Podcast Summary: Hacking Humans – "Brushed Aside: The Subtle Scam You Didn't Order"
Release Date: July 3, 2025
Hosts: Dave Bittner, Joe Carrigan, Maria Varmazis
Produced by N2K Networks
1. Email Scams: The e-Vanguard Deception
Timestamp: [00:50] – [02:18]
Joe Carrigan opens the episode with a personal encounter: an email that claimed to come from Vanguard and looked legitimate at first glance, but whose links, on inspection, pointed to "e-vanguard.com" rather than the expected "vanguard.com."
Joe Carrigan [01:21]: "So I reported it as spam immediately. But then I was like, I want maybe... it was really convincing."
It turns out Vanguard has owned "e-vanguard.com" since 2007, so the email was genuine. Joe still criticizes the choice of sending mail from a domain that differs only subtly from the brand's own, because that is exactly the pattern phishers imitate, and a recipient has no good way to tell the two apart. He emphasizes that companies should communicate from clearly recognizable, consistent domains to avoid this confusion.
Joe Carrigan [02:10]: "Why are you using something that looks like a scammer's address to send out your emails?"
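The check Joe describes, inspecting where an email's links actually point, can be automated as a first-pass triage step. The following Python script is an added example, not code from the episode or from any of the people or companies mentioned: it extracts the link targets from an HTML email body (a constructed sample, not the real message), reduces each hostname to its registrable domain, and compares that against the brand domain the email claims to represent. As the e-vanguard.com story shows, a "lookalike" verdict is a signal to verify, not proof of phishing, since brands sometimes really do send from near-miss domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; the domains are chosen to mirror the
# e-vanguard.com vs. vanguard.com situation from the episode.
SAMPLE_EMAIL = """
<html><body>
<p>Your statement is ready.</p>
<a href="https://www.e-vanguard.com/login?ref=stmt">View your statement</a>
<a href="https://investor.vanguard.com/help">Help center</a>
<a href="https://tracking.example.net/u/123">Unsubscribe</a>
<a href="mailto:support@vanguard.com">Contact us</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects the href value of every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def registrable_domain(hostname):
    """Return the last two labels of a hostname (e.g. 'www.e-vanguard.com' ->
    'e-vanguard.com'). Adequate for .com; production code should consult the
    Public Suffix List so that 'shop.example.co.uk' is not reduced to 'co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches typosquats such as 'vangaurd'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, expected):
    """Classify a registrable domain relative to the brand's expected domain:
    'expected' (exact match), 'lookalike' (brand name embedded with extra
    characters, or within two edits of it), or 'unrelated'."""
    if domain == expected:
        return "expected"
    brand = expected.split(".")[0]
    name = domain.split(".")[0]
    if brand in name or edit_distance(name, brand) <= 2:
        return "lookalike"
    return "unrelated"


def audit_links(html, expected_domain):
    """Return (href, registrable_domain, verdict) for every link with a host."""
    findings = []
    for href in extract_links(html):
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, tel: and relative links carry no host to check
        domain = registrable_domain(host)
        findings.append((href, domain, classify_domain(domain, expected_domain)))
    return findings


if __name__ == "__main__":
    for href, domain, verdict in audit_links(SAMPLE_EMAIL, "vanguard.com"):
        print(f"{verdict:10} {domain:20} {href}")
```

Run against the sample, the script labels e-vanguard.com as a lookalike, investor.vanguard.com as expected, and the tracking domain as unrelated. The lookalike heuristic is deliberately broad: any domain that embeds the brand name is flagged, which is what you want for triage and why a human still has to confirm who owns the domain before calling it a scam.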
2. Listener Contribution: The Fortified Chicken Coop
Timestamp: [02:18] – [04:20]
Transitioning to a lighter topic, the hosts discuss a creative listener submission featuring a highly fortified chicken coop. Joe describes the image as reminiscent of a "prepper bunker," complete with a watchtower, sandbags, and even sharks with lasers guarding the moat.
Joe Carrigan [03:10]: "It's surrounded by a moat with sharks with lasers on their heads."
The playful banter continues as the hosts imagine a world where chickens defend their coop by launching eggs, blending humor with creative imagery.
3. Travel Scams: Insights from McAfee's Survey
Timestamp: [05:20] – [14:00]
Maria Varmazis introduces a substantial segment based on McAfee's annual survey on travel scams, which highlights how exposed American travelers are. The survey of 7,000 adults from the U.S., France, Germany, India, Japan, and Australia reported these figures:
- 23% of Americans fell victim to travel scams while booking trips.
- 13% lost over $500, and 5% lost more than $1,000.
- Men were more susceptible than women (29% vs. 18%).
- Younger individuals, particularly those aged 18-24, were at higher risk, with 21% falling for fake confirmation links.
Maria Varmazis [08:58]: "Economic pressures play a role here, with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams."
Common scams identified include:
- Fake Booking and Payment Sites: Scammers create counterfeit websites resembling legitimate booking platforms.
- Fake Confirmation Links: Malicious links that mimic genuine booking confirmations.
- Misleading Listings: Advertisements that manipulate or misrepresent accommodation details.
The hosts share personal anecdotes about encountering misleading listings and emphasize the importance of vigilance when booking travel, especially through third-party sites.
Dave Bittner [13:03]: "We were kind of booking places as we went... the place is a dump. It's a total dump."
4. Social Engineering in Insurance: Rachel Tobac's Expertise
Timestamp: [14:41] – [24:26]
Joe Carrigan delves into a LinkedIn post by Rachel Tobac, a renowned social engineering expert, about a group named "Scattered Spider" that targets insurance companies to steal data using sophisticated social engineering. The group's primary techniques include:
- Impersonating IT and Help Desk Personnel:
  - Technique: Call employees posing as IT support to extract usernames, passwords, and multi-factor authentication (MFA) codes.
  - Quote, Rachel Tobac: "Impersonating IT and help desk people to get passwords and multi-factor authentication codes."
- Using Remote Access Tools while Posing as the Help Desk:
  - Technique: Attackers get remote access tools running on victims' systems to gain unauthorized access, bypassing MFA through tactics like MFA fatigue.
  - Quote, Joe Carrigan [17:09]: "Remote administration tool. You're not our remote administration tool if you're not going to run."
- SIM Swapping:
  - Technique: Fraudulently take over a victim's phone number by impersonating the victim to their telecom provider, then intercept MFA codes sent by SMS.
  - Recommendation: Secure telecom accounts with PINs and stringent verification processes.
  - Quote, Rachel Tobac: "Best way to protect yourself is to put a PIN on your telco account."
Rachel's recommendations for preventing such attacks include:
- Multi-Factor Authentication (MFA) with FIDO Tokens: Utilizing hardware tokens like Yubikeys for enhanced security.
- Application Whitelisting: Allowing only approved applications to run within the network, thereby blocking unauthorized remote access tools.
- Password Managers: Implementing secure password management solutions to prevent credential theft.
Joe Carrigan [22:10]: "If you can do, if you're going to do one thing, multi-factor authentication with a FIDO token... then application whitelisting."
The discussion also touches on the overconfidence individuals have in their ability to detect scams, underscoring the need for robust security protocols.
Dave Bittner [23:42]: "People fall for this and they think, oh, it won't happen to me or I'll be able to detect it."
5. USPS Scam Awareness: A Valuable Resource
Timestamp: [26:46] – [31:03]
Dave Bittner introduces a valuable resource from the United States Postal Service's Postal Inspection Service: a YouTube channel dedicated to educating the public about scams. The channel has over 80 informative and engaging videos covering topics such as:
- Investment Scams
- Romance Scams
- Phishing and Refund Scams
- Tax Scams
Dave Bittner [28:00]: "This is an amazing list of... well produced, they are informational, they are entertaining."
The hosts commend the USPS for its effective use of multimedia to combat fraud and encourage listeners to share these resources with friends and family.
Maria Varmazis [29:21]: "We gotta get them on the show. We gotta talk to someone from them. I would love to pick their brain."
They also share amusing personal stories related to counterfeit stamps, adding a nostalgic touch to the conversation.
6. Personal Stories: Counterfeit Stamps and Their Consequences
Timestamp: [31:03] – [34:26]
The conversation shifts to personal anecdotes about counterfeit stamps, illustrating how such scams operated in the past. Dave recounts a story shared by CyberWire CEO Peter Kilpe about a student at the Rhode Island School of Design who mailed college admissions materials using hand-drawn stamps in place of real postage.
Dave Bittner [31:38]: "We've yet to see any of your work. And the student responded and said... all stamps that I have sent you has been hand drawn."
Joe shares a similar experience from his youth, attempting to reuse stamps by erasing cancellation marks.
Joe Carrigan [33:06]: "Can you really? So one day I had a letter with a stamp on it and started erasing it... it's possible that I erased a good portion of the cancellation."
The hosts reflect humorously on the outdated nature of such scams and the stringent security measures now in place to prevent them.
7. Catch of the Day: Recognizing Advance-Fee Scams
Timestamp: [34:50] – [38:19]
In the "Catch of the Day" segment, Joe presents a text exchange from the scam subreddit that exemplifies an advance-fee scam, commonly known as "check floating."
Scam Text Exchange:
Sender: "Hey, what are you doing? Hate to ask, but I don't know who else to ask. Can I ask a favor? I need a big favor. You one of the few people I can ask. I need you. Spare me $300 for an emergency. I'll tell you where to send it on and I promise to send it back later today."
Joe Carrigan, reading the message aloud: "There is no punctuation in this, so it's just a huge ass run-on sentence."
Joe analyzes the scam, explaining how scammers lure victims with a seemingly urgent financial need, then have them deposit a fake check and send money on; the victim loses that money when the check bounces.
Joe Carrigan [36:03]: "This is sounding a lot like a scam. Not going to lie."
Dave emphasizes the importance of recognizing such red flags and advises listeners to avoid engaging with suspicious requests.
8. Understanding Modern Text Abbreviations
Timestamp: [38:19] – [41:16]
The hosts engage in a light-hearted discussion about contemporary text abbreviations like NGL (Not Gonna Lie) and TBH (To Be Honest). They reminisce about older abbreviations like BRB (Be Right Back) and LOL (Laugh Out Loud), sharing amusing anecdotes about their usage and generational differences in understanding these terms.
Joe Carrigan [40:35]: "Yeah, I knew it was laugh out loud."
This segment adds a relatable and humorous element to the episode, highlighting the evolving nature of digital communication.
Conclusion
In this episode of "Hacking Humans," the hosts delve deep into the intricate world of social engineering scams, offering listeners both critical insights and practical advice on recognizing and preventing various types of fraud. From deceptive emails and travel scams to advanced social engineering tactics targeting the insurance industry, the discussion is both comprehensive and engaging. Additionally, the episode underscores the value of educational resources like those provided by the USPS and emphasizes the importance of vigilance in an increasingly digital world.
Notable Quotes:
- Joe Carrigan [01:21]: "So I reported it as spam immediately. But then I was like, I want maybe... it was really convincing."
- Maria Varmazis [08:58]: "Economic pressures play a role here, with 58% of Americans cutting back on personal spending to afford vacations, which increases their susceptibility to scams."
- Rachel Tobac [17:09]: "Impersonating IT and help desk people to get passwords and multi-factor authentication codes."
- Joe Carrigan [36:03]: "This is sounding a lot like a scam. Not going to lie."
Resources Mentioned:
- USPS Postal Inspection Service YouTube Channel: Comprehensive videos on various scams. [Link in Show Notes]
- ThreatLocker: Sponsor providing Zero Trust Endpoint Protection. [ThreatLocker.com/HH]
For more details and links to the resources mentioned, refer to the show notes.
