Hacking Humans 2.27.25
Ep 327 | 2.27.25

Live from Orlando, it's Hacking Humans!

Transcript

Dave Bittner: Hello everyone and welcome to N2K's CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is my N2K colleague and host of the "T-Minus Space" daily podcast, Maria Varmazis. Maria.

Maria Varmazis: Hi Dave. Thanks. Thank you.

Dave Bittner: We are recording this week's show in front of a live audience at ThreatLocker's Zero Trust World 2025 Conference in Orlando, Florida. Let's hear our live audience. Thank you. And our special guest today is Seamus Lennon. He is ThreatLocker's VP of Operations for Europe. Seamus, thank you for joining us.

Seamus Lennon: Thank you very much for having me. Thank you.

Dave Bittner: As I said, our co-host Joe Carrigan is unable to join us here in Florida, but don't fret. He will be back with us for our next episode. We've got some interesting stories to share this week. We will be right back after this message from our show's sponsor. And we're back. Maria, we don't have any follow-up this week, so why don't you kick things off for us? What do you have for us this week?

Maria Varmazis: All right, so it's a shout out to Joe Carrigan's scammer liturgical calendar. It is the most wonderful time of the year for tax scammers. So, I have two stories that I wanted to talk about today. The first one is by Kate Gibson of CBS News Money Watch. There is a tax text scam going around claiming that the IRS has a $1,400 refund just for you, actually, Seamus.

Seamus Lennon: Thanks.

Maria Varmazis: All you need to do is click the link to confirm your personal information to get a check mailed directly to you. Sounds fantastic, honestly. So, the scammers are clearly taking advantage of some, how shall we say politely, tumult at the IRS currently, but they are also latching on to some news that is valid in a way that you might have heard that the IRS is actually sending $2.4 million to about a million taxpayers legitimately who are eligible for a pandemic era stimulus payment but didn't receive them. However, those payments are automatic. You don't need to do anything to get those. And also, the IRS will always send a letter. They will not text you. So, that is really, really important to remember. You're not going to get a text from the IRS. That said, while the IRS will not text you, I have a follow-up follow-on story from one of our listeners, Kaylee. Kaylee is, like many of us, doing their taxes right now. And Kaylee noticed that they're looking around at tax firms. So, these are the companies that will help you file your taxes. It can be hard when you're trying to figure out who's going to help you with your taxes, who exactly you've reached out to and what marketing spiel you've signed up for. And Kaylee got a message -- a text message saying that they had gotten a tax refund that was expiring soon, and apparently that they'd already agreed to get text messages from this firm. But Kaylee noted that they actually had never agreed to any of this. They'd never signed up for anything from this firm, didn't recognize the company at all. And the very first message from this kind of iffy company was the firm promising a refund. Again, just click this link to get it. And it wasn't actually a direct phish. It was more fraud, like a PH-fraud. Ha, ha. This is -- this tax firm is promising a refund under a pandemic-related tax cut that doesn't exist. It's called the Self-Employment Tax Credit that the IRS goes through pains to mention does not exist.
But a lot of scammers are taking advantage of misinformation about this on social media right now. So, people pay phony tax preparers, which there are many. It doesn't cost much to spin up a website and say, "I'm a tax preparer." And people pay these preparers for money that will never come. So, you're out of the money that you've paid these preparers for, and again, the $32,000 that you thought you were going to get from the IRS is never going to appear. And also, they have your social security number. So, isn't that grand?

Dave Bittner: Wow. Wow.

Maria Varmazis: Yes.

Dave Bittner: I'm curious, so Seamus, your comments on this. I mean there's -- when you think about this kind of scam coming into someone, what are some of the red flags that come to mind for you?

Seamus Lennon: Well, if I receive a text message from the IRS, I'm going to get really worried.

Maria Varmazis: Why?

Dave Bittner: I'll bet you --

Seamus Lennon: [inaudible 00:04:15] don't pay tax in the United States. But if I do, I'm going to get really, really worried. But it is typical. Like, they'll attach on to anything that's relevant in the time that's relevant. It's tax period, let's just hit everybody with tax. And the thing is, most people won't fall for that, but a lot of people do --

Maria Varmazis: Yes.

Seamus Lennon: -- you know? Like, postal delivery. I mean, how many people have received a text message or an e-mail to say, "Hey, we've got your package, but you need to go on to this link and pay the customs for it." When do you have an order then? Now, if you're an online shopper, is that person going, "Did I order something?"

Maria Varmazis: Yes.

Dave Bittner: Yes.

Seamus Lennon: Did I order anything?

Maria Varmazis: Easy to forget. Yes.

Seamus Lennon: So, and -- and that's the thing. And -- and that's how to dupe people very simply and very easy. Very easy, so. I'm based in Ireland, so we have the regulation commission in Ireland for communication, known as ComReg. Now, they've actually introduced something new, which is totally new in Ireland, which basically means, as a business in Ireland, you must register your number with ComReg. If you do not register your number or caller ID or your SMS ID with ComReg, every time you send out an e-mail or a text message or a voicemail to a user in Ireland, it will come up as potentially fraudulent --

Maria Varmazis: Oh.

Seamus Lennon: -- straight away.

Maria Varmazis: That sounds nice.

Seamus Lennon: And they're taking control. So, the amount of times any of their -- their like, voicemails, like the phishing, I look at my phone, I see a number, I don't answer it, look up the number, it's a help and support site for, you know, a telephone provider in Ireland. They advertise the number online. So, with, you know, technology like voice over IP, I can just phone on like a phone number and I could be anybody. But with the introduction of this now, when they do that, it's flagged straight away. Now, it's going to say like three and a half thousand people get duped every day in Ireland. We're not a huge country. We're only five and a half million.

Dave Bittner: Three and a half thousand?

Seamus Lennon: People.

Dave Bittner: That's adorable.

Seamus Lennon: It is. I'm not saying -- I'm not saying we're very silly people in Ireland.

Dave Bittner: No, no.

Seamus Lennon: Very silly people in Ireland. So.

Dave Bittner: It's a -- but it's a numbers game, right?

Seamus Lennon: It is a numbers game. Yes.

Dave Bittner: Yes, it also makes me think about how so many parts of the world, it seems, are ahead of us here in the U.S. when it comes to regulations, you know, tamping down on these things. I -- I know for me personally, like, every time I get a -- what is obviously a fraudulent phone call or text message or something, and I think to myself, "Why is this still happening? You know, we -- in today -- in the amount of technology we have, why are we still getting these things?" It's -- it's maddening that we aren't farther ahead. But it's interesting to hear that other nations are taking action. Yes.

Seamus Lennon: And -- and it's great that it's taking the control out of end users' hands. And -- and -- and that's essentially what it is, because, you know, they're -- they're not targeting intelligent people. They're not targeting people that are aware of these things. They target everybody.

Maria Varmazis: Yes.

Dave Bittner: Yes.

Seamus Lennon: Everybody. So, you know, my 70-year-old auntie picks up the phone. Again, she's maybe ordered the package, maybe hasn't. Very simple, very easy to be duped.

Maria Varmazis: Yes.

Dave Bittner: Yes. Show of hands, how many people have gotten a fraudulent text message in the past month?

Maria Varmazis: That's everybody.

Seamus Lennon: Pretty much everybody.

Dave Bittner: Yes. Two -- two -- this gentleman raised both of his hands. I believe he has -- he has a work phone and a personal phone. So, yes, nobody's immune.

Maria Varmazis: Yes.

Dave Bittner: All right. What else do you have, Maria?

Maria Varmazis: That was actually the -- both of my stories.

Dave Bittner: All right. Terrific. Well, my story this week is more of a sort of a broad informational kind of thing. This is actually from the folks at ABC 7 in Chicago, one of the local affiliates there, and they did some reporting on the Better Business Bureau's report on the top local scams of 2024. So, the Better Business Bureau, probably -- most of you are probably familiar with. They're an organization that helps keep track of businesses in your community. They help take care of disputes that people might have with local businesses. One of the things they also do is they have a cyber scam reporting line, and they keep track of the scams that are going on and they generate statistics. In this case, they generated a report for 2024. And I thought it'd be interesting to see some of the top scams that they were tracking from their perspective as folks who are keeping an eye on the consumer retail side of things. Let me start with a question. So, I'm going to quiz the two of you. What do you suppose the number one reported scam is for the Better Business Bureau, for consumers?

Maria Varmazis: Consumers. Is it gift card related?

Dave Bittner: No.

Maria Varmazis: No. Okay.

Dave Bittner: Seamus?

Seamus Lennon: Is it reformed related?

Dave Bittner: Maybe.

Maria Varmazis: Oh, that's an interesting guess. All right, yep.

Dave Bittner: It's actually online purchases. So, this is fake websites. This is fraudulent transactions, situations where people believe that they have purchased something online and it never shows up. We're seeing a ton of situations, especially on platforms like Facebook, where someone will generate what looks like a totally legitimate storefront, sometimes offering impossible prices on irresistible products that are well-known name-branded things, and people shop around. The bad guys pay to have these ads put in front of people, and you're minding your own business, scrolling through and you see, "Oh, there's a -- a kayak, and I really want a kayak, and that's half the price that the kayak usually is." You go through, looks like the legitimate website for the company who sells the kayak, 100%. You put in your credit card information. They send you an e-mail that says, "Good news, your kayak is on the way." And of course, you're never going to get the kayak. There never was a kayak. This -- this fake store is just imitating the -- the actual retailer of the kayak. And in most cases, you'd be out of luck there. You could go back to your credit card company, but these are rampant on platforms like Facebook.

Maria Varmazis: Yes, it costs pennies to do.

Dave Bittner: Yes.

Maria Varmazis: If that. Fractions of pennies. Yes.

Dave Bittner: Right. Absolutely. I'm going to go through some of the other ones here. Phishing, of course, is number 2. I'm sure everyone in this room is familiar with what phishing is. Number 3 is employment scams. So, we've been seeing this in the headlines a lot, particularly some of the stories coming out of places like North Korea, where folks are either setting up fake recruiting services, they're trying to get folks who are looking for jobs, or there are folks who are signing up for jobs fraudulently. So, people who are from places like North Korea will apply for jobs here in the U.S. Sometimes get those jobs, let's say engineering jobs, but the money is all being funneled back to North Korea, which of course is illegal. So, we're seeing both of those. In fact, just about a week or so ago, there was a woman in, I believe, the Midwest who got arrested for having a laptop farm, that was facilitating fraud from North Korea. So, the North Koreans were taking advantage of her laptop farm to make it appear as though they were here in the United States when they were doing all of their work from around the world. Coming in at number five, I'm sorry, I skipped number four. Number 4 is debt collection. So, this is a really easy one. You get a text message or a phone call, someone saying that you owe someone money. One of the key components of this is it puts you in an emotional state.

Maria Varmazis: Of course.

Dave Bittner: Right?

Maria Varmazis: Yes.

Dave Bittner: And that's what these scammers rely on. They short circuit your brain's rational thinking. Someone calls you up and they say, "You owe us money, and if you don't pay us, we're going to do something bad to you. Bad things are going to happen and we're going to ruin your credit," or, you know, all sorts of -- you could go to jail if you don't pay. And of course, it's all -- it's all fake. Number 5 is counterfeit products. Number 6 are travel, vacation, and timeshare scams. Government agency imposters. So, this one we touched on with the --

Maria Varmazis: Yes.

Dave Bittner: -- fake delivery schemes, the Postal Service, that sort of thing, the IRS.

Maria Varmazis: IRS, yes. Yes.

Dave Bittner: Yes, these are big. Sweepstakes and lottery prizes. Number 9 is tech support scams. How many folks have seen a tech support scam? Yes. Seems like these aren't as popular as they used to be, but they're still out there, particularly you see pop-ups of, you know, someone who is running a browser and they don't have what I would call a -- a fundamental level of pop-up blocking or ad filtering or, you know, the things that to probably the folks in this room would seem like basic, but they don't have that. And so, something pops up and it says, "Your computer is infected." My favorite thing was years ago, my elderly father had a hand-me-down MacBook Pro that I'd given him and he called me over one day. He said, "Dave, the computer's broken. Please come over." And I'm sure there are many people in this room who have that relationship with their parents as well. So, I go over to the -- to help him fix the computer, and sure enough, there's a pop-up on the -- on his Macintosh that says that his Windows operating system is infected. And I said, "Dad, I think we're okay here."

Maria Varmazis: Dad's not dual-boxing? No? Okay, right?

Dave Bittner: No, no, no Dad is not running a VM on his Mac. I can --

Maria Varmazis: I mean, I don't want to say, but you know.

Dave Bittner: No, I can assure you. My father, I love -- obviously, I love my father dearly, but he's one of those people who knows what to do but not why he's doing it. So, he will have a USB cable that he has a sticker on that says printer. And so -- and then he has a sticker on the computer above the USB slot that says printer. And so, he knows the thing with the printer label goes in the hole with the printer label. And if he does that, the printer works. That's all he needs to know. It's a good reminder that there are lots of people, people we work with, and our loved ones, who are running successfully, doing their day-to-day lives, with that level of understanding. But they have big targets on their backs because of that. They don't understand what's going on behind the scenes. And then the last one here are investment scams. And of course this has to do with cryptocurrency. We see lots of investment scams also tied to romance scams where someone will get a message out of the blue. It'll -- someone will say, "Oh, I'm sorry, I texted you accidentally. By the way, who are you, and where do you live?" And they'll send a picture of someone who's quite attractive, and they'll start building a relationship, sometimes over days, weeks, or months, that inevitably leads to a pitch for some kind of investment. And at that point, they have built up so much trust, and they have done so much relationship-building and love-bombing, where they're just telling this person that they are the best person and how important they are to them. And they get the person's defenses down, go in for the kill, get the investment scam, and now, off we go. People lose thousands of dollars, hundreds of thousands of dollars, and even millions of dollars, in some of the stories we've covered here, just devastating. 
I'm curious, Seamus, as we go through this list, are there any ones in particular that stand out to you that you've either, through you or your loved ones, that have affected your -- your family or ones that are particularly notorious in your mind?

Seamus Lennon: Well, obviously, number one is phishing. It's always been around, it always will be around. One thing, as a cyber security professional, I always get asked is, "What about AI? Can AI stop all this?" Or "How is AI improving things or disproving things?" Well, realistically, what AI has actually achieved when it comes to phishing is corrected spelling mistakes. That's about it. And it can also be used then for targeted phishing. So, you mentioned first about the -- the Facebook ads and -- and that. I have a Facebook profile. The last one I posted on Facebook would have been six years ago. I still use Facebook. I just don't post anything. There's nothing personal there. There's no information about me there. You know, if you want to find anything out, you can find everything professional about me on LinkedIn. And that's it.

Maria Varmazis: Yes.

Seamus Lennon: But I've got no personal information shared on the internet so people can use against me. Because that's what AI will do. It'll go off, search up your name on social media sites, and it'll create a persona of a phishing attack that suits you. Just you, very simple, very easy, and it can be done in seconds.

Dave Bittner: Yes.

Seamus Lennon: Seconds, and -- and that's the thing. So, it's still always going to be primary, and it'll hit all the notes that you, as a reader, will see that, "Oh, maybe this is genuine?" So, you know, it's never going to go away. But look, there's two things for phishing. Either it's credential compromise, or it's to get an end user to run something on the device. Simple as that. It's to gain access. With ThreatLocker in place, we believe in zero trust, which only allows access where access is required. So, we can control -- although we can't control the phish itself, we can control what happens in the aftermath of that. Now, if it's credential [inaudible 00:17:48], obviously we can help with that, we just launched network -- cloud control, which says even if your credentials were stolen, if somebody tries to log in from an unauthenticated device, the device isn't yours, it gets blocked [inaudible 00:18:02]. So, it's again, stuck on that level of access as well.

Dave Bittner: Yes. Well, and I think, you know, particularly at the corporate level, it seems as though there's recognition of the need for these type of things and more of these things are in place. But I still can't help worrying about my friends and family.

Seamus Lennon: Yes.

Dave Bittner: Like, I say my elderly father. And I'm -- I'm looking forward to the day when those level tools filter down and become the day-to-day things that just operate in the background that people don't have to worry about.

Seamus Lennon: Yes, but --

Dave Bittner: Do you think we're heading that way?

Seamus Lennon: We -- we are heading that way. And as I said in my example about the Irish ComReg --

Dave Bittner: Yes.

Seamus Lennon: -- that's filtering up to the top. So, that's taking it out of the equation completely. So, imagine how many thousands of people it's going to save from those phishing attacks, the -- the submission attacks, those text messages for packages and the IRS in -- in Ireland. No, it's not going to happen, but the Revenue Service. You know, but that's just going to take it all out of the equation. So again, that's taking it from the top level all the way down to the bottom. So, look, it's about awareness. It's always been about awareness. Now, you're not going to be able to teach everybody. And that's the unfortunate thing. You cannot teach everybody how to be secure and how to be safe.

Dave Bittner: Right.

Seamus Lennon: And I live by zero trust. So, you know, basically, I'm very much paranoid about everything. Not in that sort of way, but I am when I'm -- I'm online, I'm on my computer, the websites I go on to and stuff like that. You mentioned Bitcoin. I do bits in Bitcoin and then cryptocurrency. And there's you know, if you start reading anything about what's the next best thing because look, everybody that's into cryptocurrency is into it for one reason, is to make that 200-plus-thousand profit on what you've invested in. But if you look on what's the next big thing in cryptocurrency, you can guarantee that five out of the teams that you look at are fake, completely fake. They don't exist. All they want is the initial investment, because it's not even the cryptic ones. It hasn't even been published. And that's what they utilize. What are people interested in to dupe them into this? Basically, taking the money.

Dave Bittner: Yes. Yes. I'm -- I'm curious for -- for you, Maria, are -- are there any of these things that have touched your life?

Maria Varmazis: Oh my goodness. I've mentioned it a few times on the show, but I've known people who've gotten really badly involved with these romance scams. And I've talked about it a couple times also, but even when you have people in their lives, like myself, who know about these things, or people who work in law enforcement who can speak to you know the dangers of these romance scams, a lot of times people just really want to believe that they're true.

Dave Bittner: Yes.

Maria Varmazis: And it's -- it's very, very hard to disentangle them from these things. But to your point about helping out family and friends, actually to both of us -- both of what you were saying, it's -- it's -- I have -- my mother's in a similar situation of she doesn't know a lot about how these things work, and my mother is very intelligent. But my view is she shouldn't have to know how these things work. She's extremely smart in her own areas of expertise. You know, this is not -- this just happens to not be what she is an expert in. So, it's -- as much as we try to stay on top of these things, and we should because it's our jobs, we have to just also remember that nobody can know everything. And hopefully, we have solutions like what you've been mentioning that can help people not have that burden of knowledge because it's just not possible for everyone to do it, yes.

Dave Bittner: Yes. We -- we -- you know, I think it's true that nobody is 100% immune to these sorts of things, particularly the social engineering types of things. Every one of us has something that we love to do, if it's a hobby or an interest or you know a collection, that would, if sourced from something we know and trust and love, would probably get our defenses down.

Maria Varmazis: Yes.

Dave Bittner: And that's not a dig against us. We're all human. And we have emotions. And so, that's what they take advantage of. It's interesting too, just swinging back to the -- what you're saying about not being on Facebook for so many years and doing things on LinkedIn and -- and that sort of thing. It really is, I think, a shame that so many of us, when we have these conversations about social media platforms, it is the lesser of all the evils, right? Like, we sort of begrudgingly say, "Oh, you know, yes, I -- I do this because I have to, not because there's any real joy and pleasure so much in it." I -- I know there are new things in Mastodon and -- and Blue Sky and things like that are doing their best, but it's a shame that we've gotten to that where that is the point of where we are today.

Maria Varmazis: Yes, and that the best way to use them is to basically not use them.

Seamus Lennon: Not use.

Maria Varmazis: I wish --

Seamus Lennon: That's certainly the safest way to use them.

Maria Varmazis: -- yes.

Dave Bittner: And how aggressively bad they've gotten. I mean, I would say even in the past year, you know I'm on Facebook to keep track of my friends and family all over the United States and around the world and it's just -- just remarkable to me how aggressively bad it has gotten in putting scams in front of me and things I'm not interested in, just ad after ad after ad. It's -- it's maddening that they have us kind of linked into that. Wait, that was a mixed metaphor, wasn't it?

Maria Varmazis: Yes.

Dave Bittner: All right. All right. We are going to take a quick break to hear a message from our show sponsor. And we're back. It is time for our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ] Our catch of the day this week comes from a listener. His name is Diesel, and he is from West Virginia. And he received this message from the Venmo support team. And the message is, "We were frozen to process your recent unauthorized activity attempted." Now, we were saying earlier that AI has helped make the English in these messages better, that it is harder to just spot the poor English than it used to be because of AI. This is an exception. So, see if you can spot where the AI that generated this message goes wildly off the rails. Here we go. "Dear customer, we inform you that we would like to proceed with a frozen transfer activity. As you may know, a frozen transfer involves the use of cryopreserved embryos, which are thawed and transferred into the uterus in order to achieve a successful pregnancy."

Seamus Lennon: Wow.

Maria Varmazis: Don't look at me. Don't look at me.

Dave Bittner: "If you disabled sign-in to your account by accident through our phone line, and you do not believe unauthorized activity or access has occurred, you will need to verify your account and complete the prompted steps to regain access to your account." And then there's a big button that says, "Verify Now," and it says, "Thanks, Venmo Support Team."

Maria Varmazis: I got pregnant through Venmo.

Dave Bittner: Oh so, obviously, I'm going to leave it to you here, Seamus, to unpack. Like, walk us through the connection of where the AI, we think, made a faulty connection between several different things. What do you make of this?

Seamus Lennon: This is one hacker that actually hasn't found AI yet.

Dave Bittner: Really.

Maria Varmazis: Really.

Dave Bittner: Really. See, my assumption was that the AI went from frozen assets and somehow connected the word frozen to frozen embryos and just ran with that. And it's completely nonsensical and nobody, you know -- the bad guys -- they don't -- they don't bother to proofread anything. It's all a numbers game. And that is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an e-mail to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

Maria Varmazis: And I'm Maria Varmazis.

Seamus Lennon: And I'm Seamus Lennon.

Dave Bittner: Thanks for listening. Thanks for being here, everybody. [ Music ]