
Scammers hit the right notes in the wrong way.
Dave Bittner: Hello, everyone; and welcome to N2K CyberWire's Hacking Humans Podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan. Hey there, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily Podcast, Maria Varmazis. Maria.
Maria Varmazis: Hi, Dave. And hi, Joe.
Dave Bittner: We've got some good stories to share this week. But, before we get to that, let's look at some of our follow-up here. We've heard from several of our listeners. What do we got? You want to lead us in here, Joe?
Joe Carrigan: Yeah. First we have a correction from me. Last week, I repeatedly referred to the company that makes ChatGPT as ChatGPT. I should have been calling them OpenAI.
Dave Bittner: Oh.
Joe Carrigan: I will not, however, apologize for calling Meta Facebook.
Dave Bittner: Okay.
Maria Varmazis: Fair.
Dave Bittner: I think it's like calling -- what you did was like calling -- not calling Google Alphabet.
Joe Carrigan: Right. Yeah. I don't want to do that either.
Dave Bittner: Yeah.
Joe Carrigan: Still Google.
Dave Bittner: All right.
Maria Varmazis: Yeah. Forgiven.
Dave Bittner: All right. Next up.
Joe Carrigan: We have -- we have a message from Chris, who is a longtime listener of the show and loves it. He cannot recall if this has been mentioned by name, but his employer uses a company called Hoxhunt, H-o-x-h-u-n-t, for cybersecurity awareness training. And he saw this gem this morning. And it was a -- it's a definition of the term quishing.
Dave Bittner: Yeah.
Joe Carrigan: It says phishing plus QR codes equals quishing.
Maria Varmazis: Full body cringe.
Joe Carrigan: I mean, I guess I'm not going to fault Hoxhunt here because what they're doing is they're trying to educate employees on the terminology that's used.
Dave Bittner: Yeah.
Joe Carrigan: This is not Hoxhunt --
Maria Varmazis: Is that used, though?
Joe Carrigan: It is, yeah. It's not a Hoxhunt problem.
Maria Varmazis: Quishing?
Joe Carrigan: Yeah. Quishing.
Dave Bittner: Oh, yeah. Quishing's the thing.
Joe Carrigan: All over the place.
Dave Bittner: Yeah.
Maria Varmazis: Oh, boy. Okay.
Joe Carrigan: But I hate this term so much.
Dave Bittner: Yeah.
Joe Carrigan: I get why Hoxhunt has it in their -- has it in their training platform because that's a term of art, unfortunately.
Dave Bittner: Yeah. It seems like the only people who like these clever little phishing variants are marketing departments.
Maria Varmazis: I agree. Yeah because there's vishing.
Joe Carrigan: Right.
Maria Varmazis: There's all these different ones. It's like it's just phishing with extra steps. It's just different flavors of it. Can we just be real?
Dave Bittner: Yeah.
Maria Varmazis: If you ask me out of context what is quishing, I mean, maybe I would guess QR code is involved because of the Q, but it's just not --
Joe Carrigan: Right.
Maria Varmazis: I mean --
Dave Bittner: I'd be afraid. Yeah. I'd be like, oh, gosh. Is this a round trip to Urban Dictionary or not?
Joe Carrigan: Right.
Dave Bittner: You know, I don't know. What am I getting myself into here?
Joe Carrigan: It sounds like it might be something gross.
Maria Varmazis: It does, doesn't it? Or vishing or, yeah. There's all sorts of really weird ones. Smishing.
Dave Bittner: Smishing. Yeah, yeah. All right. Thank you, Chris. And we've got another bit of follow-up here. What do we got, Joe?
Maria Varmazis: So it's from Jay who says, Hey, Dave, Joe, Maria. My wife just forwarded me this news clip about a scam running in large cities. The TLDR -- that's short for too long, didn't read -- which is what I look for every time because a lot of these articles are too long, and I just won't read them. Nothing. Okay. So --
Dave Bittner: If you want to wallow in your own laziness, Joe --
Joe Carrigan: Right.
Dave Bittner: -- and brag about it, that's fine.
Joe Carrigan: The TLDR is that criminals are sticking cell phones to victims' cars, and these cars are usually desirable models. And then they are using the phones and their GPS tracking features to show up at the person's house and steal the car, which I think is an interesting way to go about stealing a car.
Dave Bittner: Okay.
Joe Carrigan: I mean, if you walk up to somebody, right, I mean, you're going to carjack them, right, or you steal it out in broad daylight, it's going to look kind of suspicious if you're in a parking lot and you're sitting there trying to break into a window or something. But if you can wait until that person goes home and, under the cover of darkness, you can go out and steal their car, then I think that's an easier way to do it --
Dave Bittner: I suppose.
Joe Carrigan: -- from a criminal perspective.
Dave Bittner: So do you think --
Maria Varmazis: There's a wrinkle in this story that the link that -- Jay included a link and I was reading it where they also show up to your house and intimidate you into giving back their phone, which is kind of wild because, you know, it -- because I was thinking, why would they not just do this with an AirTag or something where it's not easily --
Dave Bittner: Right.
Joe Carrigan: Right. Or --
Maria Varmazis: Because that's what I was thinking it was going to be. But they are actually using a phone so they can claim that, like, you stole their phone. So they have a beef with you, basically. So they're showing up at your house going, you took my phone. I want my phone back.
Dave Bittner: And I'm going to take your car for good measure.
Joe Carrigan: Right.
Maria Varmazis: So it's a whole thing. It was like, you took my phone; and that's sort of like their lead in. But it's odd. Yeah. It's why -- it seems -- it seems overly complicated yet again but --
Dave Bittner: Is this taking advantage of the fact that phones, most phones, have magnets built into them now? Is that --
Joe Carrigan: My phone does not have a magnet. Does your phone have a magnet?
Dave Bittner: Yeah.
Maria Varmazis: Yeah. Mine does. Yep.
Dave Bittner: iPhones do.
Joe Carrigan: Really.
Dave Bittner: For the wireless charging.
Joe Carrigan: Hmm. Okay.
Dave Bittner: And so, like, that's how my phone -- what I use it for is that's how my phone connects to my little, like, dashboard adapter in the car. It just uses that magnetism to click on there.
Joe Carrigan: How does that affect the compass and other gyros?
Dave Bittner: Amazingly and head-scratchingly it does not. So the -- yes. The -- the magicians at Apple have figured out a way to get around that huge magnetic field and still be able to get the magnetic field of the Earth.
Maria Varmazis: They use the accelerometer for the compass, don't they? They don't use an actual magnet.
Joe Carrigan: No. They use -- they use a -- the compass has a magnetic sensor in it, or at least mine does because I -- if I'm too close to a piece of metal, or if I put one of those pieces of metal in the back of my phone case so that I can stick it to a magnet, which I don't because it messes up the compass, I get a message that says, hey. There's a strong magnetic field or maybe some metal near the -- near the compass. We can't -- can't read it.
Maria Varmazis: I'll be danged. All right. That's cool.
Dave Bittner: I did not know that. And yet another point for Team Apple.
Maria Varmazis: Wow. Wow.
Joe Carrigan: I'll grant you that.
Dave Bittner: All right. We got one more bit of follow-up, and it's coming from inside the house.
Joe Carrigan: Yeah.
Dave Bittner: Joe, what have you got going on here?
Joe Carrigan: I think I might have a problem, guys.
Dave Bittner: Yeah.
Joe Carrigan: Yeah.
Maria Varmazis: Yeah. We know.
Joe Carrigan: There's a picture in -- in the script here of six brand new little chickens. And they're at my house right now, chilling out in my garage, which I only recently began unpacking. And I started making some great progress. And my wife and daughter said, Ooh, look at all this space. More chickens. So I, of course, agreed because I love chickens.
Dave Bittner: Yeah.
Joe Carrigan: And I now have six little chicks. We're going to try to integrate them with the rest of the flock, but these are ones that laid color -- lay colored eggs, like little -- little blue eggs and green eggs.
Dave Bittner: Oh.
Joe Carrigan: Maybe I'll actually have some green eggs and ham one day.
Dave Bittner: Okay.
Maria Varmazis: Oh. What kind of chickens are these?
Joe Carrigan: Geez. You asked -- one is an olive layer. That's the one that lays the green eggs; an Easter layer that lays a blue egg; and then an Americana, which also lays a blue egg, different-colored blue egg.
Dave Bittner: Okay.
Joe Carrigan: So we'll have multi-colored eggs along with the Wyandottes, which I've been mispronouncing Wyandotte for a while. I was informed of that one day last week, I think. And they, I think -- we haven't seen any eggs from them, but my understanding is they lay brown eggs. They may not. I don't know. We'll see.
Dave Bittner: Okay. So are these going to stay at your house, or are these getting integrated with your daughter's chickens?
Joe Carrigan: Probably integrated.
Dave Bittner: Okay.
Joe Carrigan: Probably integrated. I mean, I'd love to have six little chickens at my house. I'd have to build a little chicken tractor, which would be fun.
Dave Bittner: Why would you need to build a chicken tractor?
Joe Carrigan: It's like a coop.
Maria Varmazis: What's a chicken tractor?
Joe Carrigan: Oh, a chicken tractor is like a little tiny chicken coop on wheels.
Dave Bittner: Oh.
Joe Carrigan: Right. So --
Maria Varmazis: Okay. So they don't drive it.
Joe Carrigan: Right. Well, it depends on how advanced I want to get.
Maria Varmazis: A bunch of chickens driving farm equipment. I'm like, why would you need that? And, also, how does that work? Okay.
Dave Bittner: Yeah. I'm just imagining little chickens with --
Maria Varmazis: Listen. I don't know these things!
Dave Bittner: -- little cowboy hats, little overalls driving around in little tractors.
Joe Carrigan: You laugh at this, but there was -- there was actually a study done in World War II that had pigeons guiding bombs into ships.
Maria Varmazis: Well, there you go.
Joe Carrigan: And you can Google that.
Maria Varmazis: And maybe chickens and farm equipment, you know.
Joe Carrigan: So maybe I'll -- maybe I'll come up with something similar that has the chickens move the -- move the tractor around on their own.
Dave Bittner: Why would your coop need to be movable?
Joe Carrigan: Because it would be -- number one, it's smaller, right? It's a coop and a run built together. So it's not -- like, what my daughter has is a -- is a very big coop and a very big run.
Dave Bittner: Okay.
Joe Carrigan: So the chickens are in there, and that -- but that's really expensive, right? So you can cheaply build a chicken tractor that has a smaller coop for like six chickens and then a small run. But you can't have them in that same run every day, all day, every day. You have to move them around the yard, or they'll just destroy the lawn.
Dave Bittner: Oh, I see.
Joe Carrigan: So, yeah. So you --
Maria Varmazis: They get depressed or something.
Joe Carrigan: Well, I mean, I don't know that they get depressed. It might actually, you know, decay the food that's there. But also they will poop all over the place. These birds do not care about where they poop.
Dave Bittner: Yeah. So you move it around, and you don't have to mow the lawn.
Joe Carrigan: You probably still have to mow the lawn because these -- these things are going to actually provide nutrients that make the grass grow.
Dave Bittner: I see. Oh, well. Nothing's perfect.
Joe Carrigan: Yeah.
Maria Varmazis: Ah. Okay. Okay.
Dave Bittner: Well, good luck with your chicks. I hope they all survive.
Joe Carrigan: So far so good.
Dave Bittner: I hope you have no snakes in your garage.
Joe Carrigan: Ooh, that's a good point, Dave.
Maria Varmazis: Oh, geez. He's going to run off right now.
Joe Carrigan: When they're this big -- when they're this big, that's a problem. But, when they get bigger, that becomes the snake's problem.
Dave Bittner: Right.
Joe Carrigan: A full-size chicken will take one of those things out. They'll go, Hey. Look at this big wiggly worm.
Dave Bittner: Yeah. I had a friend with a chicken coop, and the chicken coop had a black snake who was part of the coop.
Joe Carrigan: Part of -- yeah. Part of the ecosystem?
Dave Bittner: Yeah. So, basically, the deal was that, in exchange for keeping the rodent population under control, which is what the snake did, the snake got eggs. So, you know.
Joe Carrigan: You'd think he'd be happy with the rodents.
Dave Bittner: Well, I mean, you know. I mean, that was the incentive to not get the snake to move along.
Joe Carrigan: Okay.
Dave Bittner: Right.
Joe Carrigan: Yeah.
Dave Bittner: So, you know, but you've got to be okay with snakes; and not everyone is.
Joe Carrigan: I'm fine with snakes but not around my little chicks.
Dave Bittner: Yeah. All right. I tell you what. Let's take a quick break to hear from our show sponsor. We will be right back with our stories. And we are back. Maria, you want to start things off for us this week?
Maria Varmazis: Yes, I do. All right. So I was delighted to get an email in my inbox just a few days before recording this show, actually. And the subject line was, Elevate Spotify's global social media strategy as our next vice president, sent to me, Maria Varmazis, in my personal Gmail account. And I was delighted because -- because I said I got a fresh scam in my inbox because ain't nobody want me to be their vice president of anything.
Joe Carrigan: Oh. Okay.
Maria Varmazis: So that would be absolutely --
Dave Bittner: Oh, I don't know, Maria.
Maria Varmazis: -- the biggest giveaway ever that this was a scam.
Joe Carrigan: You know, I was listening to -- on Spotify to one of the great podcasts on our network there or on our distribution system. And, lo and behold, Maria Varmazis, she sounds like she knows things.
Dave Bittner: Could happen.
Joe Carrigan: Yeah.
Maria Varmazis: Could happen. So quick fun fact. Nobody's hiring a vice president in a blind email like this kind of thing. This is never how that kind of recruitment works. So that is, again, like one of the other glaring signs that this is a scam. But I was really kind of excited to get this one in my inbox. I really wanted to see how -- what -- how this one worked because I know that there have been variants of the Spotify job hire scam that's been going around in the world of marketing and marketing adjacent people, which I have been for quite some time. So the -- the email I got came from Spotify HR, and the email specifically was a no reply @appsheet.com. And that made me go, okay. That's -- that is an interesting little inclusion. And the text of the email had, you know, my name. It was very standard. This is the pitch for this job we're trying to hire for. There was no link at all. This was not like a phishing thing where they went, like, please fill out this form on this website. There was nothing like that. There was no attachment. There -- I even checked the source of the email. There was nothing really dodgy that I could see immediately going on, unless maybe Gmail filtered it out, which is possible. And it was signed, Best regards, the Spotify recruitment team. Again, this is never how this kind of communication would go.
Joe Carrigan: Yes.
Maria Varmazis: But anyway, the thing that was interesting is, at the very bottom, it was -- again included powered by AppSheet. So I said, okay. Clearly someone has a whole pile of emails of folks like me who have worked in marketing at some time, and they're sending a whole bunch of bulk emails out through AppSheet and hoping somebody will bite. But, again, I was like, where is this -- like, I know this is not real, but what exactly is the scam here? How is this playing out?
Joe Carrigan: Can we -- can we stop for a second because I have an ignorance hole that needs to be filled here.
Maria Varmazis: Sure.
Joe Carrigan: What is AppSheet?
Maria Varmazis: Okay. Great question. So I didn't know that either. So I actually went to their website. And it's -- I'm going to really nutshell it. It sounds like it's a service that allows you to automate a whole bunch of processes.
Joe Carrigan: Okay.
Maria Varmazis: So if you want to do like, hey, I want to send a whole bunch of people an email, you can automate that through this thing. And you can build -- I think build like little tiny apps that way. So an automation process thing is sort of my understanding. It's a legit tool. It's a completely legitimate tool.
Joe Carrigan: Okay.
Maria Varmazis: It -- to me, it sort of reminded me of Zapier a little bit but not quite.
Joe Carrigan: Okay.
Maria Varmazis: But I'm sure somebody who uses this heavily will be able to correct me. But it's a completely legit tool. But, yeah. Again, no job offer would be coming this way. So I was just trying to figure out, like, what exactly is the scam here, aside from this is obviously a fake job. Like, how are they trying to get me, and what are they trying to get me in to do? Like, what are they trying to hook me in? So I did a little Redditting because I just really was trying to figure out who else has seen this. This cannot -- this I know is not new. And I was reading through the comments on the scam Subreddit of this exact scam. And, actually, Myon Plout, who's been on Hacking Humans, our colleague at N2K, Dave, she's also received a variant of this scam, which I thought was very interesting. She and I sort of are in the same marketing world a little bit. And so somebody who actually fell for this scam wrote down how they got hooked. And, apparently, if you respond to this email, even though it's a no reply, somehow if you respond to it, there is somebody who -- maybe not on the one that I have, but somebody somewhere is responding to the emails that are being sent blindly to unsuspecting folks. If you respond that you are interested, they forward you information about setting up a call. So, again, if you're a job seeker, this might sound really promising. And, when you go to the site to arrange a call, I imagine it's probably something like a -- that might look like a Calendly or some kind of service like that. It will list all potential job openings at Spotify. Again, this is not legit, but it will look like it. And then it'll ask you to log into your Facebook or create an email account. And then, after trying to create one, create an account via email, it redirects you to a forced Facebook login page, still with a fake job URL at the top. So this is very odd to me, that the whole point of this scam is to try and, I guess, harvest legitimate Facebook credentials. 
I'm not -- I'm -- that was the only thing I could find in a thread of people who got this who actually sort of went down the rabbit hole of following this scam. It feels like a lot of work to go after people potentially who are looking for jobs to just say I'm just trying to steal your Facebook creds. But, in theory, I suppose this could be creds that are reused in other sites, and that could help them validate that this is a real contact. That would be my guess. But I just sort of wanted to put out an FYI for people if they are getting weird outreach, especially if they're looking for jobs, especially if it's Spotify wanting to make you a vice president. Obviously, be careful. But even -- especially when the scam is not obvious, there is something down the line. And, in this case apparently is some sort of credential harvest, either through Facebook or email. So please be careful.
Dave Bittner: It makes me wonder what the comparative value is of different Facebook accounts. In other words, anybody can spin up a Facebook account, and that probably has very little value. But let's say you took my Facebook account, which has been active for over a decade --
Joe Carrigan: Right.
Dave Bittner: -- and has thousands of contacts and photos and all sorts of things that make it --
Maria Varmazis: Yes.
Dave Bittner: -- a legit account, right.
Joe Carrigan: Or -- or if you're a Facebook --
Maria Varmazis: So my guess is if -- if you're a marketing person like me, you probably have admin access to a lot of company pages that you've been an admin for. So, if they hijack your Facebook account, you now have access to a whole lot of other stuff, in theory, although a lot of higher up companies, they don't -- they operate differently; or there's other processes to prevent something like this happening. But not always.
Joe Carrigan: Right.
Maria Varmazis: So, yeah. Someone could go, Hey. I now have access to your Facebook account, which you use to log into all of these different companies and manage your social media. So that certainly for me, like, 10 years ago, that was how we did this kind of stuff. But I don't do it that way anymore.
Dave Bittner: Right, right. I guess there -- there are still some places that allow you to use Facebook as your single sign on. So, you know, the places you go say, Log in with your Facebook credentials, which I would never do. But --
Joe Carrigan: Right.
Dave Bittner: But you can do it.
Maria Varmazis: Enough for a job, yeah.
Dave Bittner: No, no, no. I just mean, like, in general, like, once you have someone's Facebook credentials, could you use that to get into other places? It's possible.
Maria Varmazis: I imagine.
Joe Carrigan: Yeah. Absolutely.
Maria Varmazis: It was very popular back -- when that first rolled out, Facebook single sign on.
Dave Bittner: Right.
Joe Carrigan: Never trusted it.
Maria Varmazis: But I feel like most of us have moved away from that.
Joe Carrigan: Yes.
Dave Bittner: They were one of the first to offer it.
Maria Varmazis: Yeah.
Dave Bittner: And I think it was, like, right in the crossover between when that sort of thing was being offered and people were realizing that Facebook has no moral compass so.
Joe Carrigan: Right.
Maria Varmazis: And the integration doesn't always work very well.
Dave Bittner: Yeah.
Maria Varmazis: And, you know, if you get locked out of your Facebook account, now you can't log into anything. It's that whole thing.
Dave Bittner: Right, right.
Maria Varmazis: Yep.
Dave Bittner: It is remarkable how good this email is. I don't see any particular red flags in the grammar or the formatting or anything like that.
Maria Varmazis: Exactly. Yep.
Joe Carrigan: I -- the one red flag I see is the beginning is I trust this message finds you well and in excellent spirits, which smacks to me of AI writing it.
Dave Bittner: Or a translation.
Joe Carrigan: No. Whenever you -- whenever I have ChatGPT write a letter or whenever I've done this, the opening line is, I trust this message finds you well.
Dave Bittner: Yeah.
Joe Carrigan: For some reason, it always opens with that.
Maria Varmazis: That's interesting.
Joe Carrigan: And when I was working at Hopkins, I would get emails from students that always started with that sentence, like, over and over and over again. And I'm like, Why are they all doing -- and it occurred to me. Oh, these guys are just using an AI to write me a letter.
Dave Bittner: Yeah.
Joe Carrigan: So.
Dave Bittner: Huh.
Maria Varmazis: I wouldn't object to an email that's AI written for something like this, like a job outreach where clearly it's a lot of different people. But, again, I didn't even have to open it to know that this was fake because, again, nobody's reaching out blindly for a vice president role, especially one that I am wholly unqualified for. But, again, it's -- this is not how -- it's just not how this works. It's just not.
Dave Bittner: Don't sell yourself short, Maria. You could totally kill it in this job.
Maria Varmazis: In a sector I have never worked at, oh, yeah. I would totally rock this job.
Dave Bittner: Oh, come on. Where's your sense of adventure?
Maria Varmazis: Oh, my God. How to tank Spotify social media. Hire me.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: All right. Well, very interesting. I guess there's no link to share on this one because this one came directly to you.
Maria Varmazis: It landed right in my inbox so --
Dave Bittner: We do have a link to the -- yeah. We do have a link to the Reddit thread that -- the Reddit thread that relates to this, so we'll include that in the show notes. All right. Joe, you are up. What do you got for us?
Joe Carrigan: I got two this week because they're short. The first one comes from Matt Schooley, who is at WBZ News.
Maria Varmazis: Oh. My neck of the woods.
Joe Carrigan: It's a CBS affiliate. Oh, is it? That's right because this is actually up in -- up in Massachusetts where this is happening. This is a story that's headline is, Uber drivers help end scam targeting hundreds of grandparents, US Attorney says. So are you familiar with Leah Foley, Maria? She's US Attorney from Massachusetts.
Maria Varmazis: Yeah. I've heard her name, yes.
Joe Carrigan: Okay. So she has -- she and -- and law enforcement have arrested or charged, I think, 13 people; and they've arrested nine of them. Four of them are still on the loose, two of them here in the States and two of them in the Dominican Republic where they think this scam was being run out of. But this was a grandparent scam that was using Uber to either deliver -- deliver the money to the scammers or pick up the grandparents and take them to the bank, then take them to take the money to the scammer. So the average victim of the scam was 84 years old, and the total amount of money that was lost surpassed $5 million.
Dave Bittner: Wow.
Joe Carrigan: There's something like 400 victims that they know about, 400 victims from 50 states. So here's what's interesting. The way this became known to the FBI is Uber reported it because Uber is frequently used as unwitting courier in this -- in this -- in this kind of scam. So a couple of months ago we -- we were talking about how Uber drivers are used to deliver things. And I had told you I have a friend is an Uber driver, and he was -- did a courier -- a courier thing once, only once. He only did it once because he was almost positive what he did was -- was facilitate some kind of crime.
Dave Bittner: Oh.
Joe Carrigan: So there is -- now, it wasn't -- it wasn't a scam crime like this that he was -- he was part of. He thought it was something else. That's all I'll say.
Dave Bittner: Yeah.
Joe Carrigan: But what they did was they started noticing that a lot of people -- or there were a few people, rather, who were sending out courier pickups for a bunch of different -- different locations. Or they were ordering rides. And that's kind of unusual, so it kind of sticks out like a sore thumb in the Uber -- in the Uber dataset. So they notified the FBI. And FBI -- the FBI investigated, and they wound up arresting all these people, which is -- which is great. And they still have four people to arrest, including this one guy whose name is Ransel St. Arlin Tavarez Jimenez. And there's a picture of him in this article with a mad stack of cash that is allegedly resulting from these scams.
Dave Bittner: His ill-gotten gains.
Joe Carrigan: His ill-gotten gains. Right. He's like, Look at all this money I took from old people.
Dave Bittner: Hey, Bob. Come over here. Let's create some evidence.
Joe Carrigan: Right. Exactly.
Maria Varmazis: Oh, they're not always the smartest, these criminals, are they?
Joe Carrigan: I cannot tell you anytime there's something kind of mischievous going on and somebody pulls out their cell phone, I said, No; that's evidence. Don't do that.
Dave Bittner: Right. Oh, my goodness.
Joe Carrigan: I'm not worried about law enforcement evidence. I'm just worried about, you know, maybe -- maybe my wife is, like, Why are you doing this?
Dave Bittner: Right.
Joe Carrigan: You know.
Dave Bittner: And how did it end -- end up on the internet?
Joe Carrigan: Right. Why do you have this gasoline and the -- in the fire pit?
Dave Bittner: Yeah.
Joe Carrigan: Right. So it's -- it's more me protecting myself from somebody finding out I did something incredibly stupid. But that's my first story. My second story, and we haven't -- you know how last week I said we haven't had a pyramid scam story in a while?
Dave Bittner: Yeah.
Joe Carrigan: Well, it's not a pyramid scam. I'm really still looking for a good one. But it is a -- it's a -- it's an in-person scam. This is out in Northern California. It's called the cash drop scam, which is kind of like the pigeon drop scam.
Dave Bittner: Yeah.
Joe Carrigan: But this is where somebody walks up to you and says, Hey. Did you drop this $20 bill? Now, I don't know about you. But whenever anybody asks me that, I immediately go no because I don't carry cash at all.
Maria Varmazis: Okay.
Dave Bittner: Okay.
Joe Carrigan: I just don't. And I've always had this policy of rigorous honesty where things like that have -- have saved me from getting in not getting scammed but, you know, getting -- well, I mean, having pranks pulled on me.
Dave Bittner: Yeah.
Joe Carrigan: You know, having you -- having somebody say, Hey. Did you drop this money over here? And then you go over there, and something terrible happens to you, like, you know, maybe you walk into a room that has a bucket of water on the -- on the -- on the door. And I would just say, No, I don't have any money. I don't carry money around. So it wasn't my money.
Dave Bittner: Pull my finger.
Joe Carrigan: Right.
Maria Varmazis: So I was wondering if the scam worked like, you know, there's a little fishing line attached to the $20 bill. And, as you go to reach it, someone's pulling it away from you and you just keep chasing after it.
Joe Carrigan: Right. And then they hit you with a club when you go around a corner.
Maria Varmazis: Yeah. I was like -- that was like, Hey. Drop that money. But that's where my mind goes.
Dave Bittner: I would pay $20 to see Joe chasing after a $20 bill on the fishing line across the parking lot.
Maria Varmazis: But he doesn't carry cash. Oh, no.
Joe Carrigan: I don't carry cash. I would not --
Maria Varmazis: What would he do with the $20?
Joe Carrigan: I would be thinking, Hey, I just found $20.
Dave Bittner: Right, right.
Joe Carrigan: That'd be cool.
Dave Bittner: And then I would win $100,000 on America's Funniest Home Videos.
Maria Varmazis: Right.
Joe Carrigan: I did one time fall for the quarter glued to the floor trick one time.
Dave Bittner: Oh, yeah. Sure.
Joe Carrigan: It's just a quarter, and I bent down to pick it up. And, like, a bunch of kids started laughing at me. I was, like, good one.
Dave Bittner: Yeah. Did you split your pants?
Joe Carrigan: No.
Dave Bittner: Because that would have been perfect.
Joe Carrigan: No. Hilarious. They were all, like, Ha. Got ya. I'm like, Yeah, yeah. You got me. Bye.
Dave Bittner: Okay.
Joe Carrigan: So -- no. The way this works is these guys actually kind of watch you withdraw money from an ATM. So they go up, they get your ATM PIN, and then they watch you withdraw the money. And then they say, Hey, you dropped this money. And then they're also kind of pickpockets. So they will either take your ATM card or replace it, swap it out. And then they just go and they make a withdrawal to -- you know, to all your -- to your account. So there was a -- the way this was found was there was a loss prevention agent who was at a local business who noticed that there are these two people out there milling about constantly and talking to people, and he reported it to the police. And the police came in, found out that they were scamming people and arrested them. And they're both now in custody. And they are -- they -- when -- when they were asked for identification, they showed Romanian passports. So, when they were arrested, they were found to have multiple felony warrants for fraud, identity theft, conspiracy, and caretaker embezzlement/elder abuse.
Dave Bittner: Oh, wow.
Joe Carrigan: So these are just not just two scammers out in the parking lot. These are serious people that make their living doing this.
Dave Bittner: Right. Professional scumbags.
Joe Carrigan: Right. Exactly. So I don't know. My only advice here is that, if someone walks up to you and says, Hey, did you drop this money, you know, put your hand on your wallet or something.
Dave Bittner: Right, right.
Joe Carrigan: And, you know, I don't like using ATMs, but, when I do, I'm always -- I always make sure that I'm the last guy in line. You know, somebody -- if somebody comes up behind me --
Dave Bittner: Okay.
Joe Carrigan: -- I just stop what I'm doing; and I go, Why don't you go ahead. Little old lady who's probably going to pull a stick out of her bag and hit me with it. Take what I -- I don't know. I'm very suspicious. I don't trust anybody, Dave. No way to live.
Dave Bittner: Yeah. I usually use my -- my grocery store as my ATM if I need to, you know.
Joe Carrigan: Yeah. That's a good policy.
Dave Bittner: Yeah.
Joe Carrigan: Yeah. You get a little extra money out you buy something.
Dave Bittner: Yeah. Big public place, you know.
Joe Carrigan: Yeah.
Dave Bittner: They typically ask, Would you like some cash back? And I'll say, Yeah. Sure. Why not? It's mine, after all.
Joe Carrigan: Yep.
Dave Bittner: Yeah.
Joe Carrigan: Hannibal Buress has a great bit about that where he says some people will -- will get cash out when they buy something, but I like to return the thing I bought right after I -- right after I get the cash out. Yeah. I'd like to return these Skittles. My receipt is actually still in your hand.
Dave Bittner: Okay.
Joe Carrigan: You have to buy something.
Maria Varmazis: I feel like I'm missing something with that.
Dave Bittner: Oh. You have to buy something to use -- to use --
Joe Carrigan: To use it. Right.
Dave Bittner: I see. All right. I'm with you now.
Joe Carrigan: It's a transaction fee free ATM, essentially, is what he's doing.
Dave Bittner: Right, right, right. Gotcha, gotcha. All right. We will have links to both of your stories in the show notes. We're going to take a quick break here to hear from our sponsor. We'll be right back. And we are back. My story this week comes from a couple of sources. We've got the folks over at Bitdefender actually initially brought my attention to this story. But it was also reported by the Sun from the UK. And this is actually about a reporter for Good Morning Britain, which I guess is like Good Morning America, only smaller.
Joe Carrigan: Yes, yes. Much smaller metric.
Dave Bittner: Right, right.
Joe Carrigan: No guns.
Dave Bittner: Yeah. And -- and free healthcare.
Maria Varmazis: Sounds nice.
Dave Bittner: So Good Morning Britain's North American correspondent named Noel Phillips, he went public with his own personal story. He lost his life savings, which in his case was about 22,000 pounds.
Joe Carrigan: Pounds.
Dave Bittner: And -- and this -- Noel is a young guy so just kind of getting, you know, started in life and had managed to tuck away, you know, nice little nest egg for himself.
Joe Carrigan: That's pretty good for a young man.
Dave Bittner: Yeah. And it started when he got a call from Chase Bank warning him that his account had been compromised. The number matched up with what he had in his phone from Chase Bank. And so he didn't answer that call, but he called them back. And he thought he'd reached customer service, and he had not.
Joe Carrigan: So how did -- well, now I'm confused.
Dave Bittner: Don't ask too many questions, Joe, because I'm not going to be able to have the answers to them. So once these folks engaged with him, somehow they were able to get inside of his banking app or to -- I guess I should say to trigger a notification from his banking app showing a payment that he had not made. Okay. So this freaked him out. He was like, What's going on here? I just got a call from my bank. They said my account has been compromised. Now my bank app is telling me that there's a problem, and he is on the phone with the scammers as all this is happening. But he doesn't think they're the scammers. He thinks they're the bank. So he rushes to his local branch, and the people on the phone with him persuade him to transfer his savings into safe accounts. And I'm putting safe accounts in air quotes --
Joe Carrigan: Right.
Dave Bittner: -- that they say are in his name.
Joe Carrigan: So is this at a branch of Chase Bank?
Dave Bittner: Correct. He walks into a branch of Chase Bank. Now, the scammers convinced him that the people at the bank were in on the scam, and so he should not tell the tellers what's going on because they're in on it.
Maria Varmazis: Wow.
Joe Carrigan: Okay.
Dave Bittner: Right.
Maria Varmazis: Oh, my goodness.
Dave Bittner: So he goes to the -- goes to the local bank, transfers this money that he thinks is transferring to safe accounts. He believes that the security folks from Chase Bank are on the phone with him. He gets all this done, and his money is gone.
Joe Carrigan: Right?
Dave Bittner: And Chase Bank tells him that they can't recover his money because they don't know who the criminals are. Interesting sort of wrinkle to this story is that in the -- the Sun's version of this story from the UK, they had to point out that, because banking laws are different in the US, he can't get his money back. In the UK, he would have gotten his money back.
Maria Varmazis: Oh.
Dave Bittner: Right.
Joe Carrigan: So this was a bank in the US.
Dave Bittner: Yeah. So he's the North American correspondent for Good Morning Britain.
Joe Carrigan: Right. So here's my question. Does -- does Chase Bank not follow the Know Your Customer regulations? Because these were accounts that were open to Chase Bank.
Dave Bittner: Yeah.
Joe Carrigan: Right. So they --
Dave Bittner: Well, which accounts, the safe accounts?
Joe Carrigan: Yes, the safe accounts.
Dave Bittner: I think the safe accounts were just random accounts at some other bank that he routed his money to.
Joe Carrigan: Oh, okay. So they weren't Chase Bank accounts.
Dave Bittner: Yeah. I think the fraudsters convinced him that these were safe accounts and that they were with Chase, but they were not. I'm guessing they were with some other bank, you know, halfway around the world. Right.
Joe Carrigan: Right.
Dave Bittner: So he did not get his money back because he was the one who put all this into action, right? He walked into the bank, and he's the one who transferred it. So it's his -- the way the rules are written for us here in the US --
Joe Carrigan: Right.
Dave Bittner: -- he's responsible for that action. He said that he felt embarrassed, ashamed, and worthless after being a victim.
Joe Carrigan: Yeah. I get it.
Dave Bittner: Yeah.
Maria Varmazis: Yeah.
Joe Carrigan: You know, last week or two weeks ago I talked about how I fell for a phishing email --
Dave Bittner: Right.
Joe Carrigan: -- and felt very much the same over something small and stupid like a phishing email.
Dave Bittner: Yeah.
Joe Carrigan: I cannot imagine how I would feel over 22,000 pounds. What is that in dollars?
Dave Bittner: Right. What's that in real money, right?
Joe Carrigan: You know --
Maria Varmazis: It's under 30k, which is a lot of money. I mean --
Joe Carrigan: Still, I mean, 30k is a lot of money. Yeah.
Dave Bittner: Oh, yeah. Yeah. No doubt about it. So in terms of red flags to share with your friends and family, I mean, obviously an incoming call from your bank automatically should be a red flag.
Joe Carrigan: Right. You should call your bank back but use a number you know is the bank. Right.
Dave Bittner: And you know it's so -- it's frustrating how detailed we have to get with this because now we have to tell people don't Google the phone number of your bank.
Joe Carrigan: Right, right.
Maria Varmazis: Yeah.
Dave Bittner: Because it might not be the number for your bank that comes back.
Joe Carrigan: A paid ad that the scammers have bought --
Dave Bittner: Right.
Joe Carrigan: -- targeting you. They want to target you so when you -- yeah.
Dave Bittner: Get the number, get the -- the local number for your local branch, right? But look at -- look at this case. He physically went to his -- to his bank.
Joe Carrigan: Right.
Maria Varmazis: Right.
Dave Bittner: He got in his car.
Maria Varmazis: Right. And because he did -- yeah. He didn't say what this was about because he'd been told that the bank was in on it. I'm sure had he mentioned what this was, the bank's been trained to tell people, Hey. Like, hey. That's actually a scam. Let's maybe slow down.
Dave Bittner: Right.
Maria Varmazis: But he didn't say anything because he was primed not to.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Maria Varmazis: That's -- oh. That's -- so now the -- now the criminals are trying to work around that.
Joe Carrigan: Yep.
Maria Varmazis: I am wondering, genuinely wondering, given that he has a sort of public profile job, did his employer train him at all in saying, hey. Because you have a high profile job, you might be getting targeted in scams that are going to go after you like this. I'm wondering because, again, anybody can get hit by a scam like this.
Joe Carrigan: Yeah.
Maria Varmazis: But especially if you're regularly appearing on TV, this feels like something that your employer should be maybe going a little bit out of their way to tell them be very, very vigilant.
Dave Bittner: Right. Absolutely.
Maria Varmazis: Yeah. I just wonder. Yeah.
Dave Bittner: Yeah.
Joe Carrigan: I think -- I think the way this -- I don't know. I'm not familiar with exactly with how these anti-fraud things should go. But, when you get a call from fraud prevention, you should be able to say, That's not me. Lock it down. And you shouldn't have to take any other action.
Maria Varmazis: Yeah.
Joe Carrigan: They're the bank. They're the bank security department. If they are calling you -- because fraud prevention will call you.
Dave Bittner: Right.
Joe Carrigan: And, when they call you, they say, Hey. Was this you buying -- you know, buying, I don't know, $100 worth of chickens at Tractor Supply?
Maria Varmazis: That could be Joe.
Dave Bittner: Because no rational man would do such a thing.
Joe Carrigan: And I'd have to go, Yes.
Maria Varmazis: Isn't it interesting, though, also that we sort of have become primed to think that, if there's a mistake that was -- like, that it's on us to fix it and that the banks will do nothing to help you. And I think that's also maybe a panic that's spurring people to take these actions that end up hurting them in the long run because think about it. If you get a call, they're not going, And we'll fix it. We just called you to make sure. These scammers are going, And it's your job to fix it, which -- and everyone's going, Okay. That makes sense.
Joe Carrigan: Right. So, I mean --
Maria Varmazis: No customer service.
Joe Carrigan: Yeah. That's --
Dave Bittner: Yeah. I may have mentioned this before. A few months ago, I was chatting with a friend of mine who's a commercial banker. And he was saying just what a huge amount of his time every day is taken up dealing with scams.
Joe Carrigan: Right.
Maria Varmazis: I can only begin to imagine. Yeah.
Dave Bittner: Just it's a gigantic problem for banks. Yeah.
Joe Carrigan: I don't know. I think the answer here for the bank is to not conduct any transactions with somebody that's on a phone. You know, just look at them and go, we can't conduct any transactions for you when you're on the phone. Sorry.
Dave Bittner: Oh, oh. Right. If you're -- if you're -- yeah.
Joe Carrigan: If you're on the phone, we can't help you.
Dave Bittner: So interesting wrinkle to this. They actually mentioned in the story that he had an ear bud in his ear.
Joe Carrigan: Okay.
Maria Varmazis: Oh. One of the ear pods?
Dave Bittner: Yeah. Like an AirPod. So he was not holding the phone up to his ear. But you're absolutely right, Joe. And I would -- I would imagine that by this point that bank tellers are trained for that. They would say, I'm sorry. Can you -- would you mind putting down the call and, you know, that sort of thing because the -- to -- I mean, to the bank's credit, the tellers are trained to look for these scams --
Joe Carrigan: Right.
Dave Bittner: No doubt about it.
Maria Varmazis: Yeah.
Dave Bittner: -- and -- and certainly have helped save people from them.
Maria Varmazis: Yes.
Joe Carrigan: Right. Because it is much easier to tell someone that's a scam; your money's fine than it is to have to respond like your -- like your friend does to the -- to the I've now lost 23,000 pounds. What are you going to do about that?
Dave Bittner: Right.
Joe Carrigan: And now you have to get legal involved, right?
Dave Bittner: Yeah.
Joe Carrigan: That's not going to be cheap. So, I mean, if I were this guy, I think I'd just start making them pay 23,000 pounds or 20, you know, whatever, in to somebody else. And I'd make it clear I'm just going to cost you 23,000 pounds in, like, legal fees. So it's cheaper for you to give me back my money, or I'm going to continue to just file these lawsuits against you because I can go down to court and file lawsuits against you all day. I'll learn how to do it.
Dave Bittner: It's good to have a vindictive streak.
Maria Varmazis: You would, Joe.
Joe Carrigan: Yes.
Maria Varmazis: And I know you would, Joe.
Joe Carrigan: I would. I absolutely would.
Maria Varmazis: Yeah. And I'm -- from the bank's point of view, they're going, you made a transaction that you later regretted, but you did it knowingly. That is not our problem. I'm sure that that is what the bank is saying, and I hate taking their side on this, but I can -- yeah.
Dave Bittner: I'm just imagining -- I'm imagining, Joe, much like the person in your story called the police about the person hanging out outside of the bank --
Joe Carrigan: Right.
Dave Bittner: -- that the similar thing would be -- happen, that they call the bank and they'd say, There's a guy who's hanging out in front of the bank every day, all day. And they say, Oh, that's just crazy Joe Carrigan. Crazy Old Joe Carrigan.
Dave Bittner: Yeah.
Maria Varmazis: Crazy Joe.
Dave Bittner: Yeah. He wired all of his money to somebody, and now he's made it his mission to -- he's warning everybody on their way in to not do business with us. But, yeah. He's harmless. He's harmless.
Joe Carrigan: Mostly harmless.
Dave Bittner: Yeah. Just don't make eye contact with him.
Joe Carrigan: Don't make eye contact.
Maria Varmazis: Just super annoying. Harmless but super annoying.
Joe Carrigan: Largely describes what I am.
Dave Bittner: Yeah. All right. We'll have a link to that story in the show notes. Joe, Maria, it is time to move on to our Catch of the Day. [ SOUNDBITE OF REELING IN FISHING LINE ]
Joe Carrigan: Our Catch of the Day comes from Patrick who sent in an email from the International Monetary Fund, Dave.
Dave Bittner: Oh.
Joe Carrigan: IMF, if you will.
Dave Bittner: All right. It goes like this. The International Monetary Fund is compensating all the scam victims with some of $9.8 million US, and your email address was found on the list. This office has been mandated by the IMF to transfer your compensation fund to you via MoneyGram money transfer. However, we have concluded to affect your own payment through MoneyGram money transfer, $5,000 US per daily until the total sum of $9.8 million US is completely transferred to you. We cannot be able to send the payment with your email address alone. So we want you to get back to us with your full information where we will be sending the funds to you. Director, Mr. W. Alexander Holmes. We will give you direction on how you will be receiving the funds daily. Remember to send us your full information to avoid wrong transfer. Through Mr. W. Alexander Holmes, he will send $5,000 in your name today. So reply these email ASAP, or text him with your full information as soon as you receive this email; and tell him to give you the MTCN sender name and question/answer to pick the $5,000. Please let us know as soon as you received all your fund. Note that your payment files will be returned to the IMF within 72 hours if we did not hear from you. This was the instruction given to us by the IMF. He will start the transfer soon as he received your information. Thanks. Best regards, Reverend Father Patrick Smith, MoneyGram agent.
Joe Carrigan: Good old Father Patrick Smith.
Dave Bittner: Oh, no.
Maria Varmazis: Reverend Father.
Dave Bittner: Reverend Father.
Joe Carrigan: Works because of principle, right?
Dave Bittner: Right. I should have done it Reverend Father Patrick O'Malley.
Joe Carrigan: Right.
Dave Bittner: Yeah. You know, I mean, look. Priests aren't paid very much, so he's got a little side hustle going on here as a -- as a MoneyGram agent.
Joe Carrigan: Right. So here's the thing: $9.8 million at $5,000 a day, will take you over five years to get that money.
Dave Bittner: Oh.
Joe Carrigan: Yeah. I mean, that's -- every day I'm going to send you $5,000. Oh, that sounds miserable. I don't want to do this every single day. That's if I do it every day for the next five years, 365 days a year.
Dave Bittner: Yeah. I'd be okay with it.
Joe Carrigan: Would you?
Maria Varmazis: Yeah. I would definitely. I would knuckle down and do that.
Dave Bittner: Yeah. Honestly, I could find -- I could find the energy to make it happen. Sure.
Maria Varmazis: 5K a day from Reverend Father Patrick Smith from the Church of Cold, Hard Cash?
Dave Bittner: Yeah.
Maria Varmazis: Yes. I would do that.
Dave Bittner: Yeah, yeah. Does that include weekends, Joe?
Joe Carrigan: Yes. That's with weekends. You get no vacation day. You can't -- you can't go anywhere.
Maria Varmazis: What about Sundays?
Joe Carrigan: Sunday, yeah. Well, Father, he's going to say mass; and then he's going to go to the MoneyGram place.
Dave Bittner: That's right. I mean, he's going to expect you put his little something in the plate when they pass it around.
Joe Carrigan: Right. Yeah. That's right.
Maria Varmazis: Right. That's true.
Dave Bittner: Because he knows, you know. There's no holding back from the good Father Smith because he knows that now we've got --
Joe Carrigan: I expect to see $500 in the offertory plate today --
Dave Bittner: That's right.
Maria Varmazis: More on --
Joe Carrigan: -- because I know I gave him $5,000 this morning.
Dave Bittner: Get the old priestly stink eye on your way out of church. Don't want that to happen. All right. Well, that was a good one.
Joe Carrigan: Right.
Dave Bittner: We would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's HackingHumans@n2k.com. We're going to take one more quick ad break here. We will be right back. And that is Hacking Humans brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Carrigan: I'm Joe Carrigan.
Maria Varmazis: And I'm Maria Varmazis.
Dave Bittner: Thanks for listening.



