A (5:21)

Thank you. No, before we get started, I just want to say that the views and opinions I express today are my own and do not necessarily reflect the opinion of the BBB Institute, the International association of Better Business Bureaus, or independently owned and operated Better Business Bureaus.

B (5:38)

Fantastic. This will make sure you stay employed, which is a good thing. So let's take this back to I like to bring things back to bare concept and then build from there to make certain that when we all use terms that we know what we're talking about, what we're not talking about. So you are an expert compared to most of the people who will be listening and definitely compared to me. But in layman's terms, what's fraud?

A (6:15)

Yeah, it's a great question. And actually technically fraud and scams, which is what I focus on mostly are scams are a little can be defined differently by depending on who you speak to. So when I talk about scams, what I mean by that is somebody who is a criminal who is doing some sort of scheme to steal your money or your identity or whatnot. And so they'll they may pretend to be somebody else. There may be all kinds of different tactics that they use but they will convince you to take action to pay them money. And then there's fraud, which is very similar. And the difference with fraud is that oftentimes it's somebody taking money out of your account where you haven't actually given them permission to do that.

B (7:07)

So that's interesting. That's interesting. So fraud would require access to my monetary instruments, if you will, my checking account, my credit card, et cetera, that I am not giving them, that they are using to extract my money, et cetera. Whereas a scam is convincing me to part with my money.

A (7:33)

That's correct.

B (7:35)

I know the institution you work for and what it's designed to do. Talk to our listeners about what the Institute for Marketplace Trust does and who it represents within the community. Let's do a little education about that first, please.

A (7:52)

Yes. So the BBB Institute for Marketplace Trust is the 501c3 educational foundation of the International association of BBBs. And so we are a nonprofit organization. So is the Better Business Bureau, by the way. It's a C6 and has the same mission that we do, which is to foster marketplace Trust. But the Institute does a lot of charitable work. And particularly the biggest part of our portfolio is around scam prevention and educating people on how to protect themselves, creating tools to help them protect themselves, and so forth. And so we have programs that are delivered by our network of BBBs. As many of you know, there are Better Business Bureaus in all of your communities. And so we work at the national level to create programs and resources that are then distributed by local BBBs in their local communities.

B (8:51)

Is the target for your education individuals, or is it small businesses? Is it both?

A (8:56)

It's both, for sure.

B (8:59)

Were you seeing then the bulk of interest in the services that you provide? Are you seeing small businesses begin to rise to the occasion and recognize that they themselves are becoming bigger targets? Or are you seeing individuals? Or is that something you track?

A (9:15)

So we get the bulk of our reports to our platforms. Just another note, we have a platform called BBB Scam Tracker, and people are allowed to come in and report scams, and they can also actually search to find out if they're being targeted because we publish scam reports. So we do a lot of research around that. And so when you ask about data, that's where I'm referring as I'm going into looking at our research. And the bulk of our reports for scams come from individuals, for sure. And we are trying to. One of the focuses for us is to get out and understand a little bit better of what's happening because small businesses are definitely being targeted as well. I'm not sure they're reporting it as often as individuals are. And so it's a matter of self reporting. Right. Can be a problem. It depends on who's reporting and that's what you know. And so there's, that's the other thing. When we look at what the full impact of scams are, it's hard to understand because we only know what's being reported. You know, there's a lot of people that never report the scams when they're targeted.

B (10:20)

Based upon what you're seeing, is there any trend in terms of the types of scams that are being perpetrated and what are the top. And again, I don't need you to go back into burying you through the data now, just top of head. What are the top two or three scams that seem to be perpetrated here and the follow on to that. Has there been any change in terms of those top two or three in the past X number of years?

A (10:49)

Definitely. So we publish every year what's called the BBB Scam Tracker Risk Report. And it's an, it's essentially a full data year over year comparing what's happening in the with scams targeting both individuals and small businesses. And it, it actually has a list of what we call the riskiest scams. And so that's how we differentiate what's having the biggest impact on people. So it's not just what's the volume of a specific, what's the most common, it's which scams are actually having the biggest impact on the public.

B (11:20)

So what are you seeing?

A (11:21)

Yeah, and the way that we decide that is there's three things we're looking at. We're looking at yes, the volume of a specific scam type. So for example, online purchase scams, those are the scams where you go online, you buy something at a fake website and it never arrives. But so you're out the money that you spent spent. About 30% of what we get are online shopping scams. So they're, they're that has the most volume or exposure, if you will. The second thing we look at is susceptibility and that's the percentage of people who say they lost money when they're targeted by that specific scam type. So with online shopping scams it's pretty high. It's like 80 some percent typically report if they ran into that website, they actually went ahead and they paid and they lost their money. So it's Pretty high. And then the third factor is median dollar loss, and that is, on average, how much do people lose when they did lose money to this scam type? And so for online shopping scams, following up on that, it's. It's pretty low. It's like a hundred bucks, you know, so it's the impact overall over the last few years since the pandemic, that was one of our riskiest scams. Just because it was hitting so many people and such a high percentage of people were losing money to them. But the overall loss is pretty low. It's not gonna change your life.

B (12:38)

It's a volume based attack. It's not trying to steal $100,000 from you, it's trying to steal $100 from 10,000 people.

A (12:46)

Exactly, exactly. But however, the thing that you're asking about the change we've seen over the last few years, Kim. And that dropped to number four this year.

B (12:57)

Really?

A (12:58)

Okay. Yeah. So while it's the most prevalent of the scam types we track, the impact is still the same. But the reason it dropped is because the scams that landed in the top three spots are just having a huge impact on people right now.

B (13:12)

And they are.

A (13:14)

Yeah. Long story short, the riskiest scam this year is investment cryptocurrency scams, and that was also riskiest last year. So this is the second year in a row we've seen that happen. And what happens there is that's a combination of a scammer basically promising to get you, make you money at very little risk to no risk, which we know is not something that's true. There's no investment opportunity that comes with zero risk. So it ranges from all kinds of different opportunities they offer you. They take your money and they're gonna make money for you. The cryptocurrency, we've sort of connected it that was collected as a separate scam type, but we found that over the last few years that most of the investment scams are crypto. Now. There's. So a lot of what's happening is people are promising to help you make money in crypto. What they're doing is they're encouraging people to go onto fake platforms that put their money in. What happens is the money appears to be growing and people get very, very excited. And then they start taking loans out. They start, you know, basically investing those savings into it, because they think, I can actually retire early. I'm making all this money on it, not realizing that they're about to lose their life savings.

B (14:36)

So let me. I'm going to take us a little bit off that tree branch just a little. I want to come back to talk about what the top two are because I think it's important. Are we seeing a prevalence or an uptick in crypto scam? And again, I understand these are all opinions. I understand that opinions may not be fully supported by the data, but you have more data and looking at this closer than we are right now, we've begun to see, at least here in the States, a normalization, if you will, of crypto, if not an encouragement around crypto, given the changes in the regulatory framework and the encouragement from the executive branch of government here. Do we and this would, and maybe the timing will help with this. Could this be a contributor? Do you think this is a contributor? Does the timing of this uptake indicate it might be a contributor or am I drawing false inferences, which I very well may be? What do you think?

A (15:39)

I'm not sure. I think so. For our data, I would tell you there are more of them, but I don't think that's the reason it landed. Number one, it isn't because of the prevalence, it's because of the massive amount of money people are losing when they do. That's the reason and that's it's in the other ones on our top three similar and the other thing I would say on this is crypto is there's legitimate cryptocurrency platforms, right? The, the issue is this is brand new still. There's not as much regulation around it. And anytime that's the situation, scammers are going to come and take advantage of that, right? They're going to try to take advantage of the news. They're trying to take advantage of new technologies, particularly around areas where people may not fully understand how it works and, and basically become impersonators to pretend like they know what they're doing and, and offer up this great opportunity for you.

B (16:45)

Sam.

A (17:10)

Foreign.

B (17:23)

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack zero trust networks from the ground up, with security at the core, at the edge and everywhere in between. Meter Designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn, every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's me t e r.com CISOP Foreign Ray Ban display the world's most advanced AI glasses with a full color display built into the lens of the glasses. It's there when you need it and gone when you don't. Send and receive messages, translate or caption live conversations, collaborate with Meta, AI and more. Be one of the first to try Meta Ray ban display. Visit meta.com metaraybanddisplay to book a demo and find your pair.

A (19:41)

So the second riskiest are employment scams. And these are hitting young people particularly, although they're, they're hitting all age groups. But it's number one risk is for the younger age groups that we track. And what happens in this typically is somebody is looking for work and they have an online interview with a really great potential. It's a job offer that often is remote work, it's great pay, you know, it's, it's low skills, like anyone could do it kind of thing. And so what happens is they get hired and they start work in the traditional way that this has been perpetrated is the, the new employer basically will say we are going to send you a check in the mail for, for office equipment or training or whatever it is that's needed. And as soon as it gets to the person that it comes FedEx, they make it look very official. That person is told to put it in their bank account and then very quickly they're told transfer that to this other account. And that's the account that will be sending you your office equipment or setting you up for your training or whatever it is. Then one of the key things about this that I think is interesting is that young people I know I have teenagers who don't really know how checks work. They don't know that when you deposit it in the bank that it, even though it's in your account, it hasn't cleared the other bank yet and it might not be good and it may come back out of your account. And so what's happening is folks are transferring their own real funds before realizing.

B (21:14)

That the bank before the check clears. So the check itself is kited.

A (21:20)

Yes.

B (21:21)

You send me a check for $1,000 that doesn't have anything backing it. I transfer you $1,000 out of my account that really exists. So that's now in your account is gone forever. And the check you sent me bounces in there. I disappear as well.

A (21:36)

Yes.

B (21:37)

Okay.

A (21:38)

The other interesting thing about this, though, is that one thing about scammers is they change their tactics constantly. Right? They. They're just figuring out, like I said, they're. They're using anything new that works. So one of the newer employment scams that we're seeing is now people are being hired to do online marketing, where they go to a website and they're just checking things off and whatever, and they're getting paid in crypto. And now. So it's the same. It sort of takes you. It's just a different way to onboard you into the same scam where you end up on these platforms and they're paying you in crypto, and you start to see the money and then you're putting your own money in.

B (22:18)

So you hire me to go review things online or what have you. You agree to pay me in crypto, so you pay me in crypto within the environment, and I'm being asked to transfer real money out instead to a business account. Is that, Is that what's happening or what's happening?

A (22:37)

Yeah, what's happening is people start to see the money grow, and so they're like, wow, I have my own crypto account and they're paying me. And look at how quick it's growing. And so they get excited to put their own money in to sort of start to. To make it. It's. It's an investment scam, and it turns into that eventually.

B (22:54)

So we've got crypto scams. We have employment scams. We have a combination of employment scams using crypto. What's the third?

A (23:04)

The third also can involve crypto as well. The third are romance slash friendship scams. And you probably have all heard of these romance scams that have been going on.

B (23:16)

Talk us through it anyway.

A (23:17)

Yeah. So please. Typically, traditionally, what's happened is these are folks who reach out and fill a gap in somebody's life. You know, it's. It's somebody who. And. And the reason we changed the name is it used to just be romance scam. It's now romance slash friendship scam because it doesn't always have to Be a romantic encounter. It could be you just met your best friend, you know, and this is. This is somebody who's there for you always. And so these are really relationship scams. And they can start in a variety of different ways. A lot of times they start with a random text that's intentionally very vague, but it sounds like they know you, so it might be, hey, are you bringing the plates tonight? Or something, really. And so the person being nice to say you have the wrong thing, which is. Gives the opportunity for the scammer to start a conversation with the person. And before you know it, you've started a conversation with this person and it's developed. It develops into something. Can also happen with a direct message on a social media platform. It can happen on a dating website. It can happen on all kinds of social media where they just. They connect with you and start a conversation. And what happens with a lot of folks is. And this can particularly happen if somebody's going through a major life change. They've lost their spouse, they've been through a divorce, you know, they're lonely in some way, and this person suddenly is their best friend. And they're always there. I've talked to victims who say later, even after they realize it was a scam, how much they miss that person. And this person was the only one that was there for them whenever they needed them, they were always there. And so their relationship scams. And I say that because in some cases, we find out later that this person texted throughout the day for weeks and months on end to build this relationship. So the idea is to build trust with this person. And eventually, if it's been gone on for months, you almost this person. This is like your best friend. It's no longer this person you met online. It's this is one of my best friends. And then it turns into something else. Where traditionally it would be, you know, somebody was overseas and they're stuck in jail and they need you to send money, or they are stuck in customs and they need you to sense. So there was always a reason, an urgent reason. I'll pay you back when I need you to send me money. That's the traditional romance scam. It's evolved into the cryptocurrency scams. What we call. Unfortunately, the term law enforcement has used is pig butchering.

B (25:51)

As I understand that term. Please correct me if I am wrong. It amounts to continuing to take different. As when you butcher a pig or butcher any animal, continue to take different slices of meat and find different ways to actually utilize as Many parts of the pig as you can, and in this case it's the same thing. Finding different ways to extract money from your target. Am I reading that correctly? Is that your understanding?

A (26:21)

Yeah, I think.

B (26:22)

If not, please.

A (26:22)

Yeah, I mean, I, I have had it described of just fattening up the pig for slaughter so you get them to put more and more money in over time until it's time to finally like steal the money.

B (26:35)

So in all three of your. And I'm going to push a little bit and I understand that I'm pushing for opinion and I understand that this opinion may not be supported by the data, but in all three of these scams we're seeing crypto variants of this within the environment. Are you. First question is, are you seeing an increase in volume of reporting, you know.

A (26:59)

In recent years of reporting specific scam types or just in general?

B (27:04)

Yes, in general.

A (27:07)

I mean, I definitely think we've seen an increase in crypto scams in general. Like I said, the reason it's on our list is because of the impact and the amount of money people are losing. But I definitely am hearing it more over the last five years, for sure. I think the exposure is still fairly low for straight up crypto investment scams compared to other things like online shopping, but they have definitely gone up over the years.

B (27:33)

So I guess the next question that I would ask is we've talked about that for individuals as well. Talk to me about what you're seeing in small business. Same priorities within small business, same types of scams targeting, different order in terms of priority in small business. Talk to me.

A (27:51)

Yeah, so for small business, seeing things like phishing and social engineering, you know, that's a big one for small businesses, trying to get employees to click a link and, you know, put ransomware, malware, and then business email compromise is another one that's significant. And that's where somebody pretends to be your boss and, you know, sends you a text to say, I'm in a meeting and I can't talk right now and I need you to wire this money to this account right away.

B (28:25)

I've got to ask, what are we doing wrong? So I can tell the younger CISOs that are out there listening to this, please be better than I am, because clearly I didn't get it right. What do we need to do differently or better?

A (28:38)

I think, see, I can speak for small business, I guess, more than I can speak to anything else. And I think for that audience, I think it's just this need for constant training for everyone. And you Know, I, I think tactics change constantly. Even though phishing and you know, becs are still around, they're just, I think you just have to remind staff constantly that this is, this is an issue. And I, I even, even for my job I'm in, I'm constantly in trainings to remind myself because I think from a, the social engineering aspect of things, there's all these things you can do on the cyber end to try to do your multi factor authentication and all this, but they're focus, I think a lot of scammers are focused on the personal aspect, the human aspect and trying to get to your employees. And that's why I say, I think one of the big things is just it isn't a once and done kind of training with your employees. That's the other thing. So number one, make sure any new employees are constantly updated and they're thinking about this stuff all the time and then just have regular trainings. You know, it's gotta be something that you talk about quite a bit, especially for small businesses that don't have the resources that big companies might.

B (29:54)

Let's talk a little bit regarding expectation management out in the environment. I remain of the opinion, and again, I know this is a little bit outside your wheelhouse, that there's an expectation of perfection regarding stopping bad guys within cybersecurity. If we were doing our jobs right on my end of the fence, phishing would never happen, scammers would never succeed, etc. And I try and remind people that there's been law enforcement around for hundreds, if not thousands of years in one form or fashion, yet crime has not been eradicated. So is this a case of we need to expect that scammers were scammers going to scam and people are going to be hit and we probably need a different metric in terms of how we measure whether or not we are being successful or not. Am I being unrealistic or does that make sense to you and talk to me.

A (30:58)

I think it makes sense. I think those of us who are in this field and talk about scams all the time, it's, it's really frustrating because it just continues to evolve and scammers evolve and, and we, we evolve with it. So I think to your point, we've made a lot of, you know, a lot of changes and we've done a lot of good to try to protect people. It's just that it's, we're, we're, we're advancing at the same level with these scammers. Right? So they're they're using the technology to, to scam people and, and I guess my hope is that we can use AI to stop scammers. I'm hopeful that there's a way, and I don't know what that is, to sort of use AI to sort of detect in real time scams and try to help more. The one thing I am seeing in the work that I'm doing is you can't pin this on one organization or one segment of society. Right. This is. If we're going to solve this problem, we have to work with government agencies and businesses and big companies and nonprofit organizations. We all have to be working together to figure this out.

B (32:06)

Okay, so let me push you for specificity if possible. You are now supreme ruler and empress of the world for a day. So you now have an opportunity to fix or solve this problem. What are the top three things that you would be doing? Or arm twisting, encouraging, cajoling, et cetera, the world to do to help make it harder on the bad guys?

A (32:33)

I don't know if I have three, but I would say that the top thing for me, I think, and this is there's work being done through the Aspen institute with about 80 different organizations, including ours, to figure this out. And includes companies, it includes nonprofits, it includes government agencies. And the number one thing in the United States that they're looking at is a national fraud strategy that is driven by the government because other countries are ahead of us in a lot of respects in terms of taking, taking this issue on. And so that's one thing I would love to see happen. Is there be. And the thing is, I think what gets confusing is yes, there are a lot of government agencies dealing with scams and I could name off about 10 of them. The problem is, I think that they're all kind of out there on their own doing it. I think there needs to be a unified strategy where you bring everyone together to figure this out. And I think that would. That's the hope from this work that's being done right now and this fall. I know they're going to be coming out with their recommendations for that.

B (33:39)

Fantastic. If there's one thing you'd want my audience to know and these listeners to know that we haven't talked about. What would that be?

A (33:47)

Can I give a two. Two things, of course. If you get targeted by scam, please report it. That information is critically important to us, to everybody that's doing this. If we don't know what's happening, we can't warn people. We can't try to stop the scam in the future. And then the other one is just to think about people who have been through this. If you know someone who has been scammed, think about how you how you react to them. Because there's a lot of shame for victims of financial fraud, and it's different than other crimes. We talk about it differently, we treat them differently, and it's something that can be incredibly embarrassing. But we know that these scammers are professional criminals. So we have to put the blame on the criminal and not on the person and not make them feel worse. So that's the other thing I would just say for anyone out there that knows somebody who's been through one of these scams is to step back and think about how you handle it and how you help them.

B (34:47)

That is fantastic, and we will leave it there. Before I conclude, though, one question can anybody get access to the reports, et cetera, that your institute puts out?

A (34:56)

Yes. They're all free on our website. If you go to bvbmarketplacetrust.org There's a whole section on research and all of our reports are available for free. Also go to bvbscamtracker.org if you want to report scams or you want to search to find scams that have been published. That's another thing, if we could put it in a blog, because we estimate that we were able to help people avoid losing about $43 million last year alone by using Skim Tracker, we'll make.

B (35:24)

Sure that both those links end up in the blog. So as always, this was educational. You are always a joy to talk to. And let's not make it six months until we talk again. Thank you so much for giving us your time and your energy and your knowledge. We really appreciate it.

A (35:38)

Thanks. K.

B (35:45)

Foreign and that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show Notes this episode was edited by Ethan Cook, with content strategy provided by Mayon Plout, produced by Liz Stokes, executive produced by Jennifer Ibin, and mixing sound design and original music by Elliott Peltzman. I'm Kim Jones. See you next episode. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.