. I mean, I think Capital One makes one, I get advertisements for it all the time, that do the similar-- I'm not saying they do the cookie stealing, but the whole running coupons in for you. They're just a dime a dozen. So, I don't know, it just doesn't surprise me that they're scammy at all. I never wanted one on my browser, but I get-- they're everywhere. I mean, they're just-- people are getting bombarded with them. So, I don't know, it just speaks more to the, again, incredification of everything on the Internet like, yeah.

Joe Carrigan: I think I may have gone looking for coupon codes like a total of four or five times. And every time I go looking for a coupon code for whatever it is I'm buying, I quickly get disgusted and just like stop looking and just go, this is all just a scam. I'm just going to pay the extra 10%. I don't care.

Dave Bittner: For your dignity.

Joe Carrigan: Right, for my dignity. Insanity, yes.

Dave Bittner: Yeah, I've done the exact same thing. There are times when I've definitely gone looking for coupon codes and most of the time, I'm not successful. Either the coupon doesn't work or it's expired or who knows, but I can understand this. It's interesting to me that someone as big as PayPal is behind this now. There is a class action lawsuit.

Joe Carrigan: Good.

Dave Bittner: At the end of last year, there were a group of lawyers representing some of the content creators who partnered with Honey have filed a class action lawsuit. They're claiming damages in excess of $5 million.

Joe Carrigan: Oh, good.

Dave Bittner: So we'll see how that plays out. The other thing I've been thinking about this is, I wonder how far and wide does this story go. Does it spread far enough to actually have a meaningful effect on Honey? And let's-- should the class action lawsuit not succeed, do they change anything about how they're doing business?

Joe Carrigan: I say if the class action lawsuit does not succeed, they don't change anything.

Dave Bittner: Yeah.

Joe Carrigan: Yeah-- that's probably what's going to happen.

Maria Varmazis: Because I'm sure they're saying they've done nothing wrong that, you know, they provide an incredible value to customers and, you know, we're saving you money and time, that's why we're great. So yeah, they've done nothing wrong, I'm sure, in their eyes.

Dave Bittner: Yeah. This idea of stealing the affiliate links though, rubs me the wrong way.

Joe Carrigan: Really does, yeah.

Dave Bittner: I mean, it's just, it's just awful, right? How could anyone think that's the right thing to do?

Joe Carrigan: Right. I mean, if you're on your phone or on your web browser and you click on an affiliate link and you think you're supporting the content creator and it turns out because you have this app installed or this extension installed, you're just supporting PayPal.

Dave Bittner: Right.

Joe Carrigan: Right?

Maria Varmazis: Who doesn't need that money?

Joe Carrigan: Yeah, they don't need that money.

Maria Varmazis: That content creator does, but PayPal, PayPal's good.

Joe Carrigan: Right, right.

Maria Varmazis: Yeah, yeah, it's pretty gross. But I think a lot of it is with these-- this affiliate marketing and a lot of these, these code trackers. And because it is so obscure of the end user and for most people who are not professionals at this, I think a lot of people figure they can get away with doing shady stuff like this and honestly they can because it's, people just don't look at this stuff. A lot of it, they don't understand how it works. So people just like, I'll just do it until somebody figures out that I'm doing something wrong. Lo and behold.

Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes. Maria, what do you have for us this week?

Maria Varmazis: Well, a lot of folks were home for the holiday season, and I know for me that tends to be the time of year where I'm doing a lot of family tech support, and I was looking on Reddit's scam subreddit, and I noticed a trend of a lot of people posting, "Hey, my mom or dad is messaging someone they think is Elon Musk, and how do I get them to stop giving them money?" And it just seems like a lot of those posts popped up over the holiday season. It was quite amazing. And that sort of was a natural segue in my mind to a story that CBS just put out about a woman named Sue who is 66 and used match.com to find a traveling companion in her retirement, connected with a man named Santos. And, of course, this is a romance scam, spoiler alert. And over the course of several weeks, he romanced her, he wrote her a poem, it was very romantic. His first money ask was for $40,000 for-- to help with a job certification. And Sue has $2 million in her retirement savings so she figured $40K for someone she's falling in love with, she could manage it. And over the course of some more time, this scammer scammed her out of all of her $2 million of life savings. It's gone in that romance again, which is just unbelievable. And the reason CBS was highlighting Sue's story is that-- there's two points. One is that the FTC said in 2024 over 64,000 Americans alone were hit by romance scams like what Sue went through, with the damage totaling over $1.1 billion and that's in 2024 and that number, $1.1 dollars, is double what it was just four years ago for romance scams damage, which just speaks to the efficacy of how horrible these things are.

Joe Carrigan: And these are only the reported numbers.

Maria Varmazis: And these are only the reported numbers too. Yeah. This is what the FTC knows. Right. So I'm-- it's probably quadruple that. I mean, I don't-- I mean, I'm making that number up, but honestly, it's probably so much larger. And they also said that about half of online daters like Sue, who is using Match, say they've come across scammers looking for money. So, people who are looking for romance in sort of legitimate places, so to speak, they're coming across scammers way more than I would have guessed. When I used online dating to meet my husband 14 years ago, I did not meet, as far as I know, a single scammer. And if my husband's a scammer, the scam's gone a long, long time.

Joe Carrigan: Right, he's all in. He's playing the long game.

Maria Varmazis: He's definitely all in, we've got a kid and everything.

Joe Carrigan: I've got her to have one of my children. Hahaha.

Maria Varmazis: Yeah, I've got my hooks in. So this online dating being the realm of scammers and, you know, the place where they go to find new victims is, you know, a known quantity, we've talked about it. So there is some legislation floating around that is actually bipartisan called the Online Dating Safety Act that is hoping to try and address, or at least stem the flow of all these online dating scams, and it's very easy for me to be cynical and go, this doesn't go far enough, but I applaud the fact that someone's actually trying to do something. And the bill says it would require online dating service providers, either mobile applications or websites, to provide users like Sue with a fraud ban notification if the person they've been talking to has actually been identified as a scammer and then banned through the service. So it may not necessarily stop a scam in progress, but at least the thinking is if they've talked to this person, they know retroactively this person was a scammer, or, you know, if the scam happens to be stopped midway, then they'll know, "Hey, this guy didn't just disappear. He was banned because he was a scammer."

Joe Carrigan: Right.

Maria Varmazis: Yeah. It's limited in its scope, but it's hoping to do something.

Joe Carrigan: One of the first things they do, these scammers, is they try to move you off this platform because they know they're going to get banned. So that's where the scam-- you know, they'll go to a third, another thing like WhatsApp or Signal or something, and they'll scam the people. That's where they actually conduct the scam. So, and that can take some time. So if this can reach the victim, this notification can reach the victim. Hey, we've identified this person as a scam account, you should stop communicating with them. And if you send them any money, you should call the police.

Maria Varmazis: Yeah. I wonder, I mean, we've talked about these kinds of romance scams many times about how all attempts to sort of reason somebody out of something they didn't reason themselves into is very hard. But I do wonder if a message sort of from an authority figure, like the service that one used, if that might be potentially effective in ways that we haven't seen before. Because again, I can be very cynical about this doesn't go far enough, you know, as you mentioned, Joe, these scams are taken into other platforms. You know, so what about Meta platforms? What are they doing? But, again, if you get that official notification, we identified this person definitively as a scammer, maybe that would cause enough friction, maybe. So anyway, the status of this bill was that it passed the House and it did not yet pass the Senate. Fingers crossed. It looks like it's going to be floated in the upcoming Senate session, so to speak. So we'll see if that actually goes anywhere. But it's interesting that at least two legislators, one's from California, one's from Colorado, they're trying. So I would like it to have more teeth, but it's nice that somebody's thinking of it and here's hoping it goes somewhere.

Joe Carrigan: Yeah, and they are bipartisan, the sponsors of this bill. One is a Democrat, one is a Republican.

Maria Varmazis: Yep. Yep.

Dave Bittner: It's so hard to be anything but cynical about all this stuff though. Like I mean, yeah, just, I don't know. It's hard to see anything-- I guess, I just don't have confidence that there's much that can move the needle. You know, like it's great. We're trying, we're going to do stuff, but when we're dealing with folks who are out, literally out of the reach of law enforcement by virtue of most of them being overseas, and no way to stop them from accessing folks here. Yeah.

Maria Varmazis: Yeah, it's sort of like the robocalls that have just made phones pretty much useless for everybody, nothing has really helped. I mean, I use an app that sort of helps stem that tide, but I still get these spam calls all the time and it's been going on for years now. And I've sort of lost any hope that this is going to get better. And I'm trying not to lose hope in this case, but I mean, over a billion dollars a year again, that we know about, I mean, this is-- this is an unbelievable amount of money.

Dave Bittner: Yeah, absolutely. Well, cross our fingers and hope, right?

Joe Carrigan: Yeah.

Maria Varmazis: Yeah, what else can you do?

Dave Bittner: Yeah, exactly.

Joe Carrigan: It's all going downhill, the entire content of the internet is just being-- I'll give you another example. I went looking for something on YouTube the other day and like the first three videos I click on are just AI slop of somebody reading a script, some AI voice reading a script and it's just getting put up on YouTube because it's getting through the search engines. And it's-- it's, ah, it's just all awful. You know, there's-- the content on the internet is just going downhill.

Maria Varmazis: Yeah, I miss the old internet.

Dave Bittner: I know. I know. I just-- I think about the-- I mean, we-- it's hard to imagine but like when I was a teen-- when, Joe, when you and I were teenagers, right, so in the '80s, there really was this sense of techno-optimism like we thought computers and the internet, we're going to be a force for good and, you know, people were going to have to work less and there'd be more leisure time. And all these good things were going to happen because all these-- all the drudgery of life would be taken away from us by computers. And here we are.

Joe Carrigan: Right.

Dave Bittner: It did not work out that way.

Joe Carrigan: I, for one, welcome our new computer overlords.

Maria Varmazis: Techno-pessimism is-- techno-dystopianism. That's not a word.

Dave Bittner: Right, right. All right. Interesting stuff, and we will have a link to that story in the show notes. Before we get to Joe's story, let's take a quick break to hear a message from our sponsor. All right. We are back and, Joe, it is time for you to share what you've got for us. Why don't you go ahead there?

Joe Carrigan: I do want to say before we go on to my stories here, that what you were just talking about, the techno-pessimism, William Gibson nailed the techno-pessimism in the '80s, the '90s. So if you read "The Sprawl" trilogy, very much. Like he accurately predicted a lot of what was going on here.

Dave Bittner: Oh, interesting. Okay.

Joe Carrigan: So let's see. First, I want to remind everybody that the Scammers Liturgical Calendar has changed seasons. We are out of delivery in holiday fraud and now it's time for tax scam season.

Dave Bittner: Oh, goodie.

Joe Carrigan: Right. So keep an eye out on your inboxes for anything that looks like it comes from the IRS. It probably doesn't, you know, unless you have a way to communicate with the IRS on a regular basis. They're going to send you letters, read those, open them, they will come on official letterhead. And they will always ask you for money in the form of checks. They will never say, send me cryptocurrencies, send me gift cards, that is not how you pay the IRS.

Dave Bittner: No.

Maria Varmazis: Yet. No, I kid. No.

Joe Carrigan: Yet, that's right.

Dave Bittner: Well, didn't we have a listener write in? What was it? Last show. Who talked about how you could pay some state taxes, to pay with cryptocurrency. This does not seem like a good thing to me ultimately.

Joe Carrigan: Yeah. If you have that option, don't do it. Just don't.

Dave Bittner: Don't encourage them.

Joe Carrigan: Don't encourage them, right? Exactly.

Dave Bittner: Right.

Joe Carrigan: Don't encourage them. And, you know, maybe-- never mind. I was going to say, maybe somebody should try to go in and defraud the governments, but don't do that. Don't do that. Just try to get them to give you your private keys.

Maria Varmazis: Really? Oh, jeez. Wow.

Joe Carrigan: Yeah. Don't do that. Of course, you shouldn't ever do that.

Maria Varmazis: Bad idea.

Joe Carrigan: But I mean, can you imagine that use case, right, or that-- what's the threat model? That threat model. That's the one I'm thinking, not the use case. You know, you have a government that actually collects money in taxes, in crypto, and somebody goes, "Hey, I'll bet they're holding a lot of money in crypto, and I could sit there and get the-- if I can socially engineer their crypto keys out of somebody that works there, I can get the payments and then just forward them onto my wallet and be done with it."

Maria Varmazis: And there's nothing you can do about it.

Joe Carrigan: And there's nothing you can do about it. Now the question will be--

Maria Varmazis: Send us to Hollywood, Joe. You've got a movie idea right there.

Joe Carrigan: Very short movie, that's pretty much it. My story actually comes from the BBC and the headline is, "Madoff fraud victims get 4.3 billion as fund completes payouts." So it's talking about most recently, there's the Madoff victim for now-- let's recap, Bernie Madoff. You know who Bernie-- everybody remembers Bernie Madoff. He died in prison in 2021, but back in 2008 or 2007, somewhere around that time, his Ponzi scheme, as it was called, which I think it accurately was called, or accurately was described as a Ponzi scheme, ran out of money and he couldn't pay victims or pay his investors anymore. And it came to light that it was a Ponzi scheme. He wound up getting a 150-year sentence. The good news for him, he didn't wind up serving nearly 150 years.

Dave Bittner: He showed them.

Joe Carrigan: Yeah, he did. So, yeah, he was only in prison from 2009 to 2021 when he passed away.

Dave Bittner: Okay.

Joe Carrigan: So the latest payouts being made from the victims fund, the MVF, Madoff Victim Fund, is $131.4 million and will bring the grand total of money that's been paid to the claimants to about $4.3 billion. Now before people get upset and think about, you know, this is just rich people getting away with more stuff. There were 40,930 claimants, which means the average amount that people had invested with this Ponzi scheme was around $100,000.

Dave Bittner: Okay.

Joe Carrigan: These were not big investors. These were people that probably had a sizable portion of their nest egg. I'm speculating here, but I can see where these were people who had a sizable portion of their nest egg put in this fund. And when this thing collapsed, they essentially lost all of it. But over time, over the last 15 years or so, the MVF estimates it has been able to recover 94% of what it's calling the victims' proven losses when they wrap up all the distributions here in this calendar year, 2025. So the downside is that-- or the upside is, if people are going to get 94% of their money back, the downside is they've lost the 15 years of time on that money, which is the more valuable part to the investor, right? Because, you know, by now, that could have doubled once, maybe twice, depending on how you invested it properly. So, it's not-- people are not getting back everything they've been robbed, that has been taken from them here, but they are getting back their initial investments or at least most of it, it seems.

Dave Bittner: Has any-- have either of you ever been approached with anything resembling a Ponzi scheme?

Joe Carrigan: Not a Ponzi scheme, no.

Dave Bittner: No?

Joe Carrigan: No.

Maria Varmazis: Not that I know of.

Joe Carrigan: A listener sent something in and I didn't want to put it in here because it's all still in litigation right now. Maybe I'll talk about it once it goes through trial and the outcome is come out. But, you know, there's-- you know, the idea of a Ponzi scheme is you start telling people that you're going to pay them some kind of astronomical return on your investment. And the funny thing is that usually what people are saying is like 8% return on investment. And there are investments out there that will pay that or better, that are legit, that you can just go out and buy. Now they don't guarantee those kind of returns. They're never guaranteed, but, you know-- and of course, your investment can lose money. I'm not giving out investment advice on this podcast. I'm not qualified to do that.

Maria Varmazis: Yeah. Well, the benefit of being a millennial in this case is everyone I know is broke. So I've never been approached about financial stuff.

Joe Carrigan: Yeah, that's another thing. But the idea is they say, we're going to give you like 10% guaranteed returns every year. And then the entire scam relies on them being able to bring more people in because the initial investors are not getting the 10%. They're just getting money that's being paid into the fund given to them as dividends or returns or whatever.

Dave Bittner: Yeah.

Joe Carrigan: And of course, the way this works is the people who get in early actually don't get hurt as bad, but the people who get in late are the ones that get hurt the most.

Dave Bittner: Yeah.

Joe Carrigan: They lose just about everything.

Dave Bittner: I guess the closest to this is there have certainly been a lot of multi-level marketing schemes over the years that if not being this, they rhyme, you know.

Joe Carrigan: Right. Yeah, pyramid schemes and Ponzi schemes are very, very similar. So actually I did a little bit of a refresher on this. Pyramid schemes are, you know, the-- what was the eight square or eight ball, the eight ball game or the pilot and, you know, the airplane game where everybody pays $1000 to get on an airplane if you're a passenger, and then there's four levels, there's pilots, there's one pilot, there's two copilots, there's four crew members, and then there's eight passengers. The eight passengers pay in, and they all pay $1000. So they give $1000, and that all goes to the pilot who then takes the money and disappears. And then the passengers have to go out and find eight more passengers. They become crew members. The copilots split the pyramid, and they become pilots. So they get the next thousand dollars and it sounds like it's great, right? But if you do this 20 times, there's not that many people on the planet.

Dave Bittner: Yeah, a dear friend of mine said once about multi-level marketing. The problem with multi-level marketing is that eventually, you run out of friends.

Joe Carrigan: Right, right, very quickly actually.

Dave Bittner: Yeah, because it really does rely on that.

Joe Carrigan: Yeah, and it alienates people. I mean, I've talked about this. We have somebody in our family who is big in the multi-level market. We don't talk to him anymore.

Dave Bittner: Right.

Joe Carrigan: And I don't care if I ever see him again.

Dave Bittner: Right, right. Yeah, it's true. I mean, it's-- and it can be sad.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, I understand that avoidance. That's no fun.

Joe Carrigan: Yeah. So it looks like these, the people that got hurt in the Madoff scam are getting made almost whole, although they have lost a lot of time. And we'll put a link in the show notes to the story on the BBC.

Dave Bittner: I think it's remarkable how much they've gotten back, actually.

Joe Carrigan: Yeah, I'm impressed.

Maria Varmazis: Yeah, I thought they were all ruined by this.

Joe Carrigan: He had other assets.

Maria Varmazis: Yeah.

Joe Carrigan: He had other assets that they were able to collect on.

Dave Bittner: Wow.

Maria Varmazis: Nice, okay.

Dave Bittner: All right. We will have a link to that in the show notes. All right, Joe, Maria, it is time to move on to our "Catch of the Day." [ Soundbite of Reeling In Fishing Line ] [ Music ] All right. So our catch of the day comes from the Scambait subreddit over on Reddit. This is called John Part One, and it goes like this. Maria, this is you and me, I will start things off. Here we go. The person gets out of the blue text that says, "Hello, my friend, how are you doing today and how's the weather conditions there?"

Maria Varmazis: Sorry, do I know you?

Dave Bittner: Nice connecting with you. I'm John by name.

Maria Varmazis: Okay. Where are you from?

Dave Bittner: I'm from Portugal, currently live in Denver, Colorado.

Maria Varmazis: Oh, wow. So how do I know you? You called me friend.

Dave Bittner: Where are you from?

Maria Varmazis: Do you always ignore questions? I'm from the UK.

Dave Bittner: Everyone is my friend, including you. I'm to meet new friend, chat, and get to know you better.

Joe Carrigan: I already hate this guy.

Dave Bittner: Beautiful country you live, UK.

Maria Varmazis: People are not friends until they know one another, saying hello doesn't make you friends. Where in the UK have you been?

Dave Bittner: I have been to Manchester City. What city in the UK do you live?

Maria Varmazis: I don't live in a city.

Dave Bittner: So where do you live, if you don't mind?

Maria Varmazis: I live in a small village.

Dave Bittner: Okay. That's cool. How's your family, your husband, and kids? Hope all is well.

Maria Varmazis: I don't have a husband or kids.

Dave Bittner: Do you live alone?

Maria Varmazis: Yes, I live alone.

Joe Carrigan: Does anybody else get really creeped out by that question?

Maria Varmazis: Yeah, I'm like, I would never answer these questions. My goodness. Wow.

Joe Carrigan: Like that one, just like, that's like there's somebody behind me waving a red flag and that's all I see.

Dave Bittner: Yeah. Okay. I'm divorced. Have been divorced since two years now. I live alone. I don't have any kids.

Maria Varmazis: Oh, why did you get divorced?

Dave Bittner: It was a long story, my friend. In everything that happened in the past, life goes on. You seem like a very nice and easygoing person. What do you do? I mean, what do you do for work if you don't mind?

Maria Varmazis: Well, it's also important to talk about these things. I'm an accountant and you?

Dave Bittner: Awesome job. I'm a contract worker. I work as offshore. I do all types of constructions, building of oil rigs and pipelines.

Maria Varmazis: Oh wow, so you work for a large company?

Dave Bittner: Right now I'm currently in the Gulf of Mexico working as offshore. I has a contract here and have been here one month, three weeks, and some days now.

Maria Varmazis: I wasn't aware they were building more rigs there. How long will you be there for?

Dave Bittner: I will be here for more 30 days. My job is on progress. I will like to know more about you, but I don't usually chat here due to my job. I don't know if we can chat in another platform, get to know each other more better if you don't mind.

Maria Varmazis: There it is.

Dave Bittner: Hopefully to meet you someday in person.

Maria Varmazis: Well, I have Google chat.

Dave Bittner: Okay. Let me have your Google chat email.

Maria Varmazis: (muffled sound) @gmail.com.

Dave Bittner: Okay, I will text you on Google chat. I sent you messages on Google Chat. Did you got my message on Google Chat?

Maria Varmazis: Yes. Oh no, it keeps going.

Dave Bittner: Hello, it's me, John. Hello.

Maria Varmazis: Hello, how are you?

Dave Bittner: I'm fine, thank you. How are you? And how's the weather conditions there?

Joe Carrigan: So now he's just copying and pasting from the same part of the script.

Maria Varmazis: Oh my God.

Dave Bittner: He started over.

Maria Varmazis: I'm fine and the weather is normal for the time of year. Can you send one photo, please? Only one.

Dave Bittner: Okay. And it's a pretty nondescript, I'd say, older gentleman with closely clipped graying hair, looks pretty normal to me.

Maria Varmazis: And then I send back a hat, I guess, or-- Thank you, we aren't teenagers so we don't need to send multiple pictures.

Dave Bittner: You look very much beautiful and attractive. So tell me more about yourself. How long have you been living alone?

Maria Varmazis: I've lived alone for 18 months. I was with my ex-partner for 17 years, but he met and fell in love with a man. We are still friends, though.

Dave Bittner: Well, I'm sorry about that. Where did you meet your man, and how do you feel living alone all this months?

Maria Varmazis: We met through mutual friends. I feel fine living alone. What about you?

Dave Bittner: Well, being lonely is kind of hard for me. Ever since I got divorced, I've been single, living alone, trying to live my best life and be happy with what life offered me.

Maria Varmazis: Don't you have friends?

Dave Bittner: Yes, I have friends, but they are all married. Do you live in a rented apartment or a house?

Maria Varmazis: You can rent a house or own an apartment. I own my house.

Dave Bittner: Okay, that's nice. Do you have a neighbor that lives close to you and how many bedroom house? I own a two-bedroom house with a beautiful swimming pool on it.

Maria Varmazis: Does it matter how big my house is? Is that important to you?

Dave Bittner: Not at all. Just that I'm interested to get to know you more, hopefully, to meet you someday in person. You seem like a very nice and easygoing person with a sense of humor.

Maria Varmazis: Well, we can get to know each other, but the size of my home is irrelevant to that. So have you been on any dates lately?

Dave Bittner: No, I haven't. How old are you if you don't mind?

Maria Varmazis: I am 59 and you? Goodbye.

Dave Bittner: Sorry my friend, I have been very busy with work here. I'm 67 years of age.

Joe Carrigan: No, he's not.

Dave Bittner: I always got busy with my job. I text whenever I'm free and less busy with things here. Hello, how are you?

Joe Carrigan: How's the weather, man?

Maria Varmazis: Yes, that's why you read my message. What is happening? Yes, that's why you read my message and didn't reply.

Dave Bittner: I'm sorry about that. How are you doing today? And how's your night? Hope you slept well.

Maria Varmazis: I'm fine, and you?

Dave Bittner: I'm fine, thank you. What's the time where you live and where-- oh, and what are your plans?

Maria Varmazis: Geez. It's 9:44. I'm just staying home and you. Man, you're in danger, girl. What are you doing?

Dave Bittner: Okay? Same here. All right. We're going to wrap this up because it just goes on forever.

Joe Carrigan: So, this is like someone's first day on the job at the romance scamming factory.

Dave Bittner: Yeah. He wants to make an impression on the boss, just hanging in there for ages. I'm just scrolling through here trying to get to the end. So here's the last page. We'll start here. He says, "I have been with my job, besides I made a promise to myself that I will navy settle for less and I pray and hope to meet my soulmate someday and retire from my job so my family can enough of my time. I'm not getting any younger and don't want to die single."

Maria Varmazis: Have you ever dated a man?

Dave Bittner: Ever since I got divorced, life hasn't been easy for me living alone without a woman to call my soulmate. Why should I date a man?

Maria Varmazis: I'm just asking you.

Dave Bittner: I can't date a man. And then it ends. So I think you found this scammer's kryptonite, whatever.

Joe Carrigan: Right.

Dave Bittner: Whatever. After-- oof.

Joe Carrigan: That was long, arduous.

Dave Bittner: It was.

Maria Varmazis: Why do they want to know how many bedrooms this person has in their house?

Joe Carrigan: That might be-- actually, that might be a way that they can gauge how much money the person has. So they decide whether or not they want to continue on it, on with the scam.

Dave Bittner: Right.

Joe Carrigan: You know, they say I live in a house with six bedrooms. Right, yeah.

Dave Bittner: Yeah, right. I rent a studio apartment and I'm barely getting by. They're not going to spend as much time, you know, as with somebody who says, you know, I've never counted the number of bedrooms in my house.

Joe Carrigan: So many. My dead husband was making for so much money.

Dave Bittner: The servants tell me there are wings to the estate that I have yet to visit. So I'm looking forward to that.

Maria Varmazis: Some weird voice coming from the attic.

Dave Bittner: That's right.

Maria Varmazis: Some wailing.

Dave Bittner: That's right. There's a room-- I know there's a room on the other side of the campus where we keep all of the gold, but I've never actually visited it.

Joe Carrigan: I've heard it's very bright in there.

Dave Bittner: That's right. It's right next to the diamond vault.

Maria Varmazis: Sometimes I do a giant leaping jumps into it, you know, and go swimming in the gold.

Dave Bittner: That's right, yeah. Are you familiar with Scrooge McDuck? [ Laughter ] All right. That is our "Catch of the Day." And, of course, we would love to hear from you. If there's something you'd like us to consider--

Joe Carrigan: Hopefully, it's something shorter.

Dave Bittner: Yes. Please email us, it's hackinghumans@n2k.com. That is our show. We want to thank all of you for hanging in there, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you liked our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]