Dave Bittner (4:39)

Wow. Wow. Yeah. I'm curious, Seamus, your comments on this. I mean when you think about this kind of scam coming into someone, what are some of the red flags that come to mind for you?

Seamus Lennon (4:49)

Well, if I receive a text message from the irs, I'm going to get really worried.

Dave Bittner (4:55)

I bet you I don't need the.

Seamus Lennon (4:56)

United States, don't pay tax in the United States. But if I do, I'm going to get really, really Worried, but it is typical. Like they'll attach onto anything that's relevant in the time that's relevant. It's tax, period. Let's just hit everybody with tax.

Dave Bittner (5:10)

Now.

Seamus Lennon (5:10)

The thing is, most people won't fall for that, but a lot of people do, you know, like postal delivery. I mean, how many people have received a text message or an email to say, hey, we've got your package, but you need to go on to this link and pay the customs for it. When you have an order then now if you're an online shopper, you start questioning going, did I order something?

Dave Bittner (5:33)

Yeah.

Maria Vermasis (5:34)

Easy to forget.

Seamus Lennon (5:35)

Yeah. And that's the thing. And that's good to juke people. Very simply and very easy. Very easy. So I'm based in Ireland, so we have the regulation commission in Ireland for communication is Comrade. Now they've actually introduced something new which is totally new in Ireland, which basically means as a business in Ireland, you must register your number with comrade. If you do not register your number or caller ID or your SMS ID with comrades, every time you send out an email or a text message or a voicemail to a user in Ireland, it will come up as potentially fraudulent straight away. So the amount of times any of our voicemails, like the vision, I look at my phone, I see a number, I don't answer it, look up the number. It's a help and support site for know a telephone before in Ireland, they advertise the number online. So with no technology like voiceover, I can just throw in a, a phone number and I could be anybody. But with the introduction of this now when they do that, it's flat straight away. Now it's going to save like three and a half thousand people get juked every day in Ireland. We're not a huge country, we're only five and a half million, three and.

Dave Bittner (6:56)

A half thousand people. That's adorable.

Seamus Lennon (6:58)

It is. I'm not saying we're very people in Ireland. No, very silly people in Ireland. So.

Dave Bittner (7:07)

But it's a numbers game, right?

Seamus Lennon (7:09)

It is a numbers game, yes.

Dave Bittner (7:10)

Yeah. It also makes me think about how so many parts of the world, it seems, are ahead of us here in the US when it comes to regulations, you know, tamping down on these things. I know for me personally, like every time I get what is obviously a fraudulent phone call or text message or something, I think to myself, why is this still happening? You know, we in today, in the amount of technology we have, why are we still getting these things? It's maddening that we aren't farther ahead. But it's interesting to hear that other nations are taking action. Yeah.

Seamus Lennon (7:43)

And it's great that it's taken the control out of Andrews hands and that's essentially what it is because, you know, they're not targeting intelligent people, not targeting people that are aware of these things. They target everybody. Yeah, everybody. So, you know, my 70 year old auntie picks up the phone again. She's maybe ordered the package, maybe hasn't. Very simple, very easy to be juked.

Dave Bittner (8:07)

Yeah. Show of hands, how many people have gotten a fraudulent text message in the past month? That's pretty much everybody. Yeah, this gentleman raised both of his hands. He has a work phone and a personal phone. So yeah, nobody's immune. Yeah. All right, what else do you have, Maria?

Maria Vermasis (8:24)

That was actually both of my stories.

Dave Bittner (8:26)

All right, terrific. Well, my story this week is more of a sort of a broad informational kind of thing. This is actually from the folks at ABC7 in Chicago, one of the local affiliates there, and they did some reporting on the Better Business Bureau's report on the top local scams of 2024. So the better Business Bureau, most of you are probably familiar with, they're an organization that helps keep track of businesses in your community. They help take care of disputes that people might have with local businesses. One of the things they also do is they have a cyber scam reporting line and they keep track of the scams that are going on and they generate statistics. In this case, they generated a report for 2024 and I thought it'd be interesting to see some of the top scams that they were tracking from their perspective as folks who are keeping an eye on the consumer retail side of things. Let start with a question. So I'm going to quiz the two of you. What do you suppose the number one reported scam is for the Better Business Bureau for consumers.

Maria Vermasis (9:35)

Consumers. Is it gift card related? No.

Seamus Lennon (9:41)

No. Okay, Seamus, is it refund related?

Dave Bittner (9:46)

Maybe.

Maria Vermasis (9:47)

That's an interesting guess.

Dave Bittner (9:48)

All right. Yep, it's actually online purchases. So this is fake websites. This is fraudulent transactions situations where people believe that they have purchased something online and it never shows up. We're seeing a ton of situations, especially on platforms like Facebook, where someone will generate what looks like a totally legitimate storefront, sometimes offering impossible prices on irresistible products that are well known name branded things. And people shop around. The bad guys pay to have these ads put in front of people. And you're minding your own business, scrolling through and you see, oh, there's a kayak. And I really want A kayak. And that's half the price of the kayak usually is. You go through looks like the legitimate website for the company who sells the kayak, 100%. You put in your credit card information, they send you an email that says, good news, your kayak is on the way. And of course, you're never going to get the kayak. There never was a kayak. This fake store is just imitating the actual retailer of the kayak. And in most cases, you'd be out of luck there. You could go back to your credit card company, but these are rampant on platforms like Facebook.

Maria Vermasis (11:06)

Yeah, it costs pennies to do if that. Fractions of pennies. Yeah.

Dave Bittner (11:09)

Right, Absolutely. I'm going to go through some of the other ones here. Phishing, of course, is number two. I'm sure everyone in this room is familiar with what phishing is. Number three is employment scams. So we've been seeing this in the headlines a lot, particularly some of the stories coming out of places like North Korea where folks are either setting up fake recruiting services, they're trying to get folks who are looking for jobs, or there are folks who are signing up for jobs fraudulently. So people who are from places like North Korea will apply for jobs here in the US Sometimes get those jobs, let's say engineering jobs, but the money is all being funneled back to North Korea, which of course is illegal. So we're seeing both of those. In fact, just about a week or so ago, there was a woman in, I believe, the Midwest who got arrested for having a laptop farm that was facilitating fraud from North Korea. So the North Koreans were taking advantage of her laptop farm to make it appear as though they were here in the United States when they were doing all of their work from around the world. Coming in at number five. I'm sorry, I skipped number four. Number four is debt collection. So this is a really easy one. You get a text message or a phone call, someone saying that you owe someone money. One of the key components of this is it puts you in an emotional state.

Seamus Lennon (12:42)

Of course.

Dave Bittner (12:43)

Right? Yeah. And that's what these scammers rely on. They short circuit your brain's rational thinking. Someone calls you up and they say, you owe us money, and if you don't pay us, we're going to do something bad to you. Bad things are going to happen. We're going to ruin your credit or, you know, all sorts of. You could go to jail if you don't pay. And of course, it's all fake. Number five is counterfeit products. Number six are travel, vacation and timeshare scams. Government agency imposters. So this one we touched on with the fake delivery schemes, the postal service, that sort of thing. The irs.

Maria Vermasis (13:21)

Irs, yes.

Dave Bittner (13:22)

Yeah, these are big sweepstakes and lottery prizes. Number nine is tech support scams. How many folks have seen a tech support scam? Yeah, seems like these aren't as popular as they used to be, but they're still out there. Particularly you see pop ups of someone who is running a browser and they don't have what I would call a fundamental level of pop up blocking or ad filtering or the things that probably the folks in this room would seem like basic, but they don't have that. And so something pops up and it says, your computer is infected. My favorite thing was years ago, my elderly father had a hand me down MacBook Pro that I'd given him. And he called me over one day, he said, dave, the computer's broken, please come over. I'm sure there are many people in this room who have that relationship with their parents as well. So I go over to help him fix the computer and sure enough, there's a pop up on the, on his Macintosh that says that his Windows operating system is infected and said, dad, I think we're okay here.

Maria Vermasis (14:31)

Dad's not dual boxing.

Dave Bittner (14:32)

Okay? No, no, dad is not running a VM on his neck.

Maria Vermasis (14:36)

I can, I mean, I don't want.

Dave Bittner (14:37)

To assume, you know. No, I can assure you, my father, obviously I love my father dearly, but he's one of those people who knows what to do but not why he's doing it. So he will have a USB cable that he has a sticker on that says printer. And then he has a sticker on the computer above the USB slot that says printer. And so he knows the thing with the printer label goes in the hole with the printer label. And if he does that, the printer works. That's all he needs to know. It's a good reminder that there are lots of people, people we work with and our loved ones who are running successfully, doing their day to day lives with that level of understanding. But they have big targets on their backs because of that. They don't understand what's going on behind the scenes. And then the last one here are investment scams. And of course this has to do with cryptocurrency. We see lots of investment scams also tied to romance scams where someone will get a message out of the blue, someone will say, oh, I'm sorry I texted you accidentally, by the way. Who are you and where do you live? And they'll send a picture of someone who's quite attractive, and they'll start building a relationship, sometimes over days, weeks or months, that inevitably leads to a pitch for some kind of investment. And at that point, they have built up so much trust and they have done so much relationship building and love bombing where they're just telling this person that they are the best person and how important they are to them, and they get the person's defenses down, go in for the kill, get the investment scam, and now off we go. People lose thousands of dollars, hundreds of thousand dollars and even millions of dollars in some of the stories we've covered here. Just devastating. I'm curious, Seamus, as we go through this list, are there any ones in particular that stand out to you that you, either through you or your loved ones that have affected your family or ones that are particularly notorious in your mind?

Seamus Lennon (16:44)

Well, obviously, number one is vision. It's always been around, it always will be around. One thing as a cyber security professional, I always get asked is, what about AI? Can AI stop all this? Or how has AI improving things or disproven things? Well, realistically, what AI has actually achieved when it comes to fission is corrected spelling mistakes. That's about it. And it can also be used then for targeted fission. So you mentioned for us about the Facebook ads and that I have a Facebook profile. The last time I posted on Facebook would have been six years ago. I still use Facebook. I just don't post anything. There's nothing personal there. There's no information about me there. If you want to find anything out, you can find everything professional about me on LinkedIn and that's it. But I've got no personal information shared on the Internet so people can use against me, because that's what AI will do. It'll go off, search up your name on social media sites, and it'll create a Persona of efficient attack that suits you. Just you, very simple, very easy. And it can be done in seconds. Yeah, seconds. And that's the thing. So it's still always going to be primary and it'll hit all the notes that you as a reader will see that, oh, maybe this is genuine. So you know it's never going to go away. But look, there's two things with phishing. Either it's credential compromise or it's to get an excuse to run something on the device. Simple as that. It's to gain access with trial operator in place. We believe in zero trust, which only Allows access where access is required. So we can control, although we can control the fish itself, we can control what happens in the aftermath of that. Now if it's credentialing, obviously help with that. We just launched network Cloud control which says even if your credentials were stolen, if somebody tries to log in from an unauthenticated device, a device that's not yours, it gets blocked in the client. So it's again stopping that level of access as well.

Dave Bittner (18:45)

Yeah, well, and I think, you know, particularly at the corporate level, it seems as though there's recognition of the need for these types of things and more of these things are in place. But I still can't help worrying about my friends and family. They say my elderly father and I'm looking forward to the day when those level tools filter down and become the day to day things that just operate in the background that people don't have to worry about. You think we're heading that way?

Seamus Lennon (19:16)

We are heading that way. And as I said, my example about the Irish comrade, that's filtering up to the top. So that's taken it out of the equation completely. So imagine how many thousands of people is going to save from those phishing attacks, the smishing attacks, those text messages for packages and the IRS in Ireland. No, it's not going to happen. But the Revenue Service, but that's just going to take it all out of the equation. So again, that's taking it from the top level all the way down to the bottom. So look, it's about awareness. It's always been about awareness. Now you're not going to be able to teach everybody. And that's the unfortunate thing, you cannot teach everybody how to be secure and how to be safe. Right. I live by zero trust. So you know, basically I'm very much paranoid about everything. Not in that sort of way, but I am. When I'm online, I'm on my computer. The websites I go on to or anticipate that. You mentioned bitcoin. I do bits and bitcoin and cryptocurrency. And if you start reading up anything about what's the next best thing, because look, everybody that's into cryptocurrencies for one reason is to make that 200 plus thousand profit on what you've invested in. But if you look on what's the next big thing in cryptocurrency, you can guarantee the 5 out of 10 things that you look at are fake, completely fake. They don't exist. All they want is the initial investment because it's not Even the cryptocurrencies, it hasn't even been published. And that's what they utilize. What are people interested in? To dupe them into basically taking the money.

Dave Bittner (20:53)

Yeah. Yeah. I'm curious for you, Maria. Are there any of these things that have touched your life?

Maria Vermasis (21:00)

Oh, my goodness. I've mentioned it a few times on the show, but I've known people who've gotten really badly involved with these romance scams, and I've talked about it a couple times also. But even when you have people in their lives like myself who know about these things or people who work in law enforcement who can speak to, you know, the dangers of these romance scams, a lot of times people just really want to believe that they're true. And it's very, very hard to disentangle them from these things. But to your point about helping out family and friends, actually, to both of us, both of what you were saying, my mother's in a similar situation of she doesn't know a lot about how these things work. And my mother is very intelligent, but my view is she shouldn't have to know how these things work. She's extremely smart in her own areas of expertise. This just happens to not be what she is an expert in. So as much as we try to stay on top of these things, and we should, because it's our jobs, we have to just also remember that nobody can know everything. And hopefully we have solutions like what you've been mentioning that can help people not have that burden of knowledge because it's just not possible for everyone to do it.

Dave Bittner (22:05)

Yeah, Yeah. I think it's true that nobody is 100% immune to these sorts of things, particularly the social engineering types of things. Every one of us has something that we love to do. If it's a hobby or an interest or a collection that would, if sourced from something we know and trust and love, would probably get our defenses down. And that's not a dig against us. We're all human and we have emotions, and so that's what they take advantage of. It's interesting, too, just swinging back to what you're saying about not being on Facebook for so many years and doing things on LinkedIn and that sort of thing. It really is, I think, a shame that so many of us, when we have these conversations about social media platforms, it is the lesser of all the evils. Right. Like, we sort of begrudgingly say, you know, yes, I do this because I have to, not because there's any real joy and pleasure so much in it. I know there are new things in Mastodon and Blue sky and things like that are doing their best, but it's a shame that we've gotten to that where that is the point of where we are today.

Maria Vermasis (23:21)

Yeah. That the best way to use them is to basically not use them.

Seamus Lennon (23:23)

Not use them. The safest way to use them and.

Dave Bittner (23:26)

How aggressively bad they've gotten, I mean, I would say even in the past year, you know, I'm on Facebook to keep track of my friends and family all over the United States and around the world. And it's just remarkable to me how aggressively bad it has gotten, including scams in front of me and things I'm not interested in. Just ad after ad after ad. It's maddening that they have us kind of linked into that. Wait, that was a mixed metaphor, wasn't it?

Seamus Lennon (23:55)

Yeah.

Dave Bittner (23:56)

All right. All right. We are going to take a quick break to hear a message from our show sponsor.

ThreatLocker Sponsor (24:09)

So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't Want to Run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.

Dave Bittner (25:20)

And we're back. It is time for our catch of the day. Our Catch of the Day this week comes from a listener. His name is Diesel and he is from West Virginia. And he received this message from the Venmo support team. And the message is, we were frozen to process your recent unauthorized activity attempted. Now, we were saying earlier that AI has helped make the English in these messages better, that it is harder to just spot the poor English than it used to be because of AI. This is an exception. So see if you can spot where the AI that generated this message goes wildly off the rails. Here we go. Dear Customer. We inform you that we would like to proceed with a frozen transfer activity. As you may know, a frozen transfer involves the use of cryopreserved embryos which are thawed and transferred into the uterus in order to achieve a successful pregnancy. Wow. Don't look at me.

Maria Vermasis (26:43)

Don't look at me.

Dave Bittner (26:47)

If you disabled sign into your account by accident through our phone line and you do not believe unauthorized activity or access has occurred, you will need to verify your account and complete the prompted steps to regain access to your account. And then there's a big button that says verify now. And it says, thanks, Venmo support team. I got pregnant through Venmo.

Seamus Lennon (27:07)

Woohoo.

Dave Bittner (27:10)

Obviously, I'm going to leave it to you here, Seamus, to unpack. Walk us through the connection of where the AI, we think, made a faulty connection between several different things. What do you make of this?

Seamus Lennon (27:24)

This is one hacker that actually hasn't found AI yet.

Dave Bittner (27:29)

Really? See, my assumption was that the AI went from frozen assets and somehow connected the word frozen to. To frozen embryos and just ran with that and completely nonsensical. And nobody, you know, the bad guys, they don't. They don't bother to proofread anything. It's all a numbers game.

ThreatLocker Sponsor (27:56)

And of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust endpoint protection platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices.

Dave Bittner (28:24)

And that is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com this episode is produced by Liz Stokes.

Maria Vermasis (28:50)

Yeah, Liz.

Dave Bittner (28:54)

Our executive producer is Jennifer Ivan. We're mixed by Elliot Heltzman and Trey Hester. Peter Kielpe is our publisher. I'm Dave Bittner.

Maria Vermasis (29:11)

And I'm Maria Vermazes.

Seamus Lennon (29:12)

And I'm Seamus Lambert.

Dave Bittner (29:14)

Thanks for listening. Thanks for being here, everybody.