Hacking Humans 5.22.25
Ep 339 | 5.22.25

Scam me once.

Transcript

[ Music ]

Dave Bittner: Hello, everyone, and welcome to N2K Cyberwire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is my co-host, Joe Carrigan. Hey there, Joe.

 

Joe Carrigan: Hi, Dave.

 

Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Hello, Maria.

 

Maria Varmazis: Hi, Dave, and hi, Joe.

 

Dave Bittner: We've got some good stories to share this week, and later in the show, Maria speaks with Alex Hall, Trust and Safety Architect at Sift. They're talking about job scams. Let's jump right into things here. Joe, before we get to our listener follow-up --

 

Joe Carrigan: Yes.

 

Dave Bittner: We have some much more important follow-up.

 

Joe Carrigan: Yes.

 

Dave Bittner: If I do say so myself.

 

Joe Carrigan: Uh-huh.

 

Dave Bittner: So it's been a little while.

 

Joe Carrigan: Right.

 

Dave Bittner: Bring us up to date on the chickens.

 

Joe Carrigan: Well, the last time we talked about the chickens, all those chickens are gone, Dave.

 

Dave Bittner: All those chickens are gone?

 

Maria Varmazis: They're gone.

 

Joe Carrigan: Insider threat, Dave and Maria. It was a terrible --

 

Dave Bittner: They're all dead?

 

Joe Carrigan: Terrible day, yeah.

 

Maria Varmazis: Insider threat, so they were murdered by other chickens?

 

Joe Carrigan: Other animals. Somebody --

 

Dave Bittner: [inaudible 00:01:18] in your house?

 

Joe Carrigan: No. It was a trusted insider, Dave. It was one of the dogs in my daughter's house.

 

Maria Varmazis: Oh, no.

 

Joe Carrigan: This dog, who is apparently a mass murdering psychopath of a dog, and she just went downstairs and just killed all 13 of the chickens. That was it. Wiped them out. We were, this happened on Easter Sunday, the night of Easter Sunday. We were all devastated.

 

Dave Bittner: Right. Did you wait a couple of days to see if any of them, you know -- [laughter].

 

Joe Carrigan: Well, if it had been Friday, Dave, I would have waited till Sunday.

 

Dave Bittner: Okay, fair enough.

 

Joe Carrigan: So, of course, the next day the Pope passes away.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Monday morning, and I actually had --

 

Dave Bittner: Correlation is not causation?

 

Joe Carrigan: Right.

 

Maria Varmazis: So did the dog kill the Pope or -- okay.

 

Joe Carrigan: Pope Francis walking into heaven with 13 little chickens.

 

Dave Bittner: Okay.

 

Maria Varmazis: Aww.

 

Joe Carrigan: It was very nice, and my daughter made a meme of the, you know, Anakin Skywalker killing the younglings but put her dog's face over Anakin's face.

 

Dave Bittner: Now, is this a problematic dog, or was it just a crime of opportunity?

 

Joe Carrigan: Well, all dogs are dogs of opportunity. If you leave --

 

Dave Bittner: That's true.

 

Joe Carrigan: If any food hits the floor, and anybody -- everybody that has a dog knows this. If a dog gets a chance to eat some food, they're going to eat it. This dog is a -- this dog, she's part beagle, a lot beagle, so it's not against her nature. The funny thing is, well, not really funny, but the next thing, we have since replaced these chickens, and now we have another 12 chicks that we managed to get. So we have chickens again.

 

Dave Bittner: Okay.

 

Joe Carrigan: And there is now a cover over top of the containment unit for the chickens so the dog can't get in, even if the dog does get into the basement, which she's not allowed to be in. But the thing is, when we brought these little peeps into the house, they come in a little like, like a little Dunkin' Donuts Munchkin case, maybe a little bit bigger, and you can --

 

Dave Bittner: Yeah.

 

Joe Carrigan: Cram 11 chicks in there.

 

Maria Varmazis: Oh, the dog got confused. He's like, "Those are munchkins, obviously."

 

Joe Carrigan: Right, yeah. Well, as soon as we walk in, my daughter comes into the house, I was actually already there, and she comes in the house, and she has the chicks and the thing, and the dogs hear the chickens, and they go and they sit down in front of her like she's got treats for him.

 

Dave Bittner: Oh, no.

 

Joe Carrigan: And I'm like, "Oh, yeah. Yeah, I don't think you understand how this works." So we took the chickens downstairs and put them into the container, the -- it's not a kennel, it's not a crate. It's like a pen that's built up. It's a garden --

 

Dave Bittner: Like a little mini coop.

 

Joe Carrigan: Yeah, it's only -- they're only going to be there until they can go outside and the coop is finished. So we're still working on the coop, and we -- actually, we got ourselves a little bit more time due to this, but, yeah, we have -- we're still chicken people, Dave. We still have 12 chickens.

 

Dave Bittner: Wow.

 

Joe Carrigan: I mean, I can't tell you how devastatingly sad it was for me to hear that these chickens had been removed from the earth. I was really sad. I mean, like, it was so impactful.

 

Dave Bittner: Yeah.

 

Joe Carrigan: And, you know, they're chickens.

 

Dave Bittner: Well, but, you know, they get into your heart, right? They're cute little fluffy little things and you want the -- and you have plans for them.

 

Joe Carrigan: I have plans for them to be long-term chickens. These are egg chickens, Dave. They're not meat chickens.

 

Dave Bittner: Right, right, right.

 

Joe Carrigan: So yeah, so I was over there last weekend feeding the, you know, playing with the new chickens and feeding them, and they're all -- I can't tell the difference between these chickens and the old chickens, but still --

 

Dave Bittner: Okay.

 

Joe Carrigan: I like them.

 

Dave Bittner: What does a baby chick cost these days?

 

Joe Carrigan: Like $5 to $10, somewhere in there.

 

Dave Bittner: Okay.

 

Joe Carrigan: It's not as cheap as it used to be.

 

Dave Bittner: Yeah, but what is, really?

 

Maria Varmazis: It costs $5 to $10.

 

Joe Carrigan: Huh?

 

Maria Varmazis: Each chick?

 

Joe Carrigan: Yes, each chick costs $5 to $10.

 

Maria Varmazis: Wow, that is a lot more expensive than I thought they were, okay.

 

Joe Carrigan: Yeah, so that dog did a lot of financial damage, too.

 

Dave Bittner: The dog working it off now.

 

Joe Carrigan: Right, free dog, yeah. There's no such thing as a free dog.

 

Maria Varmazis: In this economy?

 

Dave Bittner: Right, washing the car. Right.

 

Joe Carrigan: Well, now she's spending all the time out by the shed where there's a groundhog under the shed and she's looking for this, looking for the groundhog.

 

Dave Bittner: Okay.

 

Joe Carrigan: And I told her -- I told my daughter what you said, Maria, we need to get a Jack Russell terrorist.

 

Maria Varmazis: I've been so tempted with at least two groundhogs that I have in my yard. So borrow a neighbor's. Not groundhog, the Jack Russell, yeah. Right. I don't need any more groundhogs.

 

Dave Bittner: How -- yeah, I've got beavers in my backyard, so --

 

Joe Carrigan: That's right. You're right up against the lake, though.

 

Dave Bittner: Yeah, yeah. Beavers are -- they're fun. Although they're wild animals.

 

Joe Carrigan: Right.

 

Dave Bittner: And they're like, I don't know, 20 pounds of muscle and razor-sharp teeth, so you give them their space.

 

Joe Carrigan: Right, because every, like, every 5 to 10 years, you read about a story where a beaver kills somebody.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Like, and you're like --

 

Maria Varmazis: What?

 

Joe Carrigan: They died from what? Who killed -- what killed them?

 

Dave Bittner: Beaver.

 

Joe Carrigan: A beaver.

 

Dave Bittner: Yeah, usually it's a beaver bite where the beaver just happens on to an artery and the person bleeds out, but --

 

Maria Varmazis: Oh, well, those teeth, yeah. Well, I mean --

 

Dave Bittner: Yeah, exactly, the teeth. It's the teeth. They are razor sharp.

 

Maria Varmazis: Okay. So I was having this conversation with my kid the other day about humans being at the top of the food chain. We don't have any predators. Now I need to amend that to beavers being a human predator. Okay.

 

Joe Carrigan: It's not that you look like food to the beavers, just that your leg looks like a tree trunk.

 

Maria Varmazis: Yeah, we will -- they will kill you. Okay, got it.

 

Joe Carrigan: Beavers cannot stand a tree trunk.

 

Dave Bittner: No, but you can hear them out there at night sometimes doing their own thing.

 

Maria Varmazis: That's hilarious.

 

Dave Bittner: Yeah, I'm serious. It makes -- it's like a clicking sound that you hear with their little teeth. I also had an idea completely unrelated. Well, no, that's a lie. Totally related, which is somebody needs to make a saw blade or a drill bit that imitates the teeth of a beaver, so if there's a tree that's blocking your view and it's on public land --

 

Joe Carrigan: Right.

 

Dave Bittner: You want that tree down, you go out there with your beaver bit --

 

Maria Varmazis: And then you have plausible deniability. Right.

 

Dave Bittner: You take -- you go, "Oh, look at this. That tree went down. Hmm, must have been beavers. What a shame. Oh, well, my view is back." You know, so I think it's a, you know, it's a marketable idea. Maybe a niche. I don't know. Anyway, we have a show to do.

 

Joe Carrigan: Right. We have already gone down the rabbit hole and --

 

Dave Bittner: With many, many, many, many, many.

 

Joe Carrigan: Right.

 

Dave Bittner: All right, let's get to our follow-up here.

 

Joe Carrigan: Thank you for listening to Chicken Chat.

 

Dave Bittner: That's right. We have an item of follow-up from Jim. Joe, you want to do the honors?

 

Joe Carrigan: Hi, guys. In the past couple of shows, you have mentioned money launderers and couriers as part of the scams, but they are often scam victims, too. This is correct. And we had -- I had a story about a guy who got busted for laundering money, and I think at the end of the story, I mentioned that he was expendable, but one of the reasons he may have been expendable is because this guy may have actually been a victim of scams.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Some people are told they are processing payments, which is true. Hey, it's like a fake job. Often the payments into the victim's account are fraudulent, and by the time they are clawed back, the victim has already transferred the money to the scammer in a way that cannot be clawed back, which means that money's gone. So if, you know, they send you the money, you go out, withdraw the money, buy cryptocurrency and send that off, then they claw back the money. You're not clawing back the cryptocurrency.

 

Dave Bittner: Right, right.

 

Joe Carrigan: And in --

 

Maria Varmazis: Yup.

 

Joe Carrigan: In scams that use a courier, the courier is often not in on the scam. There was an unfortunate case where a scam victim was shot in -- shot an innocent Uber driver. I remember that case. We talked about that here. It was just an Uber driver who was doing Uber deliveries and they were using that for the scam. And I have a friend who does Uber, who is an Uber driver, and he did a couple of Uber deliveries and then stopped.

 

Dave Bittner: Oh.

 

Joe Carrigan: Because he was pretty sure he was doing something that would have put him in jail.

 

Dave Bittner: Oh.

 

Joe Carrigan: So he was like, "Yeah, I'm not doing this anymore."

 

Dave Bittner: Yeah.

 

Maria Varmazis: Oh, my gosh, wow.

 

Dave Bittner: By the way, speaking of clawbacks, I learned recently that the Social Security Administration can claw back a payment from a bank account that has been closed.

 

Joe Carrigan: Okay.

 

Maria Varmazis: How? What? Special magic powers? My goodness.

 

Dave Bittner: Well, I guess when you're in the government --

 

Joe Carrigan: Right.

 

Dave Bittner: So --

 

Maria Varmazis: You can do what you want.

 

Joe Carrigan: You're going to give us that money back.

 

Dave Bittner: So as I've spoken about before, you know, a couple months ago, my father passed away, and my brother and I went and closed one of his bank accounts at a local bank, closed it out, you know, took care of everything. So this bank account is done. It is closed. It is buttoned up. And I got a call about a week later from a very nice woman at the bank who said, "Could you please bring us a check for this amount? Your father accidentally got a Social Security payment that he was not entitled to," which is a common thing to happen. Someone will pass away, depending on the timing, the Social Security payment comes, but you're not entitled to payments after someone has died. So Social Security claws that payment back. That's fairly routine. In this case, it timed out that the account had been closed, but Social Security was like, "Nope, we're taking our money." So they took it from the bank, and the lady at the bank said, "Can you please come bring us a check for this amount?" Which I did, of course, but I don't know --

 

Joe Carrigan: But what happens if you say no?

 

Dave Bittner: Well, I --

 

Maria Varmazis: That's a different --

 

Dave Bittner: I briefly thought about that. I don't know. I suspect there are probably people who would try to fight it, and I don't know if the bank then tries to transfer the troubles to between you and the Social Security Administration, but --

 

Maria Varmazis: Fraud issue at that point, I would imagine, so yeah.

 

Dave Bittner: Yeah, well, I think what surprised me about it was that the Social Security Administration just went and took their money back, that they didn't send me a bill or a letter or that, you know, it became between me and the bank, not me and the Social Security Administration, so that was surprising. I don't know. My knowledge of how those kinds of payments work is limited, and I suppose it wouldn't surprise me if the federal government had special powers when it comes to those sorts of things, so who knows.

 

Maria Varmazis: If anybody does, yes, it would be them.

 

Dave Bittner: We'll be back after this message from our show's sponsor. [ Music ] All right. Well, let's move on to our stories here. I actually have two stories this week. These are both from the scam subreddit over on Reddit. Two very different stories. One of them is a little familiar, and one of them is one that I had not heard before. The first one comes from someone who is actually a bank teller who writes -- I'm just going to quote what they wrote here. They said, "I had a customer come in today and he had a check that he wanted to deposit." By the way, this happened in Canada. "Super normal, no red flags. He asked about how long the hold will be. Still no red flags. Since we're in Canada and we celebrate Victoria Day, the banks are closed on Monday, so his five-business-day hold will take us to May 21st. I told him that, and he said he needs at least $9,000 released right away. Now I'm even more curious and I asked why. He said he needs 10% to send to his crypto account so he can withdraw the $90,000 that his crypto account has generated."

 

Joe Carrigan: Hmm.

 

Dave Bittner: So the teller, who is the hero in this story, says, "Skeptical, I asked what account, how he opened it, the website, the whole ordeal. To my surprise, he told me he clicked on a" -- wait for it -- "Facebook ad" --

 

Maria Varmazis: No.

 

Dave Bittner: "And deposited a couple of hundred dollars back a few months ago, and now it's generated $90,000 U.S., but in order to get the $90,000, he needs to deposit $9,000." Yeah, no. "I told him he's being scammed. I grabbed my phone and showed him the numerous crypto scams posted on Reddit. I said his biggest blessing is losing a couple of hundred dollars and not thousands."

 

Joe Carrigan: Nine thousand, yeah.

 

Maria Varmazis: Yeah, yeah, yup.

 

Dave Bittner: Turns out the investment advisor, based out of Brussels, had yelled at the customer. This teller said the customer was 75 years old and vulnerable, but thank goodness he came to the bank to talk about it and it saved him $9,000. So I think that one's pretty straightforward as to what was going on there.

 

Maria Varmazis: Good on the teller, yeah.

 

Dave Bittner: Yeah, good for the teller. Interesting that it all came through a Facebook ad. Not surprising.

 

Joe Carrigan: Yeah, not surprising.

 

Dave Bittner: But good that it got stopped in the middle. This next one, though, is more interesting because I don't recall us seeing something like this before, and I'm curious for both of your takes on this. So in this one, a family member gets arrested for a DWI, okay?

 

Joe Carrigan: Like really arrested?

 

Dave Bittner: Really arrested.

 

Joe Carrigan: Okay.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Driving under the influence, driving with --

 

Joe Carrigan: Driving while intoxicated.

 

Maria Varmazis: While intoxicated, okay, yup.

 

Dave Bittner: Right. So the details of that aren't terribly important, but this person is cooling off in the slammer while things are getting worked off.

 

Joe Carrigan: Like Otis from Mayberry.

 

Dave Bittner: Exactly. So this person who is in jail had listed the person who wrote this account on his visitation list, and the person who wrote this account got a phone call from a Sergeant Shane Kitchens saying that the family relative with the DWI would be released with an ankle monitor, but they needed someone to pay for the ankle monitor deposit.

 

Joe Carrigan: Hmm.

 

Dave Bittner: Now, this person who got the call, he said, "I'm broke as hell, so I gave him his mom's number." So he called the mom and spoke for about 15 minutes, and the police officer was doing all sorts of rapport-building, saying that these sorts of things happen, that they should file a complaint, that he would help her with the complaint and, you know, there should be no charges, all this, that, and the other thing. But then he said between the bail and the payment to the ankle monitor company, it was going to be around $3,500 and asked for the mom to pay with Venmo, PayPal, or Zelle. Mom was suspicious.

 

Maria Varmazis: Good.

 

Dave Bittner: She said that this police officer should call the lawyer. The police officer said, "Okay," called back a few minutes later and said, "I talked to the lawyer and the lawyer said, pay it." [laughter].

 

Maria Varmazis: Wow.

 

Joe Carrigan: Okay.

 

Dave Bittner: Good enough.

 

Maria Varmazis: Wow, ballsy. Jeez. All right. My goodness.

 

Dave Bittner: Called back from the jail's number, jail's phone number.

 

Joe Carrigan: Right.

 

Dave Bittner: Okay? Now, in the meantime, the mom has looked up Officer Shane Kitchens and found that it was a name that had been used many times by scammers doing the same thing, and the mom hung up. So this is a scam, obviously. This person pretending to be the police officer nearly scammed this person out of $3,500 by saying it was for bail money and the ankle monitor.

 

Maria Varmazis: Yeah.

 

Dave Bittner: What I'm curious about, and I'm wondering for what you both think about this, and it seems to me like this is taking advantage of some kind of public records flow, like someone got incarcerated.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Yeah, I know that in some towns, some small towns, every arrest is published in the newspaper.

 

Dave Bittner: Right.

 

Maria Varmazis: Yeah, but how quick is -- this was quick, though. I mean, same day, day after? I mean, that's a very fast -- there's got to be, you know, something digitally published somewhere. I mean, local newspaper for me is weekly, if I'm lucky. So yeah, somebody's watching the feeds and going through this. That's a lot.

 

Dave Bittner: Right, or maybe an insider who's in on the deal of sending, you know, sending along information about people who have just been booked.

 

Joe Carrigan: Right. That is also a possibility.

 

Dave Bittner: Yeah, but I had not heard of this particular type of scam before, of taking advantage of someone who -- a family member of someone who's been put in jail temporarily, right, and then taking advantage of that very emotional situation.

 

Joe Carrigan: Hmm.

 

Dave Bittner: Yeah.

 

Maria Varmazis: And we're sure that family member was for sure arrested and not the one perpetrating the scam, right, saying, "Oh, I've totally been arrested. Believe me on this."

 

Joe Carrigan: Ah, that's an excellent point.

 

Dave Bittner: I hadn't thought about that.

 

Maria Varmazis: "I'm hard up for money," yeah.

 

Joe Carrigan: It's like the old fake kidnapping scam.

 

Maria Varmazis: Yeah, "I'm totally being held for ransom. Please pay this guy." Yeah.

 

Joe Carrigan: I tried that with my dad. He said, "Keep him." [laughter].

 

Maria Varmazis: Yeah, I'm going to choose to believe that the first part of the story is true, that the person was arrested, for realsies, but then, yes, that is fascinating that somebody is watching these arrests. I just -- I didn't think paperwork worked that fast. So that's the part where I'm wondering maybe this -- the guy faked it, the whole thing. "I was totally arrested and this Officer Kitchens guy is conveniently scamming mom." I gotta wonder.

 

Dave Bittner: Could be, could be. I mean, I don't know, I tend to think that it is what it appears to be, which is someone's keeping an eye on the records. Someone somehow has access to the arrest records, and it could be, you know, that may be a daily bulletin, you know, like our police forces around here put out a daily crime blotter.

 

Maria Varmazis: Oh, oh, that could -- this might really vary by location about how modern the police are in your jurisdiction and maybe like state, if you're in the U.S., like state privacy laws about arrests. I wonder, because I know some states are much more open about that than others. So that --

 

Dave Bittner: Absolutely.

 

Maria Varmazis: That is -- this is an interesting little rabbit hole we could go down. I'm so curious if our listeners have any insights on this.

 

Dave Bittner: Well, I know we have some listeners who are, if not current, former law enforcement, so I'm sure they will share with us what the spectrum of possibilities are when it comes to this sort of thing and information sharing. So we'll look forward to hearing that. All right, we will have a link to both of those stories over on, again, the scam subreddit if you want to check them out for yourself. Let's move on to Joe's story. Joe, what do you got for us?

 

Joe Carrigan: Well, Dave, not to be outdone with your two stories, I have three stories today.

 

Dave Bittner: You know what that means for you, Maria.

 

Maria Varmazis: I have one.

 

Dave Bittner: Oh, man.

 

Joe Carrigan: She has an interview, though.

 

Maria Varmazis: Actually, I have zero, so there you go. Overflow to zero.

 

Joe Carrigan: So someone tried to scam my wife.

 

Dave Bittner: Oh.

 

Joe Carrigan: Guess what platform? Guess the platform that they started on. Come on, take a guess.

 

Maria Varmazis: Facebook, yeah.

 

Joe Carrigan: My wife has a Facebook page where she showcases her quilting work, and somebody said, "Hey, that's a beautiful quilt. Can I buy it from you?" And she was like, "No, this is mine, but I can make you one." My wife doesn't like making quilts for people, so --

 

Dave Bittner: Does she make them for the chickens?

 

Joe Carrigan: She does. She likes making quilts for the chickens, for the grandkids that you --

 

Maria Varmazis: Okay.

 

Joe Carrigan: Like, you know, and she's much more interested in doing the actual quilting, not putting things together.

 

Dave Bittner: Okay. So in other words, she is in this to be a quilter, not a small business person.

 

Joe Carrigan: Yes. We'll say that for now.

 

Dave Bittner: Okay.

 

Maria Varmazis: I think I just found your wife's Facebook page, by the way. I'm looking at it right now. It's very lovely work.

 

Joe Carrigan: Yeah, it's beautiful stuff.

 

Maria Varmazis: Wow.

 

Joe Carrigan: So this person says, "Okay, well, you can make me another one. How much would that cost you?" And my wife goes, "I don't want to make people quilts. That's not what I want to do." And I said, well, then just, I mean, like, how much would it cost you? How much would it be worth to you to actually make this, and then double that and tell her that's what it's going to cost.

 

Dave Bittner: Right.

 

Joe Carrigan: Right? So she gives her this price that she thinks is just outrageous, and the woman goes, "That sounds great. I'll take it." And she goes, "Great, send me a $200 deposit by Venmo and I'll go out and buy the fabric and we can talk about picking colors." This woman has an address close by, and then she sends back a thing, a little picture that says, "Something's wrong. I need your email address," right? And it's a picture of the Venmo interface with a pop-up over top that says, "Please kindly provide an email address." And my wife goes, "Ah, that doesn't look right." My daughter looks at it. I looked at it. I found out this is a Facebook account that has been cloned from another Facebook account. This is a Facebook account that's just being used to scam people, and fortunately my wife did not get scammed. She immediately thought this was suspicious when I said anytime the workflow, the regular workflow goes off, you're being scammed.

 

Dave Bittner: Yeah.

 

Joe Carrigan: That's it.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So it's -- so she was -- she stopped communicating with the person immediately. Today I actually -- I got on there and -- because I have -- I'm an administrator on that page, I deleted the -- deleted the contact and blocked the person, so -- but I'm still fearful that somebody thinks "I can get this woman." So we have to be vigilant. The other -- the second story I have is actually also kind of short, but it has to do with a DoorDash driver who, in San Francisco, or actually, I don't know if he was in San Francisco, but the company is in San Francisco, has pleaded guilty to stealing $2.5 million from DoorDash.

 

Dave Bittner: Wow.

 

Maria Varmazis: Dang.

 

Joe Carrigan: Now, how do you do that?

 

Dave Bittner: That is a lot of French fries.

 

Joe Carrigan: It is. That's billions of French fries, wasn't it? I mean, maybe not billions.

 

Dave Bittner: It's a lot.

 

Maria Varmazis: Billions and billions served.

 

Dave Bittner: Huh, okay. Go on.

 

Joe Carrigan: But he had a couple of accomplices, and the way this worked was he also had access to the back end. So he had compromised DoorDash.

 

Dave Bittner: Okay.

 

Joe Carrigan: And what he would do is he would order a bunch of food under a compromised account, and then he would take that order on the back end that he had access to and assign it to one of his conspirators who would then mark it as if they had delivered it. And then very quickly he would go in and change the status of the order from delivered to pending, and then he could very quickly assign that to another one of his conspirators, and he could do this multiple times with a single large order. So in very short order, he was just -- they were just raking in money hand over fist on this. Well, he's going to be a guest of possibly the -- well, he's pleaded guilty, so I don't think he's been sentenced, but he faces a maximum of 20 years in prison.

 

Dave Bittner: Wow.

 

Maria Varmazis: Dang.

 

Joe Carrigan: Which, if you do the math, is only $125,000 a year for the $2.5 million he stole, and that's for three of them, so now you're talking about like $40,000 a year. That's what you made, if you're going to spend that much time in prison.

 

Dave Bittner: Hmm.

 

Joe Carrigan: I don't know. Maybe if you get a plea deal, you get less.

 

Maria Varmazis: There's easier ways to earn $40,000 a year, I just got to say.

 

Joe Carrigan: There is. I think you can do it at McDonald's. True.

 

Maria Varmazis: Depending on where you live, yeah.

 

Joe Carrigan: And the last story I have is actually from the Irish Star. It's all over the place, but I picked the Irish Star, and it's a story about a -- the writing in the story is not the best, I'm going to say it, that this is from the Reach Media. They own like the Irish Star and a lot of the Mirror websites. I initially saw this on -- or also saw this on The Mirror U.S. as well, but this story reads like a tabloid newspaper big scam alert, "Oh, this is new," but it's really nothing new. But Google has actually made an announcement about this and it's about people calling you for the Google second-factor authentication code when they're resetting your password, and the thing is, Google will never call you to help you reset your password. That's not how this works at all, and good luck getting them to answer the phone for help on your Gmail account if you don't pay them any money.

 

Maria Varmazis: Probably even if you do, good luck.

 

Joe Carrigan: Yeah, even if you do, you might -- well, I think if you do, you get some kind of tech support, but yeah, it's the standard thing where they call you. They say, "Hey, it's me. I'm from Google tech support. I'm going to send you a code. I need you to read the code back to me." And then they try to reset your password. Google sends you the code. You give them the code. They reset your password to something they know and they have your Google account, which, if it contains your Gmail account that you're using for other services, you've just given them the keys to your kingdom. So it's really, really, really important to not give out your -- protect your email address. Protect the email address that you use for all your services because that is the single basket of eggs, if you will.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Not to get back to the chickens thing.

 

Joe Carrigan: Not to get back to chickens, right. By the way, not a single egg have these chickens laid yet.

 

Maria Varmazis: Oh, they're too young.

 

Joe Carrigan: I know. It takes months. But, yeah, so don't -- just be vigilant, and, I mean, Google is going so far as to put out press releases about this, so apparently these guys are ramping up these attacks.

 

Maria Varmazis: I think anybody who's actually tried to contact Google or, I don't know, Facebook for actual issues that they're having with their account can tell you getting an actual human to help you with really urgent things is nigh impossible.

 

Joe Carrigan: No, you can't do it.

 

Maria Varmazis: So if you thought that they would be proactively calling you for something, that should set off every alarm. So yes.

 

Dave Bittner: Can I just share a quick story?

 

Joe Carrigan: Sure.

 

Maria Varmazis: Always.

 

Dave Bittner: I'm going to go off on a little bit of a rant. So as I mentioned earlier in the show, you know, my father passed away, so we've been dealing with a lot of things with his estate and just taking care of accounts and this, that, and the other thing, all the normal stuff you do when a loved one passes on, and one of the things that I've been working on is he had an account with Comcast, Xfinity, as they like to call themselves these days.

 

Joe Carrigan: They're still Comcast.

 

Dave Bittner: Yeah, so he had both internet and cable TV at his condo, and so we're going to be selling the condo, but it's going to be a few months, and we have a family member who is sort of house-sitting at the condo while these transitions are happening, so we want to leave the internet on, and we want to leave some cable TV on, but I just wanted to dial it down, right, because the Comcast bill is like $300 a month and that's too much for whatever. The person who is house-sitting doesn't need gigabit internet, right? So I get online with Comcast and I log in. I have an account. I have access to the account, and really the only way to do business with them is through their little chatty, chatty thing, their chatbot. So we're on a chatbot, right? And it's like, "Hi, thanks for contacting Comcast. How can I help you?" Hi, I have a relative who recently passed away. I would like to reduce the service level in their home while we're in the process of selling the home. "Great. So what I hear you saying is you'd like to reduce your costs." Yes, that's correct. I have a loved one who passed away, and so I'd like to reduce cost, monthly costs of the bill. "Great. Give me just one moment while I look at your bill."

 

Maria Varmazis: Great, great.

 

Joe Carrigan: I love how you're making the chatbot sound like it doesn't get it.

 

Dave Bittner: Comes back, it says, "Good news. I've got a great deal for you. I can reduce your cost by $50 a month and add another mobile line to your account. What do you think of that?"

 

Maria Varmazis: Nope.

 

Dave Bittner: And I'm sitting there, I'm like, my deceased father does not need another mobile line added to his account. As a friend of mine said when I described it, that is one hell of a long-distance call.

 

Joe Carrigan: Right [laughter].

 

Maria Varmazis: God bless him.

 

Dave Bittner: So I just cut it off there. I said, "No, thank you. I will pursue other options," because I was seething with rage.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yes.

 

Dave Bittner: Like, just at how ill-equipped this stupid AI-powered ghoul of a chatbot was.

 

Joe Carrigan: Right.

 

Dave Bittner: I mean, dealing with it, just couldn't --

 

Joe Carrigan: Has Comcast never dealt with the death of a customer before? I mean, they are one of the biggest providers in the world.

 

Dave Bittner: Well, so transferring the account from my father to me was routine, quick, and painless.

 

Joe Carrigan: Okay.

 

Dave Bittner: There's like one form I filled out online. A couple days later, account's transferred, so I credit them with that.

 

Joe Carrigan: Okay.

 

Dave Bittner: But actually having something adjusted was outside of the scope of what their chatbot could handle.

 

Maria Varmazis: Yeah, yeah.

 

Dave Bittner: Since then, I have made another run at it and we cut the bill in half and all is good, and I can't wait to sell the place and close the account with Comcast, as I'm reminded why they are one of the most hated consumer-facing companies in the United States. It's just sad. It's sad.

 

Maria Varmazis: That reminds me, so I think I mentioned last week that I had to re-up my Facebook account that has been dormant for over five years. I closed it. I closed it down, and I lost my father almost nine years ago to the day, and after my dad died, I made myself his legacy contact because I had seen accounts of friends of mine who have died get hijacked after their deaths, and there's nothing quite like having a friend who died in their 20s or 30s from tragic circumstances having their page become a zombie. It's the worst, and I didn't want that to happen to my dad's Facebook account, even though he barely used the thing, and I gotta say, the language that Facebook uses when you do the legacy contact thing, even if the person is deceased, is in that weird first-person, like, "I am making you my legacy contact because I trust you," and it was very weird getting these messages from my dead dad in my Facebook account, and I was like there's got to be a better way for this. Nothing quite like popping into Facebook after years of being away and seeing that the first thing that comes up is those messages from my dad after his death like, oh, there's a lack of sensitivity around all this from these companies, and of course, there's nothing to talk to.

 

Dave Bittner: Yeah, no, it's crazy. My wife forwarded me -- like she's been keeping an eye on his phone because you keep his phone account open because as you're settling things, some people will try to call, that sort of thing. Anyway, he got a voicemail message about an account, and my wife forwarded it to me as a text message, and so I'm, you know, sitting there minding my own business, text message pops up and it's from my dad and I'm like, "Uh," right?

 

Maria Varmazis: Absolutely, yeah, yup.

 

Dave Bittner: It's just a weird jolt of a feeling, you know.

 

Joe Carrigan: I have a similar story. My uncle passed away a couple of years ago, and his wife still had access to the Facebook account and made some posts as him or some comments as him, and my cousin saw that and he replies, "Dad?"

 

Maria Varmazis: Oh, my God.

 

Joe Carrigan: You know, because we all have that really dark sense of humor.

 

Dave Bittner: Yeah, yeah, coming to you from the great beyond.

 

Joe Carrigan: Right.

 

Dave Bittner: Death has not slowed me down.

 

Maria Varmazis: There's Facebook here, too.

 

Dave Bittner: You know what? Let's take a break for -- [laughter]. This is a good opportunity for us to take a break, hear a message from our sponsor, and we'll be back after this message. Stay with us. [ Music ] All right. We are back, and Maria, you do not have a story this week. What do you have for us?

 

Maria Varmazis: Yeah, in lieu of a story, we're actually running an interview that I did pretty recently with Alex Hall, who is the Trust and Safety Architect at Sift, and he has a really interesting background, which he gets into in the interview, so I don't want to spoil it, but he was talking to me about job scams, both the kinds that affect job seekers as well as organizations that are trying to hire people and keeping potential insider threats out. So here's that interview.

 

Alex Hall: So I do have a unique background in that of my 17 years of experience, about nine and a half of those years were spent on the other side. I was, I am a former fraudster. So I did operate on the other side. I started with check fraud, moved into credit card fraud. I moved into account vulnerabilities, and account takeovers is what we call them in the industry, and from there, I moved into things like identity theft and synthetic ID fraud. As far as the target industries go, I had a chip on my shoulder during that time, and I found it to be an interesting challenge to find out where the vulnerabilities were within all of these different types of organizations. So it went from e-commerce retailers to banks to iGaming platforms, all these different types of industries. And then in 2017, my daughter was born, I had my come-to-Jesus moment, and ever since then I've been doing all that I can to make up for the misdeeds of my past. And so, yeah, everything in my professional career has culminated in the fact that I am working with TASA over at Sift, which is just amazing. I'm very honored to be here.

 

Maria Varmazis: That's awesome. My daughter was also born in 2017, so that's amazing. Just twins.

 

Alex Hall: A good year.

 

Maria Varmazis: It's a good year. It's such a good year. So thank you for joining me, Alex, and thank you for sharing about your story. You have a lot of expertise in what we're going to be diving into today from both sides, which gives you such a great perspective on just a topic that we've talked a lot about on Hacking Humans, specifically about all these job scams that are AI-fueled specifically, but of course, not always, but certainly the AI is helping. There have been a bunch of stories about how people are either double or triple booking jobs or people from North Korea potentially getting jobs in IT departments at cybersecurity companies. I'm not going to name names, but the stories are out there. I guess I wanted to sort of get your thoughts on maybe the threat landscape right now for these kinds of job scams that are maybe being aided by AI, but maybe not only just. What's going on there? I mean, that cat and mouse game is quite a remarkable one.

 

Alex Hall: Sure. So as far as the landscape goes, I feel that it would be important to highlight the two sides, the two primary sides of the coin. So it would be to the case that you brought up where a person looking for a job for nefarious reasons down the line is leveraging AI and social engineering and deceit in order to get a job so that when they're in the back end of a platform they're able to do whatever it is they're after doing. Now, that breaks down into two further categories because we have the actors themselves operating independently, but we also have those actors who are being instructed by a higher power to them. You know what I'm saying? So like the fraudster would manipulate them and they would essentially be plants or mules into an organization. So there's that category where people are just trying to get the jobs for bad reasons, right? But then there's a secondary side of the coin where we have job listings that are being posted that are nefarious unto themselves, right? So these job postings are going out. They're being written with AI. There's no intention or real job opening behind it, but what they do is they walk through the process of unsuspecting members of the general public, and as they go through the process of applying for a job and interviewing, there's, of course, requests for information, and fraudsters are taking that information elsewhere and having their way with it, which might result in synthetic ID fraud, might result in identity theft. In some cases, there's payment information being collected. Yeah, it's a big jumbled spider web.

 

Maria Varmazis: It sure is, and it's so fascinating that -- fascinating in a dark way, but fascinating that, you know, we have both job seekers who are potentially at risk as well as organizations that have to be on even higher alert than normal about potential insider threats from new hires or folks that might get hired and maybe lurk for quite some time before the threat is revealed there. One wonders how on earth -- what you're supposed to even recommend to people. I suppose maybe let's start with job seekers, how to make sure the job posting that you're potentially responding to is legit and that you're not going to be taken advantage of, because you're already in such a vulnerable position looking for a job. I mean, talk about making a bad situation worse.

 

Alex Hall: Yeah, so typically, whenever we talk about scams, we typically say that there are some telltale signs, right? The situation might be too good to be true. If there's a $10,000 product, you know, being listed for sale for $100, right, it's too good to be true, and all that different stuff. In the case of job scams, it takes a little bit more careful consideration because you might need to go look at the company's LinkedIn page and see who works there and maybe verify that you're speaking to the person who you should be speaking to. Conversely, you might go to their website and you might go to see if the job listing is really there. But I understand it would be weird to go through the job listing and then put in another application for the same position that you just put in for. So what would you do? I feel that what's most important is to scrutinize every communication, right? So an email address typically wouldn't be coming from -- let's use a big-box retailer. Let's just call it "Acme, Inc.," right? So acme.com, if somebody is pretending to be Acme, their email address might be a variation of Acme, right? It might have replaced characters and letters. So I would scrutinize the email address where you're communicating. I would scrutinize the phone number. I would scrutinize and pay attention to every piece of information that pops up during Zoom meetings. Most of these interviews are going to be done remotely. Scrutinize every piece of information. Verify to your best ability every piece of information, and if you feel that something suspicious is going on, reach out to the company directly through their service line and tell them what's going on, just speak to them directly, and that correlates greatly with other pieces of scam prevention tactics that we suggest. For example, when people get these text messages that claim to be coming from financial institutions, don't respond to that text. Don't call that number back. Call the customer service listed on the website or a number that you're familiar with. So yeah, a lot of these elements, there's a lot of overlap. Verify and then contact directly.

 

Maria Varmazis: Absolutely. Great, always great advice there. And then the flipping over to threats to organizations, this is where I'm always fascinated to see, you know, even stuff in my own personal LinkedIn feed where, you know, I'll see a, you know, a software engineer who's trying to hire for his team and, you know, he finds out maybe 5 to 10 minutes into the conversation the candidate is clearly using like a deepfake AI in real time to try and fake the, you know, the software screen, and I just kind of go, I can't believe we're here already in terms of what technology is able to do, and I know that there are a lot of solutions that organizations try to deploy to prevent being taken advantage of in this way, but is it keeping up with the threat, is sort of the question that I have, and what do organizations need to know to not be taken advantage of?

 

Alex Hall: So in the case of deepfakes and generative AI, they are advancing, no doubt about it, but the technology does exist to look behind the scenes and see what's going on. For example, when somebody submits a resume or an application, it is possible to run that application through different types of fraud prevention technologies. It is possible to verify what device was used. It's possible to verify the geolocation of the device. It's possible to verify the velocity at which the form was filled in, so like that would be like bot detection and copy and paste applications, things like that. It's possible to build out these frameworks and the technology does exist to circum -- to defend against generative AI and deepfakes. The problem is we don't typically aim those technologies at our application, you know, process, and so we have to be very diligent in understanding exactly what information is available to us during these conversations, and because of the use of ChatGPT, further reinforced with deepfake, generated by AI, it's even more important to understand what's happening off screen, right, and off audio, right?

 

Maria Varmazis: Yeah, absolutely.

 

Alex Hall: And so I feel like that's going to be the most important item, is looking at behaviors that are suspicious, looking at, again, geolocation, device intelligence, all these different items. I would really recommend pulling those into the process flow in order to identify what would be suspicious.

 

Maria Varmazis: Yeah, and it sounds like potentially, hopefully at more advanced organizations, they recognize that this is a major entry point. These applications can be a major entry point for potential insider threats, but if that cultural shift has not happened, then that conversation maybe needs to be happening yesterday, but it's, certainly, it's a mindset shift.

 

Alex Hall: Absolutely. We didn't -- well, who would have thought that we would need to put fraud prevention in our application process, you know.

 

Maria Varmazis: Yeah, yeah, it is crazy to think about it. It's remarkable how quickly we've gotten here. Alex, is there anything else that we want to make sure that you mention about either the nature of these kinds of fraud that we're seeing, these job -- job fraud or anything else that you wanted to make sure the audience hears about today?

 

Alex Hall: Yeah, I would probably elaborate on the story of, you know, exactly what these fraudsters are after once they gain access to the inside, right? And one thing that I say when we talk about fraudsters, so in fraud prevention, we have this -- there's this fraud method that we focus on called "ATOs," account takeovers, right? And when a fraudster takes over an employee's account, they're after certain things, right? Now, in the case of a -- I won't mention them by name, but a certain cybersecurity/fraud story that took place in Vegas, we saw a tremendous loss after social engineering gave an outsider access to an insider account of those insider systems. During that, there was the opportunity to install ransomware or hijack systems or trigger different events downstream. I would hope that the listeners here realize that this is a very important thing to solve for, giving someone access to the backend processes. Maybe they get a job that has the opportunity to trigger wire changes or to edit billing and payment information or to handle invoices, but beyond that, maybe they have the opportunity to decision on the front-end transactions, right? Like in the case of becoming a fraud analyst or something, and they'll specifically watch out for or reverse decisions for transactions that are put in later on down the road. Point being, granting access to somebody on the inside, I'm sorry, granting someone access to internal operations extends well beyond just trying to get a quick cash out. They're in for the long game, and the damage can be catastrophic, so I would highly recommend monitoring behaviors. If anyone gets in and starts to seem suspicious or things just don't necessarily line up, I would put heavy emphasis on seeing exactly what systems they're accessing or how they're interacting with systems, seeing if any suspicious behaviors take place.

 

Maria Varmazis: That's great advice. Great advice. I just want to make sure I give you an opportunity. If there's anything else that we want to mention before we close out, that it's over to you for that.

 

Alex Hall: I'll just close out by saying, yeah, job scams are taking off. The truth of the matter is a lot of consumers are -- there's economic times for a lot of people. It's hard economic times for a great number of people and they are susceptible to the scams that are out there in the world, and these people are taken advantage of. By and large, fraudsters have taken a shift into targeting consumers directly, not away from targeting merchants and retailers directly, but there's a continuous growth of the general public and consumers being targeted directly. It's more important than ever that the consumers become educated, and then in the case of hiring potentially bad actors, it's equally just as important that our organizations become educated in exactly how expansive these types of methods can be, how much damage it can cause, and really put thoughts towards strategic response.

 

Maria Varmazis: Excellent. Alex, thank you so much for your expertise and your time today, and thank you for speaking with me. I appreciate it.

 

Alex Hall: Thank you for having me, Maria. [ Music ]

 

Maria Varmazis: And special thanks to Alex Hall at Sift for speaking with me about job scams.

 

Dave Bittner: Yeah, boy, interesting, and they are, I mean, there's no slowing down, is there?

 

Maria Varmazis: No, and I think one of my favorite insights from Alex was about how there needs to be a cultural shift for a lot of these organizations who are trying to hire, about maybe they hadn't thought about HR as being a potential vector for these threats coming in, but their HR teams really need to be shored up and given the tools that they need to keep these threats away. So it was a really interesting conversation. So thanks again, Alex.

 

Dave Bittner: Yeah, we appreciate it.

 

Joe Carrigan: I am still of the opinion that recruiting does not belong in HR.

 

Dave Bittner: Recruiting does not belong in HR. Go on.

 

Joe Carrigan: I just don't -- that's a different, completely different take.

 

Maria Varmazis: Yeah, okay.

 

Joe Carrigan: And the reason I say it isn't is because the purpose of HR is to protect the company, and they are there, and please do not -- this is a social engineering tact that companies use. They say, "Oh, we have an open-door HR policy," and I am of the opinion you should never trust that. Never trust that. That is -- HR is not there to service you. They are there to service the company and make sure the company stays out of legal hot water, and I think that portion of the business also is not compatible with recruiting, and I think recruiting should also be faster paced and not bound to as many HR systems and requirements as the rest of the HR department is.

 

Maria Varmazis: Yes.

 

Joe Carrigan: I think recruiting should be --

 

Maria Varmazis: Yup, its own thing.

 

Joe Carrigan: Different, yup.

 

Maria Varmazis: Yeah, so misnomer on my part, I'm using "HR" and I probably should be saying, more broadly, "recruiting" or "talent acquisition."

 

Joe Carrigan: No, you're right, because the vast majority of companies, HR -- recruiting is a sub-department of HR, and so it's not -- I don't think you misspoke at all. I'm just saying there does need to be a cultural shift, and I think that cultural shift starts by separating recruiting and HR.

 

Maria Varmazis: Yeah, I worked at a place where they were separate, so I'm sort of going shame on me because I've been at places like that.

 

Joe Carrigan: Right, I worked in a place like that, too, and I mean, I was hired by that place. I got a call for my first interview on a Monday and had my job there the next Monday, which I've never heard of anybody else doing, but because these guys had separated their -- separated recruiting from HR, the recruiting department's job was recruiting and getting people hired.

 

Maria Varmazis: Getting them in the door.

 

Joe Carrigan: That was it.

 

Maria Varmazis: But then who does the onboarding is usually HR.

 

Joe Carrigan: HR.

 

Maria Varmazis: So right, yeah, and then that's a whole process where, again, and Alex gets into some of this about the onboarding process for screening potential insider threats, so I'm going back to Alex's interview because he has a lot of good insights on that, but it's a great point, Joe, because similar situation for me many, many years ago when I was hired at a place where they were two separate orgs, and my interview process was rigorous but quick. Like, I got hired really fast, and it was one of the best jobs I've ever had, but yeah, and then onboarding was a completely separate team within HR, and yeah, good process. Highly recommend.

 

Joe Carrigan: Right. [ Music ]

 

Dave Bittner: All right. Well, you know what, gang? We are running long this week, so I'm going to say we're going to skip over our "Catch of the Day" this week and we will save that for next week. So that is Hacking Humans, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our Executive Producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our Publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening.

 

Joe Carrigan: Who chose chickens? [ Laughter ] [ Music ]