Podcasts
Hacking Humans
Ep 356
Hacking Humans 9.25.25
Ep 356 | 9.25.25

The new weapon in text scams.

Show Notes
Transcript

[ Music ]

Maria Varmazis: All right. Hello, everybody, and welcome to N2K CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Maria Varmazis from "T-Minus Space Daily" standing in for my colleague Dave Bittner from the CyberWire. And joining me today is Joe Carrigan. Hi, Joe.

 

Joe Carrigan: Hi, Maria. How are you?

 

Maria Varmazis: Good. I miss Dave. Do you miss Dave?

 

Joe Carrigan: I almost said "Hi, Dave." I had to stop myself.

 

Maria Varmazis: I know. He'll be back next week, everybody. He's just at an off site today so we're filling in. We're doing our best Dave impression. And we have some interesting stories to share with you this week, but first let's get in to some follow up and some listener feedback. And, Joe, this listener feedback actually came about an hour before we started recording and it's a really good one so I'm actually really amped to share this with everybody. And this one comes from listener Daniel. And he said, "My son was recently in a car accident in Texas." Sorry to hear that, Daniel. "While driving my vehicle. He wasn't at fault, but as usual we had to wait for the official police report before starting any insurance claims. Since accident reports are public in Texas and include personal details I suspect that is how my information was accessed. Shortly after," I assume he means the accident, "I got a voicemail from someone referencing my truck's make and model and the accident date. And when I called back they said they could send me the accident report and help me start a claim. To do this they texted me a link that took me to a website" that I'm not going to repeat because it's a scam website. Spoiler alert. "Which only displayed basic info like my name, accident date, and location. I was traveling in Greece at the time with limited SMS access so my responses were delayed. The caller didn't seem to notice this and just kept reading from a script. That plus the sense of urgency they tried to create made me suspicious." Good for you, Daniel. "But only after I clicked the link and the subsequent link to quote get the free accident report. Fortunately I was on mobile Safari and the link just showed basic accident information with portions of the VIN numbers redacted. I still don't know if this was a scam, an aggressive claims or attorney service, or a legitimate process, but it felt very similar to toll scams where just enough personal data is used to make the call sound real and pressure you in to acting quickly. Have you heard of this?" Daniel, good instincts. This sounds -- this smells like a scam to me. What do you think, Joe?

 

Joe Carrigan: I have not heard of this, but not being from Texas even though I spend a lot of time in Texas or --

 

Maria Varmazis: With the hat on.

 

Joe Carrigan: Yeah. I do. I have the hat. It's upstairs. I'm recording from home today so I do have it close by. Maybe I should get it.

 

Maria Varmazis: You should get your cowboy hat just for this story, just to [laughs].

 

Joe Carrigan: Right. Now giving my Texas accent. This is actually more of a -- there it is. So it -- I don't -- I'm not familiar. I've never gotten in to a car accident in Texas thankfully. Knock on some -- there. I'm going to knock on some wood. Because hopefully we're going to be going down there again this coming winter. So but no. I have not. I have not heard of this scam.

 

Maria Varmazis: Yeah. It's -- I did a little bit of digging because this really smelled like a scam to me. And, Daniel, you noticed the same thing so great instincts there. And I saw a post from the Fredericksburg police and Fredericksburg is in Texas and they actually posted about this in 2024, this exact scam about the website that Daniel -- that you sent across. That is a scam. And I was looking in to Texas' laws about accessing crash reports because of course in the United States every state it seems it's different what information you can get and what you can't get. But it seems in Texas which I bet for most states it's similar you just pay a very nominal fee like you would for getting a copy of your birth certificate. I think it's 6 or $8 from Texas DOT. And you can get a copy of your crash report. So any service that's trying to do this for you purportedly I would absolutely never trust. I would imagine that they're probably going to try and shunt you in to either some kind of insurance scam or maybe some really pushy lawyer who's going to try and extract money from you. But of course you're not going to -- you're not going to win in this case. It's going to be just a money extraction process. So --

 

Joe Carrigan: Right. Or they're going to try to push you towards a certain body shop or something.

 

Maria Varmazis: Yeah. Something like that. They're going to try and just funnel you somewhere in order to get money out of you. And my advice on anything like this is just never talk to anyone who's not your insurance or law enforcement or the department of transportation because there could be all sorts of nasty reasons why someone else is trying to talk to you about an accident. I would not do it. Good instincts, Daniel, on not falling for this scam. And well done. Well, before we get to our stories let's take a quick break now to hear from our sponsor. Okay. And we are back. Joe, you are starting us off today. I always tell you to regale me with your story. So maybe tell us a tale, Joe. Take me on that journey.

 

Joe Carrigan: My first story comes from O.K Henderson, and that's O dot K Henderson. Not okay. Not like this. I'm sure that O.K Henderson is actually a pretty great Henderson. Not just an okay Henderson.

 

Maria Varmazis: Yeah. Not just okay, but [inaudible 00:05:26].

 

Joe Carrigan: I'm sure that Mr. and Ms. Henderson hears that all the time. Anyway, this story says -- is about a judge sentencing four to a text scam run out of a Georgia prison. This is --

 

Maria Varmazis: Run out of a prison?

 

Joe Carrigan: Right. And this is from Radio Iowa. So these are Iowan authorities who have helped bust a texting scam run out of an Iowa -- or a Georgia prison. So it's multi state crime here and the police department in Iowa City and - in Iowa City, Council Bluffs, and Omaha along with the state police and the FBI investigated what turned out to be a nationwide scam. And the U.S justice department has been involved in this and they said it was being led by a 26 year old Russell Weatherspoon who was an inmate at Georgia state prisons. And he had gotten his hands on some phones that were flown in via drones. So, you know, he's sitting there in the prison. Somebody outside of the prison sends him a phone.

 

Maria Varmazis: Okay. Via drone.

 

Joe Carrigan: Via drone.

 

Maria Varmazis: Not the way I would have expected because we're talking about prison and I've seen "Orange is the New Black" and I, you know -- I was thinking about how they got cell phones in and I'm like wait a second. That's gross. So drone. Nothing gross. Okay. Drones. Okay.

 

Joe Carrigan: Yeah. Nothing -- nothing -- yeah. I'm going to just leave that. I haven't seen "Orange is the New Black" but I'm going to leave it there because I'm guessing and immediately I've got horrible images in my head.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So when they -- the drones -- they gave them the cell phones in the prison yard. And prosecutors say that for over two years four of these inmates in this prison were able to send text messages out using the name and phone numbers of law enforcement officers. So they were spoofing phone numbers and victims were told they failed to appear at a trial to testify as an expert and would be arrested if they didn't post a cash bond.

 

Maria Varmazis: That they didn't appear as an expert.

 

Joe Carrigan: Right. Right. They didn't appear as an expert witness.

 

Maria Varmazis: I'm sorry for laughing at someone else's misfortune. It's just that is such an angle. Like not you didn't appear at your trial or something, but you were supposed to be an expert at something and you didn't show up.

 

Joe Carrigan: Right. Yeah. Now I've worked in this field before. I've worked with people who have testified. You know you're going to testify if you're going to be called as an expert. Not only that, but you are paid a lot of money to show up and testify as an expert. You would not miss this. This is not something you would miss. Now I will happily agree not everybody knows this. Right? Not everybody has had the same life experience I have. If you haven't worked with people who have a particular technical expertise and you haven't worked with people who are looked to by law firms to be their technical expert on things you would have no idea how this works.

 

Maria Varmazis: Yeah. I'm just imagining if I got a text message like this I'd go, "I'm not an expert on anything. What do they want me to talk about? What is this?"

 

Joe Carrigan: Right. I'm frequently touted as a cybersecurity expert. I don't like to think that I am, but I mean truth of the matter is I know more about it than just about everybody else and there's people that know more, a lot more than I do, but you know they're few and far between. You know, and especially -- I hope I'm not sounding like I'm like an arrogant jackass.

 

Maria Varmazis: No. No. I got called a cybersecurity expert at a recent webinar I was part of and I cringed because I'm going, "I'm not." I know more than the average bear, but I'm not an expert. I would -- I would --

 

Joe Carrigan: Knowing more than the average bear makes you an expert in this field I think. So right.

 

Maria Varmazis: Oh goodness. Anyway yeah. So if I got a text message like this I would just I would immediately go, "That doesn't make a lick of sense." However maybe if I was somebody with a professional degree of some kind maybe I would go, "Maybe I missed that email." So plausible I suppose, but wow. That just it seems a very risky angle to pursue as a scammer.

 

Joe Carrigan: Well, it worked. They got one victim in Minnesota who told police she met two men across the street from a county office building and paid the scammer 16 grand. So they got $16,000 out of one victim which is a lot of money. Now that was in Minnesota. So, you know, these guys were in Iowa or in Georgia. Iowa police are scamming them in the -- they're probably hitting people in Iowa as well. Once the FBI gets involved they find out they're hitting people in Minnesota as well. So yeah. $16,000. That's probably the highest amount they got out of somebody.

 

Maria Varmazis: Yeah. I'm just thinking. We've got drones. We've got illicit cell phones. We've got a list of people for this specific scam. And then you have the people on the ground receiving money. This is a very sophisticated scam.

 

Joe Carrigan: Right. Right. And these guys in prison don't have anything else to do, but just -- good news. They're going to spend more time in prison and they're going to go to federal prison. Three. Not only Weatherspoon, but also three other guys. And they're going to have to pay restitution to the victims. So that's the first story I have. The second story this -- and it's good that they're -- that these guys are going to be spending more time in prison. And I wanted to focus on people spending time in prison today because, you know, a little bit of good news because we frequently have these horrible stories about not being -- you know, these stories not turning out good. And there is a Cincinnati man who was accused of taking over $2 million by defrauding people from websites. And this comes from Grace Erwin at WCPO which I imagine would probably be one of Dave's favorite radio stations if he was -- television stations if he lived in Cincinnati.

 

Maria Varmazis: 3PO. WCPO. Yeah. Yeah.

 

Joe Carrigan: WCPO. Yeah. That's -- I'm kind of reaching there I guess, but my -- I love the sub headline to this story.

 

Maria Varmazis: I got it. Yeah. Yeah.

 

Joe Carrigan: The sub headline is "Cincinnati man pleads guilty to scamming dozens out of over $2 million in dating app fraud." The man is accused of creating dating profiles using false information. So.

 

Maria Varmazis: Well, a lot of men are in trouble now.

 

Joe Carrigan: Yeah. Yeah. And women. There are a lot of women out there who also -- a lot of people are in trouble here.

 

Maria Varmazis: All those 6 foot 1 men on dating apps are just sweating bullets right now. Hilariously that is my husband's actual height though. I will just put that out there.

 

Joe Carrigan: My son is 5' 2" and puts that on the apps and he says it --

 

Maria Varmazis: Actually 6' 2".

 

Joe Carrigan: Yeah. He's actually he's tall. He's a big guy. Gets a lot of -- a lot of his genetics from my wife's side of the family where the men tend to be much taller than my side of the family where I at 6 feet even was one of the tallest men in my family. Anyway this guy his name is Richard Agyeman, Agyeman, A-G-Y-E-M-A-N. And he is 41 and he has been accused of doing the typical thing where he sets up dating profiles using other people's pictures and then goes on to trick the victims in to sending him money under the false pretenses that they're going to "Oh, I need medical expenses. I have these medical expenses. Oh, I got in to a terrible car accident. I need some money to fix my car. I need these other -- I'll pay you back. I'll pay you back. I promise." But dozens of victims sent him over $2 million by wiring money or depositing checks in to accounts he controlled.

 

Maria Varmazis: Wow.

 

Joe Carrigan: Yep. He was originally indicted on 11 charges including conspiracy to commit wire fraud, money laundering, and engaging in a monetary transaction with proceeds from criminal activity which I didn't know was a crime. So I mean let me ask you. If you're committing a crime and you're profiting from it does that mean you can't spend the money? That doesn't make any sense to me.

 

Maria Varmazis: Is that where you're drawing the line?

 

Joe Carrigan: No. I'm not drawing a line. I draw the line way before the criminal activity.

 

Maria Varmazis: Like excuse me. Profit is sacred. What are we Ferengi? Anyway yes. I'm getting a little Star Trekkie now.

 

Joe Carrigan: So after he was federally charged, which by the way when you hear those terms understand that that is a no fooling charge and when people -- when the federal government charges you with a crime they're pretty sure they can convict you. They don't waste their time on trials that they can't convict you. Agyeman pled guilty to one count of money laundering stemming from a transfer of $32,000 from way back in 2022. And the plea agreement says that he's going to spend -- or recommends a sentence rather because he hasn't been sentenced yet, but he has pled guilty. So they recommended a sentence of 41 months in prison. So he's going to spend a little less than three and a half years in the federal pen to quote [inaudible 00:14:43].

 

Maria Varmazis: Yeah. It's a [inaudible 00:14:45] for sure if the feds are going after you. So don't -- don't be stupid. Don't do crime.

 

Joe Carrigan: When you gain federal attention in these kind of cases -- I'm really glad to see news stories like this. I think we need to see a lot more news stories of people who are -- you know, even people who are in prison getting sentenced to more prison time. And people who are not in prison then going in to prison for three and a half years.

 

Maria Varmazis: Honestly I think -- I hear these stories and I also think some people need better hobbies. I mean honestly. Like just it's just it's so much work and I'm just thinking, "It's just -- just do something more fun with your time." You won't get sent to the federal prison. I mean come on, guys.

 

Joe Carrigan: Right. I can imagine this being fun. I mean well maybe it's just because --

 

Maria Varmazis: The money. The money's fun. But oh take up knitting or something. Come on. Just --

 

Joe Carrigan: I've tried crocheting and I hated every second of it.

 

Maria Varmazis: May I interest you in knitting?

 

Joe Carrigan: Maybe. I'll hear it. I'm more interested in weaving. I actually bought a loom. So.

 

Maria Varmazis: Weaving is a great deal of fun. Also how are your chickens, Joe? How are they doing?

 

Joe Carrigan: My chickens are doing great. They're getting big. But they're still not ready to go outside yet. I was just actually -- my wife was just down here in the basement and she's like, you know, this -- we were talking about how this room is still a mess even after our move almost a year ago now. And she's like once you get out of here you won't be leaving this room. Once this room is cleaned up you won't leave it. I'm like, "My chickens will still be outside." And she said, "You'll probably bring them down here." And I said "Maybe."

 

Maria Varmazis: Do chickens over winter in basements?

 

Joe Carrigan: No. They do not. They over -- they over winter in coops and yeah. The thing about chickens is they really don't care about where they poop. They don't care. It's not their concern. So they don't -- I don't plan on bringing them in the house ever.

 

Maria Varmazis: That is smart.

 

Joe Carrigan: Yeah.

 

Maria Varmazis: Yeah. No one wants that.

 

Joe Carrigan: Like most birds.

 

Maria Varmazis: Yes. Like most birds. I was just thinking that. Like most birds. Well, thank you for that very important chicken update, Joe. And also your stories were excellent. So thank you for that. I think we did Dave proud. And let's take a little ad break now. Okay. And we are back and now it's my turn to disappoint Dave. I mean making Dave proud. So I also have two stories except my first one's not really a story as much as it's a I want you listeners to go to this link and then share this link. And I'm not trying to phish or scam anybody. It's a Reuters story and it's called "Scammed into Scamming" and it's -- here. I'm just going to read the subhead. Across southeast Asia a multi billion dollar fraud industry has emerged staffed in part by victims of trafficking. In lawless regions of the Myanmar Thai border compounds run by Chinese criminal gangs contain thousands of people forced to scam strangers online or face brutal punishment. Thailand has become a key transit hub for trafficking victims Reuters' found. Okay. This -- for listeners of our show that is not new, but this story is told in sort of an illustrative style. It's very, very compelling. It goes in to really harrowing detail about some victims of human trafficking and what they've experienced in these call centers which again we've covered on this show how horrible this is. So if this is something that you want to learn more about I really encourage you to go to this link. We'll have it in the show notes. Again it's a Reuters story called "Scammed into Scamming." And I really encourage you also to share it with people because the way it's told it's very easy to follow. It's very compelling. And I think a lot more people need to be aware of what is going on. These scams are horrible. You know, they trick people out of a lot of money and we covered that. But also the people who are being trafficked and kidnapped it's a horrific crime. So.

 

Joe Carrigan: I have -- I actually have an issue with the term human trafficking here because human trafficking could be -- we think of it as -- sometimes we think of it as a crime with victims and sometimes we think of it as a service. Right? Like I need to get in to this country illegally and there's a whole industry around that in the United States. The people that do it are called --

 

Maria Varmazis: A lot of the world. Yeah.

 

Joe Carrigan: Yeah. Right. Called coyotes. And sometimes these people are not victims. Right? Sometimes they're actually customers. A lot of times. But they're taking a huge risk and a lot of times they're victimized along the way. I'm not saying that this is always a cake walk. That's not what I'm saying. But what's going on here is not human trafficking. This is just slavery. That's what we should call this.

 

Maria Varmazis: Yes. It is slavery. These people are being kidnapped and enslaved. I mean that's -- that's just you're right on that. That is exactly what is happening. And I think listeners of our show know that very well and very good points, Joe. And I want to make sure that if there's some advocacy listeners would like to do and broadcasting this out to your community so people know. I don't think people understand the scale of what's going on and this story tells it very, very well. So just I wanted to put a shout out to the story in our episode because I think it's just really worth taking a look at.

 

Joe Carrigan: Yeah. It's a very important topic.

 

Maria Varmazis: It really truly is. And the more I learn about it the more horrified I get.

 

Joe Carrigan: It's just awful.

 

Maria Varmazis: It really is just awful. All right. So for my second story this is something that I was reading about in "Wired" recently and it's about cyber criminals have a weird new way to target you with scam texts. And it's a story by Matt Burgess. Yes. Like we needed that. But it's sort of one of those what's old is new again because this is a story about SMS blasters. Joe, I bet you've heard of these, the backpack size things where people walk around basically blasting text messages through like little tiny antenna. This is not a totally --

 

Joe Carrigan: I have not heard of this, but I've seen like jammers like that.

 

Maria Varmazis: Yeah. Sort of akin. I mean not the same. It's in that family I think. If you've ever been to Defcon or any kind of hacker conference you'll see people with things like this on their backs sometimes. Not necessarily doing this. You'll see people with antenna in backpacks doing fun stuff. This is a specific -- I don't know. Again I don't think this is necessarily new, but it's sort of new to us right now. So SMS blasters just so everybody can understand what this is they're little devices again. They are often backpack sized that impersonate a cell phone tower. So they simulate a cell site. So criminals will then drive around in a van or just carry them in a crowd, in a city especially, and then phones in range of this SMS blaster will then be forced to connect to that fake tower in their backpack. So what will happen is the blaster will capture phones on a fake 4G signal. A lot of phones nowadays are on at least 4G if not 5G. And then the blaster will force the phones to downgrade to 2G signal which is a much older version of -- well, I'm trying to remember when we were all on 2G. This was basically phone and text only. I don't think it was even -- if data existed it was minuscule.

 

Joe Carrigan: Yeah. I'm not a phone guy, but I do know that 2G had absolutely no security.

 

Maria Varmazis: Zero security. Zip. Yes. That's right. And then basically while those phones are being forced to go in to 2G the blaster will blast out a ton of malicious SMS messages with links. So it still does depend on the recipient of these spam messages to actually take an action and click the link and get phished. However the blasters are essentially taking advantage of the fact that phones have a built in hierarchy of essentially five years not available you can downgrade to four and etcetera, etcetera, etcetera. And most of our phones have the ability to connect to 2G if that's all that's available. And the blaster, people using the blasters, know that. So they're going, "Well, if we can force you to connect to 2G your phones are basically going to have to connect to it and then we can just do whatever we want." And the interesting thing to me about this technology is that cycle of capture the phones on 4G, downgrade them to 2G, blast the scam text out, and then let the phones go. Happens in a matter of seconds. Like 10 seconds at most. So all that time your phone's probably in your pocket. You don't even realize what has happened. You're not necessarily staring at your screen and going, "Oh, that's weird. Why am I suddenly on a 2G network right now?" You won't even know.

 

Joe Carrigan: Yeah. You just start getting tons of texts.

 

Maria Varmazis: Yeah. Yeah. Exactly. So the reason "Wired" was looking in to this, and the reason why this has been happening more and more is I guess a weird silver lining to all the spam messages we've all been getting in the last years. Mobile carriers are getting better about recognizing these and they're actually doing better at filtering those out from the source and blocking scam texts before we receive them. Hooray. So now criminals are going, "Well, we've got to get around that. And instead of trying to blast things out on a macro macro scale let's go really old school, get boots on the ground, and blast these scam messages in areas where we can hit a lot of people at once." So these SMS blasters do operate outside of normal carrier controls. So the filters that the carriers are deploying do not apply. So this is a great way for them to completely circumvent all that control again at the sort of top level.

 

Joe Carrigan: Right because they're in control of the communication to the phone.

 

Maria Varmazis: Correct. It's like almost a grassroots thing. Interestingly enough. But of course it's being used for terrible reasons in this case. And then so this is not one of those capabilities that we should keep an eye on because maybe one day it will get deployed. It is actually happening. So unlike -- I'm trying to think of like what's the one? USB jacking which is a threat that everybody loves to talk about, but a lot of security researchers are like this has actually never happened. SMS blasting is a thing that is happening. So for example there are some reported capabilities of messages sent to all phones in a 1,000 meter radius. So 1 kilometer radius. Right? Am I doing that correct?

 

Joe Carrigan: Yeah. That's 1 kilometer radius. But that is an area of 3.14 square kilometers.

 

Maria Varmazis: There you go. But 3.14. Interesting. Yes. Almost like pi is involved there.

 

Joe Carrigan: Pi is involved. Right?

 

Maria Varmazis: There was one incident reported in Bangkok Thailand that reportedly blasted over 10,000 SMSs in an hour. Sorry. Not 10,000. 100,000. I can read. 100,000 SMSs in an hour. This SMS blaster use has been detected in Asia, Europe, and South America so far. And then one quote from the article that I wanted to pull out was, "Law enforcement officials in London say they have so far seized seven SMS blasters and in June of this year, 2025, a student from China was sentenced to jail for more than a year after being caught using one of these devices." So yeah. So as I mentioned at the top of this story the messages themselves do rely on the oldie phishing techniques. So these are scam messages and scam links and they are being pushed to the user. You need to -- in order to be scammed you have to click and be compromised. So that attack chain is still sort of the way it's always been. So it does require the user to essentially fall for this scam. So if you get a scam message and you go, "That's obviously a scam" and delete it, great. You're good. So that is sort of the best way to protect yourself is notice that it's a scam text. Don't fall for it of course. It's like obvious. Notice obvious. But if you're not sure of what this is, you know, definitely don't enter any personal data anywhere. As we've mentioned many times, go to the source. If somebody's purporting to be from a company saying, "Hey, you owe us money" or, you know, there was some sort of issue with your account, don't go through the link that you've been texted. Go directly to the company's site or call a verified number, not one that you necessarily Googled. Be careful. And one note that "Wired" put in their article that had me a little bit iffy was you can actually disable 2G access on your phone if your device and carrier allow it. Many Androids will let you do this. IPhones have Apple's lock down mode that technically will allow you to limit legacy connections like 2G. But there are downsides to that. So if you're in an area where cell phone connectivity is poor sometimes the only way you can connect is through 2G. So you may not want to actually disable that. It's going to be up to you, sort of your living situation. I personally like being able to connect to 2G when it's the only option I've got. So you'll see, but keeping your device updated will also help. And if you an SMS that you see is suspicious always report it to your carrier if you can or if there are national reporting hot-lines do so as well.

 

Joe Carrigan: So while you're talking, Maria, I whip out my Android phone, my Google pixel 6 which needs to be replaced. It's getting end of life soon.

 

Maria Varmazis: Walk us through it.

 

Joe Carrigan: So what happens is you go to settings and then you can look for the advanced protection setting and it is you can either turn it off or on and it's a -- it looks like it does seven different things, one of which is prevents you from connecting to 2G networks. But it also has like app protection and device safety that is like theft detection lock, offline device lock, and inactivity reboot, restarts device if it remains locked for three days.

 

Maria Varmazis: Is it you need to deploy? Is it just a little toggle to say disable 2G?

 

Joe Carrigan: It is just a toggle. But it impacts everything. It doesn't just disable 2G. And there's no modularity to this. You're getting all of it or none of it.

 

Maria Varmazis: Okay because I was thinking if it was a matter of saying just turn off the ability to connect to 2G I would probably keep that on all the time unless I'm somewhere really rural where I'm going, "I have no cell phone connection out here. Let me see if I can at least get a 2G signal."

 

Joe Carrigan: Interesting. It also has protection against scam calls and texts as a thing, and that's interesting because this morning --

 

Maria Varmazis: Why is that not default?

 

Joe Carrigan: I don't know. This morning I looked over and saw a phone call coming in that said "Scam." Probable scam or something like that. And I answered it and it was some woman saying, "Hey, I'm looking at your file and we've got all your credit card information here and we see -- I see that you can save a lot of money by going with a debt consolidation loan." I said, "You're looking at my file?" She goes "Yeah." I say "What's my name?"

 

Maria Varmazis: [Laughs]. I don't know. Tell me your name.

 

Joe Carrigan: And she was like "Uh, it's all encrypted and kept safe and secure and only an account executive -- " Okay. So what's my name? I mean that should be a simple thing and it shouldn't -- that part shouldn't be encrypted. And then eventually she hung up. So.

 

Maria Varmazis: That's so funny. Wow. Well, this is one of those things, this SMS blaster situation, something to be aware of. I don't think people need to be losing sleep over it. But certainly just always treat links in SMS and text messages as suspicious. I think that's just always good standard operating procedure. We always encourage that. And if disabling 2G makes sense for you that's something that you may want to consider as well. So. And hopefully we will get better in terms of law enforcement and also carriers at detecting this kind of thing and being able to shut it down. But it may be an escalating cat and mouse game with this kind of capability. So something we'll keep an eye on.

 

Joe Carrigan: Yep.

 

Maria Varmazis: All right. So that is -- those are my stories. Let's move on over now to the Catch of the Day. [ Sound Bite of Reeling in Fishing Line ] [ Music ]

 

Joe Carrigan: Maria, our Catch of the Day is a post from R slash scams on Reddit. The scam starts off with it's a letter from a U.S law firm, but no real information is given or rather --

 

Maria Varmazis: So it's a physical letter that's been mailed to someone's home?

 

Joe Carrigan: Physical piece of mail has been sent to this person. This person has posted a picture of it in the Reddit interface. I don't know what you call it in the chat. It's not a chat. It's a post.

 

Maria Varmazis: In a post. In a post. Yeah.

 

Joe Carrigan: I'm not a big Reddit guy. I have an account, but that's about it.

 

Maria Varmazis: Do -- shall I read it then?

 

Joe Carrigan: Yes. You should read this. It's --

 

Maria Varmazis: Okay. So it's on very official letterhead I should notice and it says -- the letterhead says it's from Goldberg and Cohen Legal Group. And I'll just read the text. "Case number GC199070." I can say numbers. "Case number GC19972. Amount owed $1,634.16. This notice is to formally inform you that Goldberg and Cohen Legal Group now represents a client in relation to your delinquent account. You have ignored previous attempts to resolve this matter by prior collection agencies retained by our client. You are hereby notified that a recommendation to file a lawsuit to collect this debt may be the next step resulting in a judgment entered against you. Notice of impending legal action due to the significant delinquency of your loan. We are compelled to initiate immediate legal action to recover the outstanding debt. If restitution is not made this action may result in further legal consequences, consequences of a judgment. A judgment is a grave matter with serious repercussions including but not limited to wage garnishment, court order required for a spouse or domestic partner, levy on bank accounts or safe deposit boxes, liens on real or personal property, suspension of licenses, real estate contractor or drivers under certain conditions. The total claim may encompass the principal amount, accumulated interest, court fees, and legal costs. We reserve the right to subpoena financial institutions, employers, and other entities listed on the initial application of their testimony should this case advance to court." Sorry. Some of the text is cut off. "Required action to prevent further legal proceedings. You must contact our office within 10 days of receiving this letter. Ignoring this notice will be interpreted as a refusal to settle the debt prompting immediate litigation. We trust you will treat this matter with the urgency it demands. Sincerely Carlton J. Edwards, legal administrator."

 

Joe Carrigan: Right.

 

Maria Varmazis: I'm trying to make it sound scary because it looks scary.

 

Joe Carrigan: Yeah. It does look scary. This is frightening. It -- this actually has a date on it of September 12, 2025 and we're recording this a little more than a week later. Or a little less than a week later. So I mean this is very recent. There are -- somebody points out in the comments here that, "Yep. This is a scam. We've seen this before including using this exact law firm," this exact fake law firm. What's interesting is that the address that shows up is like a 14 story office building and there's no -- there's no suite number on the Goldberg and Cohen Legal Group. And I don't know of a law firm that takes up 14 stories of a building that participates in this kind of law. There is a Goldberg - or is it the Cohen Group? I looked it up. There -- it's -- but it's a family law. And it's just one lawyer in the office.

 

Maria Varmazis: Yeah. There's no -- there is no Goldberg and Cohen Legal Group. This does not exist. A cursory Google will reveal that pretty quickly. It's amazing.

 

Joe Carrigan: Right. The -- the guy who responded to it goes on to say that, you know, if you have any collections under the Fair Debt Collections Act the communication has to say who you owe the debt to. So that's a dead give away. There's no -- there's no -- there's no name here. If the debt is owed to the client then the name of that client, whatever entity it is, has to be listed here. It can be a person. You know, you can -- somebody can be suing you for -- or having a lawyer contact you for money you owe them over some agreement. It could be a company. It could be a bank. It can be anything, but it has to be listed whoever it is. So yeah. This is all fake and BS. You know, I think -- I think what I would do here is, you know, call -- report it to law enforcement if you get this, and maybe give them the phone numbers that -- and they can make a phone call or they can take some action from their end. But otherwise yeah. Just ignore these things.

 

Maria Varmazis: Yeah. It is I want to repeat this is a very scary official looking letter. Like this would scare me if I got this in the mail.

 

Joe Carrigan: Yep.

 

Maria Varmazis: So I mean it's -- it does not look like it's on cheap letterhead. It's not even printed in black ink. It's printed in navy ink which to me makes me go, "Oh. Somebody put some money in to this."

 

Joe Carrigan: Right.

 

Maria Varmazis: I mean this is a little "American Psycho" of me, but even the paper looks nice. So it's -- this -- I could absolutely see this snowing people because this would have given me a bit of a fright.

 

Joe Carrigan: It took a little while for me to get the "American Psycho" reference, but I got it. Yeah. It showed up.

 

Maria Varmazis: The card stock, it's really nice. Yeah. I can't quote the movie, but yeah.

 

Joe Carrigan: Right. The funny thing is also in here the case. They try to put a case up top and it's like regarding Goldberg and Cohen versus and the guy has scratched his name out. But I'm guessing it's just Goldberg and Cohen versus whoever. You know, this is a form letter that if this was sent to me it'd be Goldberg and Cohen versus Joe Carrigan. I would be like, "That's a boxing match I'll take on any day." I get to beat up a couple of lawyers? All right. Let's go.

 

Maria Varmazis: Fun times. Yeah. Carlton J. Edwards.

 

Joe Carrigan: Although if I got in to the ring with Ben Yelin I think he'd probably kick my butt.

 

Maria Varmazis: I would put money on that. Sorry, Joe. But it's true. Well, thank you for that, Joe. This was a really good Catch of the Day. So hopefully people will be aware and not get freaked out if they get something like this in the mail. It is indeed a scam. Okay. Let's take a quick break before we close out. [ Music ] And that is "Hacking Humans" brought to you by N2K CyberWire. We always would love to know what you think of our podcast. Your feedback ensures that we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, and of course we always hope that you do, please share a rating and review in your podcast app. You can also fill out the survey in our show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection we bring you the people, the technology, and the ideas shaping the future of secure innovation. Learn how at N2K.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We are mixed by Elliott Peltzman and Tre Hester. Peter Kilpe is our publisher. And I'm Maria Varmazis.

 

Joe Carrigan: And I'm Joe Carrigan.

 

Maria Varmazis: And we miss Dave Bittner. Thanks for listening [laughs]. [ Music ]

Hacking Humans
Podcast Info
HOST(S):
Dave Bittner
Joe Carrigan
Maria Varmazis
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Joe Carrigan has been a Software and Security Engineer for 25 years and has been working in the security field for more than 15 years focusing on usable security, security integrations social engineering, and security awareness. He has experience in a broad range of fields including authentication systems, embedded systems, data migration, and network communication.
Maria Varmazis is a podcast producer and journalist specializing in space, cybersecurity, and emerging technology. She translates complex industry developments into clear, engaging conversations and thoughtful storytelling that connects technical subjects to the people and ideas shaping the future. Maria is the host of T-Minus: Space-Cyber Briefing and co-host of Hacking Humans.
Schedule: Thursdays
Creator: N2K Networks, Inc.
ADVERTISEMENT
Sponsored by ThreatLocker
Sponsored by ThreatLocker

ThreatLocker® is a Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. With ThreatLocker, you can allow only what you need and block everything else, including ransomware! Learn more.