
Brushed aside: The subtle scam you didn't order.
Dave Bittner: Hello, everyone; and welcome to N2K CyberWire's Hacking Humans Podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey there, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily Podcast, Maria Varmazis. Maria.
Maria Varmazis: Hi, Dave and hi, Joe.
Dave Bittner: We've got some good stories to share this week. Let's start and jump right in here with some follow-up. Joe.
Joe Carrigan: I have a complaint, Dave.
Dave Bittner: Okay.
Maria Varmazis: All right.
Joe Carrigan: This is about one of my financial service providers.
Dave Bittner: Okay.
Joe Carrigan: Okay. And I'll name them because I'm really mad about this.
Dave Bittner: Oh, my.
Joe Carrigan: It's Vanguard.
Dave Bittner: All right.
Joe Carrigan: I got an email. Got an email the other day saying something that seemed a little odd that I didn't know was right. And I was like, it looks good. It looks like a regular Vanguard email. But every time I mouse over the links and look at where it's going, it's going to e-vanguard. Not vanguard.com but e-vanguard.com. So I reported as spam immediately. But then I was like, maybe -- I mean, it was really convincing, right? I'm thinking, maybe this is a -- so I go to -- I think GoDaddy has a WHOIS, and you can look up who owns a domain.
Dave Bittner: Right.
Joe Carrigan: And guess who owns e-vanguard?
Dave Bittner: Vanguard.
Joe Carrigan: Vanguard. Vanguard does. That's right. And they registered back in 2007. But my complaint with them is, why? Why are you using something that looks like a scammer's address to send out your emails?
Maria Varmazis: Good question.
Joe Carrigan: Don't do that. Send out -- you know, you can -- you can direct it to a different web server on your -- on your main domain vanguard.com that eventually resolves to e-vanguard.com. You can still use the domain you bought, but don't do this. This is your -- your communication is going to get lost in the shuffle.
Dave Bittner: Interesting.
Joe Carrigan: And I'll be talking more about that in my story today and why you don't do this.
Dave Bittner: Okay.
Maria Varmazis: Yeah.
Dave Bittner: We all have another bit of follow-up. We've gotten, of course, this -- lots of nice, positive responses to our conversations about chickens.
Joe Carrigan: The coop is coming along, by the way.
Maria Varmazis: Oh, that's lovely to hear.
Dave Bittner: Well, Joe, one of our listeners sent in a photo for you. It should be inspiration for your new coop.
Joe Carrigan: Yes.
Dave Bittner: Do you want to describe it for us here.
Joe Carrigan: It is a -- it looks like a -- what I would call a prepper bunker. There is a watch tower in the background. There's -- there's a bunch of sandbags piled up. And then off to the left of the sandbags there is a structure that looks like a standard chicken coop. But there's guns and missiles all over the place. And one of my favorite things: It's surrounded by a moat with sharks with lasers on their heads.
Maria Varmazis: Photo realistic version, right?
Joe Carrigan: I don't think it's too much to ask.
Maria Varmazis: Yeah. Seriously.
Joe Carrigan: Sharks with lasers on their heads.
Maria Varmazis: Lasers.
Dave Bittner: One of our -- one of our colleagues said that she hopes that some of the rocket launchers on top of this chicken coop shoot eggs.
Joe Carrigan: Well, that's why I have the chickens, Dave. I'm not -- I'm not going to have it launch eggs. I'll have it launch -- like, I'll build some little Estes rockets and put, like, nose triggers on the front of them.
Dave Bittner: Okay.
Maria Varmazis: Now you're speaking my language. Right.
Dave Bittner: Right. Yeah.
Maria Varmazis: I want to see this.
Dave Bittner: It's -- you know, imagine if chickens had evolved to use egg launching as a defense mechanism.
Joe Carrigan: Like skunks.
Dave Bittner: Just like all these chickens form a circle. Like, they circle up the wagons; and they all just go bauk! Eggs fly out.
Maria Varmazis: Instead of, like, gently looking through the coop for the eggs that they left behind, we have to line up and catch them mid air. Oh, what a world that would be.
Joe Carrigan: You'd need a catcher's mitt.
Dave Bittner: Just picture the chickens, you know, bent over, their head between their legs looking backwards, you know, to aim.
Joe Carrigan: Right.
Dave Bittner: I don't know. Cut up in a bird version of a spitting cobra but with eggs. All right. Well, thanks to our listener for sending this in. This has been great fun. And I say everybody in the company has very much enjoyed it, so we appreciate you taking the time. I don't know if it's possible for us to include it in the show notes but, if we can, we will. All right. Let's jump into some stories here. Maria, why don't you kick things off for us.
Maria Varmazis: Sure. Well, it's summertime here in the northern hemisphere. And I know I'm thinking about summer vacation. Mine's still a ways away, so I'm sort of dreaming about it at this moment. And our friends at McAfee, yes. Them. Yes, for real. This is not a scam. It's actually McAfee. They put out their yearly survey about travel scams. And this survey, they surveyed 7,000 adults across the US, UK, France, Germany, India, and Japan and Australia, focusing on travel scams and their impact. And the news was not great for Americans specifically because they interviewed all -- they surveyed all these different people, but the results were just about Americans. So I'm guessing that everybody else is great, and Americans didn't do so well. That's what I'm reading in between the lines on this because McAfee said that 1 in 5 Americans, at least in their survey group, has fallen victim to a travel scam while booking a trip. Twenty-three percent --
Joe Carrigan: You know --
Maria Varmazis: Go ahead, Joe.
Joe Carrigan: I'm sorry, Maria. I don't mean to interrupt you because you're about to run through a bunch of statistics.
Maria Varmazis: I am.
Joe Carrigan: And I hate when people stop me from doing that because it's really interesting. But I'm wondering if this has anything to do with the old stereotype about Americans that were not well-traveled to begin with.
Dave Bittner: Yeah. I thought the same thing.
Joe Carrigan: So not a lot of experience with traveling.
Maria Varmazis: I think -- that's exactly what I was thinking is that this is probably due to a lack of experience and perhaps institutional knowledge about holidays. And I'm thinking about, yeah. I think you're exactly right on. That was what my -- where my mind went as well. So, of those scammed -- and I'm going to guess it's Americans and the other people included. But this seems to, again, to focus on Americans. Twenty-three percent lost money, 13% lost over $500, and 5% lost over $1,000 with apparently men more likely to lose money than women. And that was a 29% likelihood for men versus 18% likelihood for women.
Joe Carrigan: Really.
Maria Varmazis: And the group that is the most at risk of losing money in these scams is not older folks. In fact, it is -- so older folks, you win again. It is the young, the youngins. The youngins booking those cheap travel groups and all that kind of stuff. So 21 --
Joe Carrigan: Dave and I are over here high-fiving each other.
Dave Bittner: I know. It's bad enough that we have homes with low interest rates and retirement accounts.
Joe Carrigan: Right.
Dave Bittner: But we get scammed less too.
Maria Varmazis: And you're not getting scammed.
Dave Bittner: Right.
Maria Varmazis: Yeah. So 21% of the 18- to 24-year-olds clicked fake confirmation links so booking links that are saying, Here you go. Click this to confirm, and they're not legit. Ten percent of 25- to 34-year-olds clicked or, rather, were tricked by AI-altered travel photos. So this is -- that one starts getting into a gray area of can you believe what you see on TikTok and Instagram? Is this place that you think you're going to actually real? Do these accommodations actually resemble in real life what you're seeing online? I think that's a very interesting conundrum. And so the types of scams that McAfee said that people are falling for, especially this year, are, as mentioned, fake booking and payment sites. So I would imagine all the lookalikes that we've covered on the show so -- and even the legit ones using sites like booking.com, but then they go to a fake booking itself.
Joe Carrigan: Right.
Maria Varmazis: Those are -- those can be quite tricky, especially if it's in a country that you're not familiar with. You know, trying to book something overseas and you just don't know what sites people tend to use. Scam confirmation links are another common thing that people fall victim to and misleading or manipulated listings, which, again, that is such a gray area and makes me wonder how are we defining that? Because that could be just about anything, if you really get down to it.
Joe Carrigan: Right.
Maria Varmazis: Yeah. And -- and, Joe, I think you were right on the money because McAfee was saying that economic pressures play a role here with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams. And, again, if you're not familiar with the places you're trying to travel to, you just see it online, you're like, I'd like to go there. But I want to do it on the cheap as possible. Then I can see that just being a way that you could definitely get taken without even realizing it so.
Dave Bittner: If you're hunting around for a good deal --
Maria Varmazis: Yeah.
Dave Bittner: -- you Google, you know, discount travel --
Joe Carrigan: I'm sure that there are scam sites all over the place, search engine optimized to rise to the top of that. Or maybe even just they buy ads.
Dave Bittner: Yeah. Absolutely.
Maria Varmazis: Yeah. And we've talked about -- a while ago about some booking sites being specifically in English to target visitors from overseas or, as everyone knows in the country of the targeted country, you don't use that site. You use a different one that's in their native language, and you get different results. We've had stuff like that all over our show before. So the -- I could see these things being just rife. And then events also seem to be an area where scammers are targeting, apparently, especially American travelers. Sixty percent of Americans planning to travel to a sporting event this summer say they're worried about being scammed for fake tickets or lodging. I know I've read the stories. I'm sure you both have heard them, as well, about people trying to book something for this once-in-a-lifetime event.
Dave Bittner: Yeah.
Maria Varmazis: And they get to the place, and the place doesn't exist. So that stinks.
Dave Bittner: You get a lot with the Olympics.
Maria Varmazis: Yes. Yes, indeed. Feel like we -- some of these are really ringing -- ringing a bell of memory for me because I seem to recall we talked about some of these. And trust in third party booking sites remains high. Fifty-nine percent of the people surveyed say they still trust them as much as booking directly. However, these third party booking sites can also be where scammers will put up fake listings and the like and can get -- sometimes get away with it before they are caught. So these are -- you know, if they're the preferred place to go, scammers are going to go there, too, and put those fake listings up. So, yes. The takeaway for this that McAfee was saying just to keep an eye out for was people are trying to save money, especially now. Add that in with deals seeming to be urgent, that or -- fake urgency or real urgency. That is a really nice tactic. And then the trust in online platforms that can be exploited, and you mix it all together, and you get the ideal conditions for travel fraud to thrive. So I already booked my trip. So I'm hoping next month, when I show up to the place that I'm going to, it is a place that exists. I mean, I've been there before. So, if it dematerializes, I will be very concerned.
Joe Carrigan: Very surprised.
Maria Varmazis: Very, very surprised. And it's also in the United States, so it should be okay. But, yeah. I know a lot of people are trying to go overseas this summer on last minute deals and the like. And certainly I remember when I was in my 20s I had to travel on the absolute cheapest possible. So losing $500 or $1,000 at once would have been completely devastating.
Joe Carrigan: Yeah. You're just going back home at that point.
Maria Varmazis: Yeah. There's just no trip anymore. I'm just out of that money, and there's no trip. So people need to be careful. And, yeah. Thanks, McAfee, for that research.
Dave Bittner: Trying to think if I've ever been travel scammed before. I don't think I have, but I don't know.
Joe Carrigan: Maybe it was a really good scam.
Dave Bittner: Could be.
Joe Carrigan: Still don't even know it.
Dave Bittner: Yeah. I mean, I guess there have been times when, you know, I've shown up places. And they're like, We have no reservation for you, sir. And -- but we figure it out.
Joe Carrigan: Right.
Maria Varmazis: Yeah. Or the part where they said about misleading listings, that's the one where I go, I mean, I've booked places overseas. And I get there, and I'm going, that's not what I thought it would be. But it's fine.
Joe Carrigan: Right.
Maria Varmazis: But definitely -- yeah. Those photos are very strategically taken to not show, you know, the huge under construction building next door or whatever. Like, huh?
Dave Bittner: I do remember one time we were -- we were on a family road trip, and we were doing kind of a southern loop, you know, through the Carolinas and -- and back up again through Virginia, just visiting Atlanta and stopping at some theme parks and water parks and so on. And we were kind of booking places as we went. And my wife booked -- she was in the car on her laptop, you know, booking places that we were heading to. And she books this hotel. And she's like, Oh. This is -- you know, this looks good. It's, you know, four stars. You're like, Oh, that's great. So we get there and the place is a dump. Like, it's total dump. We're like, okay. But, you know, it's late. We're tired. We're like, Okay. Here's the deal. You know, don't unpack anything.
Maria Varmazis: Keep it in the back.
Dave Bittner: Tomorrow, tomorrow, we're going to a water park.
Joe Carrigan: Wash all the bed bugs off.
Dave Bittner: The chlorine will clean us.
Maria Varmazis: Make us pure.
Dave Bittner: So, on the way to the water park, my wife, and she -- because my wife, of course, feels terrible, you know, that she booked this awful place. So she's -- she looks, she goes, Oh. It's four stars out of 10.
Maria Varmazis: They always find a way to get you.
Dave Bittner: Yeah.
Maria Varmazis: We're [inaudible 00:13:39] at 10.
Joe Carrigan: That's a four-star hotel. Hey. That sounds nice.
Dave Bittner: Yeah, yeah.
Joe Carrigan: Out of 10. Oh.
Dave Bittner: So, you know, double checked. Someone might have recalibrated the scale.
Maria Varmazis: Yeah. And, also, what does three stars mean in this country? It means we have a bed.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: Yeah. That's true.
Maria Varmazis: That could be it. Don't expect anything else.
Dave Bittner: All right. Good stuff. Joe, you're up. What do you got for us?
Joe Carrigan: So everybody here on the show knows Rachel Tobac, right?
Dave Bittner: Yep.
Joe Carrigan: She is --
Maria Varmazis: Yes, indeed.
Joe Carrigan: -- a social engineering genius, owner of her own company. And she has posted a link -- or not a link. We're going to put a link to it -- a post on LinkedIn. And, because she and I are connected on LinkedIn, I saw it. So I wanted to start with what she said. I wanted to cover this because this is my story. It's just Rachel Tobac on LinkedIn. But it's very interesting. She opens with, My favorite way to hack in my ethical hacking is phone call-based hacking with impersonation. Why? Because it has the highest success rate. So I want to pause right here and say to everyone listening, this is probably your biggest threat model right here, someone calling and saying they're somebody they're not on the phone. They're probably not the elite hacker who's got a cadre of zero-day exploits behind you that's going to -- behind them that's going to penetrate your -- your Comcast router, get inside and -- and start messing with your Windows machines and your Mac machines. That's probably not the person you need to worry about. The person you need to worry about is the guy with the cell phone who can convince you that he's calling from Microsoft tech support or from your company's tech support. But what Rachel is talking about here in -- specifically is there is a group -- and I love the name they've given themselves here -- Scattered Spider. Again, scary sounding spider name. I think we had that last episode was another spider name. But these guys are targeting insurance companies. And they're going in, and they're stealing data out of insurance companies. And their techniques are -- she has four techniques here that they're using. Number one, they're impersonating IT and help desk people to get passwords and multifactor authentication codes. So they call up. They say, Hey. I'm -- I'm from your IT department. I need your username and password to log in. Oh. And, while I'm doing that, give me your -- your multifactor authentication code. 
This is why I say that multifactor authentication codes that are either sent to you or are generated by some third party app like Google authenticator or an RSA token or a hit token or something, Microsoft's authenticator also does this. Those are all socially engineerable. Can I say that? Is that a word?
Dave Bittner: It is now.
Maria Varmazis: It is now.
Joe Carrigan: It is now. Right. So we're going to get to what you can do to protect that. It's better than nothing, way better than nothing. But, if somebody calls and asks a person in your company for that code, there's a pretty good chance they're just going to give it to them, especially if they're very convincing. Number two that she has here is remote access tools as help desk. So we had this happen to work the other day. Somebody actually had somebody -- I called the help desk. And they had to -- they had to run a remote access tool to see what I was talking about because apparently they didn't believe me. But these are real tools that people use, but malicious actors also use them. And, if you can give them access to your computer via these remote tools, it doesn't matter what multifactor authentication you have on there. You're letting them in this way. They are essentially acting as your employee. Then MFA fatigue, which is where they send so many of these repeated prompts. This is -- we saw this with the Microsoft authenticator app that, when you were logging into some service, it would -- it would -- it would give you a Microsoft authenticator alert. And they would just overwhelm the user with so many alerts. And eventually the user just said, Fine and pressed Accept and let the person in. And then, finally, SIM swap. So this is where they call the telco -- telco company, and they pretend to be the employee. And they take over the person's phone, and then they can receive codes for the two-factor authentication. I think that's a really uncommon risk model, but it's not impossible, absolutely not impossible. Best way to protect yourself there is put a PIN on your telco account. So we have a mobile phone service in my family. When we call them, before they talk to -- talk to us about anything on the -- on the account, they say, We need your PIN. 
And if you can't remember the PIN, they say you need to come into our -- one of our offices and bring a driver's license with you.
Dave Bittner: Right.
Joe Carrigan: Which is good, good practice. So Rachel then moves on to talk about the websites they're using and how they're using things like whatever the victim company name is dash SSO, which is single sign-on and -- or dash Service Desk or dash Okta, which is a specific multi or universal sign-on tool. These look legit, much like e-vanguard.com, right? I told you I was going to tie something in.
Maria Varmazis: Yeah. Well done. Yep.
Joe Carrigan: But they're actually -- they're actually owned by malicious actors, and they can just be cloned versions of the website that let you log in or -- and just collect your username and password. So they say train -- Rachel's saying train your team to spot those specific attacker controlled look-alike domains. The human protocols that you need to implement is start being politely paranoid, or start a protocol to be politely paranoid. So, in other words, when you get a call from the help desk, normalize the behavior that the employee goes, You know what? I know you're calling from the help desk. I'm going to call you right back. Let me have a name, and they'll transfer me to you. And call the help desk back, and use the known good number. And if the person says, Hey. Hold on. Let me give you my cell phone number because I'm out of the office. No. That's not going to work. I'm going to have to call your -- call the help desk and get your cell phone number from them. So don't let them cajole you with that at that point. And make sure that this is part of your company's policy, that you have this -- you're allowing people to question these inbound calls. Educate on the exact types of accounts or attacks that are popular right now. And Rachel says that this attack is -- is the more common attacks that are going on in this industry right now. So, you know, have a little situational awareness about what your industry looks like, right? And say, hey. You know, if you work for a major insurance company and you're not Aflac who got hit as of this recording last week. Maybe you work for another insurance company. You go, Hey, look. Aflac just got hit last week. They're going to come for us. Here's what to look for, right? Get out in front of it right now. Follow the news and know what's going on. She makes three recommendations, Rachel does, about what -- what you can do. 
I'm going to put them in my favorite order, and that is multifactor authentication with some FIDO token, some FIDO Alliance tool. And she specifically mentions YubiKey. I like YubiKeys because I own them. Google Titan makes one. There -- there are lots of manufacturers of these things now. Next thing she says is or I'm putting next is application whitelisting. If you can do application whitelisting on your network, do it. Do it. And that will take care of so many problems because it stops anything that's not supposed to run from running.
Dave Bittner: Yeah. So just explain real quick what whitelisting is.
Joe Carrigan: Right. Okay. So the idea of a blacklist is here's -- here's the applications that we're not going to let run. This is what standard virus scanners run on. They have some kind of signature-based algorithm of some kind that looks at the -- looks at the file you're about to run. And it goes, nope. That file is not -- is on the not allowed list. So we're not going to do that. The problem with that is, if someone comes in with a piece of new malware or, God forbid, a piece of bespoke malware, your malware detector is not going to see it. So when you do the opposite, the -- or not the opposite. I guess it's the inverse.
Maria Varmazis: Yeah. It's the inverse. Explicitly allowing. It's an allow list as opposed to a block list.
Joe Carrigan: Right. Exactly. I'm going to allow this list of applications to run. If your name is not on the list, you're not running.
Maria Varmazis: Yeah.
Joe Carrigan: So guess what, remote administration tool? You're not our remote administration tool. You're not going to run.
Dave Bittner: Right.
Joe Carrigan: And then, finally, a password manager. So I think, if you do these things, if you're going to do one thing, multifactor authentication with a FIDO token. And then, if you're going to do two things, multifactor and application whitelisting. And then, if you're going to do three things, implement the password --
Dave Bittner: I think another thing this points to is that I suspect that most people are overconfident when it comes to their own perceived ability to detect and thwart scammers.
Joe Carrigan: Yes.
Maria Varmazis: Yeah. Yep.
Joe Carrigan: I think you're right.
Dave Bittner: I'm reminded of a statistic, and I'm going to just make it up.
Maria Varmazis: Why not.
Dave Bittner: You know, it's a real story, but I'm going to make up the numbers. There's something like 50% of men think they could beat Venice -- Venus Williams in a tennis match.
Joe Carrigan: Right.
Dave Bittner: You know, something absolutely ridiculous like that. You know, one of the greatest tennis players, you know, male or female that has ever lived. But, you know, never underestimate someone's overconfidence when it comes to things they don't actually know about. But I think that -- that people fall for this. And they think, oh, it won't happen to me; or I'll be able to detect it. And these people are doing this every day, day in and day out. You know, they -- they're good at it.
Joe Carrigan: Right. You know what I'd like to see is a survey where you stop a random guy in the street and you say, Do you think you could beat Venus or Serena Williams in a tennis match? And when they say, Yes. Okay. Which one could you beat, Venus or Serena? Either one. And then they roll back a thing, and there's the Williams sisters standing there with tennis rackets and tennis court behind them.
Maria Varmazis: Let's do it!
Joe Carrigan: Let's go!
Dave Bittner: Right, right. That'd be great on The Tonight Show or something. Yeah.
Joe Carrigan: Right.
Dave Bittner: I'd pay to see that.
Joe Carrigan: Yeah.
Dave Bittner: All right. Good stuff. Well, tell you what. We're going to take a quick break for a message from our sponsor. We will be right back. All right. We are back. And my story this week isn't so much a story as it is hoping to send you all to a website that I found particularly interesting. I don't know why, but somehow the YouTube algorithm brought up a link for me that was a video from the United States Postal Service, Postal Inspectors. And it was about brushing scams.
Joe Carrigan: You know these guys carry guns, Dave.
Dave Bittner: I do know that. And you know how I know that?
Joe Carrigan: How? I want to know. I know because you told me, but.
Dave Bittner: Well, my first job out of college was with the Postal Service.
Joe Carrigan: Oh, was it. Okay.
Dave Bittner: Yeah. I worked --
Maria Varmazis: And they gave you a gun when you walked up into work or no?
Dave Bittner: I did not have a gun, no.
Maria Varmazis: Okay.
Dave Bittner: But I did actually score a pair of handcuffs.
Maria Varmazis: Oh.
Dave Bittner: Different story.
Joe Carrigan: Somebody starts yelling in the -- somebody starts yelling in the waiting room. You've got to shoot them.
Dave Bittner: Yeah.
Maria Varmazis: That's the Hacking Humans After Dark Version. Okay.
Dave Bittner: I was -- yeah. I was fresh out of college with a TV degree, and the Postal Service has a television production facility in Washington, DC. And I got a job there, and I worked with a lot of postal inspectors. And let me tell you the sanctity of the mail is taken very seriously.
Joe Carrigan: Yes, it is.
Dave Bittner: And postal inspectors do have guns. But they also have a really good YouTube page. Like, seriously really good YouTube page with videos about scams. If you look at some of the playlists here, there's -- they have a playlist. It has over 80 videos on it of the -- it's categorized protecting the public, PSAs. There's 84 videos here.
Maria Varmazis: Dang. They're going to put us out of business. Look at these. This is amazing!
Dave Bittner: Investment scams. Yeah. Romance scams, tax identity, text messaging, don't fall for phishing, refund and recovery scams, that's not the IRS, tech scams on the ri -- like, this is an amazing list of -- these are short. They are well-produced. They are informational. They are entertaining. I would just say that this is something that you should send to your friends and family and your relatives. Maybe you could send them just to the site. You could send them one at a time. But they're very good.
Joe Carrigan: They have 88 videos on investment in Ponzi scams.
Dave Bittner: Yeah.
Maria Varmazis: Wow. Wow. That's a lot.
Dave Bittner: Yeah. This may be the most complete collection of scam-fighting easily digestible videos that I've ever seen. And when I think about it makes sense because the Postal Service is at the center of a lot of this. So many of these things pass through the Postal Service, especially historically before we all went online.
Maria Varmazis: Yeah.
Dave Bittner: All these -- you know, there are all kinds of mail scams. So it's a big part of what they do. Yeah. What do you guys think of this?
Maria Varmazis: We've got to get them on the show. We've got to talk to someone from them. I would love to pick their brain. Man, this is impressive.
Joe Carrigan: I do like that, at the very top left here, project safety holiday delivery, the thumbnail is, Police, US Postal Inspection. And they have got somebody in cuffs, and they're dragging them away.
Maria Varmazis: Oh. The package bandit's got, like, the little raccoon mask on his eyes. That's cute. That's exactly what they look like in my neighborhood. So, you know.
Dave Bittner: Yeah, yeah. Evidently they do. They have historical clips. They have -- they have something they call Wanted Wednesday, which is -- you know how they put people's pictures up in the post office?
Joe Carrigan: Yeah.
Dave Bittner: They put the pictures up on YouTube.
Maria Varmazis: Oh, my gosh.
Joe Carrigan: Interesting.
Dave Bittner: Yeah. Who knew? The Postal Service. But I love it. I legit love this. Like, I'm not being funny or snarky. This is really well done.
Maria Varmazis: Yeah.
Dave Bittner: I love that they're short. They're to the point, well-produced, informational, accurate, all that kind of stuff. So we're going to have some links to it here in the show notes, linking specifically to the brushing scam but then also to the -- basically their page full of playlists, which is where they have -- you know, have everything's organized into handy playlists. So do check it out. And I think really the value here is if -- these are -- would be great to send around to your friends and loved ones, you know, when --
Joe Carrigan: I can think of four people I'm going to send them to tonight.
Dave Bittner: Yeah.
Maria Varmazis: And they've got one on counterfeit stamps, so all your philatelist friends will really appreciate that.
Joe Carrigan: Right.
Dave Bittner: You know, I have a counterfeit stamp story.
Maria Varmazis: You have a story for everything, Dave.
Dave Bittner: Well, if you've been around a while, you collect some stories. I believe this story was actually shared -- shared with me by our N2K CyberWire CEO Peter Kilpe, who went to the Rhode Island School of Design. And, as part of your applying to a very well-regarded art school, of course you have to show a portfolio.
Joe Carrigan: Yeah. You have to draw Tippy, right?
Dave Bittner: Might be a little more complicated than that. Something like that. Yeah. And as the story, as I recall it, is that one of his classmates had applied and applied and applied and had somehow not sent in a portfolio. And the school responded and said something along the lines of, we're very impressed with your background and your grades. And it seems as though you would be a good student here. But we've yet to see any of your work. And the student responded and said, Oh, to the contrary. On all of our correspondence, every stamp that I have sent you has been hand drawn.
Joe Carrigan: Every single one of those letters is 10 years and $10,000.
Dave Bittner: Yeah, yeah. I guess they were absolutely dead on that the Postal Service didn't detect them. You know, this is the time before they were putting, like, you know, infrared ink on the stamps and things to be able to easily detect them. But, yeah. How about that.
Joe Carrigan: So I have a similar story. I know somebody -- not me. Not anybody that I associate with on a regular basis now. But this person was like, you know, you can grab the stamp; and you can erase the cancelation mark on it with an eraser.
Dave Bittner: Oh.
Joe Carrigan: And then you can reuse the stamp.
Dave Bittner: Okay.
Joe Carrigan: And I was like, Can you really? So one day I had a letter with a stamp on it and started erasing it and -- the stamp, and I was shocked to find that it was -- it was possible --
Dave Bittner: Yeah.
Joe Carrigan: -- that I erased a good portion of the cancelation. This -- you know, this is back when I was below the age of 18. So hopefully I'm not indicting myself.
Dave Bittner: Statute of limitations has run out.
Maria Varmazis: If the cancelation stamp was not on the stamp itself and you soaked the envelope bit in water, and it was the kind where it used glue, you could lift the stamp off and then reuse it.
Joe Carrigan: Yeah. And I think that's on the Postal Service, right?
Maria Varmazis: Yeah.
Joe Carrigan: Because they're the ones responsible for canceling the stamp. But I didn't use the stamp because I knew that it was like 10 years -- for a -- for a -- at the time, like, 25 cent stamp, you do 10 years in prison for one of those. And I'm like, No.
Maria Varmazis: This is not worth it. Not worth it.
Dave Bittner: Not a crime that's worth doing. No. The 32 cent stamp or whatever it was back then, no. Not worth it.
Joe Carrigan: Yeah. So I just buy my forever stamps and --
Dave Bittner: Yeah.
Joe Carrigan: I got some cool Dungeons and Dragons stamps and --
Maria Varmazis: Yeah. I have those too.
Joe Carrigan: Then I got --
Dave Bittner: I got those for my son.
Joe Carrigan: Did you?
Dave Bittner: Yeah.
Maria Varmazis: I got them for my husband. I got him the whole thing. You can get, like, note cards. And then I got myself the Webb telescope ones, like on a whole roll. So, yeah.
Dave Bittner: I've got a few sheets of Star Wars stamps, you know. They got -- they get -- they know -- they know how to get me.
Joe Carrigan: Right.
Dave Bittner: All right. Well, we will have links to those stories in our show notes. Joe, Maria, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]
Joe Carrigan: Dave, our Catch of the Day comes from the scam subreddit, and it is a text exchange.
Dave Bittner: Yes. I'm going to ask Maria to be the first person in this list here. Joe, I'm going to cast you in the part that you were born to play --
Joe Carrigan: Okay.
Dave Bittner: -- which is the skeptic.
Joe Carrigan: The skeptic. Sounds like me.
Dave Bittner: Yeah. So this is a text message that someone received. And it started out like this:
Maria Varmazis: Hey. What are you doing? Hate to ask, but I don't know who else to ask. Can I ask a favor?
Joe Carrigan: Did you get hacked?
Maria Varmazis: I'm not hacked.
Joe Carrigan: Okay. What's up?
Maria Varmazis: I need a big favor, you, one of the few people I can ask. There is no punctuation in this. So it's just a huge-ass run-on sentence. I need you spare me $300 for an emergency. I'll tell you where to send it on, and I promise to send it back later today.
Joe Carrigan: Sorry. I don't have $300. That would be a true statement from me.
Maria Varmazis: How much can you help me with right now?
Joe Carrigan: I don't think I can help at all, to be honest. I don't have a job for the summer, so I don't have any money.
Maria Varmazis: The issue is I have almost $4,000 stuck in my bank account right now. I can't make any -- oh, my God. This is so long. I can't make any transactions. The only way to move the money, it's a mobile deposit that's through check. Would it be okay if my accountant sends you a check of 2,000 to $3,000? You can deposit it. And, once it clears, you keep $300 for yourself and send me the rest. Let me know if that works for you. It's a mobile deposit. You don't have to go anywhere before you do that.
Joe Carrigan: This is sounding a lot like a scam. Not going to lie.
Maria Varmazis: It's not a scam. Trust me. It's totally me. If you have to say it. I haven't been able to get anything for myself for days, so the only way I can access money from my account right now is through a check. Yeah. That sounds real. I really appreciate your help. None of your bank details are needed. Just provide the accountant with your full name and email so she can send the check to you.
Joe Carrigan: I just don't trust this. I don't think I'm the person you should go to for this.
Maria Varmazis: You can trust me. I'm trusting you as my whole life savings.
Joe Carrigan: I just don't think that I can help. Sorry.
Maria Varmazis: Just check your banking app and see if there's an option like deposit check or something similar. I've sunk my teeth and I'm not letting go.
Joe Carrigan: Right.
Dave Bittner: Yeah. And it ends. Oh, my.
Maria Varmazis: Oh, my God.
Dave Bittner: So what do we got here?
Joe Carrigan: This is a -- well, first off, it starts off with one of those, hey, send me some money; I'll send it right back to you scams.
Dave Bittner: Right.
Joe Carrigan: Which you never get the money back.
Dave Bittner: Right.
Joe Carrigan: And then, it -- since that didn't work, the guy says, I don't have any money, the person here tries to trick him with an advanced fee scam -- or, no, an advance check scam, a check scam --
Dave Bittner: Yeah.
Joe Carrigan: -- check floating scam. So the way this will work is they'll send -- they will actually send you a check for 2 to $3,000. You deposit it, and then they're going to put the pressure on you to send back everything but $300. So, in this case, like up to $2,700. So you'll send them $2,700. And then that check will bounce, and you will be on the hook for $2,700. And they're going to ask for the money in a way that -- that you can't claw it back.
Dave Bittner: Right.
Maria Varmazis: Wow.
Dave Bittner: All right. So, needless to say, if you get something like this, don't go for it.
Joe Carrigan: Right. I like how this person immediately goes, have you been hacked?
Dave Bittner: Yeah.
Joe Carrigan: You know, the first question out of the gate, before they even -- before they even hit you with the question, I mean, it's very common in English and American English. I hate to have to ask you this, but can you do me a favor?
Dave Bittner: Yeah.
Joe Carrigan: Yeah. That's very common. You know, like, my first question would have been like, what? Not did you get hacked.
Maria Varmazis: Yeah. But, like, did you get hacked? And they go, Yes. Yeah. I got hacked. The part where it goes, This is sounding a lot like a scam. Not going to lie. I feel like we just, should just cut -- crop that image and make that the banner for our show.
Joe Carrigan: Right.
Dave Bittner: Yeah. We should put that on T-shirts.
Maria Varmazis: Let's just put it on the [inaudible 00:37:07] scam. Not going to lie. It's not a scam. Trust me. It's really me. Okay. I'm convinced. I'm in.
Dave Bittner: I have to say, just as an aside, that I'm very impressed the two of you got all of these texting abbreviations right.
Maria Varmazis: I was thinking the same thing. There's a lot of NGLs, TBHs. And I was like, Joe knows all of these. Well done.
Joe Carrigan: That's right.
Dave Bittner: Someone like -- I didn't know all of them so I'm --
Joe Carrigan: I've been using shorthand for decades. So when BRB and BT dubs all came out as things -- although I will tell you my favorite BT dubs story is one of -- when I was up at Hopkins, up at the University, I had a student, younger -- younger -- a younger woman. And she says, BT dubs. And I'm like, What? She goes, Oh. BT dubs. That's how we say btw now, which is how we used to say by the way, in, like, IRC chat and everything like that. So she -- You know what? I appreciate that. I'm going to use that on my kids tonight. And I got home, and I shoehorned it into something. I turned to my daughter. I said, Oh. BT dubs and then said something. And I got exactly what I was looking for, which was the chin drop and the eye roll stare right at me. And I'm like, There it is. And that's why I do it.
Dave Bittner: Where did you hear that, Dad?
Joe Carrigan: Right.
Dave Bittner: Who told me that? Who shared that with you?
Maria Varmazis: Now, my -- yeah. That was the sacred knowledge. You're not supposed to have that.
Joe Carrigan: Right.
Maria Varmazis: My question is, when LOL dropped back in the day, did you know that it was laugh out loud? Or did you -- were you one of those, it's lots of love people.
Joe Carrigan: No. I knew it was laugh out loud.
Dave Bittner: Yeah.
Maria Varmazis: Okay. I loved it when people were like, Oh, it means lots of love. I'm going, No, it doesn't. No, it does not.
Dave Bittner: Yeah. There's a few of those. I've heard of people having some understandings of some of those exactly wrong.
Joe Carrigan: Yeah. I can even name the guy that gave me a lot of these abbreviations. It was my friend Evan because we would sit in the computer lab up at Frostburg, and we'd be typing in IRC. And he'd go, Oh. By the way, you need to know these abbreviations: BRB, LOL.
Dave Bittner: Yeah.
Joe Carrigan: This was in the '90s.
Dave Bittner: Yeah, yeah. Good times.
Maria Varmazis: Oh, yeah. NGL and TBH, though, are a little -- TBH is not newer. But NGL I think is a little newer.
Joe Carrigan: Yeah. IR -- IIRC, if I recall correctly.
Maria Varmazis: If I recall correctly. Yep.
Dave Bittner: And that is our show. We are taking an audience survey through the end of the summer, so please check out the show notes and do participate in that survey. That would help us out quite a bit, so we'd appreciate you taking the time. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening.
Maria Varmazis: YMMV, your miles may vary. IANAL, tricky one. I am not a lawyer.
Joe Carrigan: Right.



